Worm + unpatched IIS servers = "Code Red"

If you have an unpatched IIS server running, its condition may already be Code Red - that's the name of a new worm that has been infecting english-only versions of MS IIS servers. Suspected to have originated from China, the worm generates lists of the servers it infects.

Almost 12,000 Web servers have been infected by a new Internet worm that takes advantage of a security flaw in Microsoft software to deface sites, security experts said Wednesday. The worm could also help attackers identify infected computers and gain control of them.

Known as the Code Red worm because of evidence that it may have been launched from China, the self-spreading program infects servers using unpatched versions of Microsoft's Internet Information Server software and defaces the Web sites hosted by the servers.

The code is still being analyzed to see if it does any further damage. But the way the worm is written, it could allow online vandals to build a list of infected systems and later take control of them, said Marc Maiffret, chief hacking officer with eEye Digital Security.

"It is a very slick worm," Maiffret said. "Until all these people go out and patch their systems, it will keep going."

eEye found the vulnerability in Microsoft's software--the so-called index-server flaw--last month and reported it to the software giant, which acknowledged the flaw June 18 and posted a downloadable fix on its Web site. Microsoft urged people to patch the hole before the Internet underground could produce tools to take advantage of the estimated 6 million vulnerable systems.

"Obviously, not a lot of people patched it," Maiffret said. "Even with the press, a lot of people didn't hear about it."

System administrators first detected the Code Red worm this past Friday.

The worm spreads by selecting 100 IP addresses, scanning the computers associated with them for the hole, and spreading to the vulnerable machines. The worm then defaces any Web site hosted by the server with the text:

Welcome to http://www.worm.com! 
Hacked by Chinese! 

Code Red seems to deface only English-language servers, going into hibernation on non-English versions of Microsoft's IIS software.

Believing that Worm.com acted as a collection point for information sent from compromised servers, Microsoft has successfully requested that Worm.com's Internet service provider pull the plug on the site. If Worm.com had built such a list, it could have allowed online vandals to target computers known to be vulnerable.

"That site was a collection point for data about what sites had been compromised," said Scott Culp, security program manager for Microsoft's security response center. "By taking it down, it prevents the malicious individual that created the worm from getting that information. It doesn't prevent the worm from spreading."

But according to eEye's Maiffret, removing Worm.com from the Web will probably have no effect, because the way Code Red is programmed can allow anyone--including an online vandal or malicious hacker--to make a list of every system that has been compromised.

That's because each instance of the worm will attack the same computers in the same order, according to eEye's analysis. Maiffret said that while the addresses of the computers attacked by the worm seem to be random, because the worm uses the same starting point, or "seed," to generate the list, the "random" lists that any two worms generate are identical. Like identical genes, which produce a clone, identical seed numbers produce attack lists that are the same.

That means any computer on the "randomized" list will be attacked by every newly infected computer. By monitoring who attacks a target machine, a list of attacking--thus infected--computers can be made.

One eEye client has done just that, said Maiffret, and found that almost 11,900 servers had been infected as of 7 a.m. PDT Wednesday. Unlike other worm attacks, where the actual number of infections can only be estimated, these numbers correspond to the actual infections, he said.

Unfortunately, if attackers have access to a machine on the target list, they, too, can make a list of compromised machines. Later, an attacker can use the list to take control of the servers.

For system administrators who have not patched their systems, now would be a good time, said Microsoft's Culp.

"We are going back out to customers and telling them that if they didn't put the patch on before, this is all the reason they need to put the patch on now," he said.