Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Code Red II Variant on the Prowl

From: InfoSec News <isn () c4i org>
Date: Wed, 12 Mar 2003 01:00:23 -0600 (CST)
http://www.eweek.com/article2/0,3959,924269,00.asp

By Dennis Fisher
March 11, 2003 

Security experts are watching a new variant of the Code Red II worm
that began appearing on some monitoring networks Tuesday. The worm is
nearly identical to its ancestor, save for a modified drop-dead date
that is now several thousand years in the future.

Known as Code Red.F, the worm uses the same infection method as the
previous versions, attacking Web servers running Microsoft Corp.'s IIS
software. The worm so far has infected only a few machines, and
because most administrators patched their servers after the initial
Code Red outbreak in 2001, it is unlikely to spread extensively,
experts say.

All of the Code Red worms exploit an unchecked buffer in the Index
Server in the IIS software. They then spread by infecting one machine
and then scanning a list of random IP addresses and attempting to
connect to port 80. The original Code Red, which struck in July 2001,
infected several hundred thousand IIS servers and caused massive
traffic disruptions on some portions of the Internet.

Roger Thompson, the technical director of malicious code research at
TruSecure Corp., in Herndon, Va., first began seeing new worm activity
Tuesday morning. His WormCatcher network of distributed hosts
monitoring activity on ports that worms commonly use started catching
packets that were 3,818 bytes long coming in on port 80.

"After looking at it, it was quite obviously a Code Red II variant,"  
he said. "It's not going to be as bad as the previous version, but it
will stay with us."

Thompson said he had seen 20 unique infections as of Tuesday
afternoon.

Like the first Code Red, this version of the worm code contains a date
on which it is set to stop attempting to propagate itself. Code Red II
died in October 2001, but Code Red.F won't exhaust itself for about
30,000 years, Thompson said.

The change in the drop-dead date and the fact that the buffer overflow
is caused with a multitude of Xs instead of Ns are the only
differences between Code Red II and its offspring.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: