Code Red the Dracula of worms?

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-6981816.html?tag=mn_hd

By CNET News.com Staff 
August 27, 2001, 9:35 a.m. PT 

A new permutation of the Code Red II worm was discovered on Friday,
and experts say that Code Red is now unlikely ever to disappear.

The new variant has been dubbed CodeRed.d, and exploits the same flaw
in Microsoft's Internet Information Server (IIS) software as the
initial Code Red. According to Roger Thompson, technical director of
malicious code research at antivirus firm TruSecure, who detected the
variant, the appearance of a new worm indicates that we are stuck with
the Code Red problem "forever."

"This is pretty much noise level for Code Red II and CodeRed.d--it's
not going to get any better or worse and will stay like this forever,"
said Thompson. "Those machines that have not yet been patched never
will be, meaning that the worm is here to stay."

CodeRed.d is nearly identical to its predecessor, except for two minor
pieces of code that make it slightly more malicious. Code Red II used
a self-recognition string of code that prevented it from re-infecting
the same machine. But in the new variant, the string of code is
replaced with underscore characters, meaning that both Code Red II and
CodeRed.d can re-infect the same machine at once.

"People won't notice, but it will be banging out twice as many
attempts to attack other PCs," said Thompson. "It randomly selects a
range of addresses to attack other machines--each worm will be
churning out 300 threads to try and infect 300 different addresses at
any one time."

And CodeRed.d can target a greater spread of IP addresses than could
earlier versions of Code Red, said Thompson. "But this is mitigated by
those who have patched their machines."

Thompson discovered CodeRed.d after writing his WormCatcher program,
which monitors for traffic on a Web server's port 80 and immediately
detects any unknown worm variants. The first report of the new Code
Red II permutation came from New Zealand, followed by a second from
the U.S.

"I am now getting 10 hits an hour of reported catches, but I suspect
that this figure would have been much higher last month, when few
people had installed the Microsoft patch," said Thompson.

According to Thompson, four to five new worms are created by accident
on the Internet every day--but CodeRed.d was intentional. "This didn't
happen by accident--someone was trying to get Code Red to go again,
and we will be seeing more variations of this worm," Thompson warned.

Staff writer Wendy McAuliffe reported from London.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.