"Code Red" worm claims 12,000 servers

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-6604515.html?tag=tp_pr

By Robert Lemos
Special to CNET News.com 
July 18, 2001, 1:35 p.m. PT 

Almost 12,000 Web servers have been infected by a new Internet worm
that takes advantage of a security flaw in Microsoft software to
deface sites, security experts said Wednesday. The worm could also
help attackers identify infected computers and gain control of them.

Known as the Code Red worm because of evidence that it may have been
launched from China, the self-spreading program infects servers using
unpatched versions of Microsoft's Internet Information Server software
and defaces the Web sites hosted by the servers.

The code is still being analyzed to see if it does any further damage.
But the way the worm is written, it could allow online vandals to
build a list of infected systems and later take control of them, said
Marc Maiffret, chief hacking officer with eEye Digital Security.

"It is a very slick worm," Maiffret said. "Until all these people go
out and patch their systems, it will keep going."

eEye found the vulnerability in Microsoft's software--the so-called
index-server flaw--last month and reported it to the software giant,
which acknowledged the flaw June 18 and posted a downloadable fix on
its Web site. Microsoft urged people to patch the hole before the
Internet underground could produce tools to take advantage of the
estimated 6 million vulnerable systems.

"Obviously, not a lot of people patched it," Maiffret said. "Even with
the press, a lot of people didn't hear about it."

System administrators first detected the Code Red worm this past
Friday.

The worm spreads by selecting 100 IP addresses, scanning the computers
associated with them for the hole, and spreading to the vulnerable
machines. The worm then defaces any Web site hosted by the server with
the text:

Welcome to http://www.worm.com! 
Hacked by Chinese! 

Code Red seems to deface only English-language servers, going into
hibernation on non-English versions of Microsoft's IIS software.

Believing that Worm.com acted as a collection point for information
sent from compromised servers, Microsoft has successfully requested
that Worm.com's Internet service provider pull the plug on the site.
If Worm.com had built such a list, it could have allowed online
vandals to target computers known to be vulnerable.

"That site was a collection point for data about what sites had been
compromised," said Scott Culp, security program manager for
Microsoft's security response center. "By taking it down, it prevents
the malicious individual that created the worm from getting that
information. It doesn't prevent the worm from spreading."

But according to eEye's Maiffret, removing Worm.com from the Web will
probably have no effect, because the way Code Red is programmed can
allow anyone--including an online vandal or malicious hacker--to make
a list of every system that has been compromised.

That's because each instance of the worm will attack the same
computers in the same order, according to eEye's analysis. Maiffret
said that while the addresses of the computers attacked by the worm
seem to be random, because the worm uses the same starting point, or
"seed," to generate the list, the "random" lists that any two worms
generate are identical. Like identical genes, which produce a clone,
identical seed numbers produce attack lists that are the same.

That means any computer on the "randomized" list will be attacked by
every newly infected computer. By monitoring who attacks a target
machine, a list of attacking--thus infected--computers can be made.

One eEye client has done just that, said Maiffret, and found that
almost 11,900 servers had been infected as of 7 a.m. PDT Wednesday.
Unlike other worm attacks, where the actual number of infections can
only be estimated, these numbers correspond to the actual infections,
he said.

Unfortunately, if attackers have access to a machine on the target
list, they, too, can make a list of compromised machines. Later, an
attacker can use the list to take control of the servers.

For system administrators who have not patched their systems, now
would be a good time, said Microsoft's Culp.

"We are going back out to customers and telling them that if they
didn't put the patch on before, this is all the reason they need to
put the patch on now," he said.





ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.