RealTime IT News

Code Red: "I'll Be Back!"

Computer security organizations, ranging from the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) to the Computer Emergency Response Team Coordination Center (CERT/CC), said Sunday they fear a relaunch of the Code Red worm which attacked servers around the world on July 19.

"We really need to get the word on the street exactly how detrimental Code Red can be to our systems," said Dave McCurdy, executive director of the Internet Security Alliance, one of the groups that issued the warning. "It poses a serious potential threat, but one that can be avoided with the proper precautions."

McCurdy added, "We're doing everything possible to ensure all users of the Internet -- especially small businesses and individual users who may not yet be aware of Code Red -- have the tools they need to safeguard their systems."

Code Red attacks servers running Microsoft's IIS 4.0 and 5.0 Web server software. It propagates rapidly -- it infected 250,000 systems in nine hours on July 19 -- by spawning 100 threads that scan the Internet for vulnerable servers and installing itself on those systems. As the worm multiplies and the scanning escalates, the worm causes massive latency across the Internet.

It also checks for the existence of the file c:\notworm, which it leaves behind in an infected system. If it finds the file, Code Red goes dormant.

It then checks whether the Web site the server is running is in English. If so, it defaces the page with the message: "Hello! Welcome to http://www.worm.com! Hacked By Chinese!"

The worm entered another stage at 8 p.m. EDT on July 20, when it stopped propagating and every worm in existence sent 100 connections to port 80 of the www.whitehouse.gov page.

The security organizations believe it is likely to begin spreading again on Tuesday.

"Code Red is likely to start spreading again on July 31st, 2001 8 p.m. EDT and has mutated so that it may be even more dangerous," the groups, which include Microsoft, the NIPC, the Federal Computer Incident Response Center, Information Technology Association of America, CERT/CC, SANS Institute, Internet Security Systems and Internet Security Alliance, warned in a jointly published alert. "This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, e-mail and entertainment."

The worm only affects Windows NT or Windows 2000 systems running the IIS Web server software. Windows 95, Windows 98 and Windows Me are not affected.

Microsoft last month published a patch which will protect vulnerable systems. The patch for Windows NT 4.0 is available here, and the patch for Windows 2000 Professional, Server and Advanced Server is available here.