RealTime IT News

Code Red is Back!

The Code Red worm is rearing its ugly head again, crashing some servers even though they have been patched against the buffer overflow the worm exploits.

Reports have been filtering in that servers running Microsoft Windows NT 4.0 with Microsoft's IIS 4.0 Web server software, and which also use URL redirection, are prone to crashing because of the worm. This particular problem does not affect patched installations of IIS 5.0 on Windows 2000. Machines running Windows NT 4.0 or Windows 2000 with unpatched versions of IIS 4.0 or 5.0 remain vulnerable to the worm itself.

In this case, however, the crashes occur because IIS 4.0, when configured to redirect URLs, accepts any URL, including the worm's request, leaving it open to an overflow that crashes IIS even though the June patch is installed.

According to a Microsoft IIS Technical Support staffer posting to a message board, Microsoft is working on a fix but it is not yet ready. Currently, the only solution to the problem is to remove all redirected IIS Web sites and URLs from the server, apply the patches Microsoft issued in June, and reboot the server.

"Removing the [.ida] script mappings will not avoid all the problems if you are running IIS 4.0," the staffer posted. "Removing the redirections is currently the best solution (this is in addition to installing the fix or removing the script mappings)."
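As an added example, not code from the article, Microsoft or eEye, the following Python scans IIS W3C extended log lines for requests to .ida-mapped resources that carry an oversized query string, so an administrator can confirm whether a server that still has the .ida script mapping (or the redirections discussed above) is actually being hit. It assumes the overflow travels in the query string of an .ida request; the log lines, addresses and the 200-character threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed IIS W3C extended log lines (fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status); not a real capture.
SAMPLE_LOG = "\n".join([
    "2001-08-01 10:02:11 192.0.2.10 GET /default.htm - 200",
    "2001-08-01 10:02:15 198.51.100.7 GET /default.ida "
    + "N" * 240 + "%u9090%u6858 200",
    "2001-08-01 10:02:19 203.0.113.5 GET /search/query.ida q=report 200",
    "2001-08-01 10:03:01 198.51.100.8 GET /default.ida " + "X" * 300 + " 404",
])

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


@dataclass
class Hit:
    ip: str
    stem: str
    query_len: int
    status: int


def find_ida_probes(lines: Iterable[str], min_query_len: int = 200) -> List[Hit]:
    """Flag requests to an .ida-mapped resource whose query string is unusually
    long (assumption: the overflow is carried in the query). Ordinary short .ida
    queries are ignored so the check stays low-noise; a 404 still counts, since
    the request reached the server regardless of the response."""
    hits: List[Hit] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group("stem").lower().endswith(".ida"):
            continue
        query = m.group("query")
        qlen = 0 if query == "-" else len(query)
        if qlen >= min_query_len:
            hits.append(Hit(m.group("ip"), m.group("stem"), qlen, int(m.group("status"))))
    return hits


def sources(hits: List[Hit]) -> List[str]:
    """Distinct client addresses behind the flagged requests, for follow-up."""
    return sorted({h.ip for h in hits})


if __name__ == "__main__":
    for hit in find_ida_probes(SAMPLE_LOG.splitlines()):
        print(hit)
```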

Code Red first appeared in July and was discovered by eEye Digital Security. At the time, eEye said the worm was similar to the sadmind/IIS worm that propagated near the end of the U.S.-China hacker skirmishes in May.

The worm exploits a well-known hole in IIS for which Microsoft published a patch in June.

Code Red appears to propagate on a cyclical basis, and some officials, particularly Ronald Dick, head of the Federal Bureau of Investigation's National Infrastructure Protection Center, have predicted that there is a good chance the worm will continue to spread on a periodic basis.

The patch for Windows NT 4.0 is available here, and the patch for Windows 2000 Professional, Server and Advanced Server is available here.