The Code Red worm is rearing its ugly head again, crashing some servers even
though they have been patched against the buffer overflow the worm exploits.
Reports have been filtering in that servers running Microsoft Windows NT 4.0
and Microsoft’s IIS 4.0 Web server software, and which also utilize URL
redirection, are prone to crashing due to the worm. This particular problem
does not affect patched versions of IIS 5.0 Windows 2000. Machines
running Windows NT 4.0 or Windows 2000 and unpatched versions of IIS
4.0 or 5.0, are vulnerable to the worm.
However, in this case, the crashes occur due to the fact that when IIS 4.0
is set to redirect URLs it will accept any URL, leaving it vulnerable to an
overflow that crashes IIS.
According to a Microsoft IIS Technical Support staffer posting to a message
board, Microsoft is working on a fix but it is not yet ready. Currently, the
only solution to the problem is to remove all redirected IIS Web sites and
URLs from the server, apply the patches Microsoft issued in June, and reboot
“Removing the [.ida] script mappings will not avoid all the problems if you
are running IIS 4.0,” the staffer posted. “Removing the redirections is
currently the best solution (this is in addition to installing the fix or
removing the script mappings).”
Code Red first appeared in July and was discovered by eEye Digital Security. At the
time, eEye said the worm was similar to the sadmind/IIS worm that propagated
near the end of the U.S.-China hacker skirmishes in May.
The worm exploits a well-known hole in IIS for which Microsoft published a
patch in June.
Code Red appears to propagate on a cyclical basis, and some officials,
particularly Ronald Dick, head of the Federal Bureau of Investigation’s
National Infrastructure Protection Center, have predicted that there is a
good chance the worm will continue to spread on a periodic basis.