Ingezonden persbericht

Media Alert : ISS' X-Force predicts Code Red worm will strike again on August 1st

Geachte persrelatie,

Het Internet is recentelijk opgeschrikt door de aanwezigheid van de 'Code Red'-worm. Op servers die nog steeds geinfecteerd zijn bevindt de worm zich in zijn 'slaap fase'. X-Force van Internet Security Systems verwacht dat de worm uit de 'slaapstand' komt en weer opnieuw zal toeslaan op of vanaf woensdag 1 augustus 2001.

Onderstaande informatie is afkomstig van X-Force, de Research & Development afdeling van Internet Security Systems ( ), een toonaangevende, wereldwijde leverancier van oplossingen voor beveiligingsbeheer voor het internet. X-Force van ISS is een team beveiligingsexperts dat zich ten doel heeft gesteld om bedreigingen van hackers tegen te gaan. Zij richten zich op het ontdekken, documenteren en coderen van de laatste veiligheidsbedreigingen. Samen met de solution engineers van ISS brengt het team voortdurend nieuwe preventie- en detectieoplossingen op de markt.

Chris Rouland, Directeur van X-Force, is beschikbaar voor commentaar. Indien u een gesprek met hem wenst kunt u kunt u zich wenden tot Claire Westerhof van Lammers van Toorenburg PR,
telefoon 030 656 50 70 of per e-mail Dit is tevens het adres voor FAQ´s en verder advies van X-Force.

Met vriendelijke groeten,
Lammers van Toorenburg PR

Claire Westerhof

The Internet has recently been faced with the threat of a worm, dubbed 'Code Red'. The worm exploits a vulnerability in unpatched versions of Microsoft IIS (Internet Information Server). This vulnerability was previously discussed in an ISS Security Alert dated June 19, 2001 ( IIS Web servers without the patch for the Index Server ISAPI Extension buffer overflow can be compromised by the worm, and then used to attack other vulnerable Web servers. The worm may pose a threat as a denial of service attack against the Internet as a whole, caused by the extra traffic generated as the worm spreads.

The worm has already been cleared from a large number of infected Web servers, and the vulnerability has been patched. On servers that are still infected, the worm is in a preprogrammed 'sleep' mode. There are concerns that these infected servers will awake from this sleep mode and begin propagating again on August 1, 2001. While these reports are largely inaccurate, there is a definite threat that the Code Red worm, or a variant of the worm, will be launched and begin spreading on or after August 1st.

The Code Red worm is a malicious worm that attacks Microsoft IIS Web servers that are missing an important security patch. The worm was first discovered on July 13, 2001, although the full impact of the worm was not felt until July 19th, when it spread to thousands of computer systems in a period of several hours. The outbreak of the Code Red worm in the last two weeks was initiated by the original version of the worm. Since then, two variants have been discovered, which were likely responsible for the rapid spread of the worm on July 19th. The new variants include changes to the code that make them more efficient at propagating, and therefore, they pose a much greater threat to the Internet. The two variants, versions 2a and 2b, include many changes from the original version, although the variants are very similar to each other.

All three versions of the Code Red worm reside only in memory - there is no file associated with the worm. As a result, the worm can be removed from a Web server simply by rebooting the system. To protect the server against future infection, however, the IIS vulnerability must be patched on the server. The three known versions of the worm also share a characteristic schedule. Based on the system clock on the infected computer, the worm behaves differently according to the day of the month (as described below).

1st - 19th: Scanning/Propagating Phase
The worm propagates by scanning IP addresses on the Internet and attempting to connect to the HTTP port (TCP port 80). When the IP address of a vulnerable IIS Web server is found, the worm infects the system. The newly infected system begins to scan IP addresses, and the other system continues searching for additional servers to infect.

20th - 27th: Flooding (DDoS) Phase
The worm initiates a distributed denial of service attack by flooding a pre-configured IP address with large amounts of traffic. The IP address configured in the all known versions of the worm is an IP address that previously belonged to To counteract the attack, the White House Web site was moved to a different IP address, so the flooding portion of the first wave of the Code Red worm was unsuccessful. Future variants of the worm, however, could be configured with different addresses or Web sites to flood.

Beginning on the 28th: 'Sleep' Phase
The worm goes into an infinite sleep phase. While the worm will remain in the computer's memory until the system is rebooted, the worm will not attempt to propagate or initiate any packet flooding attacks once it enters the sleep phase.

In the initial version of the worm, infected Web sites would appear to be defaced for a period of ten (10) hours after infection. The worm would cause IIS to respond to requests with a Web page that displayed the following message:
Welcome to!
Hacked by Chinese!
At the same time, the worm used up all the remaining threads on the system, scanning for other vulnerable IIS Web severs. It would start by scanning a pseudo-random list of IP addresses in the same order. This allowed individuals with IP addresses in the beginning of that list to track how many systems were infected. It also prevented the first version of the worm from spreading very quickly, because the newly infected systems were scanning addresses that had already been scanned by previously infected servers.

The new variants of the Code Red worm include updated propagation methods that could potentially make them far more dangerous than the initial versio n. Each infected system chooses random IP addresses to scan, instead of initially scanning a predictable set of systems as the initial version did. The traffic caused by the increased propagation of the newer variants could be enough to degrade Internet speeds to home users, businesses, and government agencies. Some users may experience very slow connections to the Internet, and others may experience intermittent outages during the propagation and flooding phase of the worm.

The newer variants also do not deface the infected Web servers, as the initial version did. As a result, system administrators may not notice infected servers immediately, because the Web site will not be defaced. This allows the worm to propagate for longer periods before the infected system is detected and the worm is removed. For these reasons, the propagation of the new variants may spread more quickly and affect more servers in a short period of time.

Microsoft Internet Information Server 4.0 and 5.0 without the patch for the 'Unchecked Buffer in Index Server ISAPI Extension' vulnerability Cisco products that run affected versions of Microsoft IIS.

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Deel: ' X-Force voorspelt dat Code Red worm weer toe zal slaan '

Lees ook