According to some claims, the Code Red worm has now infected at least a quarter of a million Microsoft IIS Web servers. If you read my July 2 column and applied the patches listed there or in Microsoft Security Bulletin MS01-033, you were spared the panic generated by the media hype over the Code Red worm during the week of July 16.
The worm strikes
The Code Red worm began by flooding every Internet server address with a penetration attempt, but this ceased almost entirely at 8:00 P.M. on Thursday, July 19, when the worm was programmed to turn its attention to attempting a DoS attack on www.whitehouse.gov, or more specifically, on the White House server’s 126.96.36.199 IP address. Since there was plenty of warning, the White House security office changed the server to 188.8.131.52 in time to sidestep the attack, but that’s not the end of the story.
The Code Red worm will continue the attack on 184.108.40.206 for several more days, but fortunately, the government’s action saved all of us a lot of trouble—although it may not have realized it. Even with the White House server protected, the Code Red worm could have been a major blow to all Internet traffic. With hundreds of thousands of infected servers all sending massive amounts of data at the same time, this DoS would have been so large (400 MB/hour/server according to a CNET report) that it wouldn’t have affected just the target server; it would have placed a significant load on the backbone of the entire Internet.
Fortunately, the Code Red worm has a flaw. It first checks the IP address of a server to see if there is really a server at that address. Since the White House had altered its IP address, any DNS servers that had recorded the change were reporting an invalid address to the worm, thus limiting the amount of Internet traffic it could initiate.
Before you start congratulating yourself on not using Microsoft software and thus being invulnerable to this attack, it turns out that Cisco 600 series routers are also vulnerable to the Code Red worm. As the company admitted on Friday, July 20, there is a known vulnerability in the router code that will cause those machines to stop forwarding traffic after they are scanned by the Code Red worm, at least until they are rebooted.
Fixing the vulnerability
Patching your server is the only way to stop this worm, which is still out there roaming the Internet. Perhaps the only good news is that this worm was so successful, it looks as if virtually every potential victim has already been infected. Nevertheless, all those infected servers still need to be patched. There also may still be a flood of attacks on Aug. 1 because of the worm’s design. In addition, there are bound to be copycats, and since this is strictly a script-kiddie-level attack, it will be fairly easy to duplicate with a different payload.
It’s important to remember that this worm resides entirely in your system’s memory; nothing is written to the hard drive, so powering down a server should clean it out, but the server will be reinfected if you fail to make the required patch. The fact that it does not write to storage means that the Code Red worm can’t be detected by antivirus software.
What do you think about the Code Red worm?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.