Go to Home Page GuidesHow to ArticlesReviewsForumsFrequently Asked QuestionsNewsLinksPotpourri

Site Search

 

Code Red and Blue Worms
Last updated: 9/18/01

MS Security bulletin - Code Red Worm

The following is a Security Bulletin from the Microsoft Product Security

Notification Service.

Please do not reply to this message, as it was sent from an unattended

mailbox.

********************************

The Microsoft Security Response Center, along with other

organizations listed below, is jointly publishing this alert that

ALL IIS ADMINISTRATORS ARE ASKED TO READ

A Very Real and Present Threat to the Internet:

July 31 Deadline For Action

Summary:

The Code Red Worm and mutations of the worm pose a

continued and serious threat to Internet users. Immediate action

is required to combat this threat. Users who have deployed

software that is vulnerable to the worm (Microsoft IIS

Versions 4.0 and 5.0) must install, if they have not done so

already, a vital security patch.

How Big Is The Problem?

On July 19, the Code Red worm infected more than 250,000 systems

in just 9 hours. The worm scans the Internet, identifies

vulnerable systems, and infects these systems by installing

itself. Each newly installed worm joins all the others causing

the rate of scanning to grow rapidly. This uncontrolled growth

in scanning directly decreases the speed of the Internet and

can cause sporadic but widespread outages among all types of

systems. Code Red is likely to start spreading again on

July 31st, 2001 8:00 PM EDT and has mutated so that it may be

even more dangerous. This spread has the potential to disrupt

business and personal use of the Internet for applications such

as electronic commerce, email and entertainment.

Who Must Act?

Every organization or person who has Windows NT or Windows 2000

systems AND the IIS web server software may be vulnerable.

IIS is installed automatically for many applications. If you

are not certain, follow the instructions attached to determine

whether you are running IIS 4.0 or 5.0. If you are using

Windows 95, Windows 98, or Windows Me, there is no action that

you need to take in response to this alert.

What To Do If You Are Vulnerable?

a. To rid your machine of the current worm, reboot your computer.

b. To protect your system from re-infection:

Install Microsoft's patch for the Code Red vulnerability problem:

- - Windows NT version 4.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

- - Windows 2000 Professional, Server and Advanced Server:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Step-by-step instructions for these actions are posted at

http://www.microsoft.com/technet/treeview/default.asp?

url=/technet/itsolutions/security/topics/codeptch.asp

Microsoft's description of the patch and its installation,

and the vulnerability it addresses is posted at:

http://www.microsoft.com/technet/treeview/default.asp?

url=/technet/security/bulletin/MS01-033.asp

Because of the importance of this threat, this alert is

being made jointly by:

Microsoft

The National Infrastructure Protection Center

Federal Computer Incident Response Center (FedCIRC)

Information Technology Association of America (ITAA)

CERT Coordination Center

SANS Institute

Internet Security Systems

Internet Security Alliance

-*******************************************************************

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

9/18 10:48 AM EST Code Red Worm is back.  The following is a notice from my web site hosting service this AM:
Network Problems. Beginning around 9:20am this morning, a terrific volume of Windows NT-based probes began to hit our network. These probes are randomly generated by Windows NT servers on the Internet that have been infected by the Code Red worm or other variations. Although these probes present no threat to our FreeBSD servers, the volume of traffic is reducing performance for some servers. We are working to mitigate the effect on servers, as well as to restore service to any server that crashes under load. We are currently receiving over 8000 hits per second from as many as one hundred thousand NT servers on the Internet. Network performance has not been affected.  If you have a Windows NT or 2000 server/device (running Microsoft Internet Information Services, Version 4.0 or 5.0) on the Internet and have not fixed this problem yet, don't you think it is time to take steps right now to do your part to squash this worm?

9/7 Code Blue Worm Deemed Bigger Threat Than Code Red. Code Blue is deemed to be more threatening to users than earlier Code Red variants because, unlike Code Red, Code Blue gradually increases its usage of system resources and, if not stopped, can bring computers running Windows NT or Windows 2000 to a halt...

9/5 'Anti-Worms' Fight off Code Red Threat

8/20 The Week In Security: Code Red Inspires New Tools; Symantec's New Appliance

8/17 FBI: Early Efforts Nip Code Red Worm. Following a concerted effort to make computer users aware of the viruslike Code Red worm, the FBI said Thursday that the worm's damage will be far less than originally feared when it enters its scheduled "attack mode" this weekend.

8/15 Code Red II Virus Attacks HK Government Servers

8/14 Microsoft MCSE Training Comes Under Fire. IT Professionals and trainers are blaming insufficient security training offered under the nationwide Microsoft Certified Systems Engineer program for contributing to the spread of Code Red and other damaging viruses.

8/11 Security Firm Blamed For Code Red Costs. 'Was it really necessary to release full details of the IIS buffer overflow that made the Code Red I and II worms possible?'

8/11 Code Red Creates Hacker Hit ListAnyone with a list of these wide-open boxes, gleaned from their server logs, has the potential to anonymously take over a few thousand servers overnight, with full administrator-level access...

8/10 'Code Red': The Virus That Will Not Die. The worm has attacked 400,000 to 800,000 server computers since it first struck in mid-July.  The worldwide economic impact: $2.1 billion and counting.

8/10 Code Red III Alert In Korea May Be False Alarm - ExpertNothing really concrete one way or the other in this most recent story.

8/10 Code Red III Detected in South Korea.  The Code Red III worm spreads even faster than earlier versions and leaves a wider "back door" on infected machines.... 43,201 servers infected so far.

8/9 Code Red Virus 'Most Expensive in History of Internet.' The economic cost of the original Code Red worm and its more malicious cousin, Code Red II, has risen to more than $2 billion.

8/9 Microsoft Fails to Patch Hotmail Servers, Hit by Code RedProving again that it doesn't practice what it preaches, Microsoft Corp. on Thursday confirmed that the Code Red worm infected two servers used for its Hotmail Web-based e-mail service.

8/9 Code Red II Computer Worm Spreads in U.S. Computers

8/9 Worms Prompt AT&T to Unplug Customer Sites. To keep the spread of the Code Red worms from slowing down its cable Internet network, AT&T is blocking access to Web servers that residential customers are running, a spokeswoman said Wednesday.

8/8 Code Red Hits DSL Routers, Cable-MODEM Networks. Time-Warner's RoadRunner service issued an advisory to its customers this week, acknowledging that customers "may experience slow network response, flashing connectivity lights on the cable modem, and other activity, such as unusual port scan log activity or increased firewall activity."  As Code Red in its approximately four variations has spread, it has also impacted Qwest DSL customers, which saw their Cisco DSL routers - which include a Microsoft Internet Information Server interface embedded in them - knocked off-line...

8/8 Virus Writing Group Denies Involvement With Code Red

8/8 Microsoft Releases Code Red Cleanup. The cleanup tool is designed to "eliminate the obvious effects of the Code Red II worm."   It does not install the patch released by Microsoft correct the buffer-overflow bug in the IIS Web server.  It may not fix other worms, etc. installed using the back door installed by Code II.  Scans looking for servers with the back door are being detected.  Tool description and download.

8/8 Got a Virus? You're Sued! Analysts are now predicting that those who have been lax in their security practices will begin to find themselves on the losing end of civil suits for negligence.

8/8 Computer Worm's Sequel Becomes More Damaging Than Original. "In the next few days I expect you'll see kids scanning around for systems that have this unlocked back door, looking for a way to take advantage of it," Blake said.  Machines already infected with Code Red can be re-infected with Code Red II.  Computer users with cable modems are seeing one of the side effects of Code Red II's search for servers to infect.  These users, including those using the Road Runner system in Texas, are seeing a rapidly flashing data light on their modems.

8/8 Code Red II Worms Its Way Deeper Into Internet. Costing nearly $2 billion and on its way to becoming one of the most expensive security threats to hit the Internet. "We're already seeing reports of denial of service attacks starting up..."  Some slowdowns for U.S. cable modem networks.

8/7 Code Red-Like Worm 'Storming Back'. Called "Code Red C" or "Code Red II" by some researchers... Fearnow, SANS Institute incident handler, said from Indianapolis that about 100,000 systems were infected Sunday, and in a "conservative" estimate, another 50,000 to 100,000 may be victimized through Monday.

8/7 Code Red II Crashes Dinner for Internet Experts. "The cumulative effect of all those (infected) boxes being available is probably going to be significantly worse than anything we've seen thus far..."

8/7 Code Red Cuts Off Qwest DSL Service. 'The vast majority Qwest's 360,000 DSL customers are not affected.'

8/6 New Code Red: Worse Than the First? A new and possibly more virulent version of the worm was detected circulating the Internet over the weekend, attacking machines and leaving them vulnerable to other intruders. More Serious Code Red II Worm on the Loose.  Installs a backdoor in servers that allows attackers to easily access the infected computer, gain control of the machine by changing passwords, and giving them the ability to copy, browse, and delete files.

8/1 (Updated) Code Red Worm is Scanning the Internet... The Code Red worm is active and looking for servers to infect.  The increasing activity “is indicative of the first phase of operation for the worm, in which it scans random IP address for systems to compromise,” CERT reported. “These reports indicate that the number of compromised systems is increasing exponentially.”

7/31 Code Red Damage Will Hinge On Voluntary Patching. If users don't download patches for the more than 6 million computers that are vulnerable to the virulent Code Red worm before the virus wakes from its dormancy tonight, the next outbreak of the worm could cause more harm than the first...

7/31 How to Protect Your Computer from The 'Code Red' Worm

7/31 Users Offer Tips on Foiling Code Red

7/31 Code Red Worm Carries Larger Warning. Federal computer security experts are using the Code Red computer worm to raise agency executives' awareness that a formal process is needed for fixing problems that make systems vulnerable to such attacks.

Copyright, Disclaimer, and Trademark Information Copyright © 1996-2006 Larry F. Byard.  All rights reserved. This material or parts thereof may not be copied, published, put on the Internet, rewritten, or redistributed without explicit, written permission from the author.