eEye Digital Security papers from AMT Software - Advanced Managemet Technology Software

AMT Banner

eEye Digital Security Papers

Code Red Update

On August 4th, a new worm was discovered attacking servers around the world. Dubbed "Code Red II", this new worm is not a variation of the original worm, but is in fact a completely separate worm. Code Red II attacks servers running Microsoft IIS using the same vulnerability as the original, but once the new worm has compromised the machine it performs a different and much more sinister set of attacks.

For a detailed analysis of how Code Red II works, click here.

The original Code Red worm gained steam for most of the day Wednesday August 1st and may result in clogged Web traffic. Infections jumped to about 115,000 at 3:30 p.m. ET from about 1,000 systems at 5 a.m. ET, and government officials say it is on pace to infect 250,000 systems before the day ends. Still, the malicious program's spread appears to be slowing down, and Web traffic remains undisturbed by the worm, according to Internet traffic measurement companies.

On July 31st, security experts were saying the speed and stability of the Internet were at risk because of Code Red, a malicious worm that takes advantage of a hole in Microsoft's Internet Information Server (IIS) Web server software. The worm, which was first analyzed by eEye on July 17th 2001, infected more than 300,000 servers and attacked the White House Web site last month before going into hibernation.

The worm was set to become active again at 5 p.m. PDT Tuesday July 31st, launching a new round of infections that could generate enough traffic to slow parts of the Internet.

Unlike other major systems attacks which spread via e-mail, Code Red infects servers than run Web sites. Ordinary computer users -- who can prevent the spread of a virus by avoiding suspicious-looking emails -- can still catch the worm if they run Microsoft's Windows NT or Windows 2000 operating systems on their home or work computer.

The Code Red worm, named for the new flavor of Mountain Dew soda preferred by the eEye Digital Security team, sends probes across the Internet, looking for computers to break into. When it finds a computer with a security weakness (a computer that has not been patched for the .ida vulnerability), it sneaks in, sets up a home base, and starts the search process over again. The worm does little damage to the computers it infects. The danger of Code Red lies in the pressure it puts on Internet infrastructure.

Code Red is programmed to actively propagate between the 1st and 19th day of each month. On the 20th day of each month, all of the infected computers launch an attack on the server hosting the White House Web site to try to crash it with a flood of data and traffic. The White House has since moved its Web site, so it will not be affected, but the attack will continue and may affect the overall performance of the Internet.

eEye Digital Security was first to disassemble the Code Red worm, dissect its functionality and understand its ultimate goal. Read the initial technical analysis of the worm here: http://www.eeye.com/html/Research/Advisories/AL20010717.html

eEye has created a free tool that you can run against your IIS servers to see if they are vulnerable the Code Red worm. Read more about this tool and download it here: http://www.eeye.com/html/Research/Tools/codered.html

How To Secure Your System From The Code Red Worm
The worm spreads itself to new vulnerable systems via the .ida vulnerability. Applying the patch for this vulnerability will keep a server from being infected. However, because the worm tends to attack the same chain of IP addresses over and over again, your server's performance could still be affected by a high-traffic overload.

Three steps to removing the worm from your servers:

1. Download the Microsoft patch for the .ida vulnerability:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

2. Reboot your system

3. Run a network scanner to ensure that your system is secure and to identify other patches that need installing. eEye provides a high-end network scanner: http://www.amtsoft.com/retina

How do I protect myself from future attacks like this one?
Network vulnerabilities and the malicious exploits that leverage them are discovered on a daily basis. Hackers and crackers operate on a global level, challenging themselves to discover and leverage new security vulnerabilities. IT administrators must apply continuous scrutiny and diligence in monitoring the latest security advisories and applying the latest security patches.

A more proactive way to protect your Web server is to install a new class of products called Application Firewalls. Application Firewalls are products specifically designed to protect a certain susceptible network application.

SecureIIS, Application Firewall for Microsoft's IIS Web server.
SecureIIS works between the layers of IIS, allowing it to analyze incoming data for security threats before it reaches your server. Unlike conventional firewalls that can only protect against publicized security breaches, SecureIIS is able to block a new attack before it is discovered and its patch made public. This feature is due to the ability of SecureIIS to protect against any attack that can be categorized into one of many common classes of attack. Two of these classes are buffer overflow attacks and high-bit attacks, both of which are used by the Code Red worm. As a result, every eEye client running SecureIIS was protected from the Code Red worm before it was discovered, even if they were late in applying their patches.