A new Internet worm has been spotted that attacks Microsoft Corp. Internet Information Server (IIS) systems that are vulnerable to a month-old security flaw. The worm could lead to denial of service attacks against affected sites, according to the researchers who discovered it.
But the announcement of the discovery, and the information provided along with it and other security alerts, has lead some to question the methods some security companies use to notify the public to potential problems. Many companies adhere to a philosophy called full disclosure, which holds that as much information as possible about vulnerabilities should be made public, including even the publication of tools to attack these flaws. Others in the community, however, say that full disclosure helps no one other than those who would attack systems.
The worm that has sparked renewal of the debate has been dubbed "Code Red" by the researchers at eEye Digital Security Inc. who discovered it, both because the worm defaces Web pages with the text "Hacked by Chinese" and because Code Red Mountain Dew soda fueled an all night session in which the worm was identified and analyzed, according to a posting to the Bugtraq e-mail list by Marc Maiffret, chief hacking officer at eEye and one the discoverers of the worm.
Code Red attacks IIS servers vulnerable to the index server flaw discovered in June by eEye and for which Microsoft issued a patch. The worm, which allows a hole in the server to be exploited to gain complete control of affected system, can infect all unpatched servers running Windows NT 4, Windows 2000, Windows XP and IIS 4.0 or higher with indexing features enabled.
When the worm infects a system, it checks for the file c:\ notworm and if not does not find that file, the worm scans 100 random IP (Internet Protocol) addresses searching for new, vulnerable IIS servers, according to the advisory released by eEye. Though the worm was thought to be querying a Web site at http://www.worm.com, eEye's Maiffret said Thursday in an interview that that now does not appear to be the case. If the server that the worm infects is running on an English-language version of Windows, the worm will deface the Web site to read "Welcome to http://www.worm.com! Hacked by Chinese!," according to eEye.
The use of worm.com in the defacement is nothing more than the equivalent of saying "Welcome to screw you.com," Maiffret said. The actual worm.com Web site has been taken offline, however, according to a Microsoft Corp. representative. Maiffret doubts that worm.com is actually part of the worm because "God, that would be really stupid and there are some really smart things in this code," he said.
If the worm finds other vulnerable systems, it will copy itself to them and repeat the process. Though the addresses are nearly random, each time the worm begins the scan, it starts from the same address list, meaning that addresses that come early in the sequence of those too be scanned are likely to be hit repeatedly as the worm spreads, the advisory said.
Additionally, the worm will check the infected system's date, and if it finds that the date is between the 20th and 27th of the month, the infected system will send 100K bytes of traffic to port 80 (the server address for HTTP, hypertext transfer protocol, traffic) to the Whitehouse.gov Web site, new research showed Thursday, according to Maiffret. From the 1st to the 19th, the worm spreads itself, and from the 28th to the end of the month, it lays dormant, he said.
The worm is "still continuing to grow, infecting more machines, which in turn, are launching more attacks," according to Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq (which is distinct from BugTraq). "We're just lucky it doesn't do anything more malicious," he said.
Code Red is spreading quickly, Cooper said, pointing to figures from the security Web site DShield.org, which tracked the worm as being hosted on 27 IP addresses on July 13, resulting in 611 probes for new machines to infect. However, by July 16, DShield counts over 6,150 infected machines, resulting in over 316,000 probes. EEye's Maiffret said that one system administrator who contacted the company said he had tracked over 15,000 infected systems. Additionally, a government agency who told Maiffret that they had to remain anonymous is also tracking the worm and has found over 68,000 infected systems, he said.