New variant of Code Red worm found

The same company that discovered the original Code Red worm, which has been wreaking havoc worldwide this week, said late Friday that it has identified a variant of the worm which is harder to track.

The variant of the Code Red worm has been modified in subtle but important ways that make it harder to identify and track, said eEye Digital Security Inc. Chief Hacking Officer Marc Maiffret in a message to the Bugtraq security e-mail list. The variant worm no longer contacts hosts early in the sequence of IP (Internet Protocol) addresses that the original worm scanned, which will make the worm harder to track, Maiffret said. Also, the variant does not deface the pages of infected host systems the way the original worm did, making it more difficult to know if a system is compromised, he said. The worm does still send attack traffic to the White House Web site.

The new worm has only had about 13 bytes of code changed from the original, and is employing capabilities that were always in the original worm, Maiffret said. Though the code that enables the new functions of the worm has always been there, Maiffret believes that the new worm is a re-release of the original, rather than part of a natural progression.

"This is the worst security event in Internet history," said Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq (which is distinct from BugTraq). "We haven't seen a worm that involves this many hosts and is this complex."

If the systems affected by the worm continue to go unpatched, "the impact, we predict, is a meltdown." The Internet will be so bogged down with traffic from infected systems that many Web sites will become unavailable, including, possibly, the very sites that would provide information on how to patch the vulnerability or defeat the worm, he said. Additionally, the worm is crashing infrastructure devices, like routers, which has the potential to take many more systems offline, he said.

The variant of Code Red has infected as many systems in one day in the wild as the original worm did in roughly a week, Cooper said.

Administrators and the computer security community have a 10 to 11 day window of opportunity to fix the vulnerability in Microsoft Corp. IIS (Internet Information Server) servers before the worm begins scanning for new victims again, Cooper said. Variants could shrink this window further, as they may include new code, he said.

Stuart Staniford, president of Silicon Defense and another security expert who has been tracking the spread of the variant, posted a follow-up e-mail to Maiffret's to the Bugtraq list later Friday.

"There's no doubt a great deal of it still (lying) dormant," he wrote. "This was definitely a big bad worm. I imagine the worm writers can improve significantly on 1.8 compromises/hour though (the rate at which the worm is infecting servers, according to Staniford), so it's only going to get worse."

NTBugtraq's Cooper is working on code to help stem the spread of the worm and said that he would be publishing a script that will patch the vulnerability with a single click. The script will be available on the NTBugtraq Web site (www.ntbugtraq.com) later Friday, he said. He also said that he would be willing to help any administrator patch their system either by e-mail or the phone.

The original Code Red is a worm that attacks Microsoft IIS systems vulnerable to a certain type of buffer overflow attack discovered in mid-June. The worm spreads itself by infecting a system and then running through 100 nearly random IP addresses looking for other vulnerable machines. When it finds them, it infects them and repeats the process. The worm also makes infected systems send 100k-bytes of traffic to the Whitehouse.gov Web site from July 20 to July 27.


Sam Costello

Computerworld