New variant of Code Red worm found

The same company that discovered the original Code Red worm which has been wreaking havoc worldwide this week said late Friday that it has identified a variant of the worm which is harder to track.

The variant of the Code Red worm has been modified in subtle but important ways that make it harder to identify and track, said eEye Digital Security Inc. Chief Hacking Officer Marc Maiffret in a message to the Bugtraq security e-mail list. The variant worm no longer contacts hosts early in the sequence of IP (Internet Protocol) addresses that the original worm scanned, which will make the worm harder to track, Maiffret said. Also, the variant does not deface the pages of infected host systems the way the original worm did, making it more difficult to know if a system is compromised, he said. The worm does still send attack traffic to the White House Web site.

The new worm has only had about 13 bytes of code changed from the original, and is employing capabilities that were always in the original worm, Maiffret said. Though the code that enables the new functions of the worm has always been there, Maiffret believes that the new worm is a re-release of the original, rather than part of a natural progression.

"This is the worst security event in Internet history," said Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq (which is distinct from BugTraq). "We haven't seen a worm that involves this many hosts and is this complex."

If the systems affected by the worm continue to go unpatched, "the impact, we predict, is a meltdown." The Internet will be so bogged down with traffic from infected systems that many Web sites will become unavailable, including, possibly, the very sites that would provide information on how to patch the vulnerability or defeat the worm, he said. Additionally, the worm is crashing infrastructure devices, like routers, which has the potential to take many more systems offline, he said.

The variant of Code Red has infected as many systems in one day in the wild as the original worm did roughly a week, Cooper said.

Administrators and the computer security community have a 10 to 11 day window of opportunity to fix the vulnerability in Microsoft Corp. IIS (Internet Information Server) servers before the worm begins scanning for new victims again, Cooper said. Variants could shrink this window even smaller, as variants may include new code, he said.

Stuart Staniford, president of Silicon Defense and another security expert who has been tracking the spread of the variant, posted a follow-up e-mail to Maiffret's to the Bugtraq list later Friday.

"There's no doubt a great deal of it still (lying) dormant," he wrote. "This was definitely a big bad worm. I imagine the worm writers can improve significantly on 1.8 compromises/hour though (the rate at which the worm is infecting servers, according to Staniford), so it's only going to get worse."

NTBugtraq's Cooper is working on code to help stem the spread of the worm and said that he would be publishing a script that will patch the vulnerability with a single click. The script will be available on the NTBugtraq Web site ( later Friday, he said. He also said that he would be willing to help any administrator patch their system either by e-mail or the phone.

The original Code Red is a worm that attacks Microsoft IIS systems vulnerable to a certain type of buffer overflow attack discovered in mid-June. The worm spreads itself by infecting a system and then running through 100 nearly random IP addresses looking for other vulnerable machines. When it finds them, it infects them and repeats the process. The worm also makes infected systems send 100k-bytes of traffic to the Web site from July 20 to July 27.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sam Costello

Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?