Code Red II includes dangerous 'backdoor' Trojan

The new and potentially more dangerous variant of the Code Red worm, which appeared over the weekend, can add a 'backdoor' Trojan to any Microsoft Corp. Web server that is vulnerable to a specific exploit. The Trojan could let anyone with a Web browser to take over those servers.

As with previous versions, the latest Code Red worm acts as a distributed denial-of-service attack tool by exploiting a buffer-overflow vulnerability in unpatched Microsoft Web servers. But this variant, which has been dubbed by some security analysts as Code Red II, allows an explorer.exe Trojan shell to be loaded onto IIS Web servers that are not protected by patches distributed in the Microsoft Service Pack II update of last July.

According to Russ Cooper, editor of the online security newsgroup NTbugtrak and a security expert at vendor TruSecure Corp., the latest variant is far more dangerous than the previous versions. "It's a completely differently written program," he said. The group of security experts that first identified Code Red II believes it was written by the 29A Group, an alias for a group of hackers.

As released by the virus writer, Code Red II can install a "virtual Web directory" on the compromised Microsoft Web server, making every file accessible to anyone with a Web browser.

"It's extremely easy to figure out which machines are compromised by this," said Cooper. The latest variant of Code Red works on a 24-hour cycle to spread and attack, unlike the previous versions that had a longer monthly dormancy and awakening cycle.

Cooper said he was hosting a security experts symposium called NTbugtrak Retreat in Ontario last Saturday when independent security experts in Australia and Romania, as well as vendor labs including those of TruSecure and Symantec Corp., reported sighting the new version of Code Red. A dinner party was going on, but the 30 or so participants at the event immediately began analyzing the samples of the new variant, says Cooper.

"It turned into a 'disassembly party' as we analyzed the code," Cooper explained. Into early hours of Sunday morning the security experts tested the code to identify its properties, and found it to be far more dangerous than its predecessors.

The latest variant can be stopped by ensuring that every Microsoft Web server gets the patch made available at www.microsoft.com for both the buffer-overflow and Trojan Horse vulnerabilities identified in the past.

The federal government's National Infrastructure Protection Center (NIPC) warned about the Code Red worm last week and repeated its public warning about the new variant. But in spite of the enormous amount of press coverage that the NIPC warning received, owners of Web servers are failing to apply the relevant patches, said Cooper.

An estimated 400,000 Microsoft Servers were infected last week by the original Code Red in spite of the widespread press coverage of the worm's danger. Eliminating it "just didn't work, in spite of all our reporting," Cooper pointed out.

Cooper believes there are three categories of users who haven't installed the appropriate patch to their Microsoft Web servers. The first are home or small business users with Web servers, particularly those using the high-speed Internet services such as @home and RoadRunner. "People may not even know that junior has a Web server," Cooper noted.

The second category is companies that have simply forgotten that older Web servers exist on their intranet, and because they have no firewall, these older Web servers are actually sitting on the Internet and becoming infected through Code Red's automated search for new machines.

Finally, the news about Code Red may not have reached faraway countries where people don't typically read news reports from the West, but Microsoft Web servers are becoming infected. All in all, says Cooper, "I think I'm going to have to go on the Oprah Winfrey show to really get the message out to people."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Computerworld
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?