Code Red II includes dangerous 'backdoor' Trojan

The new and potentially more dangerous variant of the Code Red worm, which appeared over the weekend, can add a 'backdoor' Trojan to any Microsoft Corp. Web server that is vulnerable to a specific exploit. The Trojan could let anyone with a Web browser take over those servers.

As with previous versions, the latest Code Red worm acts as a distributed denial-of-service attack tool by exploiting a buffer-overflow vulnerability in unpatched Microsoft Web servers. But this variant, which some security analysts have dubbed Code Red II, allows an explorer.exe Trojan shell to be loaded onto IIS Web servers that are not protected by the patches distributed in the Microsoft Service Pack II update of last July.

According to Russ Cooper, editor of the online security newsgroup NTBugtraq and a security expert at vendor TruSecure Corp., the latest variant is far more dangerous than the previous versions. "It's a completely differently written program," he said. The group of security experts that first identified Code Red II believes it was written by the 29A Group, an alias for a group of hackers.

As released by the virus writer, Code Red II can install a "virtual Web directory" on the compromised Microsoft Web server, making every file accessible to anyone with a Web browser.

"It's extremely easy to figure out which machines are compromised by this," said Cooper. The latest variant of Code Red works on a 24-hour cycle to spread and attack, unlike the previous versions that had a longer monthly dormancy and awakening cycle.
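Cooper's point is that compromised machines are easy to identify; on the server side, the worm's probe is equally visible in IIS logs. The following is an added example, not code from the article: a Python scanner over constructed W3C-format IIS log lines that flags the /default.ida probe and separates the original Code Red's 'N' filler from Code Red II's 'X' filler, a distinction taken from public worm analyses rather than from this article. The 32-character filler threshold is a heuristic chosen here.

```python
import re
from typing import Dict, List, Optional

# Constructed IIS W3C extended log lines (not from the article). Field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = "\n".join([
    "2001-08-05 03:12:44 10.0.0.5 GET /index.htm - 80 - 10.0.0.9 Mozilla/4.0 200",
    "2001-08-05 03:13:01 10.0.0.5 GET /default.ida " + "N" * 224 + "%u9090%u6858%ucbd3 80 - 192.0.2.10 - 200",
    "2001-08-05 03:14:09 10.0.0.5 GET /default.ida " + "X" * 224 + "%u9090%u6858%ucbd3 80 - 198.51.100.7 - 200",
    "2001-08-05 03:15:30 10.0.0.5 GET /about.htm - 80 - 10.0.0.9 Mozilla/4.0 404",
])

# The worm probes /default.ida (the Index Server ISAPI filter) with an oversized query
# that opens with one repeated letter: 'N' for the original Code Red, 'X' for Code Red II.
PROBE = re.compile(r"^/default\.ida$", re.IGNORECASE)
FILLER = re.compile(r"^([NX])\1{31,}", re.IGNORECASE)   # 32+ repeats is a heuristic threshold
VARIANT = {"N": "CodeRed", "X": "CodeRedII"}


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'variant', 'source', 'status'} for a Code Red probe line, else None."""
    fields = line.split()
    if len(fields) < 11 or fields[3].upper() != "GET":
        return None
    stem, query, client, status = fields[4], fields[5], fields[8], fields[10]
    if not PROBE.match(stem):
        return None
    m = FILLER.match(query)
    if not m:
        return None
    # The status code is kept so an analyst can see whether IIS actually served the request.
    return {"variant": VARIANT[m.group(1).upper()], "source": client, "status": status}


def scan_log(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group probe hits by worm variant, skipping W3C '#' header lines and blanks."""
    hits: Dict[str, List[Dict[str, str]]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        hit = classify_line(line)
        if hit:
            hits.setdefault(hit["variant"], []).append(hit)
    return hits


if __name__ == "__main__":
    for variant, entries in scan_log(SAMPLE_LOG).items():
        print(variant, [e["source"] for e in entries])
```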

Cooper said he was hosting a security experts symposium called NTBugtraq Retreat in Ontario last Saturday when independent security experts in Australia and Romania, as well as vendor labs including those of TruSecure and Symantec Corp., reported sighting the new version of Code Red. A dinner party was going on, but the 30 or so participants at the event immediately began analyzing the samples of the new variant, said Cooper.

"It turned into a 'disassembly party' as we analyzed the code," Cooper explained. Into the early hours of Sunday morning the security experts tested the code to identify its properties, and found it to be far more dangerous than its predecessors.

The latest variant can be stopped by ensuring that every Microsoft Web server gets the patch made available at www.microsoft.com for both the buffer-overflow and Trojan Horse vulnerabilities identified in the past.

The federal government's National Infrastructure Protection Center (NIPC) warned about the Code Red worm last week and repeated its public warning about the new variant. But in spite of the enormous amount of press coverage that the NIPC warning received, owners of Web servers are failing to apply the relevant patches, said Cooper.

An estimated 400,000 Microsoft servers were infected last week by the original Code Red in spite of the widespread press coverage of the worm's danger. Eliminating it "just didn't work, in spite of all our reporting," Cooper pointed out.

Cooper believes there are three categories of users who haven't installed the appropriate patch on their Microsoft Web servers. The first are home or small business users with Web servers, particularly those using high-speed Internet services such as @home and RoadRunner. "People may not even know that junior has a Web server," Cooper noted.

The second category is companies that have simply forgotten that older Web servers exist on their intranet, and because they have no firewall, these older Web servers are actually sitting on the Internet and becoming infected through Code Red's automated search for new machines.

Finally, the news about Code Red may not have reached faraway countries where people don't typically read news reports from the West, but Microsoft Web servers there are becoming infected. All in all, says Cooper, "I think I'm going to have to go on the Oprah Winfrey show to really get the message out to people."


Ellen Messmer

Computerworld