Code Red II includes dangerous 'backdoor' Trojan
07 August 2001, 08:30
The new and potentially more dangerous variant of the Code Red worm, which appeared over the weekend, can add a 'backdoor' Trojan to any Microsoft Corp. Web server that is vulnerable to a specific exploit. The Trojan could let anyone with a Web browser take over those servers.
As with previous versions, the latest Code Red worm acts as a distributed denial-of-service attack tool by exploiting a buffer-overflow vulnerability in unpatched Microsoft Web servers. But this variant, which some security analysts have dubbed Code Red II, also loads an explorer.exe Trojan shell onto IIS Web servers that are not protected by the patches distributed in the Microsoft Service Pack II update of last July.
According to Russ Cooper, editor of the online security newsgroup NTBugtraq and a security expert at vendor TruSecure Corp., the latest variant is far more dangerous than the previous versions. "It's a completely differently written program," he said. The group of security experts that first identified Code Red II believes it was written by the 29A Group, an alias for a group of hackers.
As released by the virus writer, Code Red II can install a "virtual Web directory" on the compromised Microsoft Web server, making every file accessible to anyone with a Web browser.
"It's extremely easy to figure out which machines are compromised by this," said Cooper. The latest variant of Code Red works on a 24-hour cycle to spread and attack, unlike the previous versions, which had a longer monthly cycle of dormancy and awakening.
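The worm reaches a server through an ordinary HTTP request that carries the buffer-overflow payload, so the first place a defender can look for it is the Web server's own access log. The following is an added example, not code from the article or from any of the parties it quotes: it parses constructed IIS-style W3C log lines and flags requests whose query string is abnormally long and consists mostly of one repeated byte, the shape of overflow padding rather than of a legitimate query. The log format, the `/vulnerable.dll` path and the thresholds are assumptions for illustration, not the worm's actual request signature.

```python
import re
from collections import Counter

# Constructed sample log in IIS W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# These lines are made up for the example and are not real log data.
SAMPLE_LOG = "\n".join([
    "2001-08-05 03:12:44 192.0.2.10 GET /index.htm - 200",
    "2001-08-05 03:12:51 198.51.100.7 GET /vulnerable.dll " + "X" * 240 + " 200",
    # A long but legitimate-looking query: varied characters, no long run.
    "2001-08-05 03:13:02 192.0.2.11 GET /search.asp q=" + "ab" * 70 + " 200",
    "2001-08-05 03:13:09 203.0.113.5 GET /vulnerable.dll " + "N" * 240 + " 200",
    "2001-08-05 03:13:15 198.51.100.7 GET /vulnerable.dll " + "X" * 240 + " 200",
    "this line is not in the expected format",
])

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def longest_run(s: str) -> int:
    """Length of the longest run of a single repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def looks_like_overflow(query: str, min_len: int = 128, min_run: int = 32) -> bool:
    """Heuristic (assumed thresholds): a very long query made largely of one
    repeated byte resembles overflow padding, not a normal application query."""
    return len(query) >= min_len and longest_run(query) >= min_run


def scan_log(text: str) -> list:
    """Return one record per request whose query string looks like overflow padding.
    Lines that do not match the expected format are skipped, not treated as errors."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = m["query"]
        if q != "-" and looks_like_overflow(q):
            hits.append({
                "client": m["client"],
                "stem": m["stem"],
                "query_len": len(q),
                "status": int(m["status"]),
            })
    return hits


def clients_by_hits(hits: list) -> Counter:
    """Count flagged requests per source address, to spot repeat scanners."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print(clients_by_hits(found))
```

A hit here only shows that an overflow-shaped request arrived; whether the server was actually compromised depends on whether the patch the article refers to was applied, so the log check is a prompt to verify patch status on the host, not proof of infection on its own.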
Cooper said he was hosting a security experts' symposium called the NTBugtraq Retreat in Ontario last Saturday when independent security experts in Australia and Romania, as well as vendor labs including those of TruSecure and Symantec Corp., reported sighting the new version of Code Red. A dinner party was going on, but the 30 or so participants at the event immediately began analyzing the samples of the new variant, said Cooper.
"It turned into a 'disassembly party' as we analyzed the code," Cooper explained. Into the early hours of Sunday morning the security experts tested the code to identify its properties, and found it to be far more dangerous than its predecessors.
The latest variant can be stopped by ensuring that every Microsoft Web server gets the patch made available at www.microsoft.com for both the buffer-overflow and Trojan Horse vulnerabilities identified in the past.
The federal government's National Infrastructure Protection Center (NIPC) warned about the Code Red worm last week and repeated its public warning about the new variant. But in spite of the enormous amount of press coverage that the NIPC warning received, owners of Web servers are failing to apply the relevant patches, said Cooper.
An estimated 400,000 Microsoft Web servers were infected last week by the original Code Red in spite of the widespread press coverage of the worm's danger. Eliminating it "just didn't work, in spite of all our reporting," Cooper pointed out.
Cooper believes there are three categories of users who haven't installed the appropriate patch on their Microsoft Web servers. The first are home or small business users with Web servers, particularly those using high-speed Internet services such as @Home and RoadRunner. "People may not even know that junior has a Web server," Cooper noted.
The second category is companies that have simply forgotten that older Web servers exist on their intranet; because they have no firewall, these older Web servers are actually sitting on the Internet and becoming infected through Code Red's automated search for new machines.
Finally, the news about Code Red may not have reached faraway countries where people don't typically read news reports from the West, but Microsoft Web servers are becoming infected. All in all, says Cooper, "I think I'm going to have to go on the Oprah Winfrey show to really get the message out to people."