With new IIS worm, security practices questioned

A new Internet worm has been spotted that attacks Microsoft Corp. Internet Information Server (IIS) systems that are vulnerable to a month-old security flaw. The worm could lead to denial of service attacks against affected sites, according to the researchers who discovered it.

But the announcement of the discovery, and the information provided along with it and other security alerts, has lead some to question the methods some security companies use to notify the public to potential problems. Many companies adhere to a philosophy called full disclosure, which holds that as much information as possible about vulnerabilities should be made public, including even the publication of tools to attack these flaws. Others in the community, however, say that full disclosure helps no one other than those who would attack systems.

The worm that has sparked renewal of the debate has been dubbed "Code Red" by the researchers at eEye Digital Security Inc. who discovered it, both because the worm defaces Web pages with the text "Hacked by Chinese" and because Code Red Mountain Dew soda fueled an all night session in which the worm was identified and analyzed, according to a posting to the Bugtraq e-mail list by Marc Maiffret, chief hacking officer at eEye and one the discoverers of the worm.

Code Red attacks IIS servers vulnerable to the index server flaw discovered in June by eEye and for which Microsoft issued a patch. The worm, which allows a hole in the server to be exploited to gain complete control of affected system, can infect all unpatched servers running Windows NT 4, Windows 2000, Windows XP and IIS 4.0 or higher with indexing features enabled.

When the worm infects a system, it checks for the file c:\ notworm and if not does not find that file, the worm scans 100 random IP (Internet Protocol) addresses searching for new, vulnerable IIS servers, according to the advisory released by eEye. Though the worm was thought to be querying a Web site at http://www.worm.com, eEye's Maiffret said Thursday in an interview that that now does not appear to be the case. If the server that the worm infects is running on an English-language version of Windows, the worm will deface the Web site to read "Welcome to http://www.worm.com! Hacked by Chinese!," according to eEye.

The use of worm.com in the defacement is nothing more than the equivalent of saying "Welcome to screw you.com," Maiffret said. The actual worm.com Web site has been taken offline, however, according to a Microsoft Corp. representative. Maiffret doubts that worm.com is actually part of the worm because "God, that would be really stupid and there are some really smart things in this code," he said.

If the worm finds other vulnerable systems, it will copy itself to them and repeat the process. Though the addresses are nearly random, each time the worm begins the scan, it starts from the same address list, meaning that addresses that come early in the sequence of those too be scanned are likely to be hit repeatedly as the worm spreads, the advisory said.

Additionally, the worm will check the infected system's date, and if it finds that the date is between the 20th and 27th of the month, the infected system will send 100K bytes of traffic to port 80 (the server address for HTTP, hypertext transfer protocol, traffic) to the Whitehouse.gov Web site, new research showed Thursday, according to Maiffret. From the 1st to the 19th, the worm spreads itself, and from the 28th to the end of the month, it lays dormant, he said.

Red alert

The worm is "still continuing to grow, infecting more machines, which in turn, are launching more attacks," according to Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq (which is distinct from BugTraq). "We're just lucky it doesn't do anything more malicious," he said.

Code Red is spreading quickly, Cooper said, pointing to figures from the security Web site DShield.org, which tracked the worm as being hosted on 27 IP addresses on July 13, resulting in 611 probes for new machines to infect. However, by July 16, DShield counts over 6,150 infected machines, resulting in over 316,000 probes. EEye's Maiffret said that one system administrator who contacted the company said he had tracked over 15,000 infected systems. Additionally, a government agency who told Maiffret that they had to remain anonymous is also tracking the worm and has found over 68,000 infected systems, he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sam Costello

PC World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?