With new IIS worm, security practices questioned

A new Internet worm has been spotted that attacks Microsoft Corp. Internet Information Server (IIS) systems that are vulnerable to a month-old security flaw. The worm could lead to denial of service attacks against affected sites, according to the researchers who discovered it.

But the announcement of the discovery, and the information provided along with it and other security alerts, has led some to question the methods some security companies use to notify the public of potential problems. Many companies adhere to a philosophy called full disclosure, which holds that as much information as possible about vulnerabilities should be made public, including even the publication of tools to attack these flaws. Others in the community, however, say that full disclosure helps no one other than those who would attack systems.

The worm that has sparked renewal of the debate has been dubbed "Code Red" by the researchers at eEye Digital Security Inc. who discovered it, both because the worm defaces Web pages with the text "Hacked by Chinese" and because Code Red Mountain Dew soda fueled an all-night session in which the worm was identified and analyzed, according to a posting to the Bugtraq e-mail list by Marc Maiffret, chief hacking officer at eEye and one of the discoverers of the worm.

Code Red attacks IIS servers vulnerable to the index server flaw discovered in June by eEye and for which Microsoft issued a patch. The worm, which exploits a hole in the server to gain complete control of the affected system, can infect all unpatched servers running Windows NT 4, Windows 2000, Windows XP and IIS 4.0 or higher with indexing features enabled.

When the worm infects a system, it checks for the file c:\notworm, and if it does not find that file, the worm scans 100 random IP (Internet Protocol) addresses searching for new, vulnerable IIS servers, according to the advisory released by eEye. Though the worm was thought to be querying a Web site at http://www.worm.com, eEye's Maiffret said Thursday in an interview that this now does not appear to be the case. If the server that the worm infects is running on an English-language version of Windows, the worm will deface the Web site to read "Welcome to http://www.worm.com! Hacked by Chinese!" according to eEye.

The use of worm.com in the defacement is nothing more than the equivalent of saying "Welcome to screw you.com," Maiffret said. The actual worm.com Web site has been taken offline, however, according to a Microsoft Corp. representative. Maiffret doubts that worm.com is actually part of the worm because "God, that would be really stupid and there are some really smart things in this code," he said.

If the worm finds other vulnerable systems, it will copy itself to them and repeat the process. Though the addresses are nearly random, each time the worm begins the scan, it starts from the same address list, meaning that addresses that come early in the sequence of those to be scanned are likely to be hit repeatedly as the worm spreads, the advisory said.
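A constructed model, added here and not taken from the eEye advisory or from the worm itself, of why the shared scan list described above concentrates probes on the addresses early in the sequence: every instance walks the same list from the top, so the first entries are probed by each newly infected host. The function names, the fixed PRNG seed standing in for the shared list, and the sample set of unpatched addresses are assumptions of the model.

```python
import random
from collections import Counter
from ipaddress import IPv4Address

SCAN_BATCH = 100  # addresses each infected host probes, per the eEye advisory

def shared_scan_list(seed=0, count=SCAN_BATCH):
    """Address list every instance walks. The advisory says each host starts
    from the same list; a fixed PRNG seed models that. Constructed, not worm code."""
    rng = random.Random(seed)
    return [IPv4Address(rng.getrandbits(32)) for _ in range(count)]

def simulate_spread(addresses, vulnerable, steps):
    """Discrete-time model of the advisory's spread pattern: each infected host
    probes one address per step, walking `addresses` from the top; a probed
    address in `vulnerable` becomes a new host that also starts from the top.
    Returns (probes per list position, number of newly infected hosts)."""
    hits = Counter()
    cursors = [0]       # one list cursor per infected host; index 0 is the seed host
    infected = set()
    for _ in range(steps):
        newly = 0
        for i in range(len(cursors)):
            pos = cursors[i]
            if pos >= len(addresses):
                continue  # this host has exhausted the list
            hits[pos] += 1
            cursors[i] = pos + 1
            if addresses[pos] in vulnerable and addresses[pos] not in infected:
                infected.add(addresses[pos])
                newly += 1
        cursors.extend([0] * newly)  # new hosts join next step, at the top
    return hits, len(infected)

def head_to_tail_ratio(hits, count=SCAN_BATCH):
    """Skew between the first and last list position: the repeated hits an
    early-listed address sees as the worm spreads."""
    return hits[0] / max(hits[count - 1], 1)

if __name__ == "__main__":
    addrs = shared_scan_list()
    vulnerable = set(addrs[:5])  # constructed: first five list entries are unpatched
    hits, n = simulate_spread(addrs, vulnerable, steps=SCAN_BATCH)
    print(f"{n} hosts infected; probes to first/last address: "
          f"{hits[0]}/{hits[SCAN_BATCH - 1]} (ratio {head_to_tail_ratio(hits):.1f})")
```

With independent per-host lists the probes would spread almost uniformly; the shared list is what produces the head-heavy pattern the advisory warns about.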

Additionally, the worm will check the infected system's date, and if it finds that the date is between the 20th and 27th of the month, the infected system will send 100K bytes of traffic to port 80 (the standard port for HTTP, Hypertext Transfer Protocol, traffic) at the Whitehouse.gov Web site, new research showed Thursday, according to Maiffret. From the 1st to the 19th, the worm spreads itself, and from the 28th to the end of the month, it lies dormant, he said.

Red alert

The worm is "still continuing to grow, infecting more machines, which in turn, are launching more attacks," according to Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq (which is distinct from BugTraq). "We're just lucky it doesn't do anything more malicious," he said.

Code Red is spreading quickly, Cooper said, pointing to figures from the security Web site DShield.org, which tracked the worm as being hosted on 27 IP addresses on July 13, resulting in 611 probes for new machines to infect. However, by July 16, DShield counted over 6,150 infected machines, resulting in over 316,000 probes. eEye's Maiffret said that one system administrator who contacted the company said he had tracked over 15,000 infected systems. Additionally, a government agency that told Maiffret it had to remain anonymous is also tracking the worm and has found over 68,000 infected systems, he said.

Sam Costello

PC World