With new IIS worm, security practices questioned

A new Internet worm has been spotted that attacks Microsoft Corp. Internet Information Server (IIS) systems that are vulnerable to a month-old security flaw. The worm could lead to denial of service attacks against affected sites, according to the researchers who discovered it.

But the announcement of the discovery, and the information provided along with it and other security alerts, has lead some to question the methods some security companies use to notify the public to potential problems. Many companies adhere to a philosophy called full disclosure, which holds that as much information as possible about vulnerabilities should be made public, including even the publication of tools to attack these flaws. Others in the community, however, say that full disclosure helps no one other than those who would attack systems.

The worm that has sparked renewal of the debate has been dubbed "Code Red" by the researchers at eEye Digital Security Inc. who discovered it, both because the worm defaces Web pages with the text "Hacked by Chinese" and because Code Red Mountain Dew soda fueled an all night session in which the worm was identified and analyzed, according to a posting to the Bugtraq e-mail list by Marc Maiffret, chief hacking officer at eEye and one the discoverers of the worm.

Code Red attacks IIS servers vulnerable to the index server flaw discovered in June by eEye and for which Microsoft issued a patch. The worm, which allows a hole in the server to be exploited to gain complete control of affected system, can infect all unpatched servers running Windows NT 4, Windows 2000, Windows XP and IIS 4.0 or higher with indexing features enabled.

When the worm infects a system, it checks for the file c:\ notworm and if not does not find that file, the worm scans 100 random IP (Internet Protocol) addresses searching for new, vulnerable IIS servers, according to the advisory released by eEye. Though the worm was thought to be querying a Web site at http://www.worm.com, eEye's Maiffret said Thursday in an interview that that now does not appear to be the case. If the server that the worm infects is running on an English-language version of Windows, the worm will deface the Web site to read "Welcome to http://www.worm.com! Hacked by Chinese!," according to eEye.

The use of worm.com in the defacement is nothing more than the equivalent of saying "Welcome to screw you.com," Maiffret said. The actual worm.com Web site has been taken offline, however, according to a Microsoft Corp. representative. Maiffret doubts that worm.com is actually part of the worm because "God, that would be really stupid and there are some really smart things in this code," he said.

If the worm finds other vulnerable systems, it will copy itself to them and repeat the process. Though the addresses are nearly random, each time the worm begins the scan, it starts from the same address list, meaning that addresses that come early in the sequence of those too be scanned are likely to be hit repeatedly as the worm spreads, the advisory said.

Additionally, the worm will check the infected system's date, and if it finds that the date is between the 20th and 27th of the month, the infected system will send 100K bytes of traffic to port 80 (the server address for HTTP, hypertext transfer protocol, traffic) to the Whitehouse.gov Web site, new research showed Thursday, according to Maiffret. From the 1st to the 19th, the worm spreads itself, and from the 28th to the end of the month, it lays dormant, he said.

Red alert

The worm is "still continuing to grow, infecting more machines, which in turn, are launching more attacks," according to Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq (which is distinct from BugTraq). "We're just lucky it doesn't do anything more malicious," he said.

Code Red is spreading quickly, Cooper said, pointing to figures from the security Web site DShield.org, which tracked the worm as being hosted on 27 IP addresses on July 13, resulting in 611 probes for new machines to infect. However, by July 16, DShield counts over 6,150 infected machines, resulting in over 316,000 probes. EEye's Maiffret said that one system administrator who contacted the company said he had tracked over 15,000 infected systems. Additionally, a government agency who told Maiffret that they had to remain anonymous is also tracking the worm and has found over 68,000 infected systems, he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sam Costello

PC World
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?