New variant of Code Red worm found

The same company that discovered the original Code Red worm which has been wreaking havoc worldwide this week said late Friday that it has identified a variant of the worm which is harder to track.

The variant of the Code Red worm has been modified in subtle but important ways that make it harder to identify and track, said eEye Digital Security Inc. Chief Hacking Officer Marc Maiffret in a message to the Bugtraq security e-mail list. The variant worm no longer contacts hosts early in the sequence of IP (Internet Protocol) addresses that the original worm scanned, which will make the worm harder to track, Maiffret said. Also, the variant does not deface the pages of infected host systems the way the original worm did, making it more difficult to know if a system is compromised, he said. The worm does still send attack traffic to the White House Web site.

The new worm has only had about 13 bytes of code changed from the original, and is employing capabilities that were always in the original worm, Maiffret said. Though the code that enables the new functions of the worm has always been there, Maiffret believes that the new worm is a re-release of the original, rather than part of a natural progression.

"This is the worst security event in Internet history," said Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq (which is distinct from BugTraq). "We haven't seen a worm that involves this many hosts and is this complex."

If the systems affected by the worm continue to go unpatched, "the impact, we predict, is a meltdown." The Internet will be so bogged down with traffic from infected systems that many Web sites will become unavailable, including, possibly, the very sites that would provide information on how to patch the vulnerability or defeat the worm, he said. Additionally, the worm is crashing infrastructure devices, like routers, which has the potential to take many more systems offline, he said.

The variant of Code Red has infected as many systems in one day in the wild as the original worm did roughly a week, Cooper said.

Administrators and the computer security community have a 10 to 11 day window of opportunity to fix the vulnerability in Microsoft Corp. IIS (Internet Information Server) servers before the worm begins scanning for new victims again, Cooper said. Variants could shrink this window even smaller, as variants may include new code, he said.

Stuart Staniford, president of Silicon Defense and another security expert who has been tracking the spread of the variant, posted a follow-up e-mail to Maiffret's to the Bugtraq list later Friday.

"There's no doubt a great deal of it still (lying) dormant," he wrote. "This was definitely a big bad worm. I imagine the worm writers can improve significantly on 1.8 compromises/hour though (the rate at which the worm is infecting servers, according to Staniford), so it's only going to get worse."

NTBugtraq's Cooper is working on code to help stem the spread of the worm and said that he would be publishing a script that will patch the vulnerability with a single click. The script will be available on the NTBugtraq Web site (www.ntbugtraq.com) later Friday, he said. He also said that he would be willing to help any administrator patch their system either by e-mail or the phone.

The original Code Red is a worm that attacks Microsoft IIS systems vulnerable to a certain type of buffer overflow attack discovered in mid-June. The worm spreads itself by infecting a system and then running through 100 nearly random IP addresses looking for other vulnerable machines. When it finds them, it infects them and repeats the process. The worm also makes infected systems send 100k-bytes of traffic to the Whitehouse.gov Web site from July 20 to July 27.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sam Costello

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?