New variant of Code Red worm found

The same company that discovered the original Code Red worm which has been wreaking havoc worldwide this week said late Friday that it has identified a variant of the worm which is harder to track.

The variant of the Code Red worm has been modified in subtle but important ways that make it harder to identify and track, said eEye Digital Security Inc. Chief Hacking Officer Marc Maiffret in a message to the Bugtraq security e-mail list. The variant worm no longer contacts hosts early in the sequence of IP (Internet Protocol) addresses that the original worm scanned, which will make the worm harder to track, Maiffret said. Also, the variant does not deface the pages of infected host systems the way the original worm did, making it more difficult to know if a system is compromised, he said. The worm does still send attack traffic to the White House Web site.

The new worm has only had about 13 bytes of code changed from the original, and is employing capabilities that were always in the original worm, Maiffret said. Though the code that enables the new functions of the worm has always been there, Maiffret believes that the new worm is a re-release of the original, rather than part of a natural progression.

"This is the worst security event in Internet history," said Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq (which is distinct from BugTraq). "We haven't seen a worm that involves this many hosts and is this complex."

If the systems affected by the worm continue to go unpatched, "the impact, we predict, is a meltdown." The Internet will be so bogged down with traffic from infected systems that many Web sites will become unavailable, including, possibly, the very sites that would provide information on how to patch the vulnerability or defeat the worm, he said. Additionally, the worm is crashing infrastructure devices, like routers, which has the potential to take many more systems offline, he said.

The variant of Code Red has infected as many systems in one day in the wild as the original worm did roughly a week, Cooper said.

Administrators and the computer security community have a 10 to 11 day window of opportunity to fix the vulnerability in Microsoft Corp. IIS (Internet Information Server) servers before the worm begins scanning for new victims again, Cooper said. Variants could shrink this window even smaller, as variants may include new code, he said.

Stuart Staniford, president of Silicon Defense and another security expert who has been tracking the spread of the variant, posted a follow-up e-mail to Maiffret's to the Bugtraq list later Friday.

"There's no doubt a great deal of it still (lying) dormant," he wrote. "This was definitely a big bad worm. I imagine the worm writers can improve significantly on 1.8 compromises/hour though (the rate at which the worm is infecting servers, according to Staniford), so it's only going to get worse."

NTBugtraq's Cooper is working on code to help stem the spread of the worm and said that he would be publishing a script that will patch the vulnerability with a single click. The script will be available on the NTBugtraq Web site (www.ntbugtraq.com) later Friday, he said. He also said that he would be willing to help any administrator patch their system either by e-mail or the phone.

The original Code Red is a worm that attacks Microsoft IIS systems vulnerable to a certain type of buffer overflow attack discovered in mid-June. The worm spreads itself by infecting a system and then running through 100 nearly random IP addresses looking for other vulnerable machines. When it finds them, it infects them and repeats the process. The worm also makes infected systems send 100k-bytes of traffic to the Whitehouse.gov Web site from July 20 to July 27.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sam Costello

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?