Code Red II includes dangerous 'backdoor' Trojan

The new and potentially more dangerous variant of the Code Red worm, which appeared over the weekend, can add a 'backdoor' Trojan to any Microsoft Corp. Web server that is vulnerable to a specific exploit. The Trojan could let anyone with a Web browser take over those servers.

As with previous versions, the latest Code Red worm acts as a distributed denial-of-service attack tool by exploiting a buffer-overflow vulnerability in unpatched Microsoft Web servers. But this variant, which has been dubbed by some security analysts as Code Red II, allows an explorer.exe Trojan shell to be loaded onto IIS Web servers that are not protected by patches distributed in the Microsoft Service Pack II update of last July.

According to Russ Cooper, editor of the online security newsgroup NTBugtraq and a security expert at vendor TruSecure Corp., the latest variant is far more dangerous than the previous versions. "It's a completely differently written program," he said. The group of security experts that first identified Code Red II believes it was written by the 29A Group, an alias for a group of hackers.

As released by the virus writer, Code Red II can install a "virtual Web directory" on the compromised Microsoft Web server, making every file accessible to anyone with a Web browser.

"It's extremely easy to figure out which machines are compromised by this," said Cooper. The latest variant of Code Red works on a 24-hour cycle to spread and attack, unlike the previous versions that had a longer monthly dormancy and awakening cycle.

Cooper said he was hosting a security experts' symposium called NTBugtraq Retreat in Ontario last Saturday when independent security experts in Australia and Romania, as well as vendor labs including those of TruSecure and Symantec Corp., reported sighting the new version of Code Red. A dinner party was going on, but the 30 or so participants at the event immediately began analyzing the samples of the new variant, said Cooper.

"It turned into a 'disassembly party' as we analyzed the code," Cooper explained. Into the early hours of Sunday morning the security experts tested the code to identify its properties, and found it to be far more dangerous than its predecessors.

The latest variant can be stopped by ensuring that every Microsoft Web server gets the patch made available at www.microsoft.com for both the buffer-overflow and Trojan horse vulnerabilities identified in the past.

The federal government's National Infrastructure Protection Center (NIPC) warned about the Code Red worm last week and repeated its public warning about the new variant. But in spite of the enormous amount of press coverage that the NIPC warning received, owners of Web servers are failing to apply the relevant patches, said Cooper.

An estimated 400,000 Microsoft servers were infected last week by the original Code Red in spite of the widespread press coverage of the worm's danger. Eliminating it "just didn't work, in spite of all our reporting," Cooper pointed out.

Cooper believes there are three categories of users who haven't installed the appropriate patch to their Microsoft Web servers. The first are home or small business users with Web servers, particularly those using the high-speed Internet services such as @home and RoadRunner. "People may not even know that junior has a Web server," Cooper noted.

The second category is companies that have simply forgotten that older Web servers exist on their intranet, and because they have no firewall, these older Web servers are actually sitting on the Internet and becoming infected through Code Red's automated search for new machines.

Finally, the news about Code Red may not have reached faraway countries where people don't typically read news reports from the West, but Microsoft Web servers there are becoming infected. All in all, said Cooper, "I think I'm going to have to go on the Oprah Winfrey show to really get the message out to people."


Ellen Messmer

Computerworld