Code Red II includes dangerous 'backdoor' Trojan

The new and potentially more dangerous variant of the Code Red worm, which appeared over the weekend, can add a 'backdoor' Trojan to any Microsoft Corp. Web server that is vulnerable to a specific exploit. The Trojan could let anyone with a Web browser take over those servers.

As with previous versions, the latest Code Red worm spreads by exploiting a buffer-overflow vulnerability in unpatched Microsoft Web servers and acts as a distributed denial-of-service attack tool. But this variant, which some security analysts have dubbed Code Red II, also loads an explorer.exe Trojan shell onto IIS Web servers that are not protected by the patches Microsoft distributed last July.

According to Russ Cooper, editor of the online security newsgroup NTBugtraq and a security expert at vendor TruSecure Corp., the latest variant is far more dangerous than the previous versions. "It's a completely differently written program," he said. The group of security experts that first identified Code Red II believes it was written by the 29A Group, an alias for a group of hackers.

As released by the virus writer, Code Red II can install a "virtual Web directory" on the compromised Microsoft Web server, exposing the server's file system so that every file is accessible to anyone with a Web browser.

"It's extremely easy to figure out which machines are compromised by this," said Cooper. The latest variant of Code Red works on a 24-hour cycle to spread and attack, unlike the previous versions that had a longer monthly dormancy and awakening cycle.
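One way an administrator could have looked for the signs Cooper describes is to scan the IIS access log for the worm's probe request and for hits on the paths its backdoor leaves behind. The script below is an added example and is not part of the original article or of anyone's published tool. Its request signatures (the long filler run on /default.ida, the root.exe copies under /scripts and /msadc, and the /c and /d virtual directories mapped to the server's drives) are taken from public advisories of the time, not from this article; the log field layout and the log lines themselves are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed IIS W3C extended log layout for the constructed sample below
# (a real server may log different or reordered fields; adjust FIELDS to match).
FIELDS = ["date", "time", "c_ip", "method", "uri_stem", "uri_query", "status"]

# Worm probe: a request to /default.ida whose query is a long filler run
# (N for the original Code Red, X for Code Red II) followed by %u-encoded payload.
# Signature from public advisories, not from the article.
PROBE_STEM = "/default.ida"
PROBE_QUERY = re.compile(r"^(N{100,}|X{100,})%u")

# Backdoor artifacts Code Red II leaves on an infected host (public advisories):
# a copy of cmd.exe reachable as root.exe under two script directories, and
# virtual directories /c and /d that expose the C: and D: drives over HTTP.
BACKDOOR_STEMS = ("/scripts/root.exe", "/msadc/root.exe")
BACKDOOR_DRIVE_PREFIXES = ("/c/", "/d/")


@dataclass
class Finding:
    client: str
    kind: str      # "probe", "backdoor" or "drive-access"
    uri: str
    status: int


def parse_line(line):
    """Split one W3C log line into a dict; return None for directives/blank/short lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the kind of Code Red activity a parsed record shows, or None."""
    stem = rec["uri_stem"].lower()
    if stem == PROBE_STEM and PROBE_QUERY.match(rec["uri_query"]):
        return "probe"
    if stem in BACKDOOR_STEMS:
        return "backdoor"
    if stem.startswith(BACKDOOR_DRIVE_PREFIXES):
        return "drive-access"
    return None


def scan(lines):
    """Collect findings from an iterable of log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        uri = rec["uri_stem"]
        if rec["uri_query"] != "-":
            uri += "?" + rec["uri_query"]
        findings.append(Finding(rec["c_ip"], kind, uri, rec["status"]))
    return findings


def likely_compromised(findings):
    """A probe only proves an attempt; a 200 on a backdoor path shows the Trojan answered."""
    return any(f.kind in ("backdoor", "drive-access") and f.status == 200
               for f in findings)


# Constructed sample log: one host probes, then uses the backdoor successfully;
# a second host's backdoor request gets 404 (no root.exe on this server).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-08-05 03:12:44 10.0.0.23 GET /default.ida {'X' * 224}%u9090%u6858%ucbd3%u7801 200",
    "2001-08-05 03:12:59 10.0.0.23 GET /scripts/root.exe /c+dir 200",
    "2001-08-05 03:13:07 10.0.0.23 GET /c/winnt/system32/cmd.exe /c+dir 200",
    "2001-08-05 03:20:00 192.168.1.5 GET /index.htm - 200",
    "2001-08-05 03:25:11 10.0.0.77 GET /scripts/root.exe /c+dir 404",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.client:<12} {f.kind:<13} {f.status} {f.uri[:60]}")
    print("likely compromised:", likely_compromised(hits))
```

The distinction between a probe and a successful backdoor request matters in practice: every server on the Internet received probes during the outbreak, so a probe alone says nothing about the server's own state, whereas a 200 on root.exe or under /c/ means the Trojan is present and answering.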

Cooper said he was hosting a security experts' symposium called the NTBugtraq Retreat in Ontario last Saturday when independent security experts in Australia and Romania, as well as vendor labs including those of TruSecure and Symantec Corp., reported sighting the new version of Code Red. A dinner party was going on, but the 30 or so participants at the event immediately began analyzing the samples of the new variant, Cooper said.

"It turned into a 'disassembly party' as we analyzed the code," Cooper explained. Into the early hours of Sunday morning the security experts tested the code to identify its properties, and found it to be far more dangerous than its predecessors.

The latest variant can be stopped by ensuring that every Microsoft Web server gets the patch made available at www.microsoft.com for both the buffer-overflow and Trojan horse vulnerabilities identified in the past. Patching closes the entry point but does not remove a backdoor the worm has already installed; a server compromised before it was patched still has to be cleaned.

The federal government's National Infrastructure Protection Center (NIPC) warned about the Code Red worm last week and repeated its public warning about the new variant. But in spite of the enormous amount of press coverage that the NIPC warning received, owners of Web servers are failing to apply the relevant patches, said Cooper.

An estimated 400,000 Microsoft Web servers were infected last week by the original Code Red in spite of the widespread press coverage of the worm's danger. Eliminating it "just didn't work, in spite of all our reporting," Cooper pointed out.

Cooper believes there are three categories of users who haven't installed the appropriate patch on their Microsoft Web servers. The first are home or small-business users with Web servers, particularly those using high-speed Internet services such as @Home and RoadRunner. "People may not even know that junior has a Web server," Cooper noted.

The second category is companies that have simply forgotten that older Web servers exist on their intranet. Because those servers sit behind no firewall, they are in effect exposed to the Internet and are being infected by Code Red's automated search for new machines.

Finally, the news about Code Red may not have reached faraway countries where people don't typically read news reports from the West, but Microsoft Web servers there are becoming infected all the same. All in all, says Cooper, "I think I'm going to have to go on the Oprah Winfrey show to really get the message out to people."

Ellen Messmer

Computerworld