Internet Goes Red
The "Code Red" worm has ripped through Internet servers in a brutal way--more than 225,000 of them, by some reports.
The Code Red worm ripped through Internet servers like no other previously unleashed piece of malicious code. "We are witnessing Internet history," says Chris Rouland, director of Internet Security Systems X-Force, which tracks Internet vulnerabilities. Based on reports, the Code Red worm has infected over 225,000 servers.
The worm enters the targeted server through port 80. If the host is running Microsoft IIS, the worm sends a malformed HTTP GET request that attempts a buffer overflow against the Microsoft IIS Indexing Service dynamic link library. Once the worm successfully exploits the target, it starts searching for new servers to infect, and the compromised Web site is defaced.
Code Red's ultimate target was Whitehouse.gov. The worm was set to attack the White House Web site Friday, July 20, by unleashing a torrent of traffic at the site. According to Rouland, the White House managed to avoid attack by switching the site's IP address. As he explains, the author of Code Red made a critical design error by hard-coding the White House's IP address. "That won't happen next time," he says, meaning that future versions of this worm will be able to change the targeted IP address.
When the ILoveYou virus struck last year, many copycats struck in the following weeks. "I wouldn't be surprised to see many, many copycats of this worm," he predicts. In fact, reports started surfacing late Friday afternoon on the security mailing list Bugtraq that several versions may already be on the loose.
An explanation of the IIS buffer overflow vulnerability is available at CERT's Web site, as well as a link to Microsoft's patch, issued more than a month ago.
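A defender's view of the malformed GET request described above, as an added example that is not part of the original article: a log scan that flags GET requests to Indexing Service script mappings carrying an oversized query string. The `.ida`/`.idq` mappings are background knowledge rather than something the article states; the log format, the 128-character threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Script mappings handled by the IIS Indexing Service extension
# (background knowledge, not stated in the article).
INDEXING_EXTENSIONS = (".ida", ".idq")
MAX_QUERY_LEN = 128  # assumed threshold; tune against normal traffic

# Pulls client, method and request target out of a Common Log Format style line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)

def suspicious_requests(lines):
    """Return (client, path, query_length) for oversized Indexing Service GETs."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        path = parts.path.lower()  # IIS paths are case-insensitive
        if path.endswith(INDEXING_EXTENSIONS) and len(parts.query) > MAX_QUERY_LEN:
            hits.append((m.group("client"), path, len(parts.query)))
    return hits

def sources(hits):
    """Count flagged requests per client address to show which hosts are probing."""
    return Counter(client for client, _, _ in hits)

# Constructed sample log lines (documentation address ranges, filler query data).
FILLER = "X" * 300
SAMPLE_LOG = [
    f'192.0.2.10 - - [19/Jul/2001:14:02:11 +0000] "GET /default.ida?{FILLER} HTTP/1.0" 404 -',
    '198.51.100.7 - - [19/Jul/2001:14:02:12 +0000] "GET /index.html HTTP/1.0" 200 5120',
    '203.0.113.5 - - [19/Jul/2001:14:02:15 +0000] "GET /search.idq?CiRestriction=report HTTP/1.0" 200 812',
    f'198.51.100.23 - - [19/Jul/2001:14:02:19 +0000] "GET /Default.IDA?{FILLER} HTTP/1.0" 200 -',
    f'203.0.113.5 - - [19/Jul/2001:14:02:21 +0000] "GET /app.asp?q={FILLER} HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for client, path, qlen in found:
        print(f"{client} requested {path} with a {qlen}-character query string")
    print(dict(sources(found)))
```

A hit means only that the request was received; whether the server was affected depends on whether the patch had been applied.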
Is this virus threatening your company? Or has it already bitten you? Tell other IT folks what you're doing to combat the problem in the Listening Post discussion forum.