UPDATED August 3, 2001--The "Code Red" worm has faded from the spotlight, perhaps because many network administrators heeded calls to patch their IIS servers. On Aug. 1, CERT indicated that it had received more than 100,000 reports of affected systems by mid-afternoon. By Aug. 3, the SANS Institute reported that more than 375,000 unique source IP addresses had been infected, but that the rate of scanning and infection had slowed considerably and that no more than 175,000 unique machines remained infected.
It's not over yet, though, because the worm is programmed to continue scanning for vulnerable systems until August 20. When will it end? When all vulnerable systems are patched and rebooted.
If you know what Code Red is, chances are you've already patched your Microsoft IIS 4 or 5 server... but if you haven't, or if "Code Red" is news to you (where've you been, Tahiti? lucky you!), here's a short refresher course and some tips for making sure your network is protected. Two important notes:
- You must check and, if necessary, patch your IIS server ASAP to halt the cycle of scanning and infection, which began at midnight universal time on August 1.
- A few Cisco products are also affected, directly or indirectly. See "Affected Systems" below for more details, or refer to Cisco's Code Red advisory.
How the Code Red Worm Works
On July 16, we received early word of a worm that exploits the recently identified .ida ISAPI filter vulnerability on Microsoft IIS servers. This worm scans the Internet, identifies vulnerable systems, and installs itself on them. Each infected system then joins others in scanning for and infecting exploitable IIS servers, causing infections to grow exponentially, along with the traffic generated by the scanning activity.
After its discovery, the worm spread slowly at first but, on July 19, infected more than 250,000 systems in just nine hours. It then directed all infected systems to launch a distributed denial-of-service attack on www.whitehouse.gov as scheduled on July 20. White House IT administrators averted the assault, however, by shifting the WWW locator to another IP address. Code Red then disappeared from the radar.
Code Red didn't go away, however - it just took a preprogrammed nap. Embedded within the exploit are instructions to go dormant after the 20th of the month - along with instructions to reactivate on the first of the month. This means the infection-propagation-attack cycle resumed at 00:00 UTC August 1 - for those of you in the Americas, that was 8:00 p.m. EDT and 5:00 p.m. PDT on July 31, 2001.
CERT also noted that the worm probably mutated to scan for random rather than known IP addresses. The traffic associated with this growth in scanning, CERT experts feared, would directly decrease the speed of Internet links and cause sporadic but widespread outages among all types of systems. This apparently didn't materialize.
The July 19 CERT advisory (revised July 30) offers an excellent summary of the Code Red attack cycle, based on eEye Digital Security's original analysis of the worm.
Affected Systems
Systems that could be infected include:
- Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and Index Server 2.0 installed
- Windows 2000 with IIS 4.0 or IIS 5.0 enabled and indexing services installed
- Cisco CallManager, Unity Server, uOne, ICS7750, Building Broadband Service Manager (these systems run IIS)
- Cisco 600 series DSL routers
Every organization that runs Windows NT or Windows 2000 and IIS is, theoretically, vulnerable. Note that IIS is installed automatically for many applications; you must check manually to see whether or not it's enabled on your system. Windows 95, 98, and Me systems will not be affected.
For more information on the Cisco products affected and specific instructions for patching them, please see Cisco's Code Red advisory.
What to Do
To purge an infected machine of the worm, reboot it. Yep, that's it - the worm is memory-resident, which means it embeds itself in volatile memory rather than on hard drives. Rebooting the server wipes it off the machine.
Now, to protect your system from reinfection - a very real possibility given how widespread the worm already is - install Microsoft's patch for the .ida ISAPI IIS vulnerability:
Microsoft has posted a description of the patch, installation instructions, and detailed information on the vulnerability it addresses at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp.
You'll find step-by-step instructions for installing the patch at www.digitalisland.net/codered. eEye also offers a CodeRed Scanner at http://www.eeye.com/html/Research/Tools/codered.html.
CERT also asks all affected organizations to report Code Red activity. If you find that any machines under your administrative control are compromised, please email cert@cert.org with "[CERT#36881]" included in the subject line.
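Because the worm announces itself by firing requests at the .ida ISAPI filter (see "How the Code Red Worm Works"), the quickest way to learn whether your server was probed, and which source addresses to include in a report to CERT, is to read the IIS logs. The script below is an added example written for this article, not code from the article, CERT, eEye or Microsoft. It assumes the server writes the W3C extended log format (the one with a "#Fields:" header naming the columns), treats any request for a .ida resource with an oversized query string as a probe (the 200-character threshold is an assumption chosen for the example), and works from a constructed log excerpt embedded in the file.

```python
"""Find .ida probe attempts in IIS W3C extended log lines.

Added example, not from the original article. Assumes W3C extended format
with a "#Fields:" header. The sample log below is constructed for
illustration; the long run of "N" stands in for the oversized query the
worm's probe carries.
"""
from collections import Counter

# Assumption: legitimate .ida queries are far shorter than this.
IDA_QUERY_THRESHOLD = 200

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-01 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-08-01 00:00:05 192.0.2.10 GET /index.html - 200 Mozilla/4.0
2001-08-01 00:01:12 198.51.100.7 GET /default.ida {probe} 200 -
2001-08-01 00:01:40 192.0.2.10 GET /images/logo.gif - 200 Mozilla/4.0
2001-08-01 00:03:03 203.0.113.55 GET /default.ida {probe} 200 -
2001-08-01 00:04:20 198.51.100.7 GET /default.ida {probe} 200 -
2001-08-01 00:05:00 192.0.2.22 GET /search.ida q=test 200 Mozilla/4.0
""".replace("{probe}", "N" * 240)


def parse_w3c(text):
    """Parse W3C extended log text into a list of {field: value} dicts.

    Column names come from the most recent "#Fields:" directive, so the
    parser does not depend on a particular IIS field selection.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no requests
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misattribute columns
        records.append(dict(zip(fields, values)))
    return records


def is_ida_probe(record, min_query_len=IDA_QUERY_THRESHOLD):
    """True when a request targets a .ida resource with an oversized query."""
    stem = record.get("cs-uri-stem", "").lower()
    query = record.get("cs-uri-query", "-")
    if query == "-":  # W3C writes "-" for an absent query string
        query = ""
    return stem.endswith(".ida") and len(query) >= min_query_len


def find_ida_probes(records, min_query_len=IDA_QUERY_THRESHOLD):
    """Return only the log records that look like .ida probes."""
    return [r for r in records if is_ida_probe(r, min_query_len)]


def summarize_probes(probes):
    """Per-source counts plus first/last timestamps: what a report needs."""
    by_source = Counter(p["c-ip"] for p in probes)
    stamps = sorted(f'{p["date"]} {p["time"]}' for p in probes)
    return {
        "probe_count": len(probes),
        "unique_sources": len(by_source),
        "by_source": dict(by_source),
        "first_seen": stamps[0] if stamps else None,
        "last_seen": stamps[-1] if stamps else None,
    }


def scan_log(text):
    """Parse, filter and summarize one log file's text in a single call."""
    return summarize_probes(find_ida_probes(parse_w3c(text)))


if __name__ == "__main__":
    for source, hits in scan_log(SAMPLE_LOG)["by_source"].items():
        print(f"{source}: {hits} .ida probe(s)")
```

Run it against a real log by reading the file into `scan_log`; the `/search.ida` line shows why the length threshold matters, since a short, ordinary query against an .ida resource is not flagged. The summary's `by_source` addresses and `first_seen` time are the details to carry into a CERT report.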
©2001 8wire, Inc. All rights reserved.