Code Red II: Worst May Be Yet to Come

By Dennis Fisher  |  Posted 2001-08-13

As the Code Red II worm tore through the Internet last week, infecting servers at Microsoft Corp. and causing outages around the country, security experts worried that this latest attack is just a dry run for crackers gearing up for something far worse.

The worm, which first appeared Aug. 4, uses the widely publicized .ida buffer-overflow vulnerability in Microsoft's Internet Information Server 4.0 Web software—and its successor, Internet Information Services 5.0—to compromise machines running Windows 2000. It also plants a backdoor, leaving the infected machines open to future attacks. However, unlike earlier Code Red worms, this latest version cannot compromise servers running Windows NT 4.0, which represent the vast majority of the nearly 6 million IIS machines on the Internet.
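As an added defensive example (not code from the article or from any vendor it quotes), the following Python scans IIS-style W3C log lines for requests to .ida/.idq resources that carry an oversized or single-character-run query string, the shape of the probe the Code Red family sent at the .ida overflow. The log lines, the field layout and the thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Query length above which a request to an .ida/.idq resource is treated as an
# overflow attempt; real Index Server queries are far shorter (assumed threshold).
MAX_SANE_QUERY = 200
IDA_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)
REPEATED_RUN = re.compile(r"(.)\1{99,}")  # 100 or more copies of one character

def parse_line(line):
    """Split an assumed W3C layout: date time c-ip method uri-stem uri-query status."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {"ts": f"{date} {time}", "ip": ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}

def classify(entry):
    """Return a reason if the request looks like an .ida overflow probe, else None."""
    if not IDA_STEM.search(entry["stem"]):
        return None
    if len(entry["query"]) > MAX_SANE_QUERY:
        return f"oversized .ida query ({len(entry['query'])} bytes)"
    if REPEATED_RUN.search(entry["query"]):
        return "long repeated-character run in .ida query"
    return None

def scan_log(text):
    """Return (timestamp, ip, reason) for each suspicious line; unparsable lines are skipped."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reason = classify(entry)
            if reason:
                findings.append((entry["ts"], entry["ip"], reason))
    return findings

def sources(findings):
    """Count suspicious requests per client address, to spot scanning hosts."""
    return Counter(ip for _, ip, _ in findings)

# Constructed sample log: two probes from one host (a long run of X, no real payload),
# one ordinary Index Server query, and one shorter repeated-character request.
PROBE = "X" * 240
SAMPLE_LOG = "\n".join([
    "2001-08-06 10:15:01 192.0.2.10 GET /index.html - 200",
    f"2001-08-06 10:15:07 198.51.100.7 GET /default.ida {PROBE} 200",
    "2001-08-06 10:15:09 192.0.2.22 GET /search.idq CiRestriction=firewall 200",
    f"2001-08-06 10:16:30 198.51.100.7 GET /default.ida {PROBE} 404",
    "2001-08-06 10:16:31 192.0.2.30 GET /default.ida " + "A" * 120 + " 200",
])

if __name__ == "__main__":
    for ts, ip, why in scan_log(SAMPLE_LOG):
        print(ts, ip, why)
    print(sources(scan_log(SAMPLE_LOG)))
```

A 200 status on a flagged line is worth extra attention, since the overflow is delivered in the request itself and the server can answer normally after it has already been compromised.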

The decision by the Code Red II worm's author to attack the smaller base of Windows 2000 machines has led many experts to believe that it is simply a warm-up for a future attack. "It would be pretty simple to make it attack NT 4.0 machines," said Dan Ingevaldson, senior researcher with the X-Force at Internet Security Systems Inc., in Atlanta. "I think it's pretty obvious that the lessons learned from the first [Code Red] were used to write this one."

Buffer overflows are among the most common software vulnerabilities, and experts say it would not be difficult for a worm author to adjust his code to exploit another such flaw.

Officials at Microsoft, of Redmond, Wash., which saw some of the servers behind its Hotmail e-mail service infected by Code Red, said the fact that Code Red II compromises only Windows 2000 servers is beside the point and was likely an arbitrary choice by the worm's author. Security experts disagree, saying that the absence of an NT 4.0 compromise is likely a mistake that either the worm's creator or another cracker will find and fix soon enough.

Rocket Fuel