Code Red worm/virus info
- If you, like me, have been hearing a lot about
'Code Red' you may want to find out more about it.
I thought I'd send the following:
>FAQ: The Code Red threat
>By CNET News.com Staff
>July 31, 2001, 6:00 p.m. PT
>CNET News.com answers common questions about the Code Red worm:
>When will the Code Red worm strike?
>The worm became active at 5 p.m. PDT Tuesday, potentially launching a new
>round of infections that could slow parts of the Internet.
>What is Code Red?
>Named after a caffeine drink favored by computer programmers, the Code Red
>worm takes advantage of a hole in Microsoft's Internet Information Server
>(IIS) Web server software. Starting on July 13 it may have infected more
>than 350,000 servers worldwide, launching a massive denial-of-service (DoS)
>attack against the White House's official Web site.
>The most recent version of the worm fixes a flaw in the way it searches for
>and records addresses of vulnerable servers. That means the worm could be
>more virulent as it returns to action Tuesday, launching a data flood that
>could potentially overwhelm many servers and slow large swatches of the
>Should everyone be worried about an infection?
>No. If you are a home computer user running Windows 95, Windows 98 or
>Windows Me--or any non-Microsoft operating system--the worm cannot infect
>your system. Only computers running Windows NT or Windows 2000 and IIS can
>be infected with this worm. The worm doesn't destroy data, but it could be
>modified to do so. Only computers set to use the English language will have
>their Web pages defaced.
>Code Red also can damage smaller networks by calling attention to a
>vulnerability in Cisco Systems' 600 series DSL routers. The worm could cause
>the router to stop forwarding traffic.
>Although it won't infect home computers, users may experience delays or
>malfunctioning of their favorite Web sites because of worm-generated surges
>in Internet traffic. Because of that and the danger it poses to Microsoft
>Web servers, Microsoft, federal security agencies and trade groups hosted a
>globally televised press conference Monday to urge businesses to install a
>software patch that prevents infection.
>Is there a particular target of the DoS attacks?
>Yes. From the 20th of every month to the 28th, the worm targets an IP
>address formerly associated with the White House Web site, flooding it with
>data in an attempt to knock it offline.
>The White House took precautions against it, changing its numerical Internet
>address to dodge the attack. Last week, the Pentagon shut down public access
>to all of its Web sites temporarily to purge and protect them. But security
>experts say virus writers could easily alter the worm so it could attack
>If most people are safe, why are the media, Microsoft and the government
>making such a big deal of it?
>Rob Rosenberger, editor of the Vmyths.com news service, said the FBI's new
>National Infrastructure Protection Center has over-hyped the worm to boost
>its public profile, in the process prompting many people unaffected by the
>worm to waste time trying to download and install patches.
>"Vmyths.com believes they launched a 'Code Red publicity tour' largely to
>improve their image," Rosenberger said of the FBI. "They suffered intense
>humiliation last week when (NIPC) Director Ron Dick faced an irate Senate
>Why is the worm coming back?
>Code Red remains active between the first of the month and the 28th, when it
>goes into hibernation. While the worm does not reactivate itself
>automatically, anyone sending a copy of the worm once the active period
>begins--in this case at midnight GMT Aug. 1, or 5 p.m. PDT Tuesday--would
>start a new round of infections to attack mode and barrage the
>whitehouse.gov Internet domain with large packets of data.
>Who created the worm?
>It's unclear. At first, officials suspected that the worm originated in
>China because some infected Web sites were defaced with the message, "Hacked
>by Chinese." But a Chinese network safety official denied those allegations
>Whose fault is it?
>Many people blame Microsoft, whose server software contains a vulnerability
>that enables Code Red to infect servers. Microsoft has also been criticized
>for allowing other worms, such as those that have spread through the Outlook
>e-mail software by taking advantage of Microsoft's support for Visual Basic
>scripts. Microsoft last month botched and apologized for two patches for a
>flaw in its Exchange e-mail server software.
>Can anyone stop the worm?
>Maybe. Security experts could create an automated patching worm, which would
>spread around the Net and infect vulnerable machines to install the patch.
>Another idea is an automated program that--when attacked by a server
>infected with the worm--would attack back, hacking the server, deleting the
>worm and closing the hole. Such code is called "hack-back."
>But the ethics of the hack-back approach are murky. Security expert and
>hacker Max Butler, also known as Max Vision, started an 18-month prison term
>last month for creating a worm that essentially closed security holes on
>vulnerable servers. The worm also left an open back door into the servers,
>casting doubt on Butler's altruistic intentions.
>The FBI has dismissed using any hack-back tactic as well. "It is not
>something that we could consider," said spokeswoman Debbie Weierman. "It
>would basically be viewed as an unauthorized intrusion."
>What has the tech industry learned from this worm and several other
>high-profile worms in recent months?
>Many security experts are questioning the whole approach of expecting
>software customers to download and install fixes to prevent a particular
>issue--also known as the "patch and pray" technique.
>Instead of fixing buggy software, the focus should be on locking down
>computer systems to prevent activity that could be compromising, said Randy
>Sandone, CEO of security software maker Argus Systems Group.
>Christopher W. Klaus, founder of software and services company Internet
>Security Systems, advocates an approach called "vulnerability scanning" that
>routinely examines computer systems for possible security threats.