SAN FRANCISCO (Reuters) - A smarter and nastier version of the "Code Red" worm is spreading across the Internet, potentially exposing sensitive information and setting infected computers up to launch attacks on other Web servers, security experts said on Monday.

The new worm, dubbed "Code Red II," surreptitiously infects computers running Microsoft's Windows NT or 2000 operating systems and its Internet Information Server Web server software, and then spreads to other machines.

The malicious program, which first surfaced on Saturday, is not spreading any faster than its predecessor, but it could prove to be far more damaging because of the way it leaves servers vulnerable to future hacking, experts said.

"Every single human being on the Internet with a clue can break into your server if you have been infected by Code Red II," said Alan Paller, research director at the Systems Administration, Networking and Security Institute (SANS).

"If you have credit card numbers stored on your Web server you have to consider them forfeit," Paller added.

Computers infected by the virus are easy targets for malicious hackers, who could find potential victims simply by looking at the Internet addresses of the computers that are scanning their own Web-connected computers, experts said.

"The people who run Web sites are frantic," Paller said. "The companies that run big Web hosting services, they're just getting hammered."

Code Red II installs a "back door" on an infected machine that would allow anyone using a Web browser to remotely access the server and execute commands, said Elias Levy, chief technology officer at SecurityFocus.com.

The new worm also allows a remote attacker to access files on the computer's "C" and "D" drives, Levy said.

"We're seeing some indication that people are starting to look through the back doors," said Levy, who captured a version of the new worm on Saturday.

"The number of potentially vulnerable machines has gone down," Levy said. However, Code Red II "is a lot more aggressive and fast than the old worm."

Machines infected by Code Red I scan 100 other computers at a time looking for vulnerable computers to infect, Levy said.

Machines infected with Code Red II that run Chinese-language versions of the Microsoft software can scan and spread to 600 other computers simultaneously; all other infected computers can spread to 300 other machines simultaneously, Levy said.

Code Red II is also able to move more quickly than Code Red I because it doesn't wait for connections to time out when scanning other computers that might be unreachable, Levy said.

The new worm also doesn't just scan random numeric Internet protocol (IP) addresses looking for new computers to infect, but selects IP addresses that look like they may be in the same network as the infected computer, to increase the likelihood of finding susceptible victims, Levy added.

For instance, digital subscriber line and cable modem users are being heavily scanned by others who use the same network service, experts said.
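
Both the back door and the network-local scanning described above leave traces in a Web server's own access log. The following is an added example, not part of the Reuters article: it classifies constructed IIS-style log lines using the publicly documented request forms of the worm (an overlong /default.ida request padded with X for Code Red II and N for Code Red I) and of the Code Red II back door (root.exe under /scripts or /msadc, and /c or /d paths exposing the drives), and notes whether each suspicious client sits in the server's own /8 or /16. The server address 10.20.30.1 and every log line are constructed.

```python
import re
from collections import Counter

# Constructed IIS W3C-style log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2001-08-06 10:01:02 10.20.30.40 GET /index.htm - 200
2001-08-06 10:01:05 10.20.31.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404
2001-08-06 10:01:09 10.20.31.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 404
2001-08-06 10:02:11 192.0.2.55 GET /scripts/root.exe /c+dir 200
2001-08-06 10:02:30 192.0.2.55 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-06 10:03:00 10.20.30.41 GET /about.htm - 200
"""

# Probe: the worm's overlong .ida request; Code Red II pads with X, Code Red I with N.
PROBE_STEM = "/default.ida"
PROBE_PAD = re.compile(r"^(X{20,}|N{20,})")
# Back door left by Code Red II: root.exe (a copy of cmd.exe) under /scripts or /msadc,
# plus the /c and /d virtual roots that expose the C: and D: drives through the browser.
BACKDOOR = re.compile(r"^/(scripts|msadc)/root\.exe$|^/[cd]/winnt/system32/cmd\.exe$", re.I)

def classify(line):
    """Return (client_ip, tag); tag is None for ordinary traffic or a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None, None
    client, stem, query = fields[2], fields[4], fields[5]
    if stem.lower() == PROBE_STEM:
        m = PROBE_PAD.match(query)
        if m:
            return client, "codered2-probe" if m.group(1)[0] == "X" else "codered1-probe"
    if BACKDOOR.search(stem):
        return client, "backdoor-use"
    return client, None

def same_network(a, b, octets=1):
    """True if two dotted-quad addresses share their first `octets` octets (/8 by default)."""
    return a.split(".")[:octets] == b.split(".")[:octets]

def summarize(log_text, server_ip):
    """Count suspicious events per client and note whether it is in the server's /16, /8 or remote."""
    events = Counter()
    for line in log_text.splitlines():
        client, tag = classify(line)
        if tag:
            events[(client, tag)] += 1
    report = {}
    for (client, tag), n in events.items():
        scope = "/16" if same_network(client, server_ip, 2) else "/8" if same_network(client, server_ip) else "remote"
        report.setdefault(client, {})[tag] = (n, scope)
    return report
```

A client that probes from inside the server's own /16 is exactly the "same network" behaviour the article describes, so the scope column separates neighbouring infections from remote ones.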

"It will tend to sweep through an entire operation," said Paller.

There appear to be an estimated 150,000 to 160,000 Web-connected computers infected with one worm or the other, and around 70,000 infected by both worms, Levy said.

That is a large number considering that it takes only 200 computers to effectively shut down a Web site by launching a distributed denial of service attack, Paller said. In a denial of service attack a Web site is bombarded with so much traffic that no one else can access the site.

Code Red originally was written to launch such an attack on the White House Web site (http://www.whitehouse.gov), but the attack was averted by changing the IP address of the Web server in July.

The worm was written to go dormant on the 28th of the month, but infected computers with incorrect internal clocks caused the worm to begin spreading again on Aug. 1.

More infections are being spread from the U.S., Korea and China than from other countries; however, experts still don't know the origin of either worm, Levy added.

Code Red first became a threat in mid-July, hitting an estimated 350,000 machines. Another version of the worm has hit an estimated 540,000 computers since Aug. 1, but many of those are likely reinfections of the same computer.

The worm caused no significant impact on overall Internet performance last week, but it did overload some routers and Web sites, forcing them to be taken off-line or to crash.

Network Associates' McAfee anti-virus software detects and removes the back door that Code Red II installs, but the software patch provided by Microsoft is needed to prevent future infections, experts said.

A free software patch with instructions remains available (http://www.digitalisland.net/codered/). The Mercury Interactive Web site is also offering free vulnerability scans for Code Red (http://atsecurecheck.mercuryinteractive.com/codered).