Information on Code Red IIS worm
A malicious piece of code, operating as a computer
worm, is exploiting unpatched IIS servers on the Internet. This worm,
dubbed "Code Red", exploits a security vulnerability in the Windows NT4
and Windows 2000 Index Services, and may result in one of several
outcomes, including web site defacement and installation of Denial of
Service tools. A patch for this vulnerability was released on June 18th,
2001, and is discussed in Microsoft Security Bulletin
MS01-033.
Analysis of the Code Red worm shows that it will infect unpatched IIS
servers—first defacing the web page, and then loading malicious code that
could be used in launching Distributed Denial of Service (DDoS) attacks.
The defaced web page may contain the words "Hacked by Chinese!" and a link
to http://www.worm.com, while the DDoS code appears to prepare the system
to launch an attack against www.whitehouse.gov. Upon compromising the
system, the worm attempts to propagate itself to other unpatched IIS
systems on the Internet.
The patch provided in Microsoft Security Bulletin
MS01-033 eliminates the vulnerability exploited
by the worm, and systems that have applied the patch are not vulnerable to
this attack. Systems that have been compromised by this worm should be
removed from the network and the software and data reinstalled as
specified in the guidelines drafted by the CERT(r) Coordination Center -
available at
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html.
Customers should apply the patch discussed in MS01-033 to the restored
system to prevent future vulnerability to this attack.
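Because the worm keeps trying to propagate to other IIS systems, the web server logs of a patched or restored server can show which hosts are still sending these requests. The following is an added example, not part of the original advisory: a Python scan of IIS W3C extended logs for requests to the Index Server script mappings (.ida, .idq) that carry an unusually long query string. The 200-character threshold, the field names relied on, and the sample log lines are assumptions constructed for illustration.

```python
"""Added example: flag oversized requests to Index Server ISAPI mappings in IIS W3C logs."""
import sys
from collections import Counter

INDEX_EXTS = (".ida", ".idq")   # script mappings served by the Index Server ISAPI extension
MAX_QUERY_LEN = 200             # assumed threshold; tune against the site's normal traffic

_FILL = "N" * 224               # constructed filler standing in for an overlong query
SAMPLE_LOG = [                  # constructed log lines using documentation-range addresses
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 192.0.2.10 GET /index.html - 200",
    "2001-07-19 14:02:15 198.51.100.7 GET /default.ida " + _FILL + " 200",
    "2001-07-19 14:03:40 192.0.2.10 GET /search.idq CiScope=/ 200",
    "2001-07-19 14:05:02 198.51.100.7 GET /default.ida " + _FILL + " 200",
    "2001-07-19 14:06:30 203.0.113.4 GET /DEFAULT.IDA " + _FILL + " 500",
]

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def suspicious_requests(lines, max_query_len=MAX_QUERY_LEN):
    """Return requests to .ida/.idq whose query string exceeds max_query_len."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if stem.endswith(INDEX_EXTS) and len(query) > max_query_len:
            hits.append(rec)
    return hits

def sources(hits):
    """Count flagged requests per client address."""
    return Counter(rec.get("c-ip", "?") for rec in hits)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            found = suspicious_requests(fh)
    else:
        found = suspicious_requests(SAMPLE_LOG)
    for ip, count in sources(found).most_common():
        print(f"{ip}\t{count} oversized .ida/.idq request(s)")
```

A match shows that a request of this shape was received, not that the server was compromised; patch status under MS01-033 decides that.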