Code Red plague on the rampage

by James Middleton

20 Jul 2001

The Code Red worm, which began its trail of destruction earlier this week, is spreading fast and this morning defaced Microsoft's Windows update site.

The knock-on effects from this fast-spreading IIS server worm are causing more problems for network kit because it attacks anything that uses HTTP, including Linux servers and printers.

Earlier this morning [Friday], windowsupdate.microsoft.com was defaced with the worm's characteristic statement: "Hello! Welcome to http://www.worm.com! Hacked by Chinese!"

Microsoft has since fixed the hack, but suffered the embarrassment of revealing that it did not update its own servers with the latest security patches.

The Code Red worm exploits a known buffer overflow vulnerability in the ISAPI extension in the Index Server of Windows 2000 and XP beta, for which Microsoft released a patch in June.

Paul Rogers, network security analyst at MIS, suggested that if the Windows update server had been open to this vulnerability for a month now, "who's to say someone didn't break in without doing anything so obvious as defacing the site, and Trojan some of the Windows update files."

He said that knock-on effects from the worm, which is programmed to break into Port 80 and deface a site, were causing other network problems.

Cisco has released an advisory warning that it may affect some of its kit, "and print servers are crashing too," said Rogers. "Basically anything accepting HTTP requests is getting DoS'ed," he added.

The White House, which was the original target for the worm's built-in denial of service command, managed to sidestep the torrent of data by shifting whitehouse.gov to a different IP address.

But Rogers said that as more info is gleaned about the worm, "it seems that it is programmed to lie dormant for some period after this weekend, and that means it could attack again."

The required patch to protect your IIS servers from this worm can be found here.
