Worm ups the ante in possible virus attacks.
vnunet.com, 10 Aug 2001
In the wake of the Code Red virus, security watchers have pointed out that millions of IT administrators and web users are now in possession of an exhaustive list of web servers vulnerable to attack.
Speculative calculations suggest that these figures could be nearing the quarter of a million mark.
When Code Red has infected and settled into a new host, it starts scanning the internet for more vulnerable machines.
Every machine or firewall it hits logs the attempt in a log file, and now these log files on every web server out there contain a very long list of machines that have been infected and are still vulnerable.
The ISAPI .ida exploit used by Code Red to break into NT boxes is common knowledge.
And even though Microsoft assures us that the patch to stop the attack has been downloaded a few million times, there are still a few more million vulnerable web servers out there.
Anyone with a list of these wide-open boxes, gleaned from their server logs, has the potential to anonymously take over a few thousand servers overnight, with full administrator-level access.
US software consultant Braddock Gaskill, who wrote a White Paper (http://braddock.com/cr2.html) on the methodology behind this security flaw, said that an intruder could simply break into infected machines, read their log files and thus acquire a whole new range of vulnerable IP addresses.
"I've got one machine that has hit me with HTTP probes over 200 times in the last week. I've tried to contact the admin, but no luck. My next temptation is to crack into the box and just wipe it to stop the annoying alerts I get every few hours," he said.
He added that the strong recommendation from this report is that "as part of any CodeRed II recovery effort, the system web logs should immediately be destroyed, and Intrusion Detection Systems should be checking for and tracing recursive attempts to access web logs though the backdoor.
"In addition, the backdoor could conceivably be used with such a list of hosts to purge the worm and close the backdoors of all affected hosts," he said.
In the aftermath of the Code Red outbreak, experts suggested that the hysteria surrounding the worm may have been at least partly responsible for its failure to bring the internet to its knees. Although some reports were labelled as scaremongering, they may have prompted administrators to harden their servers against attack and ultimately stemmed the spread of the worm. But now a second variant of Code Red has appeared, it remains to be seen if the large number of still unpatched servers out there will help the worm spread further yet.
FBI warns that the worm is set for 'hyper growth' and that as many as 350,000 PCs could be infected.
First Looks Editor Ian Williams gets hands on with the Sony Ericsson Xperia X1
Google's announcement this week that it plans to step into...
Do you agree?
Have your say on this article