Prepare for Code Red to rear its head again

By William Jackson

GCN Staff


JULY 30—If you thought the Code Red worm was behind you, think again. The federally funded CERT Coordination Center reports that the self-propagating malicious code, which infected as many as 280,000 computers in a matter of hours on July 19, could come back to life at 8 p.m. EDT tomorrow.

According to the advisory posted at www.cert.org, researchers found that the worm is programmed to go into a propagation mode from the 1st through the 19th of each month, beginning at midnight Greenwich Mean Time (8 p.m. EDT). Copies of the worm on infected machines scan the Internet trying to connect to TCP Port 80. On servers running unprotected versions of Microsoft Internet Information Server, the worm exploits a buffer overflow in the IIS Indexing Service DLL and installs a copy of itself, which begins scanning for new victims.

Although the code is not programmed to launch denial-of-service attacks until the 20th through the 27th of the month, scanning traffic during the propagation phase could slow Internet service and completely block some addresses.

'Our analysis estimates that starting with a single infected host, the time required to infect all vulnerable IIS servers could be less than 18 hours,' the advisory warns.

Because the worm resides in memory, rebooting a server will eliminate it. To protect against infection, administrators should download Microsoft Corp.'s patch for Windows NT 4.0 or Windows 2000 Professional, Server and Advanced Server from the company's Web site at www.microsoft.com and install it.
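For administrators who want to check their own networks for the scanning behavior described above, the following added example (not part of the original article or the CERT advisory) maps a timestamp to the worm's phase by GMT day of month and flags hosts that contact many distinct addresses on TCP port 80 during the propagation window. The log format, the sample records, the function names and the threshold of 4 are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: "<ISO timestamp with offset> <src> <dst> <dst port>"
SAMPLE_FLOWS = [
    "2001-07-31T19:50:00-04:00 10.0.0.5 192.0.2.1 80",    # before midnight GMT
    "2001-07-31T20:01:00-04:00 10.0.0.5 192.0.2.10 80",
    "2001-07-31T20:01:01-04:00 10.0.0.5 198.51.100.7 80",
    "2001-07-31T20:01:02-04:00 10.0.0.5 203.0.113.9 80",
    "2001-07-31T20:01:03-04:00 10.0.0.5 192.0.2.44 80",
    "2001-07-31T20:02:00-04:00 10.0.0.8 192.0.2.10 80",   # a single destination
    "2001-07-31T20:02:05-04:00 10.0.0.8 192.0.2.10 443",  # not port 80
]

def worm_phase(ts):
    """Phase for a timezone-aware datetime, using the schedule in the article."""
    day = ts.astimezone(timezone.utc).day  # the schedule is keyed to GMT
    if 1 <= day <= 19:
        return "propagation"
    if 20 <= day <= 27:
        return "denial-of-service"
    return "not described"  # the article gives no behavior for later days

def find_scanners(flows, threshold=4):
    """Map each source to its count of distinct TCP 80 destinations during
    the propagation phase, keeping only sources at or above the threshold."""
    targets = defaultdict(set)
    for line in flows:
        stamp, src, dst, dport = line.split()
        ts = datetime.fromisoformat(stamp)
        if int(dport) == 80 and worm_phase(ts) == "propagation":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct port-80 destinations, possible scanning")
```

On a real network the threshold has to be tuned against normal traffic, since Web proxies and crawlers also contact many port-80 hosts.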
