A new worm, Code Red, is making the rounds on the Internet. Code Red plays on an existing security-related bug in Microsoft Internet Information Server (IIS)-based Web servers. Microsoft made a patch available for the bug on June 18, yet countless Web servers apparently remain unpatched—including Microsoft's own Windows Update Web site. An alert reader informed Windows 2000 Magazine yesterday that the worm had, in fact, penetrated the Windows Update site. The worm changes the home page of sites that it attacks to read, "Welcome to http://www.worm.com !, Hacked By Chinese!"
According to eEye Digital Security, a company that reverse-engineered the worm to learn its purpose and how it works, says that the worm appears to be an effort to cause a massive Denial of Service (DoS) attack against the US Whitehouse Web site. When the worm infects a system, it starts 100 threads on the system, each running a copy of the worm. Ninety-nine of the threads further propagate the worm, while the remaining thread checks the system it's running on to determine whether the system is based in English. If the system is running an English version of Windows, the worm changes the site's home page. If the system is not based on the English version of Windows, the worm uses the remaining thread to propagate itself with the other 99 threads.
The worm infects systems by playing on a known issue centered around .ida and .idq files related to IIS Web servers. According to Microsoft's bulletin MS01-033, the security bug stems from a glitch in the idq.dll file, which contains an unchecked buffer. An attacker using the worm can exploit the buffer to take any actions an attacker desires. Although the .ida and .idq files pertain to the Index Service and Indexing Service that's related to IIS, the indexer doesn't need to be running for an attacker to take advantage of the bug.
The worm is spreading rapidly, and Microsoft suggests that users to patch their systems immediately. The worm points out once again the need to review all security bulletins and alerts and to apply any associated patch as quickly as possible.
eEye has made a document available that contains the fully disassembled Code Red worm code with a detailed analysis of the worm's full activity. The document and a detailed bulletin regarding the Code Red worm are available at eEye's Web site.
The Computer Emergency Response Team (CERT) has also issued a bulletin regarding the worm. In addition to the bulletin, CERT has also made available a document that guides Windows and UNIX users through the steps necessary to recover from a system compromise.
