Network administrators braced themselves Tuesday night for the next incarnation of Code Red, the worm that first poked its head out of the dirt on July 13. But overnight news reports noted that the worm did not assault Web sites last night with denial-of-service attacks. Microsoft Internet Information Servers (IIS) were left to sleep in peace, possibly due to the diligence of administrators who downloaded a patch for the worm. Microsoft said Tuesday that more than one million patches were downloaded.
On Monday, several agencies, including Carnegie Mellon's CERT Coordination Center, SANS Institute and the Federal Computer Incident Response Center (FedCIRC), had issued warnings regarding Code Red. The new incarnation could have been more dangerous due to mutations. Every organization and person using Windows NT or Windows 2000 systems and the IIS Web server software could have been a potential victim, according to the CERT Web site.
Yet, the next worm may not lie so dormant, or the gatekeepers may not be so vigilant. Code Red spread itself by searching for a vulnerability on IIS and leaving its code on the server. It then looked for other systems to infect by generating random Internet Protocol (IP) addresses. During its first phase, it spread. In the second phase, Code Red lay dormant, and in the third phase, it launched coordinated denial of service attacks. The last Web site to be targeted was the U.S. White House's address, according to Matthew Kovar, director of security solutions & services research at Yankee Group, based in Boston.
Of course, all the chaos of receiving the virus can be avoided if the server's administrator downloads the latest security patch from Microsoft, he said. And apparently, most network administrators heeded the warnings leading up to last night's expected reactivation.
To avoid other Code Red-like worms, security intelligence is an option, Kovar said. Security intelligence involves understanding the vulnerabilities and threats in a system. A variation on that is security intelligence services, which actually alert network administrators to system holes that worms can wiggle through and offer a fix particular to that system, Kovar said.
"I use the analogy to (the Greek character) Pi. Threats and vulnerabilities never repeat themselves exactly and never end," he said. Code Red, for example, combines two types of viruses which, by themselves, are not that serious.
The fact that Code Red -- and its inevitable offspring -- attacks other computers is serious, however. Kovar believes that companies should be held responsible if their computers participate in a denial of service attack. To avoid the liabilities associated with that, network administrators should check outbound connection logs and perform a rudimentary analysis on the router to discover which IP addresses are being hit, he said.
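The outbound-log check Kovar describes, as an added example that is not from the article or from any product it mentions: it parses constructed sample log lines, reports which outside addresses are being hit, and flags internal hosts whose outbound pattern resembles the worm's scanning phase or its denial-of-service phase. The log format, the addresses and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed outbound-connection log (sample data, not from the article).
# Assumed line format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2001-07-31T22:00:01 src=10.0.0.5 dst=198.51.100.7 dport=80
2001-07-31T22:00:01 src=10.0.0.5 dst=198.51.100.7 dport=80
2001-07-31T22:00:02 src=10.0.0.5 dst=198.51.100.7 dport=80
2001-07-31T22:00:02 src=10.0.0.5 dst=198.51.100.7 dport=80
2001-07-31T22:00:04 src=10.0.0.9 dst=203.0.113.12 dport=80
2001-07-31T22:00:04 src=10.0.0.9 dst=203.0.113.88 dport=80
2001-07-31T22:00:05 src=10.0.0.9 dst=192.0.2.41 dport=80
2001-07-31T22:00:05 src=10.0.0.9 dst=192.0.2.200 dport=80
2001-07-31T22:00:07 src=10.0.0.3 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse_log(text):
    # Return (src, dst, dport) tuples; lines that do not match are skipped.
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m.group(1), m.group(2), int(m.group(3))))
    return records

def destination_hit_counts(records):
    # Which outside addresses are being hit, most-hit first.
    return Counter(dst for _, dst, _ in records)

def flag_sources(records, dos_threshold=4, scan_threshold=4):
    # Flag internal hosts whose outbound pattern resembles the worm:
    #   "dos"  - many connections from one host to a single destination (phase 3)
    #   "scan" - one host opening port 80 to many distinct addresses (phase 1)
    per_pair = Counter((src, dst) for src, dst, _ in records)
    web_targets = defaultdict(set)
    for src, dst, dport in records:
        if dport == 80:
            web_targets[src].add(dst)
    flags = defaultdict(list)
    for (src, dst), n in per_pair.items():
        if n >= dos_threshold:
            flags[src].append(("dos", dst, n))
    for src, targets in web_targets.items():
        if len(targets) >= scan_threshold:
            flags[src].append(("scan", len(targets)))
    return dict(flags)
```

The thresholds are deliberately low so the small sample trips them; on a real network they are tuned against normal traffic volume before being used for alerting.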
A large company with a large data pipeline, once infected with Code Red, could easily shut down a company that relies on a T1 line. The most likely conduits could be university and research centers, where large bandwidth is available, according to Kovar.
"The line of logic says companies should be looking to secure online assets in the same way they secure brick-and-mortar assets," Kovar said. E-risk insurance is one way of doing this.
There are also products from Top Layer, Niksun, Arbor Networks, Asta Networks and Captus Networks that can monitor the traffic flowing through a network and stop a denial of service attack. These work by giving traffic that appears to be headed to a single address less bandwidth than the rest of the network's traffic, he said.
And if Code Red or one of its relatives does make an appearance on a system, network administrators need to reboot the system and install the patch. The worm burrows itself in RAM, so it will disappear after the reboot, Kovar said.