A new version of the Code Red worm has surfaced, but experts say it will have a fraction of the traction previous versions enjoyed.
The major difference between Code Red.F and its predecessors, which appeared in July 2001, is that it no longer contains the kill switch that prevented the original worm from activating itself if the year was greater than 2001. Code Red.F has a slight tweak that makes the new variant reboot when the year is equal to or greater than 34952. As Code Red only resides in memory, restarting an infected system would wipe it out.
Like the previous versions, Code Red.F exploits a buffer overflow in Microsoft's Internet Information Services (IIS) Web server, versions 4.0 and 5.0. Current antivirus signatures would also detect Code Red.F. Systems patched following the original Code Red outbreaks are also protected against Code Red.F.
The only systems that would be susceptible to Code Red.F would probably also be infected with other versions of the worm, said Russ Cooper, surgeon general at TruSecure Corp., a Herndon, Va., managed security services provider. "Code Red.F would just replace the existing Code Red on the system," he said.
While the patch that plugs the buffer overflow has been available since June 18, 2001, there are still some vulnerable systems out there, Cooper said. Antivirus companies are reporting moderate infection rates.
"We like to think everybody is interested in this stuff," Cooper said, noting that some enterprises just don't pay attention to proper security practices like applying patches.
Cooper has seen companies get hit by past versions of Code Red when they've done maintenance and the system is inadvertently rolled back so that it's no longer patched. In other cases, new Web servers are rolled out with the default settings, which could set the stage for Code Red infection. "A company may also have a box from a third-party software vendor (with IIS installed) that could be susceptible to Code Red," he said.
Many companies patched their systems after the original Code Red struck because there were no workarounds and because it uses port 80 to spread, said David Perry, global director of education for Trend Micro, a Tokyo-based antivirus software vendor. "To block it, they would have had to cut off Web access, so they installed the patch," he said.
In 2001, Code Red was able to infect 250,000 systems in nine hours, but this latest incarnation won't approach even a fraction of that figure. Because of its nature, it would become apparent very quickly whether Code Red.F would be big, Perry said. The worm resides only in memory, so it spreads or it doesn't. An e-mail worm, by contrast, could lie in wait in users' accounts for a period of time until the user opens it, he said.
The weakness of memory-only worms was apparent when Code Red originally struck. Nimda, which struck shortly after Code Red, showed an even more dangerous element; it could spread like Code Red but also had an e-mail component and wrote itself to disk, Perry said.
The writer of Code Red.F didn't heed the lesson of past Code Red variants. The new worm wasn't particularly savvy; changing the expiration date will hardly make it more effective, Perry said. Creating a similar worm that exploited a different vulnerability would have given it more of a chance to spread. "There are a bunch they could have used that we don't talk about," he said.
Send your thoughts to News Writer Edward Hurley.