WORM - Code Red II buries deeper


http://digitalmass.boston.com/news/packages/code_red/code_red_2.html

Code Red II worms its way deeper into Internet

By Elinor Mills Abreu, Reuters, 8/8/2001

SAN FRANCISCO -- The Code Red II computer bug has wormed its way deeper into the World Wide Web, costing nearly $2 billion on its way to becoming one of the most expensive security threats to hit the Internet. Computers infected with the worm were being used to attack other parts of the Internet, experts said, with the second generation of the virus proving even more malicious and resilient than its predecessor.

Experts in the U.S., Europe and Asia reported attacks by the pernicious worm, with one South Korean government department being closed down because of infection.

The new version -- which first surfaced on Saturday -- spreads through a hole in Microsoft's Internet Information Server Web software running on Windows NT and 2000 computers.

It leaves a "back door" on infected computers which advertise their vulnerability by scanning Web-connected machines, sometimes launching coordinated attacks on other parts of the Internet.

"We're already seeing reports of denial of service attacks starting up," said Alan Paller, research director at the System Administration, Networking and Security Institute (SANS) in Bethesda, Maryland.

He was referring to attacks launched by Code Red which are designed to shut down Web sites by overwhelming them with excessive traffic, prompting a denial of service.

"We have evidence that it has happened but no idea of its prevalence or severity," said Steve Gibson, president of Gibson Research in Laguna Hills, California.

CLOSING THE LOOPHOLE

In order to protect their systems, network administrators need to remove the "back door" from their systems and reformat and reinstall all the software on the computer -- in addition to installing the software patch that closes the loophole that Code Red exploited, security analysts said.

"Even after you apply the Microsoft patch and remove the Trojan (horse) back door it's impossible to know what might have been done to your system while it was open," said Gibson.

The economic damage caused by the Code Red worms has risen to near $2 billion, up from an estimated $1.2 billion as of a week earlier, according to Computer Economics, a Californian research company that keeps a tally of computer viruses.

The final cost could eventually top the estimated $8.7 billion in damages from last year's Love Bug virus, the company said.

Part of the reason was the widespread, unintended consequences of the worm, which anti-virus professionals have taken to calling its "collateral damage."

For example, some models of Cisco Systems digital subscriber line routers, Hewlett-Packard print servers and 3Com Corporation's LAN modems can crash, even if those devices were not targeted by the worm, experts said.

"They're not getting infected, but they're still shutting down," said Elias Levy, chief technology officer of SecurityFocus.com.

The worm also shut down the Web site of New York-based Syncit.com for about five days last week when it caused disk drives on a test system to fail, Chief Technology Officer Terence Way told Reuters.

The company, which allows people to synchronise and share Web-based information such as bookmarks, had been running Microsoft Web server software and was on two backup servers when the worm struck.

"CROWN JEWELS INFECTED"

"Here I am in paranoid mode, but it's not my desktop (computer) that gets infected, it's the crown jewels -- the Web site," Way said.

Code Red II also forced some slowdowns for U.S. cable modem networks.

While the first version of Code Red scans for new victims using random numeric Internet Protocol addresses, Code Red II scans addresses grouped together.

That can be a problem for cable networks, which share bandwidth, since a slowdown in one part of the system can affect everyone on it, experts said.

"Rarely, if ever, do cable modem customers connect to each other within the network," said Gibson. "The process of finding another customer generates a lot of noise, which is spread out system-wide."

Cable Internet providers Cox Communications, AOL Time Warner and ExciteAtHome Corp all confirmed some marginal slowdowns for some users because of Code Red activity on Tuesday.

-- Anonymous, August 08, 2001

