Users who thought that installing a Microsoft patch would comfortably protect their systems against problems caused by the Code Red worm may need to change their thinking following last weekend's emergence of the more aggressive Code Red II.
Microsoft's patch, available in separate versions for Windows 2000 and Windows NT 4.0, will prevent computers running the software vendor's Web server software from being infected by Code Red II. But users and analysts said it can't stop servers from becoming potential targets for massive port scanning attacks being unleashed by worm-infected machines around the globe.
"There's a lot of innocent victims here," said Marty Lindner, an incident handling team leader at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. The problem, he said, is that Code Red II is invading unpatched servers and then using them to send out huge numbers of system scans in an attempt to find other computers that are vulnerable.
Even though many users have patched their servers, Lindner added, the scans are tying up their available system resources and slowing down performance. Internet service providers have been hit particularly hard because they maintain such a large number of IP addresses for their customers, he said.
Joe Hayes, co-chief executive officer (CEO) at Media3 Technologies LLC, a Web site hosting business in Pembroke, Massachusetts, said his company was hammered last weekend by scans coming in at a rate of thousands per second, despite having installed the patch for Microsoft's Internet Information Services software on its Windows-based servers.
"We did everything we were supposed to do," Hayes said. But he added that the company was still hit by port scans from infected machines elsewhere, tying up its servers in a denial-of-service type of attack. Unix and Linux servers that aren't even vulnerable to the Code Red worms were also targeted by the destructive scanning probes, according to Hayes.
In a notice to its clients, Media3 said it began to feel the effects of Code Red II on Saturday, preventing Web pages from loading. With help from Microsoft, the notice stated, the company "was able to deflect this attack and restore Web delivery services ... late Sunday night." But some users continued to experience "anomalies" in Web site performance after that, it added.
Although Code Red II's name resembles that of the worm that struck servers in two waves during the past few weeks, it isn't a variant of the first Code Red, according to an advisory posted by the SecurityFocus.com information service in San Mateo, California. Instead, Code Red II is an all-new worm that shares some signature attributes of its predecessor and imitates the method of attack used by the original Code Red.
But security analysts view it as potentially more dangerous than the first worm for two reasons. First, Code Red II installs a backdoor program on infected systems that could allow attackers to easily access those computers and take control of them. Second, it is more aggressive about trying to spread itself to other systems, which accounts for all the scanning activity, analysts said.
Greg Shipley, director of consulting services at security vendor Neohapsis Inc. in Chicago, said Code Red II targets "neighborhoods" of IP (Internet Protocol) addresses, concentrating its attacks instead of launching the random global attacks used by the first worm. The concentrated attacks create disruptive "broadcast storms" that have particularly hurt Internet access networks, he said.
So far, Lindner said, CERT has confirmed at least 150,000 Code Red II infections worldwide since last Saturday. Ironically, even Microsoft itself was affected by the worm: It confirmed this week that two unpatched servers used for its Web-based Hotmail e-mail service were infected.