Code Red version 3.0 is making waves in New Zealand with reports of
thousands of hits on Web servers being attributed to the new
worm.
Code Red 3.0 uses the same buffer overflow exploit as the original
Code Red but has a different payload - it installs a backdoor on
the infected server. Confusingly, this version refers to itself as
Code Red II but has been designated version 3.0 by observers, such
as antivirus firm Symantec.
Locally, several network managers are reporting large numbers of
hits from infected servers - at one point up to 200 a minute at
several sites around New Zealand. Brian Gibbons, director of
Internet solutions company Outersite Technology, said end users
might start to notice Internet traffic problems because of the
worm's proliferation. "Going to the States at the moment is pretty
slow."
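As an added example that is not part of the article, the following Python script shows how a network manager could quantify hits like the ones described above from a web-server access log: it counts probe requests per minute, records which hosts sent them, and flags minutes that reach a chosen rate. It assumes Apache/NCSA-format log lines (the sample lines below are constructed) and identifies a probe by the request path `/default.ida`, the IIS Index Server extension that the worm's overflow request targets; that signature is well documented but is not stated in the article.

```python
"""Count Code Red probe hits per minute in a web-server access log.

Added example, not from the article. Assumptions:
 - log lines are in Apache/NCSA format (sample lines are constructed);
 - a Code Red probe is identified by the request path "/default.ida",
   the IIS Index Server extension the worm's overflow request targets
   (a well-documented signature, not a detail given in the article).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# NCSA common log: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Code Red variants send an overlong GET for /default.ida whose query
# string is a run of filler characters followed by the overflow data.
PROBE_PATH = "/default.ida"

# Constructed sample log: two probing hosts, one normal client, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2001:09:15:02 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 400 325
203.0.113.7 - - [10/Aug/2001:09:15:31 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 400 325
198.51.100.22 - - [10/Aug/2001:09:15:44 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 400 325
192.0.2.10 - - [10/Aug/2001:09:15:50 +1200] "GET /index.html HTTP/1.1" 200 5120
198.51.100.22 - - [10/Aug/2001:09:16:05 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 400 325
192.0.2.10 - - [10/Aug/2001:09:16:12 +1200] "GET /images/logo.gif HTTP/1.1" 200 2048
this line is garbage and should be skipped
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client_ip, minute_key, request_path), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Truncate "10/Aug/2001:09:15:02 +1200" to minute precision: "10/Aug/2001:09:15"
    minute = m.group("ts").split()[0].rsplit(":", 1)[0]
    return m.group("ip"), minute, m.group("path")


def is_code_red_probe(path: str) -> bool:
    """True if the request path (ignoring the query string) is the .ida probe."""
    base = path.split("?", 1)[0].lower()
    return base == PROBE_PATH


def probe_stats(lines: Iterable[str]) -> Tuple[Counter, Dict[str, Set[str]]]:
    """Probe hits per minute and the distinct probing hosts seen in each minute."""
    per_minute: Counter = Counter()
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not well-formed log entries
        ip, minute, path = parsed
        if is_code_red_probe(path):
            per_minute[minute] += 1
            hosts[minute].add(ip)
    return per_minute, hosts


def noisy_minutes(per_minute: Counter, threshold: int) -> List[str]:
    """Minutes whose probe count reaches the threshold, in chronological order."""
    return sorted(m for m, n in per_minute.items() if n >= threshold)


if __name__ == "__main__":
    counts, probing_hosts = probe_stats(SAMPLE_LOG.splitlines())
    for minute in sorted(counts):
        print(f"{minute}: {counts[minute]} probes from {sorted(probing_hosts[minute])}")
    print("minutes at or above 3 probes:", noisy_minutes(counts, 3))
```

The per-minute host sets are what a site would hand to its upstream provider or firewall: each probing address is an infected IIS host, so the list doubles as a notification list for the owners of those machines.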
He says that if end users with a broadband connection get infected,
they could end up with a very large bill from their Internet service
provider (ISP) for bandwidth charges.
"Code Red could easily burn bandwidth at NZ$300 (£89) per hour.
It's fairly scary to come back on Monday to find your box has burnt
NZ$15,000 over the weekend."
Gibbons says ISPs should do more to warn end users about the
dangers of an "always on" connection, but even dial-up users are at
risk.
"You've only got to put a modem into a Windows 2000 server, which
is temporarily connected to the Internet and by default you've
exposed yourself to Code Red."
Designed to attack Web servers that run Microsoft's Internet
Information Server (IIS) and haven't had the security patch
applied, Code Red infected over 300,000 machines last month. A
second wave of attacks hit around half that number in the first few
days of August.
Code Red 3.0 is not related to the original, according to security
monitoring Web site Incidents.org, but is an entirely new worm that
works along similar lines. It is far more aggressive in nature than
the first Code Red or the subsequent variation. Incidents.org
reports, "Due to the more malicious actions of this worm, patching
and rebooting an infected server is no longer sufficient to clean
the system."