Virus writers deny Code Red involvement

The virus-writing group 29A has denied that any of its members created Code Red or Code Red II, following a German media report that pinpointed 29A as the brains behind the malicious Internet worms.

A Deutsche Presse-Agentur (DPA) report on Tuesday said that the group had been bragging in online chat rooms about unleashing Code Red onto the Internet. The report also described 29A as a Dutch hacker group.

"Some Chinese guy is responsible [for Code Red], not any 29A member," said a Spanish member of 29A using the alias VirusBuster. He claimed that most of the group's members are from Spain and the Czech Republic, not Holland.

Mikko Hypponen, manager of antivirus research for the antivirus software vendor F-Secure, investigated the source of both Code Red and Code Red II and said that he was "pretty confident 29A is not involved with any version of Code Red", as the worms did not have the traditional 29A signature.

"The string 29A exists in the code of Code Red II. It is a binary reference to the number 666. The string is part of the code that is executed and not something that was set apart as a signature. In viruses created by a 29A member the signature is not part of the code, but separate and is always in a special format," he said.

Experts and authorities worldwide are trying to determine who is responsible for Code Red and Code Red II. There is some speculation that the first version was made in China because the worm placed a message saying, "hacked by Chinese" on infected systems. The economic cost of both worms has reportedly risen to nearly $2bn (£1.4bn).

Hypponen thinks that Code Red II was made in the US by virus writers who believed the original Code Red came from China. "This [Code Red II] is an anti-Chinese virus. It checks whether it has infected a Chinese machine and then doubles the spreading rate. We think Code Red II was made in the US as a retaliation," he said.

Code Red is a self-propagating worm that exploits a flaw in Internet Information Server (IIS), the web server component of Microsoft's Windows 2000 and Windows NT software. It scans the Internet for vulnerable systems and infects them by installing a copy of itself on each one. The scanning traffic Code Red generates can slow down the flow of information across the Internet.

The more dangerous Code Red II installs a "back door" in servers that allows attackers to access the infected computer without the usual passwords. Once logged in through the back door, attackers can gain control of the machine.
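The scanning behaviour described above is one thing a site can look for in its own web-server logs, independent of what the probe itself contains. The following is an added illustration, not code from the article or from F-Secure: it reads constructed log lines in a simplified W3C-style layout (date, time, client IP, server IP, method, URI, status), and flags any remote address that reaches an unusually large number of distinct local servers inside a short window, which is how a worm sweeping address space looks from the receiving end. The log lines, the 60-second window and the five-server threshold are all assumptions chosen for the example.

```python
"""Flag worm-style scanning in web-server logs (added example, not from the article).

A self-propagating worm reaches new hosts by probing many addresses quickly.
Seen from a site that runs several web servers, that shows up as one remote
address hitting many distinct local servers within a short time span.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic) in a simplified W3C-style layout:
# date time client-ip server-ip method uri status
SAMPLE_LOG = """\
2001-08-06 10:00:01 203.0.113.5 198.51.100.1 GET /index.html 200
2001-08-06 10:00:02 203.0.113.5 198.51.100.2 GET /index.html 200
2001-08-06 10:00:02 203.0.113.5 198.51.100.3 GET /index.html 200
2001-08-06 10:00:03 203.0.113.5 198.51.100.4 GET /index.html 200
2001-08-06 10:00:03 203.0.113.5 198.51.100.5 GET /index.html 200
2001-08-06 10:00:04 203.0.113.5 198.51.100.6 GET /index.html 200
2001-08-06 10:00:10 192.0.2.7 198.51.100.1 GET /about.html 200
2001-08-06 10:05:00 192.0.2.7 198.51.100.2 GET /about.html 200
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, server_ip)."""
    date, time, client, server, _method, _uri, _status = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, client, server


def find_scanners(log_text, window_seconds=60, min_targets=5):
    """Return {client_ip: distinct_servers} for clients that contacted at least
    min_targets distinct local servers within any span of window_seconds.

    The thresholds are assumptions for this example; tune them per site.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, server = parse_line(line)
        events[client].append((ts, server))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, hits in events.items():
        hits.sort()  # chronological order makes the window scan straightforward
        best = 0
        # Slide a window that starts at each hit and count distinct servers in it.
        for i, (start, _) in enumerate(hits):
            seen = {srv for ts, srv in hits[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= min_targets:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, count in find_scanners(SAMPLE_LOG).items():
        print(f"possible scanner {client}: {count} distinct servers within 60s")
```

This catches the behaviour rather than the payload: a remote host fanning out across a site's servers is suspicious whatever request it sends, so the check still works when the probe string changes between worm variants. The trade-off is that a legitimate crawler or monitoring system can trip it, so the flagged addresses are a list to investigate, not to block automatically.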

A patch for the flaw in IIS has been available from Microsoft since the middle of June.

Further information
F-Secure: www.f-secure.com
