Code Red II turns nasty

Users who installed the protective Microsoft patch in response to the original Code Red worm may have to take further steps to protect against Code Red II.

The new worm uses infected computers to unleash massive port-scanning attacks that hit systems indiscriminately, including systems which aren't themselves vulnerable to either of the worms.

Microsoft's patch prevents computers running the vendor's IIS Web server software from being infected by the worms. But users and analysts said it does nothing to stop patched servers from being hit by the flood of scans that Code Red II generates, so they remain targets for the traffic even though they cannot be infected.

"There are a lot of innocent victims here," said Marty Lindner, an incident-handling team leader at the CERT Coordination Centre in the US. "Even though many users have patched their servers, the scans are tying up their available system resources and slowing down performance."

Joe Hayes, CEO at the Web-hosting business Media3 Technologies, said his company had applied the protective patch but was still being badly affected by scans, which were arriving at a rate of thousands every second.

"We did everything we were supposed to do," said Hayes, who added that port scans from infected machines had tied up Media3's servers in a denial-of-service-type attack. "Even Unix and Linux servers that aren't threatened by the Code Red worms are being affected by the scanning probes."

In a notice posted on its Web site, Media3 said that it began to feel the effects of Code Red II on 4 Aug, when the worm prevented Web pages from loading. With help from Microsoft, the notice stated, the company was able to restore service the following day, although some users continued to experience "anomalies" in performance.

While Code Red II was given a similar name to the worm that struck systems in two waves last month, it isn't a variant of the first Code Red but rather an all-new worm which tries to exploit the same vulnerability in IIS.

Security analysts view Code Red II as potentially more dangerous than the first worm for two reasons. First, it installs a backdoor program in systems that could allow attackers to take control of infected computers. Second, Code Red II is more aggressive about trying to spread itself to other systems.

Greg Shipley, a consultant at the security services firm Neohapsis, said Code Red II was targeting "neighbourhoods" of IP addresses and was concentrating its attacks instead of launching random global ones.
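The two observable symptoms described above, scan bursts heavy enough to degrade patched and non-Windows hosts, and sources that cluster in the local address "neighbourhood", can both be measured from ordinary connection logs. The following is an added example written for this article, not code from Media3, CERT or Microsoft. The log lines are constructed, the per-second threshold and the local server address are assumptions, and "neighbourhood" is approximated as the /8 or /16 block containing the local server, since the article does not define it more precisely.

```python
"""Flag scan-like connection bursts per source and measure how 'local'
the flagged sources are relative to our own address block."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log (not from the article): "<ISO timestamp> <source IP> <dest port>".
# Two sources hammer port 80 five times in one second; two others are ordinary clients.
SAMPLE_LOG = """\
2001-08-04T10:00:00 10.20.77.8 80
2001-08-04T10:00:00 10.20.77.8 80
2001-08-04T10:00:00 10.20.77.8 80
2001-08-04T10:00:00 10.20.77.8 80
2001-08-04T10:00:00 10.20.77.8 80
2001-08-04T10:00:01 10.20.77.8 80
2001-08-04T10:00:00 10.51.2.9 80
2001-08-04T10:00:00 10.51.2.9 80
2001-08-04T10:00:00 10.51.2.9 80
2001-08-04T10:00:00 10.51.2.9 80
2001-08-04T10:00:00 10.51.2.9 80
2001-08-04T10:00:03 192.0.2.10 80
2001-08-04T10:00:09 192.0.2.10 80
2001-08-04T10:00:02 198.51.100.7 80
"""


def parse_log(text):
    """Return (timestamp, source_ip_str, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, port = parts
        ipaddress.ip_address(src)  # raises ValueError on a malformed address
        events.append((datetime.fromisoformat(ts), src, int(port)))
    return events


def peak_rate_per_source(events):
    """Highest number of connection attempts from each source within any one-second bucket."""
    buckets = defaultdict(int)
    for ts, src, _ in events:
        buckets[(src, ts.replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (src, _), count in buckets.items():
        peak[src] = max(peak[src], count)
    return dict(peak)


def flag_scanners(events, threshold):
    """Sources whose peak per-second attempt count reaches the (assumed) threshold."""
    return sorted(src for src, n in peak_rate_per_source(events).items() if n >= threshold)


def neighbourhood_share(sources, local_ip, prefix_len=8):
    """Fraction of the given sources that sit inside our own /prefix_len block.
    A share well above what random global scanning would produce indicates
    the locality bias described in the article."""
    if not sources:
        return 0.0
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    inside = sum(1 for s in sources if ipaddress.ip_address(s) in local_net)
    return inside / len(sources)


def scan_report(text, threshold, local_ip, prefix_len=8):
    """Combine both checks into one summary dict for a log excerpt."""
    scanners = flag_scanners(parse_log(text), threshold)
    return {
        "scanners": scanners,
        "local_share": neighbourhood_share(scanners, local_ip, prefix_len),
    }


if __name__ == "__main__":
    # Assumed local server address and a deliberately low threshold for the tiny sample.
    print(scan_report(SAMPLE_LOG, threshold=5, local_ip="10.20.0.5", prefix_len=16))
```

On a real firewall or web log the threshold would be set from a baseline of normal per-source rates, and the local share compared against the proportion of the whole IPv4 space your block represents (a /8 is about 0.4% of it), so a share of 50% or more from flagged sources is a strong sign of neighbourhood-biased scanning rather than random probing.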

CERT had reported over 150,000 Code Red II infections by last Thursday. Microsoft confirmed that two unpatched servers used for its Hotmail e-mail service were infected by the new worm.