Original Issue Date: 30th July 2001
Further to the previous attack by the self-propagating malicious code "Code Red", analysis of the code by several security organizations has determined how infected machines will behave when their system clocks roll over to the next month.
CERT/CC has evidence that tens of thousands of systems are already infected or will be vulnerable to re-infection at that time. Because the worm propagates very quickly, it is likely that nearly all vulnerable systems will be compromised by August 2, 2001.
We therefore advise and urge all parties concerned to take security measures to ensure that all their systems are patched and secured.
1.2 Systems Affected
- Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and Index Server 2.0 installed
- Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing services installed
- Cisco CallManager, Unity Server, uOne, ICS7750, Building Broadband Service Manager (these systems run IIS)
- Unpatched Cisco 600 series DSL routers
2.0 Technical Matters
According to CERT/CC, there are at least two major variants of the worm, each of which exhibits the following pattern of behaviour:
Propagation mode (from the 1st - 19th of the month): The infected host will attempt to connect to TCP port 80 of randomly chosen IP addresses in order to further propagate the worm. Depending on the configuration of the host that receives this request, there are varied consequences.
How it infects:
Unpatched IIS 4.0 and 5.0 servers with Indexing service installed will almost certainly be compromised by the "Code Red" worm.
Unpatched Cisco 600-series DSL routers will process the HTTP request and trigger an unrelated vulnerability that causes the router to stop forwarding packets.
Systems not running IIS, but with an HTTP server listening on TCP port 80, will probably accept the HTTP request, respond with an "HTTP 400 Bad Request" message, and potentially log this request in an access log.
Flood mode (from the 20th - 27th of the month): A packet-flooding denial-of-service attack will be launched against a specific IP address embedded in the code.
Termination (after the 27th day): The worm remains in memory but is otherwise inactive.
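The propagation behaviour described above leaves a trace on every host the worm touches: an HTTP request for one of the Indexing Service extensions (.ida/.idq) carrying an unusually long query string, answered with 200 by an IIS server that processed it or with 400 by a non-IIS server that refused it. The following script is an added example, not part of the MyCERT advisory or of CERT/CC's material; it scans a web-server access log in Common Log Format for such probes, separates "processed" from "rejected" hits, and counts probes per source address so the owners of scanning (i.e. probably infected) hosts can be notified. The log lines, the 240-byte filler and the 200-byte query-length threshold are constructed assumptions, not values taken from the advisory.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format); these lines are not from
# the advisory. Two entries show one outside host probing Indexing Service
# extensions (.ida / .idq) with an oversized query string, one is an ordinary
# page request, and the last shows a non-IIS server answering the same kind of
# probe with "HTTP 400 Bad Request", as the advisory describes.
FILLER = "A" * 240  # constructed stand-in for the long query the worm sends
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [30/Jul/2001:10:01:12 +0800] "GET /default.ida?{FILLER} HTTP/1.0" 200 1235',
    '198.51.100.7 - - [30/Jul/2001:10:01:13 +0800] "GET /index.html HTTP/1.0" 200 4410',
    f'192.0.2.10 - - [30/Jul/2001:10:01:15 +0800] "GET /query.idq?{FILLER} HTTP/1.0" 200 1235',
    f'203.0.113.5 - - [30/Jul/2001:10:02:40 +0800] "GET /default.ida?{FILLER} HTTP/1.0" 400 325',
])

# One CLF line: host ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumptions: a request for an Indexing Service ISAPI extension whose query
# string is at least this long is treated as a worm probe. Legitimate Index
# Server queries are short; the threshold is a tunable, not a documented value.
INDEXING_EXTENSIONS = (".ida", ".idq")
PROBE_QUERY_LENGTH = 200


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    resource, _, query = rec["target"].partition("?")
    rec["resource"] = resource
    rec["query"] = query
    rec["status"] = int(rec["status"])
    return rec


def is_indexing_probe(rec):
    """True when the request targets .ida/.idq with an oversized query string."""
    return (rec["resource"].lower().endswith(INDEXING_EXTENSIONS)
            and len(rec["query"]) >= PROBE_QUERY_LENGTH)


def classify(rec):
    """'processed': the server handled the request, so it is IIS-like and its
    patch level must be checked; 'rejected': a non-IIS server refused it with
    400, which only tells you that a scanning host exists."""
    return "rejected" if rec["status"] == 400 else "processed"


def scan_log(text):
    """Return the list of probe records found in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_indexing_probe(rec):
            rec["verdict"] = classify(rec)
            hits.append(rec)
    return hits


def scanning_sources(hits):
    """Probes per source address; each source is a candidate infected host."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["resource"]} ({h["verdict"]})')
    print("scanning sources:", dict(scanning_sources(found)))
```

Run against a real log, a "processed" hit on your own server means the request reached the Indexing Service extension and the host's patch state must be verified, while the per-source counts identify external hosts that should be reported to their administrators. The threshold and extension list are deliberately kept as constants so they can be tuned to the server being monitored.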
3.0 Possible Steps
3.1 Applying the latest patches
Step-by-step patch installation and recovery instructions, provided by SANS via Digital Island, are available at http://www.digitalisland.net/codered/ and cover:
Identifying whether your host is vulnerable.
Downloading the patch from Microsoft.
Windows NT version 4.0:
Windows 2000 Professional, Server and Advanced Server:
Installing the patch.
Rebooting the system to clear the worm from RAM.
MyCERT strongly recommends the removal of the ida and idq files on systems that do not require such services.
Cisco patches are available at:
3.2 Ingress filtering
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. With "Code Red," ingress filtering will prevent instances of the worm outside of your network from infecting machines in the local network that are not explicitly authorized to provide public web services.
3.3 Egress filtering
Egress filtering manages the flow of traffic as it leaves a network under your administrative control. In the case of "Code Red," employing egress filtering will prevent compromised IIS servers on your network from further propagating the worm.
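The ingress and egress policies described in 3.2 and 3.3 are simple to state but easy to get backwards, so here is an added example (not from the advisory) that models both as a border-filter decision in Python. The topology is an assumption: an internal 192.0.2.0/24 in which only 192.0.2.80 is authorized to publish a web service. Inbound TCP/80 is allowed only to that host (ingress filtering keeps the worm away from unadvertised IIS installs), and outbound TCP/80 is dropped when it originates from a web server (egress filtering stops a compromised server from scanning random addresses), while ordinary workstations keep browsing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions, not from the advisory): one internal
# network and the single host explicitly authorized to serve public web traffic.
INTERNAL_NET = ip_network("192.0.2.0/24")
PUBLIC_WEB_SERVERS = {ip_address("192.0.2.80")}
HTTP_PORT = 80


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen at the network border."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def direction(flow):
    """Classify a flow relative to the administered network."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    if s not in INTERNAL_NET and d in INTERNAL_NET:
        return "ingress"
    if s in INTERNAL_NET and d not in INTERNAL_NET:
        return "egress"
    return "internal" if s in INTERNAL_NET else "transit"


def ingress_allows(flow):
    """Inbound web traffic may only reach hosts explicitly authorized to
    publish a web service; an unadvertised IIS install never sees the probe."""
    if flow.proto == "tcp" and flow.dport == HTTP_PORT:
        return ip_address(flow.dst) in PUBLIC_WEB_SERVERS
    return True  # other ports are outside this example's scope


def egress_allows(flow):
    """A web server has no business opening outbound connections to TCP/80;
    the worm's propagation is exactly that, so such flows are dropped while
    workstations keep their normal outbound browsing."""
    if flow.proto == "tcp" and flow.dport == HTTP_PORT:
        return ip_address(flow.src) not in PUBLIC_WEB_SERVERS
    return True


def decide(flow):
    """Border-filter verdict: 'allow' or 'drop'."""
    d = direction(flow)
    if d == "ingress":
        return "allow" if ingress_allows(flow) else "drop"
    if d == "egress":
        return "allow" if egress_allows(flow) else "drop"
    # Internal-to-internal traffic never crosses the border filter; that case
    # needs host patching or internal segmentation, not this rule set.
    return "allow"


if __name__ == "__main__":
    # Constructed flows: a legitimate visitor, a probe at an unadvertised host,
    # an infected server scanning outwards, and a workstation browsing.
    for f in [Flow("203.0.113.9", "192.0.2.80", 80),
              Flow("203.0.113.9", "192.0.2.25", 80),
              Flow("192.0.2.80", "198.51.100.4", 80),
              Flow("192.0.2.25", "198.51.100.4", 80)]:
        print(f"{direction(f):8} {f.src} -> {f.dst}:{f.dport} {decide(f)}")
```

The comment in decide is the practical caveat: neither filter helps against an infected host scanning addresses inside its own network, which is why 3.1 (patching) remains the primary control and the filters are containment.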
3.4 Updating IDS Signatures
Those using IDS and firewalls are advised to update their signature files and firewall rules to ensure that their systems detect and block such traffic.
To properly secure your web server, MyCERT recommends the following sites:
For Windows NT 4.0, IIS 4.0:
For Windows 2000, IIS 5.0:
4.0 More Information
To obtain more information on this worm, please refer to the following sites:
4.1 CERT Advisory
4.2 Detailed technical analysis of the "Code Red" worm can be found at:
4.3 Cisco advisory
4.4 Microsoft Corporation