Code Red, Sapphire, Blaster, et al.
Code Red -- What is it, and what are the consequences?
R. J. Brown, Elijah Laboratories Inc.
The Code Red and Code Red II worms, and their variants, have been attacking Microsoft-based servers all over the internet. Code Red was described in June, and was responsible for a failed attack on the White House (Presidential palace of the United States) in July. It re-surfaced in August, but activity started to die down by August 3rd; however, another worm, the Code Red II worm, based on the same exploit but with an entirely different payload, surfaced on Saturday, August 4th. A less malicious but much faster propagating worm, Slammer/Sapphire, appeared in January of 2003. W32.blaster appeared on Monday, August 11, 2003.
The Code Red worm attacks Microsoft IIS servers, versions 4.0 and 5.0, on NT and OS/2000 hosts. On NT hosts, it crashes the webserver but leaves the OS up. On OS/2000 hosts, it successfully infiltrates and gains total control of the machine. It plants a back door permitting future intrusions, and then starts to propagate itself to other vulnerable servers.
During this propagation process, much internet packet traffic is generated, mostly on the class A and B subnets of the compromised host, but also on the internet at large. This high volume of traffic has been responsible for slowdowns in various regions of the internet from time to time.
It must be remembered that every IP address on the internet is theoretically equally likely to receive a probe from the worm, because of the algorithm the worm's propagation process uses to generate target addresses. This means that for every probe received by one machine, there were over 4 billion other probes that were not addressed to that machine! This is a truly amazing amount of traffic.
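As an added illustration of the uniform-scanning argument above (not code from the original page; the vulnerable population size, per-host scan rate and duration are constructed assumptions), the following Python model shows what fraction of a random scanner's probes reach any single address, the chance a given address is probed at all, and how the total probe traffic grows as the infected population spreads:

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniform random scanner can choose from


def probes_sent_elsewhere(probes_received: int) -> int:
    """For each probe that reached one address, how many were sent to other addresses."""
    return probes_received * (ADDRESS_SPACE - 1)


def expected_probes_per_address(infected: int, scans_per_sec: float, seconds: float) -> float:
    """Mean number of probes any single address receives over an interval."""
    return infected * scans_per_sec * seconds / ADDRESS_SPACE


def prob_address_probed(total_probes: int) -> float:
    """Probability that a given address is hit at least once by total_probes uniform probes."""
    return 1.0 - math.exp(total_probes * math.log1p(-1.0 / ADDRESS_SPACE))


def simulate_spread(vulnerable, initial_infected, scans_per_sec, seconds, step=60.0):
    """Discrete-time random-constant-spread (SI) model of a uniform scanner.

    Each probe lands on a not-yet-infected vulnerable host with probability
    (vulnerable - infected) / 2**32.  Returns (time, infected, cumulative probes)
    per step; the cumulative count is the scan traffic the page describes.
    """
    infected = float(initial_infected)
    total_probes = 0.0
    history = []
    t = 0.0
    while t < seconds:
        probes = infected * scans_per_sec * step
        total_probes += probes
        new_infections = probes * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new_infections)
        t += step
        history.append((t, infected, total_probes))
    return history


if __name__ == "__main__":
    # Constructed scenario (an assumption, not page data): 360,000 vulnerable hosts,
    # 10 scans/s per infected host, 10 hours of spread, one report line per hour.
    for t, infected, probes in simulate_spread(360_000, 1, 10.0, 36_000)[59::60]:
        print(f"t={t/3600:4.1f} h  infected={infected:10.0f}  probes so far={probes:.3e}")
```

Because each infected host scans at a constant rate, the probe traffic grows with the infected population, which is why the slowdowns described above appear once the worm approaches saturation.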
The real danger of Code Red II is the huge number of compromised machines that will be left with a back door wide open. We can certainly expect some distributed denial of service (DDoS) attacks on some high profile targets in the near future. I wouldn't be too surprised if entire countries were cut off from the rest of the internet, or large corporations forced to resort to doing business without computer networks at all. The economic cost of this would be staggering. Furthermore, a threat to the financial stability, or even the national security, of many modern nations could possibly also result.
Here are some sites to visit for more detailed information:
Robert J. Brown. Last modified: Fri Mar 7 11:41:08 CST 2003