*EPF411 08/09/01
Excerpts: Malicious Software Still Threatens, but Crisis Averted
(Internet security experts see damage contained, as new worm emerges)
U.S. Internet security experts are tracking a new version of a malicious software program that could compromise computer servers equipped with certain vulnerable hardware and software. In a warning first issued August 6, the Federal Computer Incident Response Center (FedCIRC), one U.S. government agency monitoring Internet threats, cautioned about the emergence of a new worm, a self-propagating code, labeled Code Red II, a mutation of Code Red I.
This latest software threat developed less than a week after similar warnings about the Code Red I worm, which authorities issued in the final days of July. Both Code Red I and Code Red II attack certain brand-name Internet servers, not the individual's personal computer. Once they have infected a system, the worms scan the Internet for other vulnerable systems so that they can propagate on their own. The greatest danger is that the worms could jam the Internet with their repetitious scanning, slowing down the worldwide communications network for all users.
FedCIRC, the National Infrastructure Protection Center and other public and private entities concerned with Internet security launched a broad-based campaign to inform server operators of Code Red I, and to encourage the installation of a program "patch." This software repair kit developed by Microsoft, the manufacturer of the vulnerable programs, served to close the system "hole" that allowed the worm to infect systems. NIPC now reports that 1 million users have downloaded the patch.
Code Red II enters vulnerable systems in the same manner as Code Red I. Security experts say proper application of the patch for the first worm will have protected users from the second. Once inside a system, however, Code Red II behaves differently from its predecessor: it creates a security opening in the systems it infects, leaving them open to subsequent attacks from any hacker.
Code Red I first emerged in mid-July and attacked an estimated 250,000 vulnerable systems. The August recurrence has infected about 150,000 systems, according to analyst Roman Danyliw at the CERT Coordination Center, an Internet security organization that is a partner with NIPC in the public-private coalition of telecommunications specialists managing the Code Red alert.
"Assuming everything remains the same, I think we've seen the worst," said Danyliw. Speaking in a telephone interview from CERT's Pittsburgh, Pennsylvania, headquarters at Carnegie Mellon University, Danyliw said, however, that it is not prudent to assume that circumstances will remain the same, because the malicious software program could evolve into something else -- Code Red III, for instance.
Danyliw is hopeful that most users have taken proper precautions to deflect an attack from the Code Red worms. Asked to make a longer-term prediction, however, Danyliw is certain that another malicious and damaging worm or virus will emerge in the future, exploiting some yet undiscovered software vulnerability.
Danyliw said the most important outcome of the Code Red worm episode is that it underlines the importance of users remaining constantly vigilant to protect their equipment from being compromised.
The NIPC emphasized a similar message in an August 3 statement, underscoring the importance of private-public cooperation to head off a Code Red crisis. "We believe this extraordinary effort significantly blunted the impact of this instance of the worm's infection," the statement said.
Following are excerpts from texts issued by various participants in the Internet security coalition as the Code Red situation has unfolded.
(begin excerpt)
FEDCIRC
The Federal Computer Incident Response Center
Aug. 7 2001
CODE RED II WORM ANALYSIS UPDATE
Exploited Vulnerability And Overview
This worm uses the same mechanism as the original Code Red worm to infect vulnerable computers. That is, the worm looks for systems running IIS that have not patched the unchecked buffer vulnerability in idq.dll or removed the ISAPI script mappings. The worm exploits the vulnerability to inject itself into a system.
Note that ANY system running Microsoft Windows 2000 (any version including Professional) may have a vulnerable IIS server installed. It is often possible that an IIS server is installed without the user's knowledge. Please check the FAQ here for information on determining if a system is vulnerable:
http://www.incidents.org/react/code_red.php
In fact, due to the targeting algorithm used by this new worm, the infection is spreading wildly through ISP networks. Cable and DSL subscribers are especially at risk and many have been experiencing network outages due to the worm's "ARP Flooding" Denial of Service side-effect. Experts believe that many of the systems currently infected belong to home PC users who do not realize that they have the IIS server software installed.
Except for using the buffer overflow injection mechanism, this new worm is entirely different from the original Code Red CRv1 and CRv2 variants. In fact, Code Red II is more dangerous because it opens backdoors on infected servers that allow any follow-on remote attacker to execute arbitrary commands. Reports have already been received of attackers attempting to exploit these backdoors to wage distributed ping flooding attacks.
Most importantly, due to the more malicious actions of this worm, patching and rebooting an infected server is no longer sufficient to clean the system. If a system has been infected, or if a vulnerable system has simply been left unpatched while Code Red II has been circulating, the only real solution is to reformat the system's hard drive and reinstall all the software. For more information see the Code Red FAQ at:
http://www.incidents.org/react/code_red.php
(end excerpt)
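A defender-side check that follows from the FedCIRC excerpt above, added here as an example and not FedCIRC's or Microsoft's code: it scans IIS W3C Extended log lines for requests routed to idq.dll through the .ida/.idq ISAPI script mappings and separates oversized queries (overflow attempts) from ordinary requests that merely show the mapping is still present. The log field order, the length threshold, and the sample addresses and lines are constructed assumptions.

```python
"""Flag IIS requests aimed at the idq.dll ISAPI handler (.ida/.idq) in W3C log lines.

Added example, not FedCIRC's or Microsoft's code. Assumes the IIS W3C
Extended format with the field order declared in the #Fields: header.
"""

# Constructed oversized query; a legitimate Index Server query is short.
OVERFLOW_FILLER = "X" * 240

# Constructed sample log, not a real capture.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-08-06 09:15:02 192.0.2.10 GET /index.htm - 200\n"
    f"2001-08-06 09:15:07 198.51.100.23 GET /default.ida {OVERFLOW_FILLER} 200\n"
    "2001-08-06 09:16:41 203.0.113.5 GET /search.idq CiRestriction=report 200\n"
    "2001-08-06 09:17:00 192.0.2.44 GET /images/logo.gif - 200\n"
)

# Extensions mapped to idq.dll by the default ISAPI script mappings.
IDQ_EXTENSIONS = (".ida", ".idq")
# Assumed threshold: anything this long to idq.dll is an overflow attempt.
OVERFLOW_QUERY_LEN = 200


def parse_w3c(log_text):
    """Yield one dict per request line, using the #Fields: header for column names."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def classify(entry):
    """Return None for requests that never reach idq.dll, otherwise a verdict string."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-")
    if not stem.endswith(IDQ_EXTENSIONS):
        return None
    if len(query) >= OVERFLOW_QUERY_LEN:
        return "idq.dll overflow attempt"
    return "idq.dll request (remove .ida/.idq script mapping)"


def scan(log_text):
    """Return (client_ip, uri_stem, verdict) for every line that touches idq.dll."""
    hits = []
    for entry in parse_w3c(log_text):
        verdict = classify(entry)
        if verdict:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], verdict))
    return hits


if __name__ == "__main__":
    for ip, stem, verdict in scan(SAMPLE_LOG):
        print(f"{ip:16} {stem:20} {verdict}")
```

Log review is retrospective: a hit on an unpatched server means the machine must be treated as compromised as the excerpt describes, and removing the .ida/.idq mappings plus applying the Microsoft patch is the actual fix.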
(begin excerpt)
NATIONAL INFRASTRUCTURE PROTECTION CENTER
August 6, 2001
The National Infrastructure Protection Center (NIPC) continues to work in close coordination with its public and private sector partners regarding what has been named Code Red II. The NIPC considers Code Red II to be a serious threat because it spreads rapidly and installs a backdoor that can be accessed by anyone familiar with the exploit. Any intruder can use the backdoor compromise to make other system modifications at will. As a result, the repair of the infected system may require the reinstallation of the operating system, data files, and the Microsoft patch. As in the case of Code Red last week, the Microsoft patches can be located at the following URLs:
For Windows NT 4 machines: http://www.microsoft.com/downloads/release.asp?releaseid=30833
For Windows 2000 machines: http://www.microsoft.com/downloads/release.asp?releaseid=30800
Code Red and Code Red II exploit the same vulnerability found in Internet Information Systems (IIS) versions 4.0 and 5.0 running on Windows NT-4 and Windows 2000 operating systems.
For those already infected by Code Red II, a suggested process for repairing your system can be found at www.cert.org/tech_tips/win-UNIX-system_compromise.html.
Recipients of this Advisory are encouraged to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incidents/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or [email protected].
(end excerpt)
(begin excerpt)
National Infrastructure Protection Center
Press Room
www.nipc.gov
August 3, 2001
Code Red - The Aftermath and Behind the Scenes Look at the Worm
Washington, D.C. - Over the course of the past week, government and industry groups worked together to address the threat of the "Code Red" Internet worm and to warn the public to take necessary preventative measures to combat its further spread. What is not well known are the "behind-the-scenes" efforts by technical security experts who did everything from monitoring the spread of the worm to personally answering questions from concerned users on how to protect their computers.
After a new and stronger version of the Code Red worm appeared in mid-July, industry and government organizations realized the next outbreak could have much more impact on the Internet if users did not download the software patch to inoculate their system. Going public was not an easy decision, but the impact of not going to the public to ask users for help could have had even worse ramifications, especially if business and home users of the Internet were impacted due to slow response times. There was an unprecedented level of close coordination between government and private sector organizations. Nearly everyone involved in network security or critical infrastructure protection understood the seriousness of this threat. We believe this extraordinary effort significantly blunted the impact of this instance of the worm's infection. We are still not out of the woods -- it will be in the "infection" mode until late August 19, 2001, when it switches to "attack" mode. At that time, we will be better prepared to assess how well these efforts paid off.
Over 1 million individual software patches were applied within the past week, which represents an extraordinary effort for the government/private sector partnership in battling Code Red. Since the patch can be downloaded once and installed on any number of machines, the number of systems actually patched is no doubt higher. Microsoft observed a dramatic increase in the number of downloads during the week of July 30, which suggests that the effort to heighten customer awareness appeared to pay off. Few of the major web sites were affected by the worm, because many took action after this initial release. The worm would have had a far greater impact if so much effort and cooperation from other industry and government entities had not taken place in the weeks leading up to the Washington, D.C., news conference. Hopefully, public awareness has been raised that a computer needs continual maintenance, especially where security is concerned.
Many countries have processes for handling government security, such as FedCIRC, which is responsible for the security of U.S. government systems. They polled all agencies early in the week to ensure they had secured their internal systems. Getting to small business and home users is much more difficult, as was noted during the response to thousands of inquiries from users around the world. Without the help of volunteers across the security community, it would have been difficult to address, and when these volunteers contacted the owners of infected systems, they got even more cooperation. Comments from Code Red victims included "Thank you. This is one of our partners' systems, housed in our remote data centre." "Thank you for the notice. Somehow this box was missed when we applied the patches." "Thanks in advance...Oh, and thanks for tracking the Code Red scanners on everyone's behalf too. That is a Good Thing you are doing." These are the ones who are now patched. Over the next several days, an attempt to notify the remaining users will be made.
Here are some of the organizations that have been together, day and night, for six days. From the Federal Government: the National Infrastructure Protection Center (NIPC) of the FBI, Critical Infrastructure Assurance Office (CIAO) of the Department of Commerce, and Federal Computer Incident Response Center (FedCIRC) of the General Services Administration. On the private sector side: Computer Emergency Response Team Coordination Center (CERT/CC) of Carnegie Mellon University, Systems Administration and Network Security (SANS) Institute, Microsoft, Internet Security Systems, Inc. (ISS), Cisco Systems, Inc., Partnership for Critical Infrastructure Security (PCIS), Information Technology Association of America (ITAA), Digital Island, Inc., Information Technology Information Sharing and Analysis Center (IT-ISAC), Internet Security Alliance (ISA), UUNet, and America Online.
Self-propagating worms that exploit vulnerabilities in commonly used software platforms will be a vector of choice by hackers as we move forward. These worms require no social engineering and require no action on the part of users, like opening an attachment. As we saw with Code Red, they can hurt us in two ways: they can consume Internet bandwidth during their propagation phase if the numbers are big enough and they can carry harmful payloads, like the instructions to launch against a chosen target. Anyone can be the next target as future worms may result in much more destructive activity.
(end excerpt)
(Distributed by the Office of International Information Programs, U.S. Department of State. Web site: http://usinfo.state.gov)