Skip to main content /TECH with /TECH

New 'Code Red' worm entices Web hijackers

Home users running Windows 95, 98 or Me not vulnerable

Home users running Windows 95, 98 or Me not vulnerable

By Richard Stenger

(CNN) -- A malicious cousin of the "Code Red" computer worm that gives hackers the ability to take over Web sites has entered a second and more alarming phase of infiltration on the Internet, computer experts warned Monday.

The rogue application, which disappears from computer memory after one or two days, secretly installs a backdoor on infected Web servers and makes them vulnerable to hijacking.

"It gives anyone on the Internet who comes in as a browsing user the ability to take control of your site. Instead of looking at Web pages, they can make your computer do whatever they want," said Alan Paller, director of research for the System Administration, Networking, and Security (SANS) Institute, a computer security think tank monitoring the Net infiltration.

The so-called "Code Red II" could allow hackers to steal sensitive information like passwords or credit card numbers, particularly if infected Web sites handle e-commerce, said Elias Levy, chief technical officer of, which tracks computer security issues.

MORE STORIES Why worms like 'Code Red' are good for you  
Message board: 'Code Red' worm  

Once inside, a high-tech outlaw could wreak even more havoc.

"The hacker could leverage that computer to break into other machines" connected to the same network, essentially using it as a gateway, said Levy, who also moderates the BugTraq mailing list.

The National Infrastructure Protection Center, a government task force responsible for monitoring the safety of the Internet, said it "considers Code Red II to be a serious threat because it spreads rapidly and installs a back door that can be accessed by anyone familiar with the exploit."

"Any intruder can use the back door compromise to make other system modifications at will. As a result, the repair of the infected system may require the reinstallation of the operating system, data files, and the Microsoft patch," the NIPC said in a written statement.

The second wave

Such subversive attempts to infiltrate crippled machines might be taking place now, although it remains too early to determine with certainty.

"There is a wave of people looking for infected machines. We are getting into the second wave of infections," said Paller on Monday. "We haven't figured what they are doing. But we are seeing a very big wave of scanning."

First noticed this weekend, Code Red II has infected an estimated 150,000 to 400,000 machines, according to anti-virus companies. The assault is reminiscent of the original Code Red, which launched attacks on the Internet in mid-July and the first week of August.

The two are composed of different code, but both exploit the same security flaw in Microsoft operating systems and software.

Some business and government servers are at risk of infection, but virtually no home computers are. The original Code Red worm affects computers running Internet Information Services (IIS) software and Windows NT 4.0 or Windows 2000 operating systems.

Code Red II seems to infect only machines running IIS and Windows 2000. Servers using Windows NT crash when Code Red II attempts to infect, SANS said. Machines with Windows 95, 98 or Me are not vulnerable to either worm.

But individual Web surfers could encounter major online slowdowns if hackers going through the backdoor unleash massive denial-of-service attacks, Net security experts said.

"That could be a real wave of traffic that the Internet has not dealt with," Paller said.

Patching the problem

A Microsoft patch designed to protect against Code Red should protect against Code Red II as well, according to a task force of government and industry computer security heavyweights in the United States.

Last week, more than one million patches were downloaded to ward off Code Red. Those measures should help protect against the new bug too.

"It would have been terrible (without the widespread patching). That got a lot of systems fixed," Paller said.

The covert characteristics of the new worm make it more difficult to detect and remove. Computers infected with Code Red II should be reformatted to remove all trace of the worm and the backdoor, said Levy, and any software will need to be reinstalled.

For the original Code Red, rebooting an infected system was sufficient to remove it from memory.

Source of code a mystery

Levy also said that there are few clues pointing to the author or authors of either Code Red worm.

"The way the worm is coded doesn't tell us much," said Levy. "But it's fairly sophisticated and certainly wasn't written by a 'script kiddie,'" a reference to an unsophisticated hacker.

A computer worm is a program that independently spreads and infects by copying itself onto other machines. In contrast, a conventional computer virus must be activated by a user's response after the virus arrives, usually in an e-mail file.

When the Code Red worm made its debut last month, it swept through more than 250,000 computers in nine hours, forced the White House to change its numerical IP Web address, and prompted the Pentagon to take its public Web sites off-line temporarily.

Code Red II, which spreads across nearby servers rather than randomly like Code Red, is designed to stop spreading on October 1.

-- Sci-Tech Editor Daniel Sieberg contributed to this report.

• Riptech
• Microsoft Security Patch
• Code Red technical data
• National Infrastructure Protection Center
• Spread of the Code Red worm, (UC San Diego)

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top