IWS - The Information Warfare Site

ADVISORY 01-015

"Ida Code Red Worm"
July 19, 2001

Internet backbone providers have notified the NIPC that they are seeing large numbers of compromised web servers scanning for the Microsoft Internet Information Server (IIS) vulnerability. The activity of the Ida Code Red worm has the potential to degrade services running on the Internet. Any unpatched web server running Microsoft IIS version 4.0 or 5.0 is susceptible to the buffer overflow. The NIPC strongly urges anyone running IIS 4.0/5.0 to check their systems and install the patch.

The NIPC has determined that the trigger time for the DoS (denial of service) phase of the Ida Code Red worm is 0:00 hours Greenwich Mean Time (GMT) on July 20, 2001, which is 8:00 pm Eastern Daylight Time (EDT) on July 19, 2001.

Recommendation:

The Microsoft bulletin (MS01-033) describing this vulnerability and its patch may be found at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp . Microsoft strongly recommends that all web server administrators mitigate this vulnerability immediately by applying the patch.

Secure Internet Information Services Checklist:

Background:

The Ida Code Red worm, first reported by eEye Digital Security, exploits a known vulnerability in the Microsoft IIS Internet Server Application Programming Interface (ISAPI) extension Idq.dll. On an unpatched system, a buffer overflow in Idq.dll permits an attacker to run code embedded in the request on the affected system. The worm is memory resident; once active on a system, it first attempts to spread by generating a sequence of random IP addresses and attacking unprotected web servers at those addresses. Each worm thread then inspects the infected computer's clock. The NIPC has determined that the trigger time for the DoS phase of the Ida Code Red worm is 0:00 hours GMT on July 20, 2001, which is 8:00 pm EDT on July 19.

Once the trigger time is reached on an infected system, each worm thread connects to www.whitehouse.gov (198.137.240.91). The attack consists of the infected systems simultaneously sending 100 connections to port 80 of that address.
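An administrator reading this advisory will want to know whether their own IIS servers have already been probed by the worm, and from where. The following is an added example, not part of the NIPC advisory, the Microsoft bulletin or any vendor tool: a Python script that parses IIS W3C extended log lines and flags requests to the .ida/.idq extensions served by Idq.dll whose query string is overlong or carries %u-encoded bytes, then counts the source addresses doing the probing (each such address is very likely an already infected server). The log lines are constructed for this example, the probe string is an approximation of the worm's request rather than a capture, and the 200-character length threshold is an assumption chosen here.

```python
"""Detection example (added here, not part of the NIPC advisory): flag
Code Red-style probes in IIS W3C extended log lines and summarise the
probing hosts.

Assumptions (labelled): the log carries a '#Fields:' directive naming its
columns; the worm targets the .ida/.idq extensions handled by Idq.dll with
an overlong, %u-encoded query string.  SAMPLE_LOG and PROBE_QUERY below are
constructed for this example, not real captured traffic.
"""
from collections import Counter

# File extensions mapped to Idq.dll (the Index Server ISAPI extension).
ISAPI_EXTENSIONS = (".ida", ".idq")
# Assumption: no legitimate Index Server query string is this long.
OVERLONG_QUERY = 200

# Constructed approximation of the worm's probe: a run of filler bytes
# followed by %u-encoded (Unicode-escaped) bytes that the Idq.dll overflow
# turns into executable code.
PROBE_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a"

# Constructed sample log: one normal hit, two probes from one host, one
# legitimate Index Server query, and a probe from a second host.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 00:01:12 10.0.0.5 GET /index.html - 200",
    f"2001-07-19 00:02:33 192.0.2.17 GET /default.ida {PROBE_QUERY} 200",
    f"2001-07-19 00:02:35 192.0.2.17 GET /default.ida {PROBE_QUERY} 200",
    "2001-07-19 00:03:01 10.0.0.8 GET /search.idq CiRestriction=report 200",
    f"2001-07-19 00:04:44 198.51.100.9 GET /Default.IDA {PROBE_QUERY} 404",
])


def parse_w3c_log(text):
    """Return one dict per data line, keyed by the names in '#Fields:'."""
    fields = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives: skip
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):    # malformed line: skip, don't crash
            continue
        entries.append(dict(zip(fields, values)))
    return entries


def is_ida_probe(entry):
    """True if the request hits a .ida/.idq handler with a suspicious query."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-")
    if query == "-":                      # W3C convention for "empty"
        query = ""
    if not stem.endswith(ISAPI_EXTENSIONS):
        return False
    return len(query) > OVERLONG_QUERY or "%u" in query.lower()


def find_probes(text):
    """All log entries that look like worm probes."""
    return [e for e in parse_w3c_log(text) if is_ida_probe(e)]


def probing_hosts(text):
    """Count probes per source address; these hosts are likely infected."""
    return Counter(e["c-ip"] for e in find_probes(text))


if __name__ == "__main__":
    for e in find_probes(SAMPLE_LOG):
        print(f"{e['date']} {e['time']} {e['c-ip']} {e['cs-uri-stem']} "
              f"sc-status={e['sc-status']} query_len={len(e['cs-uri-query'])}")
    print(probing_hosts(SAMPLE_LOG).most_common())
```

Point `parse_w3c_log` at the contents of a real IIS ex*.log to run the same check on live data. Any probe that reaches a .ida handler at all means the script mapping is still present on that server, so the patch above should be applied whether or not the probe appears to have succeeded; the source addresses reported by `probing_hosts` are worth passing to their owners or to the reporting contacts listed at the end of this advisory.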

Additional sites for Details:

http://nipc.gov/warnings/advisories/2001/01-013.htm
http://www.cert.org/advisories/CA-2001-19.html
http://www.symantec.com/avcenter/security/Content/2001_06_20a.html
http://www.nai.com/other/jump/codered.asp

The NIPC considers this a significant threat and has previously issued an advisory on this Microsoft IIS vulnerability (see NIPC Advisory 01-013, dated June 19, 2001). Additionally, based on the life cycle of such vulnerabilities, system administrators can expect to see an increase in new exploits targeting this service.

Recipients of this advisory are encouraged to report computer crime to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm . The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov. The FedCIRC Operations Center can be reached at 1-888-282-0870 or fedcirc@fedcirc.gov.