IWS - The Information Warfare Site

ASSESSMENT 01-018

"Code Red Reminder and Clarification"
August 16, 2001

Synopsis: The Internet threat posed by Code Red when it changes from a scanning mode to an active distributed denial of service (DDoS) mode at 8 pm (EDT) on August 19, 2001 is significantly reduced. Microsoft's Personal Web Server software does not run on Windows 2000, and is not vulnerable to Code Red or Code Red II. Furthermore, despite reports to the contrary, a third Code Red-type worm has not been discovered.

Reduction of Code Red Threat

Based on our analysis of the code and on previous experience, at 8 pm (Eastern Daylight Time) on August 19, 2001, computers infected with the original Code Red worm will launch another distributed denial of service (DDoS) attack against the White House's IP address. Because of the rapid response from the public, industry, and infrastructure providers to mitigate the potential for damage from this worm, the threat posed by the upcoming attack is significantly reduced. Although many systems remain infected by the more recent Code Red II worm, Code Red II does not engage in active DDoS attacks, and therefore does not generate the same massive volume of network traffic as the original.

Even though the overall effect of Code Red on the infrastructure of the Internet has been reduced to a great extent, all Windows 2000 Professional, Server, and Advanced Server, and Windows NT Server users are again advised to ensure that any systems under their control have been patched prior to August 19, 2001 to avoid further exploitation of the same vulnerability.

The patch and instructions are available at: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Microsoft has provided a tool for identifying vulnerable systems at: http://support.microsoft.com/support/kb/articles/q303/2/15.asp

No Personal Web Server Vulnerability

Questions have been raised by information security professionals and media sources concerning Code Red II infection of Microsoft Personal Web Server (PWS) running on Windows 2000 Professional. PWS, however, is compatible only with Windows 95, Windows 98, Windows Millennium Edition (ME) and Windows NT Workstation; it does not run on Windows 2000 Professional. This misunderstanding ostensibly stems from a "documentation error" in Windows 2000 Professional help which refers to the integrated web server as "Peer Web Services (PWS)," rather than by its correct designation of "IIS 5.0." Therefore, if users are operating the included web server on a Windows 2000 Professional system, the system is vulnerable to the Code Red and Code Red II worms, and must be immediately patched.

Download the patch:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Although similar in some ways to IIS 5.0, PWS is not vulnerable to any version or variation of the Code Red worm. Microsoft still assures users of Windows 95, Windows 98, and Windows Millennium Edition (ME) that no intervention is necessary to protect their systems from Code Red or Code Red II.

REFERENCES:

Documentation Error: Windows Help Refers to PWS Instead of IIS 5.0 (Article ID: Q264056) http://support.microsoft.com/support/kb/articles/Q264/0/56.ASP

Run IIS 5.0 Instead of PWS on Windows 2000 Professional (Article ID: Q262632) http://support.microsoft.com/support/kb/articles/Q262/6/32.ASP

No "Code Red III"

Because of a general lack of clarity in public/industry discussion, and no overarching naming protocol, confusion remains concerning the various "strains" of the Code Red worm. This confusion is especially evident in news accounts of a previously unknown version of the worm, designated "Code Red III."

There are two distinct worms which have both been named "Code Red." The original Code Red worm currently exists in three forms, each with minimal differences, and all based on the same code. These worms are all considered variants of the original, and are named accordingly (Code Red, Code Red.A, Code Red.B). All three versions of Code Red are designed to conduct distributed denial of service (DDoS) attacks against the White House's IP address.

A second worm, named "Code Red II" because it utilizes the same methods to infect vulnerable web servers and exploits the same vulnerability as the original Code Red worm, is an almost entirely different program. Code Red II has been erroneously referred to as "Code Red III." Although Code Red II does not participate in DDoS attacks, the impact of this worm reaches far beyond that of the original Code Red by opening a "back door," enabling malicious users to gain access to the infected computer at a future date.

To date, no information exists to suggest the operation of a previously unknown variant of either the Code Red or Code Red II worms.
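As an added illustration of the two-worm distinction above (not part of the NIPC assessment), the following Python scans IIS 5.0 W3C extended log lines for the probe requests the two worms send and attributes each hit to its source host. The log lines are constructed; the signature patterns (a GET for default.ida whose query string opens with a long run of 'N' for the original Code Red or 'X' for Code Red II) are the ones documented for the worms, shortened here for readability.

```python
import re
from collections import Counter

# IIS 5.0 W3C extended log fields, in the order the #Fields: directive names them.
FIELD_NAMES = ["date", "time", "c_ip", "user", "s_ip", "s_port",
               "method", "uri_stem", "uri_query", "status"]

# Both worms hit the same .ida ISAPI overflow and differ in the filler byte of the
# oversized query string (original Code Red: 'N', Code Red II: 'X').  Real probes
# carry 200+ filler bytes; 16 keeps the constructed samples readable.
SIGNATURES = {
    "Code Red": re.compile(r"^N{16,}"),
    "Code Red II": re.compile(r"^X{16,}"),
}

def classify(line):
    """Return 'Code Red', 'Code Red II', or None for one W3C log line."""
    if line.startswith("#"):  # directive lines such as #Fields: / #Date:
        return None
    parts = line.split()
    if len(parts) < len(FIELD_NAMES):  # truncated or non-W3C line
        return None
    rec = dict(zip(FIELD_NAMES, parts))
    # The request shape alone marks the source as an infected scanner.
    if rec["method"] != "GET" or not rec["uri_stem"].lower().endswith("/default.ida"):
        return None
    for worm, pattern in SIGNATURES.items():
        if pattern.match(rec["uri_query"]):
            return worm
    return None

def scan(lines):
    """Count probes per (source IP, worm) so infected hosts can be reported."""
    hits = Counter()
    for line in lines:
        worm = classify(line)
        if worm:
            hits[(line.split()[2], worm)] += 1
    return hits

# Constructed sample log (RFC 5737 test addresses; filler runs shortened).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2001-08-16 13:02:11 198.51.100.7 - 192.0.2.10 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 200
2001-08-16 13:05:40 203.0.113.9 - 192.0.2.10 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404
2001-08-16 13:06:02 192.0.2.55 - 192.0.2.10 80 GET /index.htm - 200
"""

if __name__ == "__main__":
    for (src, worm), n in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:15} {worm:12} {n} probe(s): infected host, isolate and patch")
```

Each reported source address is a machine that is itself infected and scanning, which is the host to isolate and patch; the status code your server returned says nothing about the source.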

For more information:
http://www.nipc.gov/warnings/advisories/2001/01-017.htm
http://www.incidents.org/react/code_red.php
http://www.idefense.com/pages/ialertexcl/coderedfaq.htm

Recipients of this assessment are encouraged to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.