From: "Scott E. Harrigan"
To:
Subject: Code Red Worm - Distributed DOS/Buffer attack
Date: Friday, July 20, 2001 10:58 AM

Hello--

As many might know by now, a worm named 'Code Red' has been exploiting a buffer overflow problem on unpatched Microsoft IIS servers. It does have malicious code as a payload, and its behavior is malicious in general.

In seeking out new unpatched IIS servers to spread to, multiple iterations of the worm on hundreds or thousands of servers can cause an 'unintentional' DoS (Denial of Service) attack as they flood some servers with attempts at the buffer overflow attack on port 80. This is due to a flaw in the random number generating code of the worm, which causes it to start in the same area of IP addresses when it starts the search. I believe we have seen reports of this on campus.

Additionally, the worm attempts at a certain time to engage in an intentional distributed DoS attack on www.whitehouse.gov. This was attempted last night at 8 pm EST. The servers there were protected by changing their IP addresses and DNS entries.

Finally, it will deface all web pages on the infected server with the text 'Hacked by Chinese'.

The worm also exposes which machines are vulnerable to the buffer overflow attack, and this information can be used by other crackers to take control of the machine, since the overflow attack allows the execution of arbitrary code.

This worm will continue its attack on schedule next month, so there is only a short window during which to patch servers. MS had to do complete system reinstalls in order to disinfect their machines after the MSN site and others had defaced pages.

This buffer overflow exploit was discovered and patched a month ago, but was just as quickly incorporated into a vicious worm. Staying up to date with patches is critical in this fast developing area.

More information can be had at:
http://eeye.com/html/Research/Advisories/AL20010717.html

--Scott
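The "same area of IP addresses" effect Scott describes, as an added example that is not part of the original message and is not the worm's own code: a simulated scanner whose every instance starts its target generator from the same hard-coded seed, beside one that mixes in a per-host value. The linear congruential generator, its constants, HARDCODED_SEED and the per_host_seed mixing are assumptions chosen for illustration; the real worm's generator is not reproduced here.

```python
"""Why a fixed-seed target generator turns a worm's scanning into a DoS
against a handful of hosts.  Added example, not code from the original
message or from the Code Red worm; the generator, its constants and the
seed are assumptions chosen to illustrate the effect."""
from collections import Counter
from typing import Callable, Iterator, List

# Assumed generator: a small full-period linear congruential generator
# (c odd, a-1 divisible by 4, modulus a power of two), so consecutive
# states never repeat within a scan window.
LCG_A = 1103515245
LCG_C = 12345
LCG_M = 2 ** 31

# Assumed constant that the flawed build bakes into every copy.
HARDCODED_SEED = 0x12345678


def lcg(seed: int) -> Iterator[int]:
    """Yield successive LCG states starting from seed."""
    state = seed % LCG_M
    while True:
        state = (LCG_A * state + LCG_C) % LCG_M
        yield state


def int_to_ip(n: int) -> str:
    """Render a 32-bit integer as dotted-quad text."""
    n &= 0xFFFFFFFF
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def target_list(seed: int, count: int) -> List[str]:
    """The first `count` addresses an instance seeded with `seed` probes."""
    gen = lcg(seed)
    return [int_to_ip(next(gen)) for _ in range(count)]


def fixed_seed(host_id: int) -> int:
    """The flaw: every infected host starts from the same seed, so every
    copy walks the same address list in the same order."""
    return HARDCODED_SEED


def per_host_seed(host_id: int) -> int:
    """What a correct generator would do: mix in something unique to the
    host (host_id stands in for local entropy such as the host's own
    address or clock). The mixing formula is an assumption."""
    return (HARDCODED_SEED + 7919 * host_id + 1) % LCG_M


def simulate(instances: int, probes_each: int,
             seed_for: Callable[[int], int]) -> Counter:
    """Count how many probes each address receives when `instances` copies
    of the worm each send `probes_each` connection attempts to port 80."""
    hits: Counter = Counter()
    for host_id in range(instances):
        hits.update(target_list(seed_for(host_id), probes_each))
    return hits


def concentration(hits: Counter, top_n: int) -> float:
    """Fraction of all probes that landed on the top_n most-hit addresses."""
    total = sum(hits.values())
    top = sum(count for _, count in hits.most_common(top_n))
    return top / total if total else 0.0


if __name__ == "__main__":
    for label, seed_fn in (("hard-coded seed", fixed_seed),
                           ("per-host seed", per_host_seed)):
        hits = simulate(instances=100, probes_each=50, seed_for=seed_fn)
        print(f"{label}: {len(hits)} distinct targets, "
              f"busiest target hit {max(hits.values())} times, "
              f"top 50 targets absorb {concentration(hits, 50):.0%} of probes")
```

Run as a script, the hard-coded variant shows 100 instances sending 5,000 probes that all land on the same 50 addresses, so each of those hosts receives 100 overflow attempts: that is the unintentional DoS against whichever servers sit at the start of the shared sequence. With a per-host seed the same volume of traffic is spread across the address space and no single target is hammered.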