'Code Red' Worm Targets WhiteHouse.gov

A new Internet worm called "Code Red," which has the potential to infect millions of Net servers with a security flaw, started a denial of service attack late Thursday aimed at disabling the official White House Web site.

White House would say only that they had taken "preventative measures" to duck an attack. The White House site was offline Thursday night, but back up on Friday morning. The FBI's National Infrastructure Protection Center confirmed reports on Thursday night that Internet backbone providers were seeing large-scale victimized Web servers scanning for vulnerabilities in Microsoft's Internet Information Server, which hosts a number of Web sites.

"Upon successful infection, the worm will proceed to use the time threat and connect to the www.whitehouse.gov domain," the NIPC says in a statement. "This attack consists of the infected systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov."

In a denial of service attack, a Web site may disabled or overwhelmed by huge numbers of requests for information pouring in from servers afflicted with the worm. A recent study suggests such attacks are very common, numbering in the thousands monthly.

Microsoft offers a free patch to fix the server security flaw, which was uncovered in June.

Once the security problem was identified, Microsoft began sending out alerts, contacting customers individually, and working with the press to spread the word about how to fix it, says Scott Culp, security program manager at the Microsoft security response center.

"We make it as easy as we can for folks to get the information," Culp says.

Despite that effort, it will be hard to contact operators of the estimated 6 million ISS servers in use worldwide.

The creator of the worm is unknown. It was discovered and named by researchers at eEye Digital Security, who say the worm defaces Web pages with the text: "Welcome to http://www.worm.com! Hacked by Chinese!"

"The activity of Ida Code Red worm has the potential to degrade services running on the Internet," says the NIPC statement. "Any Web server running the Microsoft IIS versions 4.0 or 5.0 that is not patched is susceptible to a 'Buffer Overflow.' The NIPC is strongly urging consumers running these versions of IIS 4.0/5.0 to check their systems and install the patch."

Without the patch, the worm can run embedded code on the affected systems, using them as weapons in distributed denial of service attacks on unprotected Web sites. Unlike other viruses, which are passed via e-mail, a typical worm spreads from server to server. Every infected server is used to send information requests to the target URL, eventually overwhelming the site or degrading its service.

"At some point in time, somebody set this worm free. Then it just does the work on its own," says Vincent Gullotto, a senior director at McAfee AVERT, a part of Network Associates. "Somebody just set it into the ISS server environment and it just jumps from machine to machine."

The worm operates on a kind of timer that was set to trigger at 8 p.m. EDT on Thursday, and then run for one week. That seven-day run might not be the end of the problem, however.

"It might start up again next month," Gullotto says. "And the thing about this exploit, somebody could write a variant, push it around, and it could attack another site very easily."

In order to secure systems and help stop these kinds of worms from spreading, systems administrators need to do three things, says Russ Cooper, editor of the security e-mail list NTBugtraq.

First, they need to subscribe to Microsoft's security bulletin service, "so that they're at least aware that patches exist. They've got to start learning about these vulnerabilities to keep themselves secure," Cooper says. Second, he recommends they subscribe to NTBugtraq for further alerts, and last, they need to apply patches for their systems when they become available.