Feeling the Effects of Code Red II
Many companies that protected themselves with Microsoft's patch are still seeing their servers slow down.
Todd R. Weiss, Computerworld
Users who thought that installing a Microsoft patch would protect their systems against problems caused by the Code Red worm may need to change their thinking following last weekend's emergence of the more aggressive Code Red II.
Microsoft's patch, available in separate versions for Windows 2000 and Windows NT 4.0, prevents computers running the software vendor's Web server software from being infected by Code Red II. But users and analysts say it can't stop servers from becoming potential targets for massive port scanning attacks being unleashed by worm-infected machines around the globe.
"There's a lot of innocent victims here," says Marty Lindner, an incident handling team leader at the Computer Emergency Response Team Coordination Center at Carnegie Mellon University in Pittsburgh.
The problem, he says, is that Code Red II is invading unpatched servers and then using them to send out huge numbers of system scans in an attempt to find other computers that are vulnerable.
Patch Is Not Enough
Even though many users have patched their servers, Lindner adds, the scans are nonetheless tying up available system resources and slowing down performance. Internet service providers have been hit particularly hard because they maintain such a large number of Internet Protocol addresses for their customers, he says.
Joe Hayes, co-chief executive officer at Media3 Technologies, a Web site hosting business in Pembroke, Massachusetts, says his company was hammered last weekend by scans coming in at a rate of thousands per second, despite having installed the patch for Microsoft's Internet Information Services software on its Windows-based servers.
"We did everything we were supposed to do," Hayes says. But he adds that the company was still hit by port scans from infected machines elsewhere, tying up its servers in a denial-of-service type of attack. UNIX and Linux servers that aren't vulnerable to the Code Red worms were also targeted by the destructive scanning probes, according to Hayes.
In a notice to its clients, Media3 says it began to feel the effects of Code Red II on Saturday, when the scanning traffic prevented Web pages from loading. With help from Microsoft, the notice states, the company "was able to deflect this attack and restore Web delivery services ... late Sunday night." But some users continued to experience anomalies in Web site performance after that, it adds.
All-New Worm
While Code Red II has been given a similar name to the worm that struck servers in two waves during the past few weeks, it isn't a variant of the first Code Red, according to an advisory posted by the SecurityFocus.com information service in San Mateo, California.
Instead, Code Red II is an all-new worm that shares some signature attributes of its predecessor and imitates the method of attack used by the original Code Red.
But security analysts view it as potentially more dangerous than the first worm for two reasons. First, Code Red II installs a backdoor program in systems that could allow attackers to easily access infected computers and take control of them. It is also more aggressive about trying to spread itself to other systems, resulting in all the scanning activity, analysts say.
Greg Shipley, director of consulting services at security vendor Neohapsis in Chicago, says Code Red II targets "neighborhoods" of IP addresses, concentrating its attacks instead of launching the random global attacks used by the first worm. The concentrated attacks create disruptive "broadcast storms" that have particularly hurt Internet access networks, he says.
So far, Lindner says, CERT has confirmed at least 150,000 Code Red II infections worldwide since last Saturday. Ironically, even Microsoft itself was affected by the worm: It confirmed this week that two unpatched servers used for its Web-based Hotmail e-mail service were infected.

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.