Deadlier 'Code Red II' on the loose

Yet another worm is on the loose on the Internet, and security experts are warning that this one is far more dangerous than any of the variants of the Code Red worm.

Although it has been dubbed Code Red II, the new worm bears little resemblance to its namesake. The only similarity is that they exploit the now-famous buffer overflow vulnerability in the .ida DLL in Microsoft's Internet Information Services 4.0 and 5.0 Web servers.
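Because the worm reaches a server only through an over-long request to the .ida ISAPI extension, administrators can spot attempts in their own IIS logs. The following is an added detection example, not code from the article or from any vendor; the W3C-style log lines are constructed, the 200-character threshold is an assumption, and the long run of "X" characters merely stands in for an oversized query string.

```python
import re
from collections import Counter

# Constructed IIS W3C-format log lines (not real captures): one ordinary request,
# two oversized requests for default.ida from one source, and a short .ida query.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 10:01:12 192.0.2.10 GET /index.html - 200
2001-08-05 10:01:13 198.51.100.7 GET /default.ida {q} 200
2001-08-05 10:01:14 198.51.100.7 GET /default.ida {q} 200
2001-08-05 10:01:15 203.0.113.9 GET /scripts/test.ida short=1 404
""".format(q="X" * 240)

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$"
)

def is_ida_overflow_attempt(stem, query, threshold=200):
    """Flag a request to the .ida extension whose query string is far longer
    than any legitimate index query; that is the shape of the overflow the
    article describes. The threshold is an assumed tuning value."""
    return stem.lower().endswith(".ida") and query != "-" and len(query) >= threshold

def scan_log(text, threshold=200):
    """Return (flagged_lines, attempts_per_source_ip) for a W3C log text."""
    flagged = []
    per_ip = Counter()
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip directives and blanks
            continue
        m = LOG_RE.match(line)
        if not m:                               # ignore lines in another format
            continue
        if is_ida_overflow_attempt(m["stem"], m["query"], threshold):
            flagged.append(line)
            per_ip[m["ip"]] += 1
    return flagged, per_ip

if __name__ == "__main__":
    hits, sources = scan_log(SAMPLE_LOG)
    print(f"{len(hits)} suspicious .ida requests from {len(sources)} source(s)")
    for ip, n in sources.most_common():
        print(f"  {ip}: {n}")
```

A source that appears repeatedly is worth checking for infection itself, since the article notes the worm scans its own network first.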

However, Code Red II, unlike the original worm, carries a destructive payload: a so-called "backdoor" that is planted on infected machines. The backdoor leaves the infected computer completely open to compromise and remote use by an attacker.

Security experts estimate that it has infected somewhere between 150,000 and 400,000 servers.

Once Code Red II infects a machine, it creates a Web site whose root maps to the C: and D: drives of that computer. The backdoor gives the attacker read/write access to those drives as well as the ability to reboot the box and install any software he or she chooses, said Russ Cooper, "surgeon general" of TruSecure.

Because the new worm exploits the same vulnerability as the original Code Red, Cooper said it is likely that many people infected by Code Red II haven't been paying attention to any of the news coverage of the worms and, therefore, have no idea that they need to patch their systems.

"Whoever is infected, those boxes are going to be there and be infected forever," he said.

Security experts speculate that the worm may have been written by 29A, a notorious virus-writing group.

Faster at spreading

Unlike its predecessor, the new worm spawns 300 separate threads and also uses several other programming tricks in order to spread itself more quickly than the original Code Red, said Elias Levy, chief technology officer of SecurityFocus, the security portal that runs the popular Bugtraq mailing list.

Instead of scanning the entire Internet at random for new machines to infect, the new worm first scans those machines on its current network, which Levy says gives it a greater chance of finding vulnerable machines. It also doesn't wait nearly as long to disconnect from a machine that is not vulnerable.

Levy added that the only thing that has surprised him about the entire Code Red saga is how difficult it has been to get administrators to patch their systems. He predicts that ISPs will soon be forced to cut off traffic coming from infected IIS boxes, a practice known as "black holing" that is often used to stop spam.

Code Red II is also causing some collateral damage, TruSecure's Cooper said. Companies running transparent proxy servers are finding that the proxies are crashing at a furious rate. As the worm sends out its hundreds of threads, the proxy tries to open a TCP connection for each request that the worm makes; that, in turn, eats up all of the proxy's available resources.

This effect would be compounded if the affected network has several or even several dozen infected machines on it, all attempting to send hundreds of requests a minute. One member of Bugtraq said he saw more than 35,000 such outbound requests on Sunday.

"The proxy simply can't handle that volume of requests," Cooper said. Ironically, proxies are often used to cloak the IP addresses of machines on a network in order to prevent crackers from gathering data on them.

The original Code Red worm infected more than 500,000 IIS servers over the last three weeks.
