The new variant has been dubbed CodeRed.d, and exploits the same Index Server flaw in Microsoft's Internet Information Server (IIS) software as the initial Code Red. According to Roger Thompson, technical director of malicious code research at anti-virus firm TruSecure, who detected the variant, the appearance of a new worm indicates that we are stuck with the Code Red problem "forever."
"This is pretty much noise level for Code Red II and CodeRed.d--it's not going to get any better or worse, and will stay like this forever," said Thompson. "Those machines that have not yet been patched never will be, meaning that the worm is here to stay."
CodeRed.d is nearly identical to its predecessor, except for two minor pieces of code that make it slightly more malicious. Code Red II used a self-recognition string of code that prevented it from re-infecting the same machine--but in the new variant, the string of code is replaced with underscore characters, meaning that both Code Red II and CodeRed.d can re-infect the same machine at once. "People won't notice, but it will be banging out twice as many attempts to attack other PCs," said Thompson. "It randomly selects a range of addresses to attack other machines--each worm will be churning out 300 threads to try and infect 300 different addresses at any one time."
And CodeRed.d can target a greater spread of IP addresses than could earlier versions of Code Red, said, added Thompson. "But this is mitigated by those who have patched their machines."
Thompson discovered CodeRed.d after writing his WormCatcher program, which monitors for traffic on a Web server's port 80, and immediately detects any unknown worm variants. The first report of the new Code Red II permutation came from New Zealand, followed by a second from the US. "I am now getting 10 hits an hour of reported catches--but I suspect that this figure would have been much higher last month when few people has installed the Microsoft patch," said Thompson.
According to Thompson, four to five new worms are created by accident on the Internet every day--but CodeRed.d was intentional. "This didn't happen by accident--someone was trying to get Code Red to go again, and we will be seeing more variations of this worm," Thompson warned.
