A vulnerability in Microsoft's Internet Information Services (IIS) Web servers leaves the system wide open to the worm, which partly defaces Web site homepages with the text "Hacked by Chinese" in bright red lettering.
According to a posting made by Marc Maiffret, of eEye Digital Security, on the network security newslist BugTRAQ, the bug appears to exploit a buffer overflow flaw in IIS that was first discovered by eEye Digital last month.
The worm spawns one hundred threads on the infected system, which randomly scan for other vulnerable IIS Web servers to infect.
The posting also says that each new infected host starts at the same IP and will in turn continue scanning further down the same track of IPs as previously infected hosts. The ramifications of this are severe as hosts early in this "randomised" IP sequence will be hit over and over as new hosts are infected, creating the potential for a denial of service against early IP addresses in the sequence.
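The concentration of traffic the posting describes can be reproduced in a small offline model (an added example, not code from the posting or from the worm). The generator, seed values, address-space size and the one-host-per-tick infection schedule are assumptions chosen for illustration; targets are plain integers and no network traffic is produced.

```python
import random
from collections import Counter

SPACE = 2**32          # abstract target space (assumed; stands in for IPv4)
SHARED_SEED = 1        # constructed value: every host seeds identically


def hit_counts(n_hosts, probes_per_tick, shared_seed):
    """Count probes per target when one host joins per tick.

    A host that joined at tick t has been scanning for (n_hosts - t) ticks,
    always from the start of its own pseudo-random stream.
    """
    hits = Counter()
    for host in range(n_hosts):
        # Shared seed: identical stream on every host. Otherwise one seed each.
        seed = SHARED_SEED if shared_seed else 1000 + host
        rng = random.Random(seed)
        for _ in range((n_hosts - host) * probes_per_tick):
            hits[rng.randrange(SPACE)] += 1
    return hits


def first_target():
    """First value of the shared stream: the target every host probes first."""
    return random.Random(SHARED_SEED).randrange(SPACE)


def summarize(hits):
    """Distinct targets reached and the load on the busiest one."""
    return {"distinct": len(hits), "max_hits": max(hits.values())}


if __name__ == "__main__":
    for label, shared in (("shared seed", True), ("per-host seed", False)):
        print(label, summarize(hit_counts(50, 20, shared)))
```

With a shared seed the busiest target receives at least one probe from every host and the population as a whole reaches no more targets than its oldest member; with per-host seeds the same number of probes is spread across the space.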
"What makes the Code Red worm so dangerous is that it can be used by anyone with access to the worm itself, who uses the worm to take over a vulnerable server," Damon Wynne, technical executive at Vectra Corporation, told ZDNet.
Preliminary analysis also suggests that hosts can be infected multiple times, therefore creating a drain on system resources.
"Hosts early in the IP sequence will be hit with a traffic based denial of service and those hosts vulnerable to this worm will most likely grind to a halt," the posting says.
"This is the type of software that may have been created by someone quite skillful in what they do, but once in the hands of someone less skillful, it becomes just any piece of software which they use to test a targeted server's vulnerabilities," Wynne added.
Microsoft has a patch for the vulnerability at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/

I got hit by this virus over the weekend, and have since applied the Microsoft patch. However, I've been experiencing other problems since installing the patch which have caused the website to crash every 8-10 hours...