Code Blue a possible attempt to stop Code Red

The Code Blue worm, which Chinese antivirus researchers uncovered last week, might be a “misguided attempt to protect people against the Code Red,” according to a Hong Kong-based security expert.

“It is possible that Code Blue was created to cause chaos and to change the configuration of the Internet Information Server (IIS) so that Code Red can no longer spread,” said Allan Dyer, chief consultant at Yui Kee Computing Ltd., an antivirus and network security firm in Hong Kong.

The Code Blue worm takes advantage of a security vulnerability in Microsoft IIS 4 and 5 for which a patch has previously been released; however, people who have not updated their security systems are open to infection, Dyer said.

Network Associates Inc., the parent company of antivirus vendor McAfee, said that there is nothing that relates Code Blue to Code Red.

The two worms work in different ways, said Allan Bell, senior marketing manager at NAI. Code Blue uploads the worm file from another infected machine, whereas Code Red downloads and imposes itself to infect a machine. Also, Code Blue writes files to the hard disk and does not use a buffer overflow to exploit the system, he said.

“Code Blue is certainly not an antidote to Code Red,” Bell said. He said that when there was a Code Red outbreak earlier this year, a “good worm,” dubbed Code Green, was created by a moralistic virus writer. It was programmed to search for Code Red, replace it, and kill itself off once the task was complete.

According to Bell, in the early days of the Internet, it was possible to release an “antidote” to capture a harmful worm, but today the Internet is too large and disconnected for such an approach to work. “A step like that could cause more havoc than good,” he said.

Code Blue has been given a low risk assessment by the antivirus giants NAI and Symantec, and they said that there have been no reports of it out in the wild.

“We’ve not paid that much attention (to Code Blue) because it’s low risk,” said David Banes, regional manager for Symantec’s Sydney-based security response team. “We get hundreds of virus samples every month in our database and they get forgotten (because they are low risk),” he said.

Banes said that he has to study what Code Blue is doing before he can confirm if the worm has characteristics of trying to stop Code Red.

Although Code Blue is listed in the low risk category, NAI said that customers should continue to take steps to protect their systems. Bell said that there is always a percentage of people who are vulnerable even though the security vulnerability that Code Blue exploits already has a patch.

“Virus writers rely on the fact that not everybody has updates,” Bell said.

Furthermore, threats don’t go away.

“The Love Letter virus which started back in May last year is still out there and circulating,” Bell said, adding that unless people gradually update their systems and have antivirus installed, there will be viruses lurking, ready to attack.

So far, antivirus vendors said that there have been no reports of Code Blue outside mainland China.