New variant of Code Red worm found

The same company that discovered the original Code Red worm that has been wreaking havoc worldwide this week said late Friday it has identified a variant of the worm, which is harder to track.

The variant of the Code Red worm has been modified in subtle but important ways that make it harder to identify and track, said eEye Digital Security Inc. chief hacking officer Marc Maiffret in a message to the Bugtraq security e-mail list. The variant worm no longer contacts hosts early in the sequence of IP (Internet Protocol) addresses that the original worm scanned, which will make the worm harder to track, Maiffret said. Also, the variant does not deface the pages of infected host systems the way the original worm did, making it more difficult to know if a system is compromised, he said. The worm does still send attack traffic to the White House Web site.

The new worm has only had about 13 bytes of code changed from the original, and is employing capabilities that were always in the original worm, Maiffret said. Though the code that enables the new functions of the worm has always been there, Maiffret believes that the new worm is a re-release of the original, rather than part of a natural progression.

“This is the worst security event in Internet history,” said Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq (which is distinct from BugTraq). “We haven’t seen a worm that involves this many hosts and is this complex.”

If the systems affected by the worm continue to go unpatched, “the impact, we predict, is a meltdown.” The Internet will be so bogged down with traffic from infected systems that many Web sites will become unavailable, including, possibly, the very sites that would provide information on how to patch the vulnerability or defeat the worm, he said. Additionally, the worm is crashing infrastructure devices, like routers, which has the potential to take many more systems offline, he said.

The variant of Code Red has infected as many systems in one day in the wild as the original worm did roughly a week, Cooper said.

Administrators and the computer security community have a 10 to 11 day window of opportunity to fix the vulnerability in Microsoft Corp. IIS (Internet Information Server) servers before the worm begins scanning for new victims again, Cooper said. Variants could shrink this window even smaller, as variants may include new code, he said.

Stuart Staniford, president of Silicon Defense and another security expert who has been tracking the spread of the variant, posted a follow-up e-mail to Maiffret’s to the Bugtraq list later Friday.

“There’s no doubt a great deal of it still (lying) dormant,” he wrote. “This was definitely a big bad worm. I imagine the worm writers can improve significantly on 1.8 compromises/hour though (the rate at which the worm is infecting servers, according to Staniford), so it’s only going to get worse.”

NTBugtraq’s Cooper is working on code to help stem the spread of the worm and said that he would be publishing a script that will patch the vulnerability with a single click. The script will be available on the NTBugtraq Web site ( later Friday, he said. He also said that he would be willing to help any administrator patch their system either by e-mail or the phone.

The original Code Red is a worm that attacks Microsoft IIS systems vulnerable to a certain type of buffer overflow attack discovered in mid-June. The worm spreads itself by infecting a system and then running through 100 nearly random IP addresses looking for other vulnerable machines. When it finds them, it infects them and repeats the process. The worm also makes infected systems send 100k-bytes of traffic to the Web site from July 20 to July 27.

EEye Digital Security, in Aliso Viejo, Calif., can be reached at Microsoft Canada, in Mississauga, Ont., can be reached at

More information on the IIS Indexing Service DLL and patches that close the vulnerability are available on Microsoft’s Web site at