Virus writing group denies involvement with Code Red

Virus writing group 29A denied last week that any of its members created the Code Red or the Code Red II worm. The denial came after a German media report pinpointed 29A as the brains behind the malicious Internet worms.

A Deutsche Presse Agentur (DPA) report last Tuesday said that 29A has been bragging in online chat rooms about unleashing Code Red onto the Net. DPA also described 29A as a Dutch hacker group.

“Some Chinese guy is responsible (for Code Red) not any 29A member,” said a Spanish member of 29A using the alias VirusBuster in an e-mail interview. He added that 29A is not a hacker group, but a virus-writing group. Most members are from Spain and the Czech Republic; none are Dutch, he said.

Mikko Hypponen, manager of antivirus research at anti-virus software vendor F-Secure Corp., has investigated the source of both Code Red and Code Red II and said he “is pretty confident 29A is not involved with any version of Code Red” as they lack the traditional 29A signature.

“The string 29A exists in the code of Code Red II. It is a binary reference to the number 666. The string is part of the code that is executed and not something that was set apart as a signature. In viruses created by a 29A member the signature is not part of the code, but separate and is always in a special format,” he said.

Experts and authorities worldwide are trying to determine who is responsible for Code Red and Code Red II. There is some speculation that the first version was made in China because the worm placed a message saying: “hacked by Chinese” on infected systems. The economic cost of both worms has reportedly risen to nearly US$2 billion.

F-Secure’s Hypponen thinks virus writers who believe the original Code Red came from China made Code Red II in the United States. Hypponen himself doesn’t believe the original worm was created in China, although he doesn’t have anything concrete to back that.

“This (Code Red II) is an anti-Chinese virus. It checks whether it has infected a Chinese machine and then doubles the spreading rate. We think Code Red II was made in the United States as a retaliation,” said Hypponen.

Code Red is a self-propagating worm that exploits a flaw in Internet Information Server (IIS), a part of Microsoft Corp.’s Windows 2000 and Windows NT software. It scans the Internet for vulnerable systems and infects these systems by installing itself. The amount of traffic Code Red generates can slow down the flow of information across the Internet.

The more dangerous Code Red II installs a “back door” in servers that allows attackers to access the infected computer without the usual passwords. Once logged in through the back door, attackers can gain control of the machine.

A patch for the flaw in IIS that is exploited by Code Red and Code Red II has been available from Microsoft since mid-June.

F-Secure, in Espoo, Finland can be reached at