MessageLabs, the email security company, is warning businesses that run Microsoft’s Internet Information Server (IIS) web server software that they must protect their systems against the malicious Code Red worm. At midnight GMT on Wednesday 1st August, the worm is due to propagate again, potentially causing problems for web servers across the world. Unlike the recent SirCam virus, Code Red does not use email to distribute itself, but it poses a security threat to a targeted group of the IT community.
The Code Red worm will enter “re-propagation mode” on 1st August at midnight, GMT, in which it will infect web servers running Microsoft’s IIS software that lack the latest patch. Servers with incorrect clocks may re-enter propagation mode at earlier or later times. Following this, all infected servers will attack the same designated IP address at a specific time in the future. The White House (www.whitehouse.gov) was the subject of such an attack in July, and the worm will re-attack The White House on the 20th of August at midnight, GMT. It is possible that new variants of the worm will attack other IP addresses at other times. This could cause a “denial of service” attack on the chosen IP addresses, in which business web sites and networks are inundated with requests by the worm, causing systems to overload and crash. Code Red also replaces the web page of the host with the text: Welcome to http://www.worm.com ! Hacked By Chinese !
Code Red exploits a flaw in Microsoft’s IIS web server. The flaw has been known for some time, and a patch is available to download from the Microsoft website. The reality is that very few people have downloaded the patch, and the rest could therefore be leaving themselves open to attack. According to Alex Shipp, Chief Anti-Virus Technologist at MessageLabs, “It is relatively straightforward to protect yourself against Code Red but I am sure many companies will not have downloaded the patch yet.”
MessageLabs advises businesses using Microsoft IIS web server software to download the patch immediately.