
[cobalt-users] (NIPC) ADVISORY about CODE RED WORM



Greetings ALL,

With all of this RED WORM talk on the site, I thought I would pass on this FBI
NIPC Advisory.

John D. Gorena
JMG-Enterprises.com


ANSIR E-MAIL - NATIONAL INFRASTRUCTURE PROTECTION CENTER (NIPC) ADVISORY
(01-015) "Ida Code Worm"

Internet backbone providers have notified the NIPC they are witnessing
large-scale victimized web servers scanning for Microsoft Internet Information
Server (IIS) vulnerabilities.  The activity of Ida Code Red worm has the
potential to degrade services running on the Internet. Any web server running
the Microsoft IIS versions 4.0 or 5.0 that is not patched is susceptible to a
"Buffer Overflow".  The NIPC is strongly urging consumers running these versions
of IIS 4.0/5.0 to check their systems and install the patch.

The NIPC has determined that the time for the DOS execution of the Ida Code Red
Worm is at 0:00 hours, Greenwich Mean Time (GMT ) on July 20, 2001.  This is
8:00 pm Eastern Daylight Time (EDT).

Recommendation:
The Microsoft bulletin describing this vulnerability and its patch to fix the
problem may be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Microsoft strongly recommends that all web server administrators mitigate this
vulnerability immediately by applying the patch.  Secure Internet Information
Services Checklist:

Background:

The Ida Code Red Worm, which was first reported by eEye Digital Security, is
taking advantage of known vulnerabilities in the Microsoft IIS Internet Server
Application Program Interface (ISAPI) service.  Un-patched systems are
susceptible to a "buffer overflow" in the Idq.dll, which permits the attacker to
run embedded code on the affected system.  This memory resident worm, once
active on a system, first attempts to spread itself by creating a sequence of
random IP addresses to infect unprotected web servers.  Each worm thread will
then inspect the infected computer's time clock. The NIPC has determined that
the trigger time for the DOS execution of the Ida Code Red Worm is at 0:00
hours, GMT on July 20, 2001.  This is 8:00 pm, EDT.

Upon successful infection, the worm will proceed to use the time thread and
connect to the www.whitehouse.gov domain.  This attack consists of the infected
systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov
(198.137.240.91).
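As an added illustration (not part of the advisory or the list post), the following Python script shows how an administrator could look for the activity described above in IIS W3C logs: requests that reach the Index Server ISAPI extension (Idq.dll, serving .ida and .idq) with an abnormally long query string, grouped by source address. The log lines, the 200-character threshold and the field layout are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample lines in IIS W3C extended format
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status). Not real captures;
# the overlong query is simply "N" * 240 standing in for an oversized request.
SAMPLE_LOG = "\n".join([
    "2001-07-19 23:58:01 10.0.0.5 GET /index.html - 200",
    "2001-07-19 23:58:07 10.0.0.9 GET /default.ida " + "N" * 240 + " 200",
    "2001-07-19 23:58:09 10.0.0.7 GET /search.idq CiRestriction=cobalt 200",
    "2001-07-19 23:58:12 10.0.0.9 GET /default.ida " + "N" * 240 + " 500",
])

# Extensions handled by the Index Server ISAPI filter (Idq.dll) named in the advisory.
IDQ_EXTENSIONS = (".ida", ".idq")
# Assumed threshold for this example: legitimate Index Server queries are short.
MAX_SANE_QUERY_LEN = 200

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Return a dict of fields for one W3C log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """True for a request to .ida/.idq whose query string is longer than the threshold."""
    stem = rec["stem"].lower()
    query = "" if rec["query"] == "-" else rec["query"]
    return stem.endswith(IDQ_EXTENSIONS) and len(query) > MAX_SANE_QUERY_LEN

def scan_log(text):
    """Return (list of suspicious records, Counter of hits per source IP)."""
    hits, sources = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec):
            continue
        hits.append(rec)
        sources[rec["ip"]] += 1
    return hits, sources

if __name__ == "__main__":
    found, per_source = scan_log(SAMPLE_LOG)
    for rec in found:
        print(f"{rec['date']} {rec['time']} {rec['ip']} {rec['stem']} "
              f"status={rec['status']} query_len={len(rec['query'])}")
    print("suspicious requests per source:", dict(per_source))
```

The status code is deliberately ignored: a patched server answers such a request with an error, but the source is still scanning and worth noting.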

Additional sites for Details:
http://nipc.gov/warnings/advisories/2001/01-013.html
http://cert.org/advisoris/CA-2001-13.html
http://www.symantec.com/avcenter/security/Content/2001_06_20a.html
http://www.vil.nai.com/vil/virusSummary.asp?virus_k=99142

The NIPC considers this a significant threat and has previously issued an
advisory on Microsoft IIS vulnerability.  (See NIPC advisory 01-013 dated
6-19-01)  Additionally, based on the life cycle of such vulnerabilities, system
administrators can expect to see an increase in new exploits
targeting this service.

Recipients of this advisory are encouraged to report computer crime to their
local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to
other appropriate authorities. Incidents may be reported online at
http://www.NIPC.gov/incident/cirr.htm.  The NIPC Watch and Warning Unit can be
reached at (202) 323-3204/3205/3206 or NIPC.Watch@xxxxxxxx.  FedCIRC Operations
Center can be reached at 1-888-282-0870 or fedcirc@xxxxxxxxxxx.

This FBI Awareness of National Security Issues and Response (ANSIR)
communication is intended for corporate security professionals and others who
have requested to receive unclassified national security advisories. Individuals
who wish to become direct recipients of FBI ANSIR communications should provide
business card information, i.e. company name, address, phone, fax, etc., to
ansir@xxxxxxx for processing, with a brief description of the product and/or
service provided by your organization.