Guest
Posted: 31 July 2001

Information on "Code Red" IIS worm virus

Please be aware that the impacts of this worm will not only affect our web servers if not protected, but the performance of the Internet. "There is reason for concern that the mass traffic associated with this worm's propagation could degrade the functioning of the Internet," according to Ronald Dick, director of the National Infrastructure Protection Center.

We have taken every precaution internally with servers that we have control over. There are, however, department web servers which could become infected and propagate the worm to other servers.

The worm remains active between the first of the month and the 28th, when it goes into hibernation. While the worm does not reactivate itself automatically, any computer vandal sending a copy of the worm once the active period begins (in this case at 12:01 a.m. GMT Aug. 1, or 5 p.m. PDT Tuesday) would start a new round of infections. On the 19th of the month, the worm is set to switch to attack mode and barrage the whitehouse.gov Internet domain with large packets of data.

A malicious piece of code, operating as a computer worm, is exploiting unpatched IIS Web servers on the Internet. This worm, dubbed "Code Red", exploits a security vulnerability in the Windows NT4 and Windows 2000 Index Services, and may result in one of several outcomes, including web site defacement and installation of Denial of Service tools. A patch for this vulnerability was released on June 18th, 2001, and is discussed in Microsoft Security Bulletin MS01-033.

Analysis of the Code Red worm shows that it will infect unpatched IIS servers, first defacing the web page, and then loading malicious code that could be used in launching Distributed Denial of Service (DDOS) attacks. The defaced web page may contain the words "Hacked by Chinese!" and a link to http://www.worm.com, while the DDOS code appears to prepare the system to launch an attack against www.whitehouse.gov. Upon compromising the system, the worm attempts to propagate itself to other unpatched IIS systems on the Internet.

The patch provided in Microsoft Security Bulletin MS01-033 eliminates the vulnerability exploited by the worm, and systems that have applied the patch are not vulnerable to this attack.

Thank You,
Client Services