
DialogueScience, Inc. informs


Win32.CodeRed.3569

"No files are required any longer": the worm-virus known as Code Red Worm has given rise to a new method of virus distribution.

This week representatives of several American data security services, together with spokesmen of the Microsoft corporation, have addressed the computer community, warning users of a new wave of the plague stirred up by the worm-virus Code Red Worm. The first appearance of this virus is associated with the date of July 19, 2001, when in just 9 hours the virus infected 250 thousand computers in North America and Europe. The beginning of August will see another upsurge of this worm-virus's activity. Moreover, we may expect the appearance of new and yet more destructive modifications of Code Red Worm.

One may wonder what is so special about the Code Red virus. Well, it differs strikingly from other viruses in being absolutely "bodiless". It neither exists as a file on the infected computer, nor takes any file form while being distributed. Code Red Worm is the first virus in the world whose code does not require the presence of any file at all.

The virus resides solely in the memory of the infected computer and exists as a running process. This very peculiarity makes it difficult to locate and cure the virus with the ordinary tools. Modern anti-virus programs have no effect on Code Red, because they check and treat only files and file operations, whereas this particular "worm" exists only as network packets and as code residing in the computer's memory.

Doctor Web is the only anti-virus program capable of tracing the Code Red virus in the computer's memory; yet Doctor Web cannot block reappearances of the virus and merely satisfies the system administrator's curiosity, reminding him of the need to patch the "hole" in the system's security.

Doctor Web has recognised (and cured) this virus under the name Win32.CodeRed.3569 since July 22 (DrWeb version 4.25 with the 3rd virus base add-on); it is also capable of detecting modifications of the virus.

Previously, before Code Red Worm appeared, network viruses spread as files through Internet e-mail or news (newsgroup) services, using such files to transport the viral code to potential victims. Besides, the viruses had to tempt the user into opening the infected file, for which purpose psychological tricks were used rather than program resources. Hybris, Matrix, Love Letter and SirCam occupied the top lines of the viral hit-parades; each of them used a different approach to the same end.

The Code Red virus needs none of the above methods. To replicate and distribute itself, the virus exploits a "hole" in the security of the Microsoft Internet Information Service software package, which it uses to penetrate the assaulted server and activate itself, having arrived as an ordinary TCP packet on the network. The header of this packet is modified in such a way that the packet contents get loaded into the server's operating memory and take control of the server. It is worth noting that since the times of the legendary Morris worm no worm-virus had attacked or corrupted servers. Code Red Worm is the first worm-virus in the last 13 years to have succeeded in assaulting Internet servers.

The virus hits only computers running the Windows NT/2000 operating system with the Microsoft Internet Information Service package 4.0 or 5.0 installed. A breach in the package's protection was detected this June, and Microsoft was fast enough to respond with a patch (available at the address: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-033.asp).

Unfortunately, one month later, when the Code Red Worm virus appeared, far too many servers were still running without the patch. That, in fact, accounts for the scale of the epidemic we face now.

Another feature makes Code Red Worm different from all other viruses: it runs on the infected system entirely on its own, without any outside assistance. Admittedly, we have already seen viruses capable of launching themselves (take, for instance, the BubbleBoy e-mail virus, which exploited a breach in the protection of MS Outlook to activate itself during a mail receipt session: it was enough simply to receive an infected e-mail message). The existence of such viruses stems from mistakes, drawbacks and security breaches in the software. Today's programs are so complex that one can be practically certain that such "loopholes" exist in them for viruses to creep or squeeze through. Moreover, the greater the popularity of a certain software package, the higher the probability that a "loophole" in it will be located and used by some virus writers.

Let us have a look at the ways the Code Red virus manifests itself. Upon successfully assaulting a server, the virus launches 100 processes on it. 99 of them continue distributing the virus through the network. For this malicious purpose each of these processes randomly generates an IP address to be used for the virus's attacks. Every assault hits a target built around the Windows NT/2000 system with the unpatched Microsoft Internet Information Service package installed. Each newly infected server carries the distribution of the virus further, eventually turning the process into an avalanche. The request packets generated by the virus flood the network, reducing its throughput and overloading the servers.

According to some estimates this method of virus distribution may contaminate half a million servers (!) a day.

Process No. 100 is launched only after verifying that the system identifies itself as the English (US) version of Windows NT/2000. If so, the virus replaces the homepage of the local web server with a page containing the following text:

10 hours later the virus restores the assaulted web page to its initial state.

Should the system differ from the English version of Windows NT/2000, process 100 functions in the same way as the remaining 99 processes.

To cap it all, in the time interval from 20.00 to 23.59 the Code Red virus assaults the White House server (www.whitehouse.gov), attempting to overload the server with the processing of the virus's own packets and thereby making the server inaccessible to other users (the so-called DDoS attack). To achieve this, the virus sends 100 Kb packets addressed to port 80 of the server, dispatching them directly to the server's numeric IP address. After the first wave of the onslaught aimed at the White House server, the server's address was changed, thus removing it from the risk of a direct attack.
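The three behaviours described above (a crafted request arriving on port 80 of the IIS server, the 99 propagation processes each connecting to randomly generated IP addresses on port 80, and the 100 Kb packet flood against a single destination on port 80) each leave a distinctive trace in a server's traffic records. The script below is an added example, not DialogueScience or Doctor Web code, showing how an administrator could triage such records for all three signals at once. The log format, the host addresses and the thresholds are all constructed assumptions for the example; the "over-long request" heuristic is an assumption about how an attempt to exploit the IIS "hole" would look in a log, not the worm's actual signature.

```python
"""Traffic-record triage for the Code Red behaviours described in the notice.

Added example (not DialogueScience or Doctor Web code). Three signals:
  1. inbound:  an over-long HTTP request line to port 80 (assumed to be
     how an attempt on the IIS "hole" shows up; threshold is an assumption)
  2. outbound: one host connecting to many distinct IPs on port 80
     (the 99 propagation processes choosing random targets)
  3. outbound: a large volume of bytes to a single host on port 80
     (the 100 Kb packet flood against one server)
Records use a constructed, simplified format:
  "<time> <in|out> <src> <dst> <dport> <bytes> <request-line or ->"
"""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions tuned to the sample data, not worm constants.
MAX_REQUEST_LEN = 1024      # longest request line a normal client would send
SCAN_DISTINCT_DSTS = 20     # distinct port-80 targets from one source host
FLOOD_BYTES = 1_000_000     # bytes to one port-80 destination from one host


@dataclass
class Record:
    ts: str
    direction: str   # "in" or "out"
    src: str
    dst: str
    dport: int
    nbytes: int
    request: str     # HTTP request line for inbound web hits, "-" otherwise


def parse_line(line: str) -> Record:
    """Parse one constructed log line (7 fields; request line may contain spaces)."""
    ts, direction, src, dst, dport, nbytes, request = line.split(maxsplit=6)
    return Record(ts, direction, src, dst, int(dport), int(nbytes), request)


def find_overlong_requests(records, limit=MAX_REQUEST_LEN):
    """Signal 1: inbound port-80 request lines longer than any sane client sends."""
    return [r for r in records
            if r.direction == "in" and r.dport == 80 and len(r.request) > limit]


def find_scanners(records, min_dsts=SCAN_DISTINCT_DSTS):
    """Signal 2: sources that opened port-80 connections to many distinct hosts."""
    dsts = defaultdict(set)
    for r in records:
        if r.direction == "out" and r.dport == 80:
            dsts[r.src].add(r.dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_dsts}


def find_floods(records, min_bytes=FLOOD_BYTES):
    """Signal 3: (src, dst) pairs with a large outbound byte volume on port 80."""
    volume = defaultdict(int)
    for r in records:
        if r.direction == "out" and r.dport == 80:
            volume[(r.src, r.dst)] += r.nbytes
    return {pair: v for pair, v in volume.items() if v >= min_bytes}


def build_sample_log():
    """Constructed records: one normal hit, one crafted request, a scan, a flood."""
    lines = ["20:01:00 in 10.0.0.5 192.0.2.10 80 412 GET /index.html HTTP/1.0"]
    # Over-long request: constructed filler, not the worm's real request.
    lines.append("20:01:05 in 10.0.0.77 192.0.2.10 80 4200 GET /" + "A" * 3000 + " HTTP/1.0")
    # Propagation: the (now infected) server 192.0.2.10 tries 25 random hosts.
    for i in range(25):
        lines.append(f"20:02:{i:02d} out 192.0.2.10 203.0.113.{i + 1} 80 60 -")
    # Flood: 12 packets of 100 Kb each at a single destination.
    for i in range(12):
        lines.append(f"20:03:{i:02d} out 192.0.2.10 198.51.100.1 80 102400 -")
    return lines


def triage(lines):
    """Run all three detectors over raw log lines and return a summary dict."""
    records = [parse_line(l) for l in lines]
    return {
        "overlong_sources": sorted({r.src for r in find_overlong_requests(records)}),
        "scanners": find_scanners(records),
        "floods": find_floods(records),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_log()).items():
        print(f"{key}: {value}")
```

In the sample data the server 192.0.2.10 first receives the over-long request from 10.0.0.77, then appears as the source of both the scan (26 distinct port-80 destinations, the 25 random targets plus the flood victim) and the flood (1,228,800 bytes to 198.51.100.1). Seeing an inbound hit followed by outbound scanning from the same server is exactly the avalanche pattern the notice describes, and it is visible in traffic records even though no file ever appears on disk.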

Within a month the virus is only active from the 1st to the 27th day inclusive. Outside this period the virus "is asleep".

According to the technical support service of DialogueScience, Inc., reports of the Code Red virus in Russia have so far been scarce.

The virus is quite harmless to users of Windows 95/98/Me and to those who work with Windows NT/2000 without the Microsoft Internet Information Service package installed. As for system administrators, we strongly recommend that they install the required patch (see above).

August 02, 2001

Information Service of DialogueScience, Inc.
E-mail: Antivir@antivir.ru
http://www.antivir.ru



Copyright © 2001 DialogueScience Inc. All rights reserved.