Watch this worm
Shane Coursen, 2001-07-30

The Code Red worm is dangerous because it uses a hacker's technique.

The 'Code Red' worm that hit the Internet last week is different from the type of threat that I am accustomed to tracking.

Worms are technically a subset of computer viruses and traditionally have originated in the form of a physical file: when the file is launched, the worm initiates. Code Red has no such file; it exists only in memory. As intangible as bytes of data stored on a digital medium, Code Red is truly a ghost in terms of worms.

Code Red takes advantage of a known buffer overflow vulnerability. Systems susceptible to this exploit are those running Microsoft's Index Server version 2.0, Windows NT 4.0, or Windows 2000 with an unpatched version of Microsoft's Internet Information Server.

Still, apart from its ability to propagate itself successfully, the worm isn't unique. Code Red is a typical buffer overflow exploit, and can be avoided by applying the patch discussed in the "Unchecked Buffer in the Index Server ISAPI Extension Could Enable Web Server Compromise" advisory.

If we set aside the details that require more advanced technical knowledge of the topic, a buffer overflow exploit is somewhat analogous to overcrowding a room and not having a Fire Marshal to prevent the transgression.

By stuffing too many characters into an HTTP request, Code Red overcrowds its assigned space and spills into the next room. It does this by exploiting a known vulnerability in Microsoft's Indexing Service ISAPI filter: the flawed filter fails to perform proper bounds checking on the length of a user-supplied HTTP request.

Because of this missing check, the body of the request spills into the room where program instructions are processed.
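As an added illustration (not code from the article or from Microsoft), the unchecked copy the text describes is shown beside its bounded form, together with the kind of length check an Internet-facing filter can apply to a request line before the extension ever sees it; QUERY_BUF and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Constructed example, not Microsoft's code; QUERY_BUF is an assumed size
   standing in for the fixed buffer the unpatched ISAPI extension used. */
#define QUERY_BUF 64

/* The defect the article describes: the request field is copied into a fixed
   buffer with no length comparison, so anything longer than QUERY_BUF overruns
   into neighbouring stack data. For contrast only; nothing below calls it. */
void copy_query_unchecked(const char *query)
{
    char buf[QUERY_BUF];
    strcpy(buf, query);          /* no bounds check */
}

/* Hardened form: the bounds check the filter omitted. Returns 0 after copying,
   or -1 so the caller can reject an over-long request instead of truncating. */
int copy_query_checked(const char *query, size_t query_len,
                       char *out, size_t out_len)
{
    if (out == NULL || out_len == 0 || query_len >= out_len)
        return -1;               /* would not fit with its terminator */
    memcpy(out, query, query_len);
    out[query_len] = '\0';
    return 0;
}

/* Same check wrapped around a local QUERY_BUF-sized buffer. */
int accept_query(const char *query)
{
    char buf[QUERY_BUF];
    return copy_query_checked(query, strlen(query), buf, sizeof buf);
}

/* A check an Internet-facing filter can apply before the extension sees the
   request: URL length in a line like "GET /search?q=x HTTP/1.0", 0 if malformed. */
size_t request_url_len(const char *request_line)
{
    const char *start = strchr(request_line, ' ');
    if (start == NULL) return 0;
    const char *end = strchr(++start, ' ');
    return end == NULL ? 0 : (size_t)(end - start);
}

bool request_too_long(const char *request_line, size_t limit)
{
    size_t n = request_url_len(request_line);
    return n == 0 || n > limit;  /* malformed or over-long: reject */
}
```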

Hackers meet virus writers
Code Red is also interesting because it has components of both a hack and a virus.

File and script based worms have been appearing with increased prevalence in the wild for some time now. Writing this type of virus has become very popular, due to its rapid rate of propagation and the apparent ease of writing one.

Hacking, too, has remained popular throughout the years, but for the most part the activities hackers performed on compromised systems have been relatively benign.

But hackers generally haven't been virus writers, and virus writers generally haven't been hackers. Code Red may set off a change in the balance of what becomes more commonplace. Discovering and exploiting vulnerabilities in software may become a trend in virus writing.

Buffer overflow exploits require knowledge in areas in which many people are not currently adept. Do not expect this to be a deterrent to the average virus writer. Incidents of this scale always draw the attention of would-be copycats. The worm method has gained an unusually quick increase in popularity over the past year.

In this case, blocking the virus requires only a simple update of the server's mission-critical software. Future cases may involve similar patches, so make sure to have server update processes in place. Just as with antivirus software, the number one rule of thumb is to have a good understanding of the update process (it isn't difficult). Make sure to apply patches promptly and religiously.

Buffer overflow exploits aren't the only popular method of hacking systems. Overflow vulnerabilities are found quite often, several recently receiving widespread attention. Even with the best defenses, successful incursions into corporate networks take place every day. No software is perfect.

To play devil's advocate for a moment, in this sense we cannot rely completely on Microsoft to provide 100% security. In my experience, 100% security simply isn't possible. To increase protection, use an Internet-facing point product. Be aware, however, that even software packages such as these are susceptible to attacks.

One can, and usually will, find yet another way to exploit any piece of software.

Shane Coursen has worked in the field of antivirus research since 1992. He is currently CEO of WildList Organization International.
Copyright 2010, SecurityFocus