How to repair and repel Code Red attacks

With $2 billion in damages under its belt thus far, the Code Red viruses seem hell-bent on topping the Love Bug's staggering $8.7 billion in losses. It's easy to blame evil hackers for this scourge, but this is one case where it's appropriate to blame the victims, said searchWindowsManageability security expert Scott Blake, director of security strategy for Houston, TX-based BindView Corp. A little prevention could have stopped the insanity weeks ago and could still end the bug's reign of terror. So why hasn't every IT manager put security patches to work? In this searchWindowsManageability interview, Blake answers that question, describes the problems Code Red has caused, and maps out some fixes for those who've been hit. Finally, he advises IT managers to patch now or forever hold their peace.

sWM: What are the most common problems caused by Code Red in enterprise server environments?
Blake: The first incarnations of Code Red caused very little trouble other than some bandwidth use. Code Red 2, on the other hand, has caused some very serious problems -- fortunately these are mostly confined to non-enterprise environments. Cable, DSL, and Web hosting networks have suffered the most from Code Red 2. The worm installs a backdoor on the Web server -- whether a dedicated Web server or a Windows 2000 Professional machine running Personal Web Server doesn't matter. Hackers are scanning the Internet for a system compromised by Code Red 2 and using the backdoor to leverage additional network access and launch attacks at other sites.

sWM: Can you describe some ways that businesses have fixed the Code Red problems they experienced?
Blake: The absolute best thing they've done when any Code Red infestation has been discovered has been to immediately format the hard disks and re-install the operating system. Any other solution leaves open the possibility that someone has used the Code Red 2 backdoor to install another backdoor on the system. Recognizing that this is not always possible, many people have used utilities to scrub the infestation available from Microsoft, SANS, and other sources.

sWM: Have you seen any really unusual Code Red-related malfunctions? How were they resolved?
Blake: We've seen the gamut of possibilities, from simple infections that are trivially removed to fully compromised networks that needed a complete rebuild to regain security.

sWM: What could Microsoft or other industry players have done to respond more quickly and efficiently to the Code Red threat?
Blake: The people who should have responded more quickly are the owners of the compromised systems. The vulnerability that Code Red and Code Red 2 use to break in was known to the public for almost 6 weeks before the worm appeared. Like most vulnerabilities, no one paid much attention until it was too late. Once the worm was loose, it was too late for many people to respond. Security patches need to be installed as soon as they are available.

sWM: Is Code Red's server focus unusual? Are hackers targeting servers more often these days?
Blake: Not unusual at all. Hackers primarily target Web servers and database servers. There is some indication that they also target Windows platforms more than Unix platforms.

sWM: IT managers tell us that patch management is their biggest headache. Why is this so hard to handle?
Blake: There are two reasons. First, there are a lot of patches. New security vulnerabilities are discovered at a rate of several per day. Microsoft has issued 43 security bulletins this year, with more to come. Typically, each bulletin references at least one patch. Second, patches don't receive the same level of QA that other software releases get. As a result, installing the patch may break something on the system. In other words, the cure may be worse than the disease. These combine to make patches a scary prospect indeed.

sWM: Are there any other issues relating to Code Red and these types of attacks that IT professionals should know about?
Blake: Despite the difficulty of installing patches, it is absolutely essential that everyone install as many security patches as quickly as they can. It is the most important thing one can do to prevent a break-in of any sort.
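Blake notes that Code Red 2 leaves a backdoor on the Web server and that attackers then hunt for infected hosts. One defensive check an administrator can run after the interview's advice to patch is to look through IIS logs for the worm's probe traffic. The following is an added example, not part of the interview or any BindView tool; it assumes the widely documented Code Red request shape (a `GET /default.ida` with a long run of `N` or `X` filler followed by `%u`-encoded bytes) and parses constructed sample lines in IIS W3C extended format.

```python
import re
from collections import Counter

# Constructed sample of IIS W3C extended log lines (not taken from the article).
# Field order assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-08-06 14:02:11 192.0.2.10 GET /default.htm - 200
2001-08-06 14:02:37 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-06 14:03:02 203.0.113.5 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 404
2001-08-06 14:03:45 192.0.2.10 GET /images/logo.gif - 200
2001-08-06 14:04:10 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 200
"""

# Code Red (N filler) and Code Red II (X filler) both call the .ida ISAPI extension
# with a long filler run and then %u-encoded bytes; 20 filler chars is a conservative floor.
CODE_RED_RE = re.compile(r"^(N|X){20,}.*%u[0-9a-fA-F]{4}", re.IGNORECASE)

def parse_line(line):
    """Split one W3C log line into a dict; return None for short or malformed lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, clock, cip, method, stem, query, status = parts[:7]
    return {"ts": f"{date} {clock}", "ip": cip, "method": method,
            "stem": stem, "query": query, "status": int(status)}

def is_code_red_probe(entry):
    """True when the request targets default.ida with the worm's filler pattern."""
    return (entry["stem"].lower().endswith("/default.ida")
            and CODE_RED_RE.match(entry["query"]) is not None)

def find_probes(log_text):
    """Return every parsed entry that looks like a Code Red probe."""
    return [e for e in (parse_line(l) for l in log_text.splitlines())
            if e and is_code_red_probe(e)]

def sources_by_count(hits):
    """Count probing hosts; a repeat source is typically an infected machine."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in find_probes(SAMPLE_LOG):
        # A non-404 status suggests the .ida mapping was still enabled when the probe arrived.
        print(h["ts"], h["ip"], h["status"])
    print(sources_by_count(find_probes(SAMPLE_LOG)))
```

Matching lines only show that a host was probed; whether it was actually compromised still requires the host-level inspection or rebuild Blake describes.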


This was first published in November 2001
