
How to repair and repel Code Red attacks

BindView's Scott Blake describes the problems Code Red has caused, and maps out some fixes for those who've been hit.

With $2 billion in damages under its belt thus far, the Code Red virus seems hell-bent on topping the Love Bug's staggering $8.7 billion in losses. It's easy to blame evil hackers for this scourge, but this is one case where it's appropriate to blame the victims, said searchWindowsManageability security expert Scott Blake, director of security strategy for Houston, TX-based BindView Corp. A little prevention could have stopped the insanity weeks ago and could still end the bug's reign of terror. So why hasn't every IT manager put security patches to work? In this searchWindowsManageability interview, Blake answers that question, describes the problems Code Red has caused, and maps out some fixes for those who've been hit. Finally, he advises IT managers to patch now or forever hold their peace.

sWM: What are the most common problems caused by Code Red in enterprise server environments?

The first incarnations of Code Red caused very little trouble other than some bandwidth use. Code Red 2, on the other hand, has caused some very serious problems -- fortunately these are mostly confined to non-enterprise environments. Cable, DSL, and Web hosting networks have suffered the most from Code Red 2. The worm installs a backdoor on the Web server -- whether it is a dedicated Web server or a Windows 2000 Professional machine running Personal Web Server doesn't matter. Hackers are scanning the Internet for systems compromised by Code Red 2 and using the backdoor to leverage additional network access and launch attacks at other sites.

sWM: Can you describe some ways that businesses have fixed the Code Red problems they experienced?

The absolute best thing they've done when any Code Red infestation has been discovered has been to immediately format the hard disks and re-install the operating system. Any other solution leaves open the possibility that someone has used the Code Red 2 backdoor to install another backdoor on the system. Recognizing that this is not always possible, many people have used utilities, available from Microsoft, SANS, and other sources, to scrub the infestation.

sWM: Have you seen any really unusual Code Red-related malfunctions? How were they resolved?

We've seen the gamut of possibilities, from simple infections that are trivially removed to fully-compromised networks that needed a complete rebuild to regain security.

sWM: What could Microsoft or other industry players have done to respond more quickly and efficiently to the Code Red threat?

The people who should have responded more quickly are the owners of the compromised systems. The vulnerability that Code Red and Code Red 2 use to break in was known to the public for almost 6 weeks before the worm appeared. Like most vulnerabilities, no one paid much attention until it was too late. Once the worm was loose, it was too late for many people to respond. Security patches need to be installed as soon as they are available.

sWM: Is Code Red's server focus unusual? Are hackers targeting servers more often these days?

Not unusual at all. Hackers primarily target Web servers and database servers. There is some indication that they also target Windows platforms more than Unix platforms.

sWM: IT managers tell us that patch management is their biggest headache. Why is this so hard to handle?

There are two reasons. First, there are a lot of patches. New security vulnerabilities are discovered at a rate of several per day. Microsoft has issued 43 security bulletins this year, with more to come. Typically, each bulletin references at least one patch. Second, patches don't receive the same level of QA that other software releases get. As a result, installing the patch may break something on the system. In other words, the cure may be worse than the disease. These combine to make patches a scary prospect indeed.

sWM: Are there any other issues relating to Code Red and these types of attacks that IT professionals should know about?

Despite the difficulty of installing patches, it is absolutely essential that everyone install as many security patches as quickly as they can. It is the most important thing one can do to prevent a break-in of any sort.
