"Compared to last week's (Code Red) attacks, this one is hitting harder," said Matt Fearnow, a security expert who tracks computer viruses and hacking incidents for the Systems Administration, Networking and Security Institute (SANS).
The new worm, which was discovered Friday, does more than just overwhelm networks. After it infects a computer server, it reboots the computer and leaves behind a "back door" that could allow a hacker to gain control of or access the infected systems, Fearnow said.
SecurityFocus.com has posted an alert on the new bug, warning that it is potentially more damaging than the relatively benign original that infected hundreds of thousands of systems beginning July 11.
The original Code Red worm prompted the White House to move the address of its Web site and led to government warnings from the FBI. But the reactivated worm was seen as having tapered off by the end of last week.
The new worm, which some are calling Code Red II, attacks the same vulnerability--originally reported by CNET News.com in June--in Windows 2000 and Windows NT servers running Microsoft's Internet Information Service (IIS) Web server software.
The two major differences between the original Code Red worm and the new variant is the way the latest bug spreads itself and the establishment of the back door.
Security experts said the new worm has the potential to spread faster and consume more network bandwidth.
"Whether it is attacking more systems than the one last week, I don't know for sure," said Jerry Freese, director of intelligence at Vigilinx, a New Jersey-based network security company. "But I do know that this one can spread a little quicker based on its addressing scheme."
Marc Maiffret, chief hacking officer with eEye Digital Security, the company that found the IIS flaw, said the same techniques will prevent infection with the new bug, including installing Microsoft's patch for the IIS hole. But once a computer is infected with the latest strain, there are several additional files that must be deleted to remove the back door.
The new strain is also busier. Whereas the original Code Red looked for 100 systems at a time to infect, the new strain looks for 300 at a time, unless the infected computer is running a Chinese-language version of Windows NT or Windows 2000, in which case it looks for 600 computers at a time, Maiffret said.
The new bug also uses the attacked computer's Internet Protocol (IP) address to look for nearby systems to infect, operating on the theory that if there is one vulnerable computer, there could be others nearby, Maiffret said.
The appearance of the variant confirms worries that the Code Red bug would lead to other, more damaging infections, Maiffret said.
"Even this, it's more malicious but it is not nearly as bad as it could have been," Maiffret said. But while an even worse bug could be in the offing, Maiffret said more and more people are installing the patch that protects against the original Code Red and the new strain.
"Each one of these, in a way, is helping to secure things," Maiffret said.
Fearnow said SANS is working on posting instructions for removing the back door created by the new worm.
Bruce Pennypacker, who works for an Internet search company in Massachusetts, said that at last check his personal system had 939 probes by the two Code Red worms, with 793 coming from the new variant.
"I'm seeing an average of about 10 to 50 scans per hour at this point, mostly from RoadRunner (cable modem) IP addresses," Pennypacker said in an email interview.
Play video
There are currently no comments for this post.