Security Update: Code Red hits DSL routers, cable-modem networks

Cisco equipment embedded with Microsoft IIS is also vulnerable.
The Code Red worm in all its variants continues its destructive spread, not only worming its way into hundreds of thousands of Microsoft Web servers, but also having a newly noticed impact on a broad range of Cisco equipment, including DSL routers within the Qwest network. In addition, cable Internet providers, including Time-Warner, AT&T, Cox Communications and Excite, have experienced network slowdowns as the new, rewritten version of Code Red discovered last weekend continues to spread.

Cox spokeswoman Laura Oberhelman said: "We're monitoring the network for Code Red. Because of the high volume of traffic that the Code Red worm generates, we are having a traffic slowdown, particularly with e-mail." When Cox technical staff identify an infected Microsoft Web server on the Cox Internet cable service, Cox personnel contact the subscriber, temporarily disconnect the machine from the Cox network and help the subscriber remove the Code Red worm from it. Cox would not say exactly how many of its subscribers were affected in this way, but said it was only a small percentage.

Dubbed Code Red II, the new worm, which includes a dangerous backdoor Trojan, has bogged down these providers' networks by infecting Internet-connected machines on which the Microsoft Web server is running. Many enterprises were thrown into disarray this week by Code Red II. The global news agency Associated Press found its Internet communications curtailed for a few days last week as its IT staff "scrubbed clean" the array of Microsoft IIS Web servers used internally and for news distribution, said spokesman Jack Stokes. Code Red II delayed updates on AP's Web site and affected a photo service used by smaller newspapers; AP's satellite communications were unaffected. Motorola found Code Red II invading its global corporate intranet, forcing the company to shut it down to disinfect its Microsoft Web servers.
Motorola employees switched to fax, phone and pager in place of e-mail. Other companies affected include FedEx and Cisco itself. Russ Cooper, editor of the NTBugTraq Web site, said that the majority of Fortune 1000 companies felt the worm's impact this week. Ironically, Microsoft's own MSN Hotmail servers were infected by Code Red II because Microsoft had failed to patch its own servers.

Time-Warner's RoadRunner service issued an advisory to its customers this week, acknowledging that customers "may experience slow network response, flashing connectivity lights on the cable modem, and other activity, such as unusual port scan log activity or increased firewall activity." Time-Warner urged its customers to install the software patch Microsoft has made available to prevent Code Red from infecting machines running Microsoft Windows NT or the Microsoft Windows operating system.

Other cable services also had problems. "The day before yesterday, I couldn't even use my cable-modem service, AT&T Broadband," said Dennis Treece, director of the special operations group at vendor Internet Security Systems (ISS). As Code Red II worms its way into Web servers on the cable networks, it is having a particularly strong impact because the second version of Code Red "favors the neighborhood," says Treece. The first version of Code Red, spotted in July, picked target IP addresses at random, often probing addresses that were not actually in use. Code Red II scans IP blocks more efficiently, favoring addresses close to the infected machine's own, which is probably why the cable-modem networks are becoming clogged. The second version of Code Red also includes a dangerous backdoor Trojan that can be used to completely commandeer a victim's machine. ISS's analysis of Code Red II leads the company to believe that the worm may turn itself off in October. But if the clocks on infected Microsoft Web servers are set incorrectly, the worm may reawaken, as happened with the earlier versions of Code Red.
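The advisories above tell cable subscribers to watch for "unusual port scan log activity," and Treece's remark that Code Red II "favors the neighborhood" gives a defender something concrete to look for: a random scanner almost never lands in the victim's own /8, while a locality-biased one does so constantly. The following Python script, added here as an illustration and not taken from the article, ISS or any vendor, parses constructed iptables-style firewall log lines for inbound TCP/80 attempts and reports what share of distinct scanning sources share the monitored host's /8 and /16. The log format, the addresses, the control set and the flagging threshold are all assumptions made for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (not from the article): inbound connection
# attempts seen at the monitored host 24.17.3.10. The iptables-style line
# format is an assumption made for this example.
SAMPLE_LOG = """\
Aug  7 09:12:01 fw kernel: DROP IN=eth0 SRC=24.17.5.9 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:03 fw kernel: DROP IN=eth0 SRC=24.17.5.9 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:04 fw kernel: DROP IN=eth0 SRC=24.17.77.2 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:09 fw kernel: DROP IN=eth0 SRC=24.17.130.41 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:15 fw kernel: DROP IN=eth0 SRC=24.17.201.7 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:20 fw kernel: DROP IN=eth0 SRC=24.17.8.66 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:22 fw kernel: DROP IN=eth0 SRC=24.3.99.12 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:30 fw kernel: DROP IN=eth0 SRC=24.200.1.5 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:31 fw kernel: DROP IN=eth0 SRC=24.66.40.18 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:40 fw kernel: DROP IN=eth0 SRC=61.9.14.2 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:44 fw kernel: DROP IN=eth0 SRC=200.45.3.1 DST=24.17.3.10 PROTO=TCP DPT=80
Aug  7 09:12:50 fw kernel: DROP IN=eth0 SRC=61.9.14.2 DST=24.17.3.10 PROTO=TCP DPT=25
"""

# Constructed control set: ten sources spread over unrelated /8 blocks, the kind
# of distribution a uniformly random scanner (like the first Code Red) leaves.
RANDOM_SOURCES = ["5.6.7.8", "61.2.3.4", "93.1.1.1", "130.5.5.5", "151.9.9.9",
                  "172.40.1.1", "190.3.3.3", "203.8.8.8", "210.1.2.3", "66.249.1.1"]

# Only inbound TCP to port 80 (the Web server) is of interest; \b keeps 8080 out.
PROBE_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) DST=(\d+\.\d+\.\d+\.\d+) PROTO=TCP DPT=80\b")


def parse_http_probes(log_text):
    """Return (src, dst) pairs for every inbound TCP/80 attempt in the log."""
    probes = []
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            probes.append(m.groups())
    return probes


def neighborhood_share(sources, local_ip):
    """Fraction of distinct scanning sources inside the monitored host's /8 and /16."""
    local = ip_address(local_ip)
    net8 = ip_network(f"{local}/8", strict=False)
    net16 = ip_network(f"{local}/16", strict=False)
    distinct = {ip_address(s) for s in sources}
    n = len(distinct)
    if n == 0:
        return {"sources": 0, "same_8": 0.0, "same_16": 0.0}
    return {
        "sources": n,
        "same_8": sum(1 for s in distinct if s in net8) / n,
        "same_16": sum(1 for s in distinct if s in net16) / n,
    }


def looks_neighborhood_biased(stats, min_sources=8, threshold=0.25):
    """Heuristic verdict. A uniformly random scanner lands in the target's /8
    about once in 256 picks (and in its /16 about once in 65536), so a quarter
    or more of sources sharing the /8 points to locality-biased scanning. The
    thresholds are assumptions chosen for this example, not figures from the
    article."""
    return stats["sources"] >= min_sources and stats["same_8"] >= threshold


if __name__ == "__main__":
    probes = parse_http_probes(SAMPLE_LOG)
    stats = neighborhood_share([src for src, _ in probes], "24.17.3.10")
    print(stats, "biased" if looks_neighborhood_biased(stats) else "random-looking")
    ctrl = neighborhood_share(RANDOM_SOURCES, "24.17.3.10")
    print(ctrl, "biased" if looks_neighborhood_biased(ctrl) else "random-looking")
```

Run against the constructed sample, 8 of the 10 distinct sources share the host's /8 and 5 share its /16, which the heuristic flags; the control set of scattered sources is not flagged. Sources are de-duplicated first so that one noisy neighbor repeating its probes does not inflate the share, and the control set shows why the /8 measure is the useful one: a random scanner's share there is effectively zero.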
As Code Red in its approximately four variants has spread, it has also hit Qwest DSL customers, who saw their Cisco DSL routers knocked offline. The routers appear to have been knocked offline by a large Internet Control Message Protocol (ICMP) echo request, or ping, that can cause the router to lock up, and Code Red is getting the blame for much of the damage.

Brian Allen, director of network services and operations at Streaming Media Systems, a division of Broadcast Media Systems, said he has experienced problems for about a month, but they have grown worse since Code Red II started spreading this week. According to Allen, Qwest has attributed the Cisco DSL router problem to "older" Cisco gear, but Allen noted that his company got its Cisco DSL router just last May to provide Qwest DSL service and Internet access for a dozen employees in Seattle. Qwest informed Allen that the Code Red virus was affecting the DSL gear, and that the Qwest call center was experiencing very high call volumes because of it. Qwest has posted instructions on its Web site on how to fix the DSL routers.

In the wake of Code Red, it is becoming clear how many products embed the Microsoft Web server as a management interface. Such equipment, though not usually thought of as a Microsoft Web server, needs the Code Red patch as well. The patch, available at the Microsoft Web site, closes the buffer-overflow vulnerability that Code Red exploits to worm its way into the server. Cisco, in its advisory issued July 31, lists several types of Cisco equipment that are vulnerable to Code Red: Cisco CallManager, Cisco Utility Server, Cisco ICS7750 and Cisco Building Broadband Service Manager. Cisco urges its customers to install the Microsoft patch for Code Red on these products. In a more recent advisory, Cisco said that any router in the Cisco 600 family that is configured to allow Web access can be locked up by sending it a specific URL.
Ellen Messmer, Senior Editor; Jason Meserve, Multimedia Editor. Network World. Copyright 1994-2006 Network World, Inc. All rights reserved.