Archvillain.com > Code Red/Nimda Activity
I haven't updated the text below for Nimda, but the graph shows about 1500 probes a day on the second day of activity! And each probe is about 20 GET operations, as opposed to one for Code Red. This worm propagates itself through a large number of known weaknesses in Microsoft servers, including the security hole left by a Code Red infection, which is discussed below. I had been running a set of Python scripts which extract the Code Red probes three times a day and send emails to a set of about 30 support addresses for IPs which can be traced to particular ISPs, just to let them know which of their customers are infected. I have discontinued running this until I decide if and how to deal with the Nimda probes. FIX YOUR MACHINES, PEOPLE! Or don't connect them to the internet. If you are running a Microsoft server for your business, check out this recent (9/18) advisory: Nimda Worm Shows You Can't Always Patch Fast Enough
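As an added example (not the page's own scripts), here is the core of what such a log-scanning script does: it classifies web server access-log lines as Code Red or Nimda probes and tallies one probe per source IP per day, so Nimda's burst of ~20 GETs from one host is not counted twenty times. The request signatures are an assumption taken from the public worm write-ups rather than from this page, and the log lines are constructed samples.

```python
import re
from collections import Counter, defaultdict

# NCSA common/combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] "(?P<req>[^"]*)"')

# Signatures are an assumption taken from the public 2001 worm write-ups, not
# this page: Code Red sends one GET for /default.ida followed by a long run
# of N or X; Nimda tries a burst of root.exe / cmd.exe paths.
SIGNATURES = [
    ("code-red", re.compile(r"^GET /default\.ida\?[NX]{20,}", re.I)),
    ("nimda", re.compile(r"^GET \S*(root\.exe|cmd\.exe)", re.I)),
]

def classify(request):
    """Return the worm whose signature matches a request line, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(request):
            return name
    return None

def summarize(lines):
    """Count probes per (day, worm) and record the worms seen per source IP.
    One source, one day, one worm = one probe, so Nimda's ~20 GETs count once."""
    daily, sources, seen = Counter(), defaultdict(set), set()
    for line in lines:
        m = LOG_RE.match(line)
        worm = classify(m.group("req")) if m else None   # skip malformed lines
        if worm is None:
            continue
        key = (m.group("day"), m.group("ip"), worm)
        if key not in seen:
            seen.add(key)
            daily[(m.group("day"), worm)] += 1
        sources[m.group("ip")].add(worm)
    return daily, sources

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:10:12:01 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 -',
    '198.51.100.7 - - [19/Sep/2001:08:00:05 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [19/Sep/2001:08:00:06 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [19/Sep/2001:08:00:07 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.5 - - [19/Sep/2001:09:30:00 -0700] "GET /index.html HTTP/1.0" 200 1234',
]
```

The per-IP `sources` map is the input for the ISP look-up and notification step, and the `daily` counts are the raw material for a per-day graph like the one at the bottom of this page.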
Isn't it time that the ISP folks found some way to detect this sort of thing in their gateway servers, or something like that? The conventional virus-scan methodology - relying on a known database of viruses - is starting to fall apart. If you look at Symantec you will find that there has been about one new virus or worm found per day over the last 30 days. So it won't stop a new threat unless you are lucky enough to get the new database before the new threat hits you. And in many cases, these tools can't stop infection, they will just tell you it's happened, and what files you need to delete. Nothing currently in place is working - Microsoft isn't shipping secure code, people aren't applying patches (and in most cases don't know they are even running the server which needs patching). Even Microsoft had a bunch of machines get hit because they hadn't applied their own patches.
The Code Red worm infects machines running IIS 4.0 or IIS 5.0 under NT or Windows 2000. In some cases, when Windows 2000 is installed, the IIS web server is installed by default, leaving the machine vulnerable even though the user does not realize they are running a web server. This can occur with a dialup connection or broadband connection. If you have a vulnerable machine which is reachable from the internet, it is quite likely that it is already infected. I strongly recommend that if you have a Windows 2000 computer which is connected in any way to the Internet, you should check for and guard against infection as described here. Infected machines have a major security 'hole' installed by the worm, and actively infect other machines. Microsoft's information, patch, and 'cleaner' are here.
Archvillain.com is receiving probes at a rate of about one every minute or two. The server hosting Archvillain.com is not vulnerable, but the server log shows activity from infected machines all over the world.
For more information, see this information at Symantec.
The really scary thing about this worm is that it leaves a security hole in your system, and then broadcasts to the world (by means of probing other machines) that your machine is infected. A sufficiently sophisticated hacker (after detecting a probe from your machine) could use the security hole to install a further segment of malicious code, then remove the original security hole, and perhaps even fix the vulnerability. By 'fixing' the problem, this hacker may prevent you from discovering that anything is wrong, and will prevent others from using the Code Red 2 security hole. So, that hacker then 'owns' your machine and can use it to launch DDOS attacks against other machines, for instance.
Go read this at The Register if you want to learn more. Make sure you read the second half. And, if you are running IIS on a web server, and its security is important to your livelihood, you might want to take a good hard look at the security record of IIS over the last 6 months or so. At the very least, it's clear that its popularity alone makes it a security risk. The benefit to a malicious hacker of finding a security hole is that much greater since the number of potential victims is very high. Important alternatives are things like Apache and other GPL code; at first glance, it might seem that these products are less secure because anybody can look at the source. But they are only insecure if the holes actually exist, and holes are far more likely to be found if hundreds or thousands of people are scrutinizing the source code. And when they are found, the information is very quickly disseminated. Large software publishers have a record of keeping these things secret and delaying the remedial action.
The graph below shows the number of probes from the Code Red and Nimda worms which were recorded in the Archvillain.com server log during each day since 19 July, when the first probes occurred.