The Chronicle of Higher Education
Wednesday, August 29, 2001

On Campus Networks, 'Code Red' Worms Continue Causing Problems, but Most Are Minor

By FLORENCE OLSEN

Campus-computing officials say they're still seeing daily evidence of two software worms that made their way across the Internet this summer -- "Code Red" and "Code Red II" -- although network gridlock and server crashes have diminished.

"The number of attacks is down from many hundreds per hour to about 50," says Mark Berman, director of networks and systems at Williams College.

Many network-security managers were dismayed to discover that installing Microsoft's recommended software patch on infected machines did nothing to stop waves of port-scanning attacks from infected machines elsewhere on the Internet. The unusual number of port scans, or connection attempts, overwhelmed both servers and networks.

Machines infected with Code Red or Code Red II worms wreaked havoc by scanning countless Internet addresses while attempting to connect to other insecure machines running Microsoft Web-server software. Any Windows machine is vulnerable if it's running one of several combinations of Microsoft software.

"The attack comes in over the standard Web port -- Port 80 -- so you can't block it, unless you want to completely deactivate use of the Web on your campus," says Scott F. Conti, network-operations manager at the University of Massachusetts at Amherst. At least 15 computers out of 20,000 machines on the Amherst network were infected by the Code Red worm on July 19, when the worm was most active.

The port-scanning attacks still being monitored at Williams College are coming mostly from overseas, says Mr. Berman, but some of them are from universities and Internet-service providers in the United States.

Internet-security analysts at the Computer Emergency Response Team Coordination Center, operated by the Software Engineering Institute at Carnegie Mellon University, say the series of Code Red attacks has been messy but not unprecedented. "It's really an evolutionary event in computer-security history," says Shawn Hernan, a security analyst at CERT. The event that led to the creation of the CERT Coordination Center -- the Internet worm of 1988 -- "was very, very similar in many respects to this one, right down to the kind of problem that allowed the worm to propagate in the first place," he says.

Worms are badly behaved computer programs that reproduce themselves and consume excessive amounts of computer and network resources, but do not alter other program files. Neither the Federal Bureau of Investigation nor the Secret Service, which are investigating, has reported finding the source of the Code Red worms.

On July 12, a version of the Code Red worm began infecting machines on the Internet that were running Microsoft's Internet Information Server software. A second version appeared July 19 and spread more rapidly than the first. Reports of a new worm -- Code Red II, which security managers found to be more dangerous than Code Red I -- began to filter into the CERT Coordination Center on August 4. Each of the worm programs exploits a security hole in the Web-server software when it is running on hardware controlled by Microsoft's Windows NT 4.0 or Windows 2000 operating system. On August 22, another variant of Code Red II was reported.

New evidence of collateral damage from the worm attacks keeps coming to light. A CERT notice issued August 16 warned that even patched machines running a combination of Internet Information Server 4.0 and Windows NT 4.0 will crash when scanned by a Code Red worm if a Web-server feature called "URL redirection" has been turned on by the machine's administrator.

"We now know that certain Cisco routers crashed as a result of Code Red, and that certain Hewlett-Packard printers behaved incorrectly," adds Mr. Hernan, the CERT analyst. "Investigating those sorts of anomalies and patching all machines is certainly a lot of work for people."

At the University of Minnesota-Twin Cities, computing officials have patched the software on machines that they found to have the security hole, says Stephen P. Cawley, associate vice president for information technology. But he is expecting more problems when students return to campus and set up computers that may be running unpatched versions of the Microsoft software. The server software is sometimes sold as part of third-party Windows application programs, and may reside on machines without their owners' knowledge.

Unlike the earlier Code Red worms, Code Red II is not removed by rebooting a computer once it is infected. Security experts say the Code Red II worm leaves open a "back door" into the infected machine, reboots the machine, then probes the network seeking other machines running unpatched versions of Microsoft's Web-server software.

Once a back door has been left open on a Microsoft Web server, attackers can install and run any programs, usually harmful ones. A Microsoft security bulletin says that intruders could use an open back door to install software code that alters information on Web pages, or that reformats a server's hard drive, or that adds new users to the network and gives them local-administrator privileges. Microsoft has since released a Code Red cleanup tool.

Mr. Hernan says the typical behavior of intruders, as soon as they gain access to a machine, is to erase the system logs, change the operating system to hide their activity, then replace all of the system's file-searching tools -- "specifically to hide their stuff, so in effect, you can't trust anything that the computer is telling you."

Security administrators who suspect that a machine can no longer be trusted should follow CERT's guidelines, Mr. Hernan says. "Our recommendations are to isolate the machine, record any evidence, examine your backups, talk to the other sites that are involved, report to law enforcement and to incident-response groups, then rebuild the machine offline," he says. "Apply all the relevant security patches, and only then put the machine back online."

If the people running a college's central Web server are doing their jobs, no institutionally administered Web servers should have to be rebuilt, says Jesper M. Johansson, an assistant professor of management-information systems at Boston University. "The major problem is going to be individual faculty members' computers and individual student computers," he says. "You're probably looking at thousands of those across various campuses" that may have been infected with Code Red II, he adds.

Mr. Johansson says that administrators should think about using a technique called "egress filtering" to stop the excessive Web requests that spew across the campus network and the Internet from campus machines infected by worms such as Code Red or Code Red II.

"It's not difficult once we know about these worms to actually detect them going out -- and blocking them is not that hard," he says. "It's simply good network citizenship."
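The egress-filtering idea Mr. Johansson describes, and the port-scanning behavior the article attributes to infected machines, worked through as an added example that is not from the article or from any institution quoted in it: a Code Red-infected Web server connects to many unrelated addresses on port 80 in a short time, while an ordinary workstation touches only a handful of Web servers per minute, so counting distinct port-80 destinations per campus host in a one-minute window separates the two and yields a list of hosts to block at the campus border. The flow-record format, the 10.20.5.x campus addresses, the threshold of 20 peers and the `eth1` border interface are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
WINDOW = timedelta(seconds=60)    # bucket length for counting peers (assumed)
PEER_THRESHOLD = 20               # distinct port-80 peers per window (assumed)

def constructed_sample():
    """Constructed flow records, one per line: 'timestamp src dst dport'."""
    t0 = datetime(2001, 7, 19, 10, 0, 0)
    lines = []
    # Infected host: 30 distinct, widely spread destinations on port 80 in 30 seconds.
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.20.5.17 {100 + i}.{i}.1.2 80")
    # Ordinary workstation: six requests spread over three Web sites in the same minute.
    for i in range(6):
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} 10.20.5.42 192.0.2.{i % 3} 80")
    # Non-web traffic from the infected host must not count toward its score.
    lines.append(f"{t0.isoformat()} 10.20.5.17 192.0.2.9 22")
    return "\n".join(lines)

def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def find_scanners(flows, window=WINDOW, threshold=PEER_THRESHOLD):
    """Return {src: peak distinct port-80 destinations in one window} for hosts at or over threshold."""
    peers = defaultdict(set)                  # (src, window bucket) -> distinct destinations
    for ts, src, dst, port in flows:
        if port == 80:                        # only outbound Web connections are of interest
            peers[(src, (ts - EPOCH) // window)].add(dst)
    peak = defaultdict(int)
    for (src, _), dsts in peers.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n >= threshold}

def egress_block_rules(scanners, egress_if="eth1"):
    """Render flagged hosts as iptables rules dropping their outbound port-80 traffic at the border."""
    return [f"iptables -A FORWARD -o {egress_if} -s {src} -p tcp --dport 80 -j DROP"
            for src in sorted(scanners)]

if __name__ == "__main__":
    flagged = find_scanners(parse_flows(constructed_sample()))   # {'10.20.5.17': 30}
    print("\n".join(egress_block_rules(flagged)))
```

Real flow exports (NetFlow, firewall logs) need their own parser in place of `parse_flows`, and the threshold should be tuned against a campus's normal traffic before any rule is enforced rather than merely logged.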

Copyright © 2001 by The Chronicle of Higher Education