Continued from page 1
The bug is something commonly known as a "buffer overflow", which simply means you can send more characters to a web server than it is capable of receiving. When a program receives characters it writes them to memory in a place called a buffer. If a poorly written program receives more characters than it is designed to handle, it will, under special conditions, cause the extra characters to be executed with the program's privileges.
To put it very simply, it was discovered that you could cause the Indexing Service to "overflow its buffers" and execute selected code as a privileged user. This allows a special hacker program (which is reported to have required all of a half hour to write) to gain control of a server.
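The buffer overflow described above, as an added C example that is not from the article and not the Indexing Service's own code: a fixed-size request buffer filled by an unchecked copy, beside a bounds-checked handler that rejects any request that does not fit. The buffer size, the function names and the sample requests are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed buffer size for the illustration (not a value from the article). */
#define BUF_SIZE 16

/* Vulnerable pattern: the whole request is copied into a 16-byte buffer
 * with no length check. A request longer than the buffer writes past its
 * end, which is the "buffer overflow" the text describes. Kept here only
 * for contrast; it is never called with more than BUF_SIZE-1 bytes. */
static void handle_request_unchecked(const char *request)
{
    char buf[BUF_SIZE];
    strcpy(buf, request);   /* unbounded copy: overflows on long input */
    (void)buf;
}

/* Hardened pattern: find the terminator within the buffer's capacity
 * (memchr never scans past BUF_SIZE bytes), reject over-long requests
 * outright instead of truncating silently, then copy with an explicit
 * bound. Returns true if the request was accepted, false if rejected. */
bool handle_request_checked(const char *request)
{
    char buf[BUF_SIZE];
    const char *nul = memchr(request, '\0', BUF_SIZE);
    if (nul == NULL) {
        return false;       /* no terminator within capacity: too long */
    }
    size_t len = (size_t)(nul - request);
    memcpy(buf, request, len + 1);   /* len + 1 <= BUF_SIZE, includes NUL */
    (void)buf;
    return true;
}

/* The longest request the handler accepts; a server should enforce this
 * limit (and log rejections) before any copy into a fixed buffer. */
size_t max_request_len(void)
{
    return BUF_SIZE - 1;
}

int main(void)
{
    const char *ok = "GET /idx";                              /* constructed */
    const char *too_long = "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaa"; /* constructed */
    handle_request_unchecked(ok);   /* safe only because ok fits */
    printf("short request accepted: %d\n", handle_request_checked(ok));
    printf("long request accepted:  %d\n", handle_request_checked(too_long));
    return 0;
}
```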
You have to understand that buffer overflows are nothing new to the world of computing. In fact, I am sure the first programmer was also the first person to experience this condition. It is well known to competent quality control departments, programmers, designers and, of course, hackers.
To put it bluntly, buffer overflows should not occur in any program written by any programmer who has passed "Programming 102". In addition, any quality assurance person who has taken "Quality Control 101" should be able to check for and spot the problem from a mile away. All right already, so what is the infamous Code Red worm?
Code Red is a clever little program which takes advantage of this gaping hole in Index Server. What the program does is search for systems with the flaw. It's easy to find those systems, and Code Red is very good at its job. So good, in fact, that in early August 2001 it is estimated to have infected over 300,000 machines!
Once the worm finds a machine, it triggers the buffer overflow condition and causes itself to be installed on that machine. Remember the Wrath of Khan movie where the beetle with big pincers crawled into Chekov's ear? It's something like that.
Once the bug got into his brain, oh sorry ... once the worm has installed itself, it does a number of different things depending upon the day of the month. On some days near the beginning of a month it will search for new systems to infect. Towards the middle of the month, the worms will all launch an attack against the White House web site. At the end of the month, all of these malicious little programs will sleep, waiting for the next month.
Interestingly, the Code Red worm has a couple of small flaws. First, its attack is directed at a single IP address. Thus, during the first wave of attacks in July, the White House "dodged the bullet" by simply changing its address.
Second, the worm only installs itself in memory. This means it's simply a matter of rebooting the server to rid it of the pesky infection. Of course, if you don't install the patch (a fix to repair the problem, conceptually like the piece of rubber used to patch a hole in a tire), it's just a matter of time until your system gets infected again.
Naturally, a new worm called "Code Red II" has been reported in the wild, and almost certainly does not include these flaws. Hopefully system administrators will comply and install their patches so their systems will not be assimilated into the Code Red and Code Red II attacks.
Richard Lowe Jr. is the webmaster of Internet Tips And Secrets at http://www.internet-tips.net - Visit our website any time to read over 1,000 complete FREE articles about how to improve your internet profits, enjoyment and knowledge.