Page 1469 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
occur on the internet. Since that time, hundreds of new worms (with
thousands of variant strains) have unleashed their destructive power
on the internet. The following sections examine some specific worms.
Code Red Worm
The Code Red worm received a good deal of media attention in the
summer of 2001 when it rapidly spread among web servers running
unpatched versions of Microsoft’s Internet Information Server (IIS).
Code Red performed three malicious actions on the systems it
penetrated:
- It randomly selected hundreds of Internet Protocol (IP) addresses
  and then probed those addresses to see whether they were used by
  hosts running a vulnerable version of IIS. Any systems it found
  were quickly compromised. This greatly magnified Code Red’s
  reach because each host it infected sought many new targets.
- It defaced HTML pages on the local web server, replacing normal
  content with the following text:

      Welcome to http://www.worm.com!
      Hacked By Chinese!

- It planted a logic bomb that would initiate a denial-of-service
  attack against the IP address 198.137.240.91, which at that time
  belonged to the web server hosting the White House’s home page.
  Quick-thinking government web administrators changed the White
  House’s IP address before the attack actually began.
The destructive power of worms poses an extreme risk to the modern
internet. System administrators simply must ensure that they apply
appropriate security patches to their internet-connected systems as
software vendors release them. As a case in point, a security fix for an
IIS vulnerability exploited by Code Red was available from Microsoft
for more than a month before the worm attacked the internet. Had
security administrators applied it promptly, Code Red would have
been a miserable failure.
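
The effect of prompt patching on a random-scanning worm can be seen in a simple spread model. This is an added illustration, not material from the study guide; the host population, scan rate and number of time steps are constructed values, not measurements of Code Red.

```python
"""Deterministic model of a random-scanning worm (all parameters constructed)."""

ADDRESS_SPACE = 2 ** 32  # size of the IPv4 address space being probed at random


def simulate(vulnerable_hosts, patched_fraction, scans_per_step=300, steps=600):
    """Return the expected number of infected hosts after each time step.

    Every infected host probes `scans_per_step` random addresses per step. A
    probe only succeeds if it lands on a host that is unpatched and not yet
    infected, so patching shrinks the target pool and slows the growth rate.
    """
    unpatched = vulnerable_hosts * (1.0 - patched_fraction)
    infected = min(1.0, unpatched)  # one initially infected host, if any can be
    history = [infected]
    for _ in range(steps):
        susceptible = unpatched - infected
        hit_probability = susceptible / ADDRESS_SPACE
        newly_infected = infected * scans_per_step * hit_probability
        infected = min(unpatched, infected + newly_infected)
        history.append(infected)
    return history


def steps_to_reach(history, host_count):
    """Return the first step at which `host_count` hosts are infected, or None."""
    for step, infected in enumerate(history):
        if infected >= host_count:
            return step
    return None


if __name__ == "__main__":
    population = 500_000  # constructed figure, not a Code Red measurement
    for patched in (0.0, 0.5, 0.9):
        history = simulate(population, patched)
        print(f"patched={patched:.0%} infected after {len(history) - 1} steps: "
              f"{history[-1]:,.0f} (10,000 hosts reached at step "
              f"{steps_to_reach(history, 10_000)})")
```

With no hosts patched, the model saturates the vulnerable population within the simulated window; with 90 percent patched, the same window ends with only a handful of infections because each probe is far less likely to find a target.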
RTM and the Internet Worm

