Monday, Aug. 20, 2001
Hacker Highway
After hackers, claiming to be Chinese, exploited a construction error on the information highway recently, their mischief led to traffic jams and crashes around the world last week. Here's how their "worms" drove through a Microsoft programming hole and onto the...
The Start
1 A security firm, eEye Digital Security, discovers an obscure defect in Microsoft's Web-server software while scrutinizing it for vulnerabilities
2 eEye notifies Microsoft, which quickly creates a patch for the flaw
3 On June 18, in joint announcements on their websites, Microsoft makes the patch available while eEye publishes a detailed blueprint of the flaw
Code Red I Pulls Out
4 Probably using eEye's blueprint, an unknown hacker writes a variation and creates a worm to infiltrate servers within a few weeks
5 Dubbed Code Red, it is coded to replicate itself the first 19 days of the month. It uses the servers to create a random list of addresses, which it tries to penetrate
6 The worm also replaces a site's main Web page with "HELLO! Welcome to http://www.worm.com Hacked by Chinese!"
Code Red Souped Up
7 On July 19, the Code Red I author tinkers with the original worm and rereleases it
8 By changing how the random-address generator works, the worm now replicates more efficiently
9 From July 20 to 27, Code Red uses the hacked servers to try to congest the White House Website with millions of bits of gibberish. Alerted, the White House circumvents the attack
10 On July 28 all copies of the worm are programmed to switch themselves off, but some infected servers with incorrect clock settings restart the infection cycle on Aug. 1
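Step 8 says only that the random-address generator changed. The model below is added here and is not part of the TIME graphic; it assumes the commonly reported cause, that the first release started its generator from the same state on every infected server, and measures how many distinct addresses a population of copies probes in each case. The copy count, probe count and seeds are constructed values.

```python
import random

# IPv4-sized target space; this is a coverage model, not worm code.
ADDRESS_SPACE = 2**32


def scanned_addresses(seed, count):
    """Addresses one worm copy would probe, drawn from its own generator.

    The seed stands in for the generator state the copy starts from.
    """
    rng = random.Random(seed)
    return {rng.randrange(ADDRESS_SPACE) for _ in range(count)}


def population_coverage(copies, per_copy, shared_seed=None):
    """Distinct addresses probed by `copies` infected servers in total.

    shared_seed=None gives every copy its own seed (assumed re-release
    behaviour: independent lists). A fixed value makes every copy start
    from the same state (assumed original behaviour), so all copies walk
    the same list and the population's reach stays at one copy's list.
    """
    covered = set()
    for i in range(copies):
        seed = shared_seed if shared_seed is not None else i + 1
        covered |= scanned_addresses(seed, per_copy)
    return len(covered)


def coverage_gain(copies, per_copy, shared_seed=7):
    """Ratio of independent-seed coverage to shared-seed coverage."""
    shared = population_coverage(copies, per_copy, shared_seed)
    independent = population_coverage(copies, per_copy)
    return independent / shared


if __name__ == "__main__":
    # 50 infected servers, 200 probes each (constructed figures).
    print("shared seed   :", population_coverage(50, 200, shared_seed=7))
    print("own seeds     :", population_coverage(50, 200))
    print("coverage gain : %.1fx" % coverage_gain(50, 200))
```

With a shared state the whole population keeps re-probing the same few hundred addresses, which is why the first release spread slowly and why repeated identical probes from many sources are the defender's tell; independent generators let reach grow with the number of infected hosts.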
Code Red II Races Off
11 On Aug. 3, a new, more sophisticated and malicious worm is introduced, probably by a different hacker. It uses the same entry to make changes to unpatched servers' hard drives
12 This version is souped up with a replicator that is faster and more opportunistic than its predecessor
13 It creates a permanent onramp or back door and broadcasts its hacked server addresses
14 The result is exponentially escalating network congestion--slowing and even shutting down some networks
NO EASY FIX Because Code Red I and its variants are not stored on a computer's hard drive, they can be wiped out by installing the security patch and restarting the server. Removing Code Red II requires reinstalling the operating system. Microsoft's patches will fix the access point the worm uses, but experts say the Code Red problem may never be fixed completely because there are as many as 40,000 infected servers unaware of the need for a patch
Source: Steve Gibson, Gibson Research; Marc Maiffret, eEye Digital Security; Alan Paller, SANS Institute