When you listen to the news, you hear about many different forms of electronic infection. The most common are:
The infections in the news right now are worms, so let's take a look at worms and then go into the details on all of the different types of infection.
- Viruses - A virus is a small piece of software that piggy-backs on real programs. For example, a virus might attach itself to a program like a spreadsheet program. Each time the spreadsheet program runs, the virus runs too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
- Email viruses - An email virus moves around in email messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's email address book.
- Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there as well.
- Trojan Horses - A trojan horse is simply a normal computer program. The program claims to do one thing (e.g. - it claims to be a game) but instead does damage when you run it (e.g. - it erases your hard disk). Trojan horses have no way to replicate automatically.
A worm called Code Red made huge headlines in 2001. Experts predicted that this worm could clog the Internet so effectively that things would completely grind to a halt. The Code Red worm attacks Windows NT 4.0 and Windows 2000 servers running Microsoft IIS (Internet Information Server) 4.0 or IIS 5.0. Microsoft has released a simple patch that fixes the security loophole used by the Code Red worm that you can access here.
What's a "Worm"?
A worm is a computer program that has the ability to copy itself from machine to machine. Worms normally move around and infect other machines through computer networks. Using a network, a worm can expand from a single copy incredibly quickly. For example, the Code Red worm replicated itself over 250,000 times in approximately nine hours on July 19, 2001.
Worms use up computer time and network bandwidth when they are replicating, and they often have some sort of evil intent. The Code Red worm slowed down Internet traffic (but not nearly as badly as predicted) when it began to replicate itself. Each copy of the worm scans the Internet for Windows NT or Windows 2000 servers that do not have the security patch installed. Each time it finds an unsecured server, the worm copies itself to that server. The new copy then scans also for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies.
The Code Red worm is designed to do three things:
- Replicate itself for the first 20 days of each month
- Replace Web pages on infected servers with a page that declares Hacked by Chinese
- Launch a concerted attack on the White House Web server in an attempt to overwhelm it
The most common version of Code Red is a variation, typically referred to as a mutated strain, of the original Ida Code Red that replicated itself on July 19, 2001. According to the National Infrastructure Protection Center: ALERT 01--016:
The Ida Code Red Worm, which was first reported by eEye Digital Security, is taking advantage of known vulnerabilities in the Microsoft IIS Internet Server Application Program Interface (ISAPI) service. Un-patched systems are susceptible to a "buffer overflow" in the Idq.dll, which permit the attacker to run embedded code on the affected system. This memory resident worm, once active on a system, first attempts to spread itself by creating a sequence of random IP addresses to infect unprotected web servers. Each worm thread will then inspect the infected computer's time clock. The NIPC has determined that the trigger time for the DOS execution of the Ida Code Red Worm is at 0:00 hours, GMT on July 20, 2001. This is 8:00 PM, EST.
Upon successful infection, the worm waits for the appointed hour and connects to the www.whitehouse.gov domain. This attack consists of the infected systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov (126.96.36.199).
The U.S. government changed the IP address of www.whitehouse.gov to circumvent that particular threat from the worm and issued a general warning about the worm advising users of Windows NT or Windows 2000 Web servers to ensure that they have installed the security patch.