
Statement from Avnet

Subject: Statement from Avnet
From: John Cliff <john@crixbinfield.freeserve.co.uk>
Date: Wed, 1 Aug 2001 22:56:35

The following message from the bounce bin is a lengthy statement issued
yesterday by Avnet, the host organisation for our List.  It is about the
Code Red virus which has received much attention in the last 36 hours.
It seems unlikely that any of us have been/will be affected (you need to
be running Windows NT or Windows 2000 for a start) but I am passing it on
since such statements from our operator are unusual and this virus is
clearly regarded as a menace.

John Cliff
Europa Club List Forum minder

*****************************************************************************

Subject : Action required TODAY - Urgent Security Advisory: Code Red Worm

Dear Customer,

You may have heard about the latest piece of malicious software to be
released by so-called hackers (actually the correct term would be crackers
or virus writers - hackers can be ordinary people who write legitimate
software!) via the national and international media. Many of you doubtless
have questions, and we hope that this email will answer them.

We would encourage all our users to read this email fully. We have scanned
our own networks comprehensively over the last week looking for computers
vulnerable to, or infected by, this worm. Those customers whom we
discovered were infected or vulnerable were notified immediately. However,
due to the nature of dial-up connections, firewalls, and the fact that many
computers may have been simply turned off, it is important that our
customers check themselves. We will continue our scans this week, in case
any computers are missed.

Please be aware that action must be taken TODAY if you are vulnerable to
the worm. The worm has already infected hundreds of thousands of computers
(including some of our customers - now clean), and is currently lying
dormant until midnight tonight. Some parts of the world will of course roll
over to the 1st of August well before midnight tonight. The danger is not
only that individual machines might be infected, but that the integrity and
speed of the internet in general might be affected by the actions of the
worm.

At the end of this email, we have included verbatim the announcement made
jointly by several organisations including Microsoft, and several US
governmental and non-profit-making computer security organisations.

First of all, here are three tips:

1. Don't panic! The worm only affects certain computers, and the fix is
easy to apply.

Only those running Windows NT and Windows 2000 are affected by this 'worm'.
Of those, only computers running the IIS webserver are vulnerable. Novice
users should not confuse Windows 2000 with Office 2000.  If you are using
Windows 95, Windows 98, or Windows Me, there is no action that you need to
take in response to this alert, but please read on. If you are not sure,
please ask a friend or a colleague who is knowledgeable about computers for
advice.

The fix is easy: visit http://www.microsoft.com/ and click on the link at
the top right of the page named "Code Red Worm". Please ensure you read the
information thoroughly.

In addition, please note that the worm can cause problems for people using
the following Cisco equipment:

* Cisco CallManager, Unity Server, uOne, ICS7750, Building Broadband
  Service Manager (these systems run IIS)

* Unpatched Cisco 600 series DSL routers (our ADSL service uses Alcatel routers)

Cisco Security Advisory for "Code Red"
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

Please note:
We own and operate a small number of Windows servers ourselves. These were
patched prior to the release of the worm in accordance with our security
policies, and have not been compromised at any time. Only a very small
number of users are hosted on these systems, as most of our infrastructure
is based on a UNIX platform.

2. If you are not vulnerable to this particular worm, don't be complacent!

Maintaining your computer system (no matter whether it is running Windows,
MacOS, Linux or any other operating system) and ensuring that it is secure
is a responsibility. You should ensure that you know where you can find
security updates for your system by visiting your vendor's website, and
check back regularly.

Some examples are below:

Microsoft Windows users: http://windowsupdate.microsoft.com/
(ensure you are always up to date with the 'Critical Updates' section on
this site)

Apple Mac Users: http://www.apple.com/support/security/

RedHat Linux Users: http://www.redhat.com/network/
(sign up for the RedHat Network to receive automatic security advisories
via email)

3. Make sure you understand the facts, and not the media hype!

While most of the media has been responsible in reporting this worm,
newsreaders and newspaper journalists are not trained in IT security. Some
of the information we have heard reported has not been entirely factual.
For example, there are at least two versions of the worm, and one of those
does NOT deface web pages with a message saying "Hacked by Chinese!".

You are not necessarily safe behind a firewall! If your firewall forwards
port 80 (HTTP or WWW traffic) through to servers behind your firewall, the
worm can still attack those servers.

This worm is not to be confused with the W32/SirCam worm which spreads via
email.

Please consult the following information to make sure you have the correct
information about the worm:

"Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
http://www.cert.org/advisories/CA-2001-19.html

Continued Threat of the "Code Red" Worm
http://www.cert.org/advisories/CA-2001-23.html

If you have any further questions please email technical support:

<mailto:support@aviators.net>

Please note that we are not providing telephone support for this issue due
to the weight of calls we would expect to receive.

Many thanks for your attention, and do not forget to read the official security
announcement below!

Best regards,

Aviators Network
http://www.aviators.net/


We the CERT/CC, along with other organizations listed below are
jointly publishing this alert about a serious threat to the Internet


A Very Real and Present Threat to the Internet: July 31 Deadline For Action

Summary: The Code Red Worm and mutations of the worm pose a continued
and serious threat to Internet users.  Immediate action is required to
combat this threat. Users who have deployed software that is
vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must
install, if they have not done so already, a vital security patch.

How Big Is The Problem?

On July 19, the Code Red worm infected more than 250,000 systems in
just 9 hours. The worm scans the Internet, identifies vulnerable
systems, and infects these systems by installing itself. Each newly
installed worm joins all the others causing the rate of scanning to
grow rapidly. This uncontrolled growth in scanning directly decreases
the speed of the Internet and can cause sporadic but widespread
outages among all types of systems. Code Red is likely to start
it may be even more dangerous.  This spread has the potential to
disrupt business and personal use of the Internet for applications
such as electronic commerce, email and entertainment.

Who Must Act?

Every organization or person who has Windows NT or Windows 2000
systems AND the IIS web server software may be vulnerable.  IIS is
installed automatically for many applications. If you are not certain,
follow the instructions attached to determine whether you are running
IIS 4.0 or 5.0.  If you are using Windows 95, Windows 98, or Windows
Me, there is no action that you need to take in response to this
alert.

What To Do If You Are Vulnerable?

a. To rid your machine of the current worm, reboot your computer.

b. To protect your system from re-infection: Install Microsoft's patch for
the Code Red vulnerability problem:

*  Windows NT version 4.0:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

* Windows 2000 Professional, Server and Advanced Server:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Step-by-step instructions for these actions are posted at

http://www.digitalisland.com/codered

Microsoft's description of the patch and its installation, and the
vulnerability it addresses is posted at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Because of the importance of this threat, this alert is being made
jointly by:

Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance


