Red is spreading quickly, Cooper said, pointing to figures from the security Web site DShield.org, which tracked the worm as being hosted on 27 IP addresses on July 13, resulting in 611 probes for new machines to infect. By July 16, however, DShield counted over 6,150 infected machines, resulting in over 316,000 probes. EEye's Maiffret said that one system administrator who contacted the company had tracked over 15,000 infected systems. Additionally, a government agency, which told Maiffret it had to remain anonymous, is also tracking the worm and has found over 68,000 infected systems, he said.
Despite the vulnerability it exploits being more than a month old, the worm is able to spread to so many systems because so few systems administrators apply patches when they become available, Cooper said.
"Fewer than 5 percent of (any) software users apply any patches at all, that would be my guess," he said. "A very small fraction of people who own IIS are doing anything proactively," he said. Though there are an estimated 6 million IIS systems running Web servers worldwide, only 160,000 people subscribe to Microsoft's free security bulletin e-mail service and only 35,000 subscribe to NTBugtraq, he said.
In order to secure systems and help stop these kinds of worms from spreading, systems administrators need to do three things, Cooper said. First, they need to subscribe to Microsoft's security bulletin service, "so that they're at least aware that patches exist. They've got to start learning about these vulnerabilities to keep themselves secure," he said.
Secondly, they ought to subscribe to NTBugtraq and lastly, they need to apply patches for their systems when they become available, Cooper said.
The number of users who have yet to patch their systems indicates that "we did the right thing in handling the vulnerability the way we did," by sending out alerts, contacting customers individually and working with the press, said Scott Culp, security program manager at the Microsoft security response center.
"We make it as easy as we can for folks to get the information," he said. "We can only make it so easy," he added; after that, customers will have to take some initiative.
Microsoft is taking steps both to help its customers deal with the Code Red worm and to improve its security notifications, Culp said. First, the company contacted the host of the www.worm.com Web site and has had the site taken offline, he said. Also, the company is directly contacting a number of its customers about the worm, and all IIS patches are now cumulative, that is, they include all previous patches, not just the most recent one, Culp said.
"The easier we make it for people to get the patches, the more likely it is they'll use them," he said.
One issue that is out of both company and administrator hands, but is nonetheless a serious one, is the publication of tools to attack vulnerabilities, called exploits, NTBugtraq's Cooper said. Many of these exploits are published by bug finders just like eEye Digital Security, he said. EEye has published other exploits in the past, and though the company said it would do the same for the original vulnerability in this case, it never did, according to eEye's Maiffret. The company did, however, include information about how to exploit the flaw in its original security alert.
EEye has discovered a number of the flaws found in IIS in recent months, partly because they are looking for them. EEye sells a product called SecureIIS designed to heighten the security of systems running IIS. This interest in IIS, along with the publication of exploits by the company, has led to more than a few raised eyebrows in the security community.
Full disclosure is a controversial, but not uncommon, aspect of the security world. As much information as possible about worms and other security flaws should be disclosed, the thinking goes, because it is the best way to make sure that administrators