Earlier today, two Microsoft Web sites fell victim to a new worm making the rounds nicknamed the '.ida "Code Red" worm' because part of the worm is designed to deface Web pages with the text "Hacked by Chinese" and also because Code Red Mountain Dew was apparently the only thing that kept employees from eEye Digital Security awake all last night to be able to disassemble the worm in detail.

The worm propagates itself via Microsoft IIS Web servers through the .ida buffer overflow attack published a few weeks ago. The worm then sets itself up on the infected system and creates 99 other "threads" or instances of the virus to spread the worm to other Web servers.

Full details of the worm can be found here:

The sites hit included the Windows Update Server (www.windowsupdate.microsoft.com). According to the regular page:

Windows Update is the online extension of Windows that helps you get the most out of your computer.

Also defaced was explorer.msn.com, the MSN Explorer Web site (described as Microsoft's all-in-one software that delivers everything you need to feel at home on the Web.

This makes the 17th time a Microsoft Web site has been defaced including the corporation's global sites in Brazil, Slovenia, New Zealand, Mexico, UK, Saudi Arabia and South Africa as well as six servers from their corporate headquarters.

The full list of past Microsoft targets have included:

msrconf.microsoft.com (a supposed retired MS server and the first recorded defacement of a Microsoft server) on October 24, 1999

Microsoft Brazil by IZ corp defaced June 3, 2000

The Microsoft Events Server by someone unknown on November 7, 2000

Microsoft Slovenia (defaced twice) the first time by Furia.BR on December 14, 2000 and the second time by BoLoDoRiO 3 days later

Microsoft New Zealand was defaced by Prime Suspectz on January, 23rd of this year:

Microsoft UK, Microsoft Saudi Arabia and Microsoft Mexico were all defaced on May 3rd, 2001 by Prime Suspectz:

Microsoft's STREAMER server was defaced by Prime Suspectz on May 7th, 2001:

Microsoft Romānia was defaced by Pentaguard on May 17th, 2001:

The MSN Mobile "feeds" server was defaced by Prime Suspectz on June 21st, 2001:

The Microsoft South Africa "interface" server was defaced by the group BlackSun:

Two Microsoft RTE servers were defaced by the group Prime Suspectz:

The Windows Update Server was defaced by the 'Code Red' worm:

© 1999, 2000, 2001 Copyright Brian Martin
Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this text are not necessarily the opinion of all Attrition staff members.

To subscribe to this list, send mail to majordomo@attrition.org with subscribe defaced-commentary in the BODY of the mail.