Kaspersky Lab Releases a Code Red Antidote

06 Aug 2001
Business News

The world's first active defense against all of Code Red's modifications

Kaspersky Lab, an international data-security software developer, announces the release of the very first active defense system for Web servers operating on the Internet Information Server (IIS), combating all of the Code Red modifications.

It was unfortunate that the anti-virus industry was unprepared for the attack carried out by Code Red, a new generation of "fileless" Internet worm. The standard means of defense, such as anti-virus scanners, monitors and even special anti-virus filtration modules for firewalls, are simply not capable of neutralizing attacks by Code Red-style malicious programs. Monitors and scanners can only establish that malicious code is present in a computer's system memory; they are powerless to remove it, and even if they could, Code Red would simply repeat the attack and infect the computer again.

As is known, Code Red exploits a security hole in IIS of the "Buffer Overflow" class, which allows an attacker to run arbitrary code on a Web server. Instead of a standard request to view a specific Web page, the attacker sends a specially crafted request whose binary data overflows the memory buffer allocated for that request, causing the server to execute the malicious code carried in the request itself.

The only way to prevent such an attack is to install the corresponding patch available from Microsoft. However, many network administrators have ignored and continue to ignore this, because they believe these patches can cause more harm than the viruses themselves. In addition, large companies with underdeveloped computer infrastructures can require a week to install such patches, interfering with regular day-to-day operation. Most importantly, there is always a lag between the discovery of a hole and the patch that closes it, during which time users are left virtually defenseless.

"We predict that in the very near future, such 'fileless' worms as Code Red will become one of the most widespread forms of malicious programs, and an anti-virus' ineffectiveness in the face of such a threat simply invites danger," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Lab.

This situation demands that the development of special filter modules for IIS servers be given top priority: filters that screen incoming requests and neutralize those containing malicious code.
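The request-screening idea above, as an added illustration that is not Kaspersky's product code: a small filter that inspects each HTTP request line before the server processes it, and rejects requests whose query string is longer than any legitimate application on the server needs, or which carry an unusual number of %u-encoded sequences of the kind used to smuggle binary payloads past a text-oriented parser. The length and escape-count limits are assumed values for this example, and the sample request lines are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit

# Assumed limits for this example; a real filter would be tuned per server.
MAX_QUERY_LEN = 200      # longest query string a legitimate application here needs
MAX_UNICODE_ESCAPES = 8  # %uXXXX escapes are rare in benign requests

UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def inspect_request(line):
    """Return (verdict, reason) for one HTTP request line.

    verdict is 'allow' or 'block'. The checks run before the request
    reaches the server's own handlers, so an overlong request never gets
    a chance to overflow the buffer allocated for it.
    """
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ("block", "malformed request line")
    query = urlsplit(m.group("target")).query
    if len(query) > MAX_QUERY_LEN:
        return ("block", f"query string of {len(query)} bytes exceeds limit {MAX_QUERY_LEN}")
    if len(UNICODE_ESCAPE.findall(query)) > MAX_UNICODE_ESCAPES:
        return ("block", "excessive %u-encoded sequences in query string")
    return ("allow", "")


def filter_requests(lines):
    """Apply inspect_request to each line; return [(line, verdict, reason)]."""
    return [(line, *inspect_request(line)) for line in lines]


# Constructed sample request lines: two ordinary, two overflow-style.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "GET /products/list.asp?id=42 HTTP/1.0",
    "GET /default.ida?" + "N" * 224 + "%u4141%u4141 HTTP/1.0",   # overlong query
    "GET /page.asp?x=" + "%u4141" * 10 + " HTTP/1.0",            # short but escape-heavy
]

if __name__ == "__main__":
    for line, verdict, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{verdict:5} {line[:60]!r} {reason}")
```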

"The current IIS-server anti-virus-filtration version reliably defends computers against all known versions of the Code Red worm, and does not require the Microsoft patch," added Eugene Kaspersky. "Soon, the program will have built-in heuristic technology capable of detecting and neutralizing the attack of even an unknown virus using a 'Buffer Overflow' similar to Code Red. Unlike the hundreds of megabytes required by the Microsoft Service Pack containing the Code Red patch, Kaspersky Anti-Virus for IIS Servers takes up all of a few dozen kilobytes of disk space, and doesn't interfere with a Web server's performance. The current program's anti-virus database is quickly updated following the detection of the latest 'fileless' worm, so that users don't need to wait for the release of the corresponding patch. In closing, the filtration module can be downloaded by everyone free of charge."