SANS makes its "recommendation" for getting rid of CodeRed II - We don't agree
The uproar surrounding the CodeRed Internet worm and its variants continues to generate new and sometimes confusing rumors and opinions. On the 7th of August, SANS, the US-based Institute for System Administration, Networking, and Security, published details concerning the Code Red II worm, recommending that users format hard disks and re-install the operating system and all software.
"Reformatting disks for the sake of defending against CodRed II is the same as cutting off your head in order to fight a cold," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Lab. "In addition, simply re-installing the software not only doesn't thwart a worm, it gives users a false sense of security."
As is known, what differentiates the CodeRed II worm from its other two previous variants is the placing of a Trojan program in an infected computer for the purpose of unauthorized control by an outside intruder. In order to perform this, malicious files are created on the disk and the some Windows system registry keys are modified, and it is by this same method that virtually all Trojan programs operate. Therefore, in order to neutralize the Trojan, it is only necessary to delete all malicious files and restore the original contents of the system registry. We recommend visiting the Kaspersky Virus Encyclopedia and learn more about how to remove the CodeRed II Trojan, which takes no more than ten minutes, differing substantially from the several hours or days necessary for the reformatting of your hard drive and reinstalling the operating system.
It is important to note that hard drive reformatting and operating system reinstalling does not guarantee that the CodeRed II worm cannot once again penetrate a computer - Windows 2000 distribution simply does not contain the necessary Service Packs and patches for blocking the breach in the Internet Information Server (IIS) defense that the CodeRed worm exploits.
The most effective means for combating CodeRed and similar "fileless" worms is installing the special IIS filtration module that checks everything incoming to the Web server. These functions are performed by special firewalls and other Intrusion Detection Systems (IDS). Although this may seem financially prohibitive, installing and using these functions demands in-depth user knowledge of computer technology.
"Most users don't have the knowledge to deal with IDS software, and are not prepared to spend a lot of money on this. However, defending against CodeRed-style worms is imperative for all users," added Eugene Kaspersky.
Kaspersky Lab offers free-of-charge software, Kaspersky® Anti-Virus for IIS, which, unlike IDS, takes up only several kilobytes of disk space, doesn't have any noticeable effect on the Web server operation, and only requires a few minutes to install. Furthermore, Kaspersky Anti-Virus for IIS is more effective, inasmuch as it is utilized as the system filter, which allows for the interception and checking of all incoming requests to the Web server. This is performed on the lowest level of the IIS architecture, meaning that it is done well before processing direct requests.
The other advantage of Kaspersky Anti-Virus for IIS is that it can be effectively updated immediately after a new malicious code is detected providing users with defense against even the latest CodeRed-style worms. In this way, a user doesn't have to wait for Microsoft to release a patch for the recently discovered breaches in IIS.
Kaspersky Lab is currently developing a heuristic technology especially for defending against "fileless" malicious programs such as CodeRed. This will enable users to successfully thwart the attacks of not only the current "fileless" worms, but also thwart any that may appear in the future.