The Code Red worm made a quiet comeback Wednesday, with no signs yet of a predicted traffic surge that could affect the functioning of the Internet.
As of 1 pm PDT Wednesday, Code Red had infected servers responsible for at least 127,000 Web sites, according to the SANS Institute, a computer security think-tank. New infections were happening at the rate of more than 50,000 per hour, although the rate of growth had slowed markedly.
Network administrators and security experts originally braced for a slowdown shortly after 5 pm PDT Tuesday, when the worm was set to emerge from an inactive state and flood the Internet as it searched for new servers to infect.
Most Web sites were functioning normally late Tuesday and early Wednesday, but security experts said there were new signs the worm was gathering speed. Exactly how many servers the worm will send itself to--and therefore how fast it spreads--was still being debated by security experts.
The Computer Emergency Response Team (CERT), a Carnegie Mellon University organization that tracks security issues, said in a statement issued Wednesday morning that it has "begun receiving reports of increasing Code Red scanning activity." CERT experts believe the worm is spreading
The FBI's National Infrastructure Protection Center (NIPC) also projected the worm will be spreading at a rapid clip.
"Based on our preliminary analysis, we expect to see the activity of this particular worm to compare to the July 19th infection," said Deborah Weierman, a spokeswoman for the government's National Infrastructure Protection Center. "At the time, it resulted in over 250,000 infections on systems. Today, we believe that should be achieved by this afternoon."
The FBI was expected to make a statement late Wednesday about whether the worm has continued to spread or had any impact in slowing down the Internet. The agency said early Wednesday that the worm has spread but its initial impact has been minimal.
"Early reports of activity spanning the entire globe, including the United States, indicate that the worm has gone active and is presently spreading throughout the Internet," the FBI said in a statement issued Wednesday morning. "We are hopeful that the many precautions taken by the public, the government and private industry will have some effect on its ability to propagate."
The Code Red worm--named after a hypercaffeinated, cherry-flavored Mountain Dew drink popular with computer programmers--infected servers around the world last month and launched a massive denial-of-service attack against the White House's Web site.
The worm only infects computers running the Windows NT and Windows 2000 operating systems and Microsoft's Internet Information Server (IIS) Web server software, meaning few home PCs are vulnerable to the attack. But the worm could disable some e-commerce sites or slow down the overall speed of the Internet by bombarding sites with data.
As originally reported, the Code Red worm takes advantage of a hole in IIS. Code Red was thought to have infected as many as 359,000 systems within about six days during its original attack in July, making it one of the fastest-spreading worms ever.
While Microsoft quickly released a widely distributed patch for the IIS hole, it's unclear how many system administrators have downloaded and installed the fix. Microsoft has estimated that servers responsible for some 6 million Web pages have the vulnerability.
The worm remains active between the first of the month and the 28th, when it goes into hibernation. While the worm does not reactivate itself automatically, any computer vandal sending a copy of the worm once the active period begins--most recently at midnight GMT Aug. 1, or 5 pm PDT Tuesday--would start a new round of infections. On the 20th of the month, the worm is set to switch to attack mode and barrage an Internet address originally associated with the White House Web site with large packets of
While many security experts warned of potential Internet outages due to the revived worm, others maintained the worm is not spreading as quickly as once feared. Instead of an exponential or logarithmic spreading method, some say the worm is spreading at a slower, geometric rate.
Rob Rosenberger, editor of the Vmyths.com news service, said the alarm surrounding Code Red is largely undeserved, but he acknowledged that the Internet is not quite "out of the woods" in terms of the danger that Code Red could inflict on it. He said the next 12 to 24 hours will be key because it appears as though the worm is spreading geometrically, infecting two computers, then four, then eight.
"What's been lost in the mix here is that Code Red is a geometric rise," said Rosenberger, who has been one of the most outspoken critics of the FBI, Microsoft and conventional security companies in their response to the worm. "I still believe that I'm right and this never should have reached the level of hysteria it did. But I won't be right for 24
Worms have become the tool of choice among malicious vandals on the Internet, but the Code Red strain has proven especially fast and effective. Unlike other worms that hide in email attachments, such as Love Letter and SirCam, Code Red does not require fooling an unwitting recipient into opening an email
Several experts said Code Red was the most nefarious worm they've seen since the Cornell Internet Worm, which overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988. The worm, which exploited flaws in Unix systems, was written and released by Robert T Morris, a Cornell University graduate student, and is also called the Morris worm.
A new version of Code Red could mean it will be more virulent the second time around, launching a data flood that could potentially overwhelm many servers over the next few days. The original worm looked for servers to infect by targeting a single Internet Protocol (IP) address, the unique string of numbers that identifies computers on the Internet. But a second version may have a so-called "random seed" that could hunt down Web sites even after they've changed IP addresses, making it harder to avoid attack.
Despite its more virulent nature, it's unclear exactly how many unpatched servers are still vulnerable to the
Douglas Conorich, global solutions manager for IBM's managed security services in Dallas, said that about half of IBM's corporate customers were vulnerable to the original attack. But IBM quickly alerted its customers of the patch and no customers were infected, Conorich said. He also said they've installed a patch that will guard against several new vulnerabilities likely in a second outbreak.
"They skated through, luckily," Conorich said of his customers. "But the danger was there. This was a very unusual one in that it only took the hackers a month from the time the vulnerability was discovered until they did something. Usually it takes six to seven months before a hacker comes out with an attack against a vulnerability, and that gives people some
Although IBM's customers are reportedly safe, small businesses and those that don't have contracts with large computer consulting companies may have more to
John B Butler Jr, president of LiveVault, estimated that 3 million Windows servers in the United States--mainly at small businesses and remote branch offices--do not have professional IT support. It's likely that a large percentage of these "stranded" servers are vulnerable, Butler said.
Code Red also can damage smaller networks by calling attention to a vulnerability in Cisco Systems' 600 series DSL routers. The worm could cause the router to stop forwarding traffic.
Although many small businesses may be in danger of attack, home computer users have little to fear. The worm does not connect to individual PCs running Windows 95, 98 or Me. Only Windows NT and Windows 2000 Web servers running IIS can be infected with this worm.
Although it won't infect home computers, users may experience extreme delays or malfunctioning of their favorite Web sites because of traffic generated by the worm.
attacks. Because of that and the danger it poses to Microsoft Web servers, Microsoft, federal security agencies and trade groups hosted a globally televised press conference Monday to urge businesses to install a software patch that prevents infection.
It's unlikely that the worm will do permanent damage. The worm doesn't destroy data, though future generations of it could be modified to do so. Only computers set to use the English language have had their Web pages defaced, typically with the message, "Hacked by Chinese". (The first Net address from which attacks emanated in the July episode was determined apparently to be from Foshan University in China, although a Chinese network safety official denied those allegations Tuesday.)
It's also unclear how long the worm will live. Guarding against the worm is a relatively straightforward matter of installing a Microsoft software patch that prevents any malicious program from taking advantage of the IIS hole.
Because Code Red is memory-resident--it lives in the server's volatile physical memory rather than on a hard drive or other permanent storage--rebooting wipes out the infection. The software patch prevents re-infection.
In theory, if every server were patched, the worm would die. Otherwise, it could continue its monthly cycle of hibernation and attack. The most recent statistics from Microsoft show that more than 1 million people have downloaded the patch.
The idea of installing a patch is simple, but many companies do not do so--sometimes because the patch ends up causing other problems to the corporate system. Conorich said it's not uncommon for servers to lose credit card or other personal data immediately after receiving a patch, causing e-commerce transactions to be erased. Microsoft last month released two faulty patches for a flaw in its Exchange email server software.