Code Red: Alive again and kicking

Security experts say the Code Red worm made a quiet comeback Wednesday, with no signs yet of the predicted traffic surge that could slow the Internet to a crawl.
The Code Red worm made a quiet comeback Wednesday, with no signs yet of a predicted traffic surge that could affect the functioning of the Internet.

As of 1 pm PDT Wednesday, Code Red had infected servers responsible for at least 127,000 Web sites, according to the SANS Institute, a computer security think-tank. New infections were happening at the rate of more than 50,000 per hour, although the rate of growth had slowed markedly.

Network administrators and security experts originally braced for a slowdown shortly after 5 pm PDT Tuesday, when the worm was set to emerge from an inactive state and flood the Internet as it searched for new servers to infect.

Most Web sites were functioning normally late Tuesday and early Wednesday, but security experts said there were new signs the worm was gathering speed. Exactly how many servers the worm will send itself to--and therefore how fast it spreads--was still being debated by security experts.

The Computer Emergency Response Team (CERT), a Carnegie Mellon University organization that tracks security issues, said in a statement issued Wednesday morning that it has "begun receiving reports of increasing Code Red scanning activity." CERT experts believe the worm is spreading exponentially.

The FBI's National Infrastructure Protection Center (NIPC) also projected the worm will be spreading at a rapid clip.

"Based on our preliminary analysis, we expect to see the activity of this particular worm to compare to the July 19th infection," said Deborah Weierman, a spokeswoman for the government's National Infrastructure Protection Center. "At the time, it resulted in over 250,000 infections on systems. Today, we believe that should be achieved by this afternoon."

The FBI was expected to make a statement late Wednesday about whether the worm has continued to spread or had any impact in slowing down the Internet. The agency said early Wednesday that the worm has spread but its initial impact has been minimal.

"Early reports of activity spanning the entire globe, including the United States, indicate that the worm has gone active and is presently spreading throughout the Internet," the FBI said in a statement issued Wednesday morning. "We are hopeful that the many precautions taken by the public, the government and private industry will have some effect on its ability to propagate."

The Code Red worm--named after a hypercaffeinated, cherry-flavored Mountain Dew drink popular with computer programmers--infected servers around the world last month and launched a massive denial-of-service attack against the White House's Web site.

The worm only infects computers running the Windows NT and Windows 2000 operating systems and Microsoft's Internet Information Server (IIS) Web server software, meaning few home PCs are vulnerable to the attack. But the worm could disable some e-commerce sites or slow down the overall speed of the Internet by bombarding sites with data.

As originally reported, the Code Red worm takes advantage of a hole in IIS: a buffer overflow in the Index Server ISAPI extension (idq.dll), which Microsoft fixed in June under security bulletin MS01-033. Code Red was thought to have infected as many as 359,000 systems within about six days during its original attack in July, making it one of the fastest-spreading worms ever.
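An administrator reading this would want a quick way to tell whether a server has been probed, and the worm's request leaves a recognizable trace in web-server logs, on Apache servers as well as IIS, because the worm scans addresses without checking what is listening. The Python script below is an added example, not something from the article or from any vendor: it parses Apache-style access-log lines (the sample lines are constructed) and flags the Index Server probe by its shape, a long run of one filler byte in the query string followed by %u-encoded bytes. The 200-byte filler threshold, the sample addresses and the log format are assumptions; the %u sequence is the one published in CERT's advisory for the July outbreak.

```python
"""Flag Code Red probes in web-server access logs.

Added illustration: the log lines below are synthetic, in Apache common log
format; they are not real traffic and not part of the article.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache common log format: host ident authuser [date] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# The probe that hits the IIS Index Server ISAPI extension: a request for an
# .ida/.idq resource whose query string is a long run of a single filler byte
# (the overflow) followed by %uXXXX-encoded bytes (the worm's code). The
# minimum filler length of 200 is an assumption: below the 224 bytes the July
# worm sent, far above any ordinary query.
PROBE = re.compile(
    r'\.id[aq]\?(?P<filler>(?P<ch>[A-Za-z])(?P=ch){199,})'
    r'(?P<payload>(?:%u[0-9a-fA-F]{4})+)',
    re.IGNORECASE,
)

# %u sequence as published in the CERT advisory for the July outbreak.
CODE_RED_PAYLOAD = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
    "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
    "%u0078%u0000%u00=a"
)

# Constructed sample log (addresses are documentation/private ranges).
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - [01/Aug/2001:00:03:12 -0700] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.77 - - [01/Aug/2001:00:03:40 -0700] "GET /default.ida?'
    + "N" * 224 + CODE_RED_PAYLOAD + ' HTTP/1.0" 404 276',
    # A short .ida query is not a probe and must not be flagged.
    '10.0.0.9 - - [01/Aug/2001:00:04:01 -0700] "GET /default.ida?query=test HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Aug/2001:00:05:17 -0700] "GET /default.ida?'
    + "N" * 224 + CODE_RED_PAYLOAD + ' HTTP/1.0" 404 276',
    'not a log line at all',
]


@dataclass
class Finding:
    ip: str
    time: str
    filler: str       # the byte repeated to overflow the buffer
    filler_len: int
    status: int


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one common-log-format line into fields; None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_probes(lines: List[str]) -> List[Finding]:
    """Return one Finding per request that matches the probe shape."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"].upper() != "GET":
            continue
        m = PROBE.search(rec["target"])
        if m:
            findings.append(Finding(rec["ip"], rec["time"], m.group("ch").upper(),
                                    len(m.group("filler")), int(rec["status"])))
    return findings


def sources(findings: List[Finding]) -> Counter:
    """Probes per source address; each source is itself a running copy of the worm."""
    return Counter(f.ip for f in findings)


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for f in hits:
        print(f"{f.time}  {f.ip:<15} filler={f.filler}x{f.filler_len} status={f.status}")
    print("infected sources:", dict(sources(hits)))
```

Every source address in the output is an infected machine, since only a running copy of the worm sends this request; that list is what to pass to the owners of those networks. A 404, as in the constructed lines, means the server had nothing at that path and was not affected; the same line in an IIS log means the host needs the patch and, as the article notes below, a reboot to clear the memory-resident copy.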

While Microsoft quickly released a widely distributed patch for the IIS hole, it's unclear how many system administrators have downloaded and installed the fix. Microsoft has estimated that servers responsible for some 6 million Web pages have the vulnerability.

The worm's behavior is keyed to the day of the month: it spreads from the 1st through the 19th, switches on the 20th to attack mode, barraging an Internet address originally associated with the White House Web site with large packets of data, and goes dormant on the 28th. A dormant copy does not wake itself up, but any computer vandal releasing a fresh copy once a new active period begins--most recently at midnight GMT Aug. 1, or 5 pm PDT Tuesday--starts a new round of infections.

While many security experts warned of potential Internet outages due to the revived worm, others maintained the worm is not spreading as quickly as once feared. The disagreement is about the rate, not the shape of the curve: a worm whose victims double each generation is growing exponentially (a "geometric" progression is the same thing in discrete steps), and what limits it in practice is how quickly it exhausts the supply of unpatched servers.

Rob Rosenberger, editor of the Vmyths.com news service, said the alarm surrounding Code Red is largely undeserved, but he acknowledged that the Internet is not quite "out of the woods" in terms of the danger that Code Red could inflict on it. He says the next 12 to 24 hours will be key because it appears as though the worm is spreading geometrically, infecting two computers, then four, then eight.

"What's been lost in the mix here is that Code Red is a geometric rise," said Rosenberger, who has been one of the most outspoken critics of the FBI, Microsoft and conventional security companies in their response to the worm. "I still believe that I'm right and this never should have reached the level of hysteria it did. But I won't be right for 24 hours."

Worms have become the tool of choice among malicious vandals on the Internet, but the Code Red strain has proven especially fast and effective. Unlike other worms that hide in email attachments, such as Love Letter and SirCam, Code Red does not require fooling an unwitting recipient into opening an email document.

Several experts said Code Red was the most nefarious worm they've seen since the Cornell Internet Worm, which overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988. The worm, which exploited flaws in Unix systems, was written and released by Robert T Morris, a Cornell University graduate student, and is also called the Morris worm.

A new version of Code Red could mean it will be more virulent its second time around, launching a data flood that could potentially overwhelm many servers over the next few days. The original worm picked targets with a random-number generator started from a fixed seed, so every infected copy walked the same sequence of Internet Protocol (IP) addresses, the unique strings of numbers that identify computers on the Internet, and each new copy rescanned ground already covered. A second version with a so-called "random seed" gives each copy its own sequence, so the worm probes the address space far more quickly and is harder to avoid.
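Two technical points above are easier to see in a model than in prose: the doubling Rosenberger describes (two, then four, then eight) is exponential growth, which slows only as the worm runs out of unpatched servers (the "rate of growth had slowed markedly" reported earlier), and a fixed seed makes every copy of the worm rescan the same addresses, while random seeding lets each copy cover new ground. The Python below is an added toy simulation, not analysis from the article, SANS, CERT or the FBI: a 2^16-address space, 1 in 16 addresses vulnerable, ten probes per infected host per time step and the constant 0x1234 as the fixed seed are all assumptions chosen to keep the run small.

```python
"""Toy model of a random-scanning worm: fixed versus random PRNG seed.

Added illustration, not the article's material. Parameters are assumptions
chosen to keep the run small; the address space is 2**16, not the IPv4 space.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ADDRESS_SPACE = 2 ** 16      # toy address space (assumption)
VULNERABLE_HOSTS = 4096      # 1 in 16 addresses runs an unpatched server (assumption)
SCANS_PER_TICK = 10          # probes each infected host sends per time step (assumption)
TICKS = 30
FIXED_SEED = 0x1234          # stand-in for a constant seed compiled into the worm (assumption)


@dataclass
class Result:
    infected: List[int] = field(default_factory=list)  # infected count after each tick
    unique_scanned: int = 0                             # distinct addresses probed overall


def simulate(fixed_seed: Optional[int], master_seed: int = 1) -> Result:
    """Run the worm for TICKS steps.

    fixed_seed=None models a worm that seeds each copy's PRNG randomly; an
    integer models every copy starting from the same seed and therefore
    walking the same target sequence. master_seed makes the run reproducible.
    """
    master = random.Random(master_seed)
    vuln_list = master.sample(range(ADDRESS_SPACE), VULNERABLE_HOSTS)
    vulnerable = set(vuln_list)
    patient_zero = vuln_list[0]

    def new_rng() -> random.Random:
        seed = fixed_seed if fixed_seed is not None else master.getrandbits(32)
        return random.Random(seed)

    infected: Dict[int, random.Random] = {patient_zero: new_rng()}
    scanned = set()
    result = Result()
    for _ in range(TICKS):
        # Snapshot: hosts infected during this tick start scanning next tick.
        for rng in list(infected.values()):
            for _ in range(SCANS_PER_TICK):
                target = rng.randrange(ADDRESS_SPACE)
                scanned.add(target)
                if target in vulnerable and target not in infected:
                    infected[target] = new_rng()
        result.infected.append(len(infected))
    result.unique_scanned = len(scanned)
    return result


def growth_factors(result: Result) -> List[float]:
    """Tick-over-tick ratios; a near-constant ratio early on is exponential growth."""
    counts = result.infected
    return [b / a for a, b in zip(counts, counts[1:]) if a]


def compare() -> Dict[str, Result]:
    """Both variants over the same vulnerable population."""
    return {"fixed_seed": simulate(FIXED_SEED), "random_seed": simulate(None)}


if __name__ == "__main__":
    for name, res in compare().items():
        print(f"{name:12s} final infected={res.infected[-1]:5d} "
              f"unique addresses scanned={res.unique_scanned}")
        print("  infected per tick:", res.infected)
        print("  growth factors:", [round(g, 2) for g in growth_factors(res)])
```

Running it prints the infected count per tick for both variants. With the fixed seed the worm never probes more than SCANS_PER_TICK * TICKS distinct addresses and infects only the handful of vulnerable hosts in that prefix, because every later copy repeats the first copy's sequence from the start. With random seeds the count grows by a near-constant factor each step until most of the vulnerable population is infected, then flattens: the slowdown comes from exhaustion of targets, not from any change in how fast each copy scans.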

Despite its more virulent nature, it's unclear exactly how many unpatched servers are still vulnerable to the worm.

Douglas Conorich, global solutions manager for IBM's managed security services in Dallas, said that about half of IBM's corporate customers were vulnerable to the original attack. But IBM quickly alerted its customers of the patch and no customers were infected, Conorich said. He also said they've installed a patch that will guard against several new vulnerabilities likely in a second outbreak.

"They skated through, luckily," Conorich said of his customers. "But the danger was there. This was a very unusual one in that it only took the hackers a month from the time the vulnerability was discovered until they did something. Usually it takes six to seven months before a hacker comes out with an attack against a vulnerability, and that gives people some time."

Although IBM's customers are reportedly safe, small businesses and those that don't have contracts with large computer consulting companies may have more to fear.

John B Butler Jr, president of LiveVault, estimated that 3 million Windows servers in the United States--mainly at small businesses and remote branch offices--do not have professional IT support. It's likely that a large percentage of these "stranded" servers are vulnerable, Butler said.

Code Red also can disrupt smaller networks by tripping a flaw in Cisco Systems' 600 series DSL routers: the worm's HTTP scans can cause the router to stop forwarding traffic.

Although many small businesses may be in danger of attack, home computer users have little to fear. The worm cannot infect individual PCs running Windows 95, 98 or Me. Only Windows NT and Windows 2000 Web servers running IIS can be infected with this worm.

Although it won't infect home computers, users may experience extreme delays or malfunctioning of their favorite Web sites because of the traffic generated by the worm's scanning and attacks. Because of that and the danger it poses to Microsoft Web servers, Microsoft, federal security agencies and trade groups hosted a globally televised press conference Monday to urge businesses to install a software patch that prevents infection.

It's unlikely that the worm will do permanent damage. The worm doesn't destroy data, though future generations of it could be modified to do so. Only computers set to use the English language have had their Web pages defaced, typically with the message, "Hacked by Chinese". (The first Net address from which attacks emanated in the July episode was apparently traced to Foshan University in China, although a Chinese network safety official denied those allegations Tuesday.)

It's also unclear how long the worm will live. Guarding against the worm is a relatively straightforward matter of installing a Microsoft software patch that prevents any malicious program from taking advantage of the IIS hole.

Because Code Red is memory-resident--it lives in the server's volatile physical memory rather than on a hard drive or other permanent storage--rebooting wipes out the infection. The software patch prevents re-infection.

In theory, if every server were patched, the worm would die. Otherwise, it could continue its monthly cycle of hibernation and attack. The most recent statistics from Microsoft show that more than 1 million people have downloaded the patch.

The idea of installing a patch is simple, but many companies do not do so--sometimes because the patch ends up causing other problems to the corporate system. Conorich said it's not uncommon for servers to lose credit card or other personal data immediately after receiving a patch, causing e-commerce transactions to be erased. Microsoft last month released two faulty patches for a flaw in its Exchange email server software.
