Code Red hits a plateau

After hogging headlines and fanning computer technicians' fears for several days, the rate of infection from the fast-spreading worm had plateaued and may be tapering off. Experts who monitor the potential impact of worms and viruses said Code Red has not slowed the overall speed of the Internet at all, in contrast to initial worries it could clog vast chunks of the Net.

Security think tank the SANS Institute reported that servers responsible for 343,345 Web sites had been infected by a second wave of Code Red between Wednesday and 5 am PDT Friday. But it had only infected about 20,000 servers in the most recent few hours--a relatively pokey rate that puts Code Red on the back burner for many security experts.

"When you're talking about millions of servers...20,000 isn't a lot," said Jerry Freese, director of intelligence at Parsippany, N J-based network security company Vigilinx. "We're seeing viruses out there that are of greater concern than Code Red at this point, like SirCam."

SirCam, which distributes documents from the hard drives of infected computers to randomly selected email addresses, is potentially more dangerous than Code Red: While SirCam can distribute confidential documents, Code Red attacks Microsoft Web servers and temporarily defaces Web sites.

But that doesn't make Code Red any less annoying to those who have been bombarded with the worm's attempts to penetrate computer systems. Several information technology workers sent emails complaining that the worm has continued to try to infiltrate their computer systems at least once or twice per hour.

The Code Red worm--named after a hypercaffeinated, cherry-flavored soda popular with computer programmers--infected servers around the world last month and launched a massive denial-of-service attack against the White House's Web site.

As originally reported, the worm takes advantage of a vulnerability in Microsoft's Internet Information Server (IIS) Web server software running on Windows NT and Windows 2000 systems. Code Red was thought to have infected as many as 359,000 systems within about six days during its original attack in July, making it one of the fastest-spreading worms ever.

Microsoft immediately released a patch for the IIS hole. More than a million copies of the patch have been download, but it's unclear how many unpatched servers are connected to the Internet. Microsoft has estimated that servers responsible for some 6 million Web pages have the vulnerability.

The worm mainly infects computers running the Windows NT and Windows 2000 operating systems and Microsoft's Internet Information Server (IIS) Web server software. Most home PC users with standard dial-up Internet access are immune to the worm, as are computers running other operating systems, such as Apple's Mac or Linux.

But Code Red could damage smaller networks or home PCs with broadband Internet access by attacking a vulnerability in Cisco System's 600 series DSL routers. The worm could cause the router to stop forwarding traffic on any machine using such a router. DSL provider Qwest Communications acknowledged that some customers using the Cisco modems with specific configurations lost service, but Qwest said Code Red "did not impact the majority of DSL customers."

Although the rate of infection appears to be tapering off, Code Red may rear its head again in September. It remains active between the first of the month and the 28th, when it goes into hibernation. While the worm does not reactivate itself automatically, any computer sending a copy of the worm once the active period begins--at midnight GMT on the first day of the month--would start a new round of infections.

On the 20th of the month, the worm is programmed to switch to attack mode and barrage an Internet address originally associated with the White House Web site with large packets of data.