Code Red slows spread, risks remain

The rate of infection from the dreaded Code Red worm and related mutations is slowing, but security experts say some computers may still be at risk.
Written by Rachel Konrad, Contributor on

The worm had infected servers responsible for more than 280,000 Web sites as of 10 am PDT Thursday, according to security trackers at the SANS Institute. But the number of computers that the worm infects each hour appeared to be declining steadily after an initial burst on Tuesday, according to SANS.

By Thursday morning, the rate of infection had slowed to such an extent that the National Infrastructure Protection Center (NIPC) had issued a news release stating that agents were "cautiously optimistic" about the worm's demise. They said the impact of the worm's second attack on computer servers worldwide "has been minimized".

Despite the worm's seeming sluggishness, virus experts warn that it could still wreak havoc on vulnerable servers. The worm works on a monthly cycle and will not go back into hibernation for several weeks.

Also of concern to security experts are potentially new variants of Code Red. Vincent Weafer, director of the Symantec AntiVirus Research Center, said he has seen several mutations of the original worm, which defaces Web sites with the message "Hacked by Chinese".

"We're still looking into this to see if this is an actual variant or if it's just someone messing around," Weafer said Thursday afternoon.

As originally reported, the Code Red worm takes advantage of a hole in Microsoft's Internet Information Server (IIS) Web server software running on Windows NT and Windows 2000 systems. Code Red was thought to have infected as many as 359,000 systems within about six days during its original attack in July, making it one of the fastest-spreading worms ever.

The worm remains active between the first of the month and the 28th, when it goes into hibernation. While the worm does not reactivate itself automatically, any computer vandal sending a copy of the worm once the active period begins--most recently at midnight GMT Aug 1, or 5 pm PDT July 31--would start a new round of infections. On the 20th of the month, the worm is set to switch to attack mode and barrage an Internet address originally associated with the White House Web site with large packets of data.

Experts credited massive downloading of a security patch that fixes the IIS vulnerability for hampering the worm's spread this time. The worm only infects computers running the Windows NT and Windows 2000 operating systems and Microsoft's Internet Information Server (IIS) Web server software, meaning few home PCs are vulnerable to the attack.

"The large number of machines that are now patched (has) changed the playing field, but we still anticipate increasingly rapid growth worldwide in the coming days," according to a statement on the Web site of security services company Internet Security Systems (ISS).

"We anticipate remaining at (high alert) through early August but will watch the situation closely and adjust the threat level accordingly."
