'Code Red': So long, for now

The largely unsuccessful 'Code Red' worm gives system administrators some room to fix nearly 300,000 infected machines. Newer, more effective variants may be on the horizon, however
Written by Robert Lemos, Contributor

System administrators have 10 days to fix nearly 300,000 Web servers infected by the Code Red worm before the malicious program halts its largely unsuccessful but ongoing attack on Whitehouse.gov and starts spreading again.

New research has indicated that a variant of Code Red worm, released on Thursday, likely saturated the Internet, infecting almost all the vulnerable servers before it redirected the approximately 300,000 infected computers to attack an Internet address used by the White House Web site.

By the end of Thursday, any given numerical Internet address had been attacked on average more than 20 times, said Stuart Staniford, president of security consulting firm Silicon Defence, who did a statistical analysis of the worm's spread. "It's hard to see how a vulnerable Web server could survive that onslaught," he said.

The saturation may mean that on 1 August, when the Code Red tries to infect more computers, there won't be any more to infect. But Staniford and others warned that other variants could be created to do worse damage.

Moreover, while many warned of the worm's potential to flood the Net, Cisco today acknowledged that Code Red has affected the Internet in other ways as well, including crashing some of the company's networking products.

"As a side effect, the URL used by the worm to infect other hosts causes Cisco 600 series DSL routers to stop forwarding traffic by triggering a previously published vulnerability," the company said in an advisory Friday. "Any 600 series routers scanned by the Code Red worm will not resume normal service until the power to the router has been cycled."

Reports on SecurityFocus.com's Bugtraq security mailing list indicated that some of Hewlett-Packard's JetDirect products have embedded Web servers that also may be affected by the worm's scans.

The Code Red worm is thought to have started spreading a week ago, on Friday the 13th.

The program is designed to scan the Internet between the first and 20th of the month for computers vulnerable to a Microsoft Web server flaw discovered last month by eEye Digital Security. Starting at midnight Greenwich Standard Time on the 20th, the worm attacks a specific Internet address, That was the location of the White House Web site, but system administrators moved the site to another Internet address Thursday afternoon, effectively dodging the worm.

However, some browsers may still return a "page not found" error when attempting to connect to a Whitehouse.gov address. Though administrators for the Web site updated Internet directories, known as DNS servers, that match Whitehouse.gov URLs with a specific Internet address, in some cases the change could take a day or two to propagate throughout the Web.

The actual number of computers infected is unknown, but many network administrators have been able to determine how many infected computers have attacked their particular network.

A system administrator for Lawrence Berkeley National Laboratories posted evidence of 293,000 computers attacking his network. And Mike Janke, network director for the Minnesota State Colleges and Universities, said that attacks from 185,000 unique addresses hit the edge of his network.

Janke said that surprisingly, his network remained largely unaffected. "Of course, it is summer here, and we are only at 5-percent utilisation."

The number of active attacks has now settled down to a few thousand, he added. "There are probably a couple of clowns who have their clocks set wrong," he said.

The large number of machines infected by the worm has some security experts suggesting that a program should be created to close the hole automatically.

In a discussion on the Bugtraq security mailing list, several people suggested that security experts could create an automated patching worm, which would spread around the Net, infecting vulnerable machines to install the patch.

Others suggested another alternative: an automated program that -- when attacked by a server infected with the worm -- would attack back, hacking the server, deleting the worm and finally closing the hole.

Just last month, however, security expert and hacker Max Butler, also known as Max Vision, started an 18-month term in prison for creating a worm that essentially closed security holes on vulnerable servers. The worm also left an open backdoor into the servers, casting doubt on Butler's altruistic intentions, but the lesson has been learned, said one Bugtraq writer, who dissuaded others from creating "hack-back" code.

"Ethically, it's pretty much unconscionable," he said. "Just because we can take advantage of vulnerabilities, it doesn't necessarily follow that we should. The possibility for damage or misuse far outweighs any potential benefits."

The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorised intrusion."

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards