Code Red worm set to flood Internet

More than 100,000 infected servers are programmed to flood the White House Web site's address with data, potentially slowing parts of the Net to a crawl.

An analysis of the fast-spreading "Code Red" computer worm reveals that infected computers are programmed to attack the White House Web site with a denial-of-service attack Thursday evening, potentially slowing parts of the Internet to a crawl.

The worm had compromised more than 100,000 servers running the English-language version of Microsoft's Web server software as of late Thursday. Each of those infected computers is expected to begin flooding the White House site's address with data at 5 pm PDT, according to an analysis by network-protection company eEye Digital Security.

While the direct target of the worm's denial-of-service attack is the White House site, the indirect effect is that an avalanche of data will hit the Net. Each infection--a single server can be infected at least three times--will send about 400MB of data every four hours or so, possibly leading to a massive packet storm on the links between the infected servers and the target.

"That's what I mean when I say, 'Boom!'" said Marc Maiffret, chief hacking officer of eEye. "If this goes along what it's looking like, parts of the Net will go down." He noted, though, that the code could have an error that causes the worm "to screw up and not work right".

Already, there are reports that the worm's propagation is causing performance problems for some companies connected to the Internet. According to data from an Internet performance company, the root name servers--the top of the Domain Name System, which resolves Web names to numerical Net addresses--are showing 20 percent packet loss. Packet loss at that level indicates congestion, that is, a substantial increase in data flowing across the Net.

At 7 am PDT Thursday, something caused the worm's rate of infection to increase, said Ken Eichman, a senior security engineer who has been tracking the worm since last Friday. Other experts confirmed the exponential increase in the worm's spread.

Eichman postulated that someone may have modified the worm to spread faster. "I don't know what else could account for it," he said. "If it continues to grow, this is going to be an indirect DoS attack against the network. You are probably going to start to get some performance degradation."

In fact, the worm is now spreading so quickly that its scanning for other servers to infect has begun to slow some networks, said Johannes Ullrich, CTO of the Internet Storm Center at the SANS (SysAdmin, Audit, Network, Security) Institute.

"Early this week it hit a plateau, but now it's taken off again," he said, adding that one SANS member had stopped logging probes by the worm altogether, because there were just too many.

Even if the flood of data continues to increase as expected, it may go unnoticed by most Web users, said Fred Cohen, a security expert in residence at the University of New Haven and the author of the first academic paper on computer viruses, published in 1984.

"If it is handled properly, it sounds like it's easily defeated," he said. "All those people (whose servers have been infected) can be notified. The Internet won't collapse; society won't end.

"Back 15 years ago, that (was) more bandwidth than the whole Internet had, but today the Internet can handle it."

Government officials on Thursday afternoon were reviewing the eEye analysis, according to sources. Calls to the White House were not immediately returned.

In June, eEye found the security vulnerability in Microsoft's Internet Information Server (IIS) that the worm uses to break in. Known as the index-server flaw, it is an unchecked buffer in the Index Server ISAPI extension that IIS maps to .ida and .idq requests by default; Microsoft detailed and patched the hole (security bulletin MS01-033) more than a month ago.

Although system administrators have had more than a month to plug the hole, a large number have not.

The security hole, combined with the low priority normally given to patching systems, may cause history to repeat itself.

In November 1988, the Cornell Internet Worm, better known as the Morris worm, overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet. The worm, which exploited flaws in Unix systems, was written and released by Robert T Morris, a Cornell University graduate student. The effects on the early Internet are still debated, but some estimate that traffic slowed by 15 percent to 20 percent on average.

That may happen again.

The Code Red worm spreads by starting 100 threads that scan other IP addresses for the hole, sending each target the overlong Index Server request that triggers the overflow and installs a copy of the worm on every vulnerable machine it finds. The worm then defaces any Web site hosted by the server with the text: "Welcome to! Hacked by Chinese!"
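Because the worm propagates by sending one recognisable HTTP request to the Index Server extension, an administrator can tell from the IIS logs alone whether a server is being probed and by whom. The following detection script is an added example written for this article, not code from eEye or from the worm itself. It assumes IIS W3C-format log lines with the fields date, time, client IP, method, URI stem, URI query and status, and the sample lines it scans are constructed for the example, not a real capture; the request shape it matches (an overlong filler followed by %u-encoded shellcode aimed at a .ida or .idq path) is the worm's known probe.

```python
import re
from collections import Counter

# Index Server ISAPI extensions: the worm aims its overlong query at one of these.
IDA_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)

# Constructed sample payload pieces (not a real capture). The worm's request is a
# long run of filler characters followed by %u-encoded shellcode in the query.
FILLER_V1 = "N" * 224   # filler used by the original variant
FILLER_V2 = "X" * 224   # filler used by the later variant
SHELLCODE = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090"
             "%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed IIS W3C log lines for the example:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-07-19 14:02:11 198.51.100.7 GET /default.ida {FILLER_V1 + SHELLCODE} 200",
    "2001-07-19 14:02:15 203.0.113.9 GET /index.html - 200",
    # A legitimate Index Server search: same extension, short and harmless query.
    "2001-07-19 14:03:40 203.0.113.9 GET /search.idq CiRestriction=patch&CiScope=/ 200",
    f"2001-07-19 14:05:02 192.0.2.44 GET /default.ida {FILLER_V2 + SHELLCODE} 404",
    f"2001-07-19 14:09:30 198.51.100.7 GET /default.ida {FILLER_V1 + SHELLCODE} 200",
])


def parse_line(line):
    """Split one W3C log line into its fields; return None for comments and blanks."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {"ts": f"{date} {time}", "ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}


def is_code_red_probe(entry, min_query_len=200):
    """Flag a request to an Index Server extension whose query is overlong or
    carries %u-encoded shellcode. A real .idq search has a short query and no
    %u escapes, so it is left alone. The status code only shows that the probe
    arrived; it does not tell you whether the overflow succeeded."""
    if not IDA_RE.search(entry["stem"]):
        return False
    query = entry["query"]
    return len(query) >= min_query_len or "%u9090" in query.lower()


def scan_log(text):
    """Return the flagged entries and a per-source count of probes."""
    probes = [e for e in map(parse_line, text.splitlines())
              if e and is_code_red_probe(e)]
    return probes, Counter(e["ip"] for e in probes)


if __name__ == "__main__":
    probes, by_ip = scan_log(SAMPLE_LOG)
    for e in probes:
        print(f"{e['ts']} {e['ip']} {e['stem']} status={e['status']}")
    print("probes per source:", dict(by_ip))
```

Run against a real log directory, the per-source counter is the list of infected hosts to notify, which is exactly the containment step Cohen describes below; the script deliberately does not look at the status code, because a 404 from a server without the .ida mapping is still evidence that the sender is infected.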

Code Red seems to deface only English-language servers, going into hibernation on non-English versions of Microsoft's IIS software. However, many companies in other countries use the English version of Microsoft's software, said eEye's Maiffret.

"The majority of foreign companies run the English system, because updates come out first in the English," he said.

According to the eEye analysis, when Coordinated Universal Time (UTC) reaches midnight on Friday morning, which is 5 pm PDT Thursday, every worm infection will start sending nearly 400MB of data every four hours.

The worm's scanning traffic also appears to crash several varieties of DSL routers and some higher-end network routers that direct data around the Internet, according to posts on the Bugtraq mailing list maintained by SecurityFocus. While apparently not an intended consequence of the worm, the failures could exacerbate the bandwidth problems once the data flood starts.