Code Red worm stays cool

Widespread use of security patches seems to have minimized the danger that could have been wreaked by the Code Red worm.
Written by Rachel Konrad, Contributor

Network administrators and security experts feared that the worm would bombard Web sites with data and slow down large portions of the Internet. They braced for a slowdown shortly after 5 pm PDT, when the worm was supposed to emerge from an inactive state and flood the Internet with information.

But most Web sites seemed to be functioning normally late Tuesday afternoon, and security experts said they were pleasantly surprised by the lack of commotion.

"There's no indication yet that says there's a massive attack going on. This may be a nonevent," said Jerry Freese, director of intelligence for Parsippany, NJ-based security company Vigilinx. "It looks to me that, through a concerted effort, we've been able to divert the problem."

The FBI said it would issue a report Tuesday around 7 pm PDT on the impact Code Red was having. The newest version of the worm was originally expected to be faster-spreading and potentially more harmful than the original, which began infecting computer servers on July 13.

The Code Red worm--named after a hypercaffeinated, cherry-flavored Mountain Dew drink popular with computer programmers--infected servers around the world last month and launched a massive denial-of-service attack against the White House's Web site.

Although few home PCs are vulnerable to the attack, the worm could disable some e-commerce sites or slow down the overall speed of the Internet by bombarding sites with data.

Worms have become the tool of choice among malicious vandals on the Internet, but the Code Red strain has proven especially fast and effective. Unlike other worms that hide in email attachments, such as LoveLetter and SirCam, Code Red does not require fooling an unwitting recipient into opening an email document.

Several experts said Code Red was the most nefarious worm they've seen since the Cornell Internet Worm, which overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988. The worm, which exploited flaws in Unix systems, was written and released by Robert T Morris, a Cornell University graduate student, and is also called the Morris worm.

But the lack of activity Tuesday afternoon could vindicate Rob Rosenberger, editor of the Vmyths.com news service, and others who said that the media and government had sensationalized the Code Red worm and greatly magnified its potential for disaster.

Rosenberger said the FBI's new National Infrastructure Protection Center has overhyped the worm to such an extent that many people who are not in any danger from it are rushing to install patches on their computers. He called the FBI's frenzy a "Code Red publicity tour".

As originally reported, the Code Red worm takes advantage of a hole in Microsoft's Internet Information Server. Code Red was thought to have infected as many as 359,000 systems within about six days--one of the fastest-spreading worms ever.

A new version of the worm could mean the worm will be more virulent its second time around, launching a data flood that could potentially overwhelm many servers over the next several hours or days. The original worm targeted single Internet Protocol addresses, the unique strings of numbers that identify computers on the Internet. But a second version may have a so-called random seed that could hunt down Web sites even after they've changed IP addresses, making it harder to avoid attack.

Despite its more virulent nature, it's unclear exactly how many unpatched servers are still vulnerable to the worm. Security experts say the vast majority of Fortune 1000 companies patched their systems days or weeks ago, and they're prepared for mutant worms that are stronger and more destructive than the July outbreak.

Douglas Conorich, global solutions manager for IBM's managed security services in Dallas, said that about half of IBM's corporate customers were vulnerable to the original attack. But IBM quickly alerted its customers of the patch and no customers were infected, Conorich said. He also said they've installed a patch that will guard against several new vulnerabilities likely in a second outbreak.

"They skated through, luckily," Conorich said of his customers. "But the danger was there. This was a very unusual one in that it only took the hackers a month from the time the vulnerability was discovered until they did something. Usually it takes six to seven months before a hacker comes out with an attack against a vulnerability, and that gives people some time."

Although IBM's customers are reportedly safe, small businesses and those that don't have contracts with large computer consulting companies may have more to fear.

John B. Butler Jr, president of LiveVault, estimated that 3 million Windows servers in the United States--mainly at small businesses and remote branch offices--do not have professional IT support. It's likely that a large percentage of these "stranded" servers are vulnerable, Butler said.

Code Red also can damage smaller networks by calling attention to a vulnerability in Cisco Systems' 600 series DSL routers. The worm could cause the router to stop forwarding traffic.

Although many small businesses may be in danger of attack, home computer users have little to fear. The worm does not connect to individual PCs running Windows 95, 98 or ME. Only Microsoft Web servers running IIS will be infected with this worm.

Although it won't infect home computers, users may experience extreme delays or malfunctioning of their favorite Web sites because of denial-of-service attacks. Because of that and the danger it poses to Microsoft Web servers, Microsoft, federal security agencies and trade groups hosted a globally televised conference Monday to urge businesses to install a software patch that prevents infection.

It's unlikely that the worm will do permanent damage. The worm doesn't destroy data, though future generations of it could be modified to do so. Only computers set to use the English language have had their Web pages defaced, typically with the message, "Hacked by Chinese". (The first Net address from which attacks emanated in the July episode appeared to belong to Foshan University in China, although a Chinese network safety official denied those allegations Tuesday.)

It's also unclear how long the worm will live. Guarding against the worm is a relatively straightforward matter of installing a Microsoft software patch that prevents any malicious program from taking advantage of the IIS hole.

Because Code Red is memory-resident--it lives in the server's volatile physical memory rather than a hard drive or other permanent storage--rebooting wipes out the infection. The software patch prevents re-infection.

In theory, if every server were patched, the worm would die. Otherwise, it would continue its monthly cycle of hibernation and attack. The most recent statistics from Microsoft show that more than 1 million people have downloaded the patch. Initial Microsoft estimates were that servers responsible for more than 6 million Web sites were vulnerable to the IIS hole.

The worm remains active between the first of the month and the 28th, when it goes into hibernation. While the worm does not reactivate itself automatically, any computer vandal sending a copy of the worm once the active period begins--most recently at 12:01 am GMT Aug. 1, or 5 pm PDT Tuesday--would start a new round of infections. On the 19th of the month, the worm is set to switch to attack mode and barrage the whitehouse.gov Internet domain with large packets of data.
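The interaction described above (a reboot clears the memory-resident worm, a patch blocks reinfection, and a vandal can reseed the worm at the start of each active period) is easier to see in a small model. The following is example code written for this edit, not anything from the article, Microsoft or the FBI; the host count, the random-peer contact model and the probe rate are constructed, and only the qualitative outcome matters: without patching, a reseeded worm reinfects the rebooted population, and with every host patched it cannot.

```python
import random

# Toy model of Code Red persistence (constructed example, not article data):
# the worm lives only in memory, so a reboot clears an infected host; an
# unpatched host can be reinfected by any still-infected peer, a patched
# host cannot. Host counts and probe rates are made up for illustration.

class Host:
    """One IIS server: 'patched' blocks new infection; 'infected' is the
    memory-resident copy, which only a reboot removes."""
    def __init__(self):
        self.patched = False
        self.infected = False


def spread_round(hosts, probes_per_infected, rng):
    """Each infected host probes random peers; an unpatched, uninfected peer
    becomes infected. Returns the number of new infections this round."""
    new = set()
    for h in hosts:
        if h.infected:
            for _ in range(probes_per_infected):
                target = rng.choice(hosts)
                if not target.patched and not target.infected:
                    new.add(target)
    for t in new:
        t.infected = True
    return len(new)


def count_infected(hosts):
    return sum(1 for h in hosts if h.infected)


def simulate(n_hosts=200, patched_fraction=1.0, reboot=True,
             rounds=10, probes=3, seed=1):
    """Three phases: the first outbreak on an unpatched population; the
    operators' response (patch a fraction of hosts, optionally reboot all);
    then a vandal reseeds the worm into one random host when the next active
    period begins and it spreads again. Returns the infected counts."""
    rng = random.Random(seed)
    hosts = [Host() for _ in range(n_hosts)]

    # Phase 1: first outbreak, nobody patched, one seed host.
    rng.choice(hosts).infected = True
    for _ in range(rounds):
        spread_round(hosts, probes, rng)
    after_outbreak = count_infected(hosts)

    # Phase 2: response. Patching does not remove the resident copy;
    # only the reboot does.
    for h in rng.sample(hosts, int(n_hosts * patched_fraction)):
        h.patched = True
    if reboot:
        for h in hosts:
            h.infected = False
    after_response = count_infected(hosts)

    # Phase 3: the worm is sent in again at the start of the active period.
    seed_host = rng.choice(hosts)
    if not seed_host.patched:
        seed_host.infected = True
    for _ in range(rounds):
        spread_round(hosts, probes, rng)
    after_reseed = count_infected(hosts)

    return {"after_outbreak": after_outbreak,
            "after_response": after_response,
            "after_reseed": after_reseed,
            "unpatched": sum(1 for h in hosts if not h.patched)}


if __name__ == "__main__":
    for frac, rb in [(0.0, True), (0.5, True), (1.0, True), (1.0, False)]:
        print(f"patched={frac:.0%} reboot={rb}: "
              f"{simulate(patched_fraction=frac, reboot=rb)}")
```

The last scenario (patch everything but skip the reboot) is the case the article's wording implies but does not spell out: the resident copies keep running and keep probing, yet they find no host left to infect, so the count neither grows nor shrinks until the servers are restarted.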

The idea of installing a patch is simple, but many companies do not do so--sometimes because the patch ends up causing other problems for the corporate system. Conorich said it's not uncommon for servers to lose credit card or other personal data immediately after receiving a patch, causing e-commerce transactions to be erased. Microsoft last month released two faulty patches for a flaw in its Exchange email server software.
