Who is to blame for the Code Red worm?

If your Internet connection is slow over the next few weeks, you can blame the Chinese or maybe blame Microsoft, says security expert Robert Vamosi. But you probably should really blame IIS administrators who still haven't patched their software.
Written by Robert Vamosi, Contributor

COMMENTARY--You may have noticed some extra Internet traffic this morning. As I write this column on Monday afternoon, July 30, dire predictions are being made about the Code Red worm and what it will do to the Internet on Wednesday morning, August 1. Call me an optimist, but I predict you'll be reading this column just fine. That's not to say we should take this whole Code Red event lightly. Not at all.

Analysis has concluded that the worm was launched on July 13 from Foshan University in Guangdong, China. Of course, the Chinese take exception to that. A Chinese network safety official said that Code Red is too sophisticated for China. The official further stated that if the worm did originate in Guangdong, then how come there haven't been more infections in China?

I think that's beside the point. Remember the recent media-inflated United States-Chinese hacker war? The Chinese, especially the students, really wanted to retaliate for their downed fighter jet pilot, so why would they engage in a wimpy Internet war? Why not wait and make a really big statement instead?

Perhaps the Chinese students got their break on June 18, when eEye Digital Security first reported the .ida vulnerability in IIS servers. Microsoft promptly issued its own stern warning that this was indeed serious, and offered a patch. Of course, not everyone got around to patching their IIS servers, and on July 13, less than one month later, the first few infections of Code Red were reported. (For an excellent history of the Code Red worm, see ZDNN's Code Red: What went wrong?)

I'm willing to concede that picking a Microsoft vulnerability (of all things), then choosing only English (U.S.) versions of Windows servers to deface, and attacking no less than the White House, could all just be red herrings. Certainly the message "Hacked by Chinese!" is a little too obvious. But on the other hand, if you have a group of pissed-off students at a university such as Foshan, then Code Red is a brilliant response. I, for one, do not agree with the Chinese network safety official who said he's "never heard of anything so powerful in China." I think that statement belittles Chinese intelligence and skill.

Fortunately, the first incarnation of Code Red is flawed. Its random IP address generator uses the same fixed "seed," so every copy spawned by the original worm generates the same sequence of IP addresses, attacking the same Web sites over again and creating little motes of denial-of-service attacks during the first 19 days of the month. Had the address selection been truly random, more sites on the Internet would have been infected before July 19.
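To see why a fixed seed limits the worm's reach, here is a small simulation I added for this column; it is not code from the worm or from any analysis cited above. It models a toy address space of 10,000 abstract integers (constructed, not real addresses) and compares how many distinct targets get probed when every copy starts from the same constant seed versus when each copy is seeded differently.

```python
import random

# Constructed toy parameters: abstract integer "addresses", not real IPs.
ADDRESS_SPACE = 10_000   # size of the simulated address space
COPIES = 50              # number of simulated infected hosts
PROBES_PER_COPY = 200    # addresses each copy probes before we stop counting


def probe_targets(seed, count, space=ADDRESS_SPACE):
    """Addresses one copy would probe, given its PRNG seed.

    random.Random(seed) is deterministic: the same seed always yields the
    same sequence, which is exactly the flaw described in the column.
    """
    rng = random.Random(seed)
    return [rng.randrange(space) for _ in range(count)]


def coverage(seeds, probes=PROBES_PER_COPY, space=ADDRESS_SPACE):
    """Return (distinct targets hit, total probes sent, most hits on one target)."""
    hits = {}
    total = 0
    for seed in seeds:
        for target in probe_targets(seed, probes, space):
            hits[target] = hits.get(target, 0) + 1
            total += 1
    return len(hits), total, max(hits.values())


def fixed_seed_coverage(copies=COPIES):
    """Every copy uses the same constant seed, as the first Code Red did."""
    return coverage([12345] * copies)   # 12345 is an arbitrary constructed constant


def per_host_seed_coverage(copies=COPIES):
    """Each copy seeded differently (e.g. from its own clock or address)."""
    return coverage(range(copies))


if __name__ == "__main__":
    fixed = fixed_seed_coverage()
    varied = per_host_seed_coverage()
    print("fixed seed : %d distinct targets from %d probes, busiest target hit %d times" % fixed)
    print("per-host   : %d distinct targets from %d probes, busiest target hit %d times" % varied)
```

With a shared seed, fifty copies collectively reach no more targets than a single copy would, and each of those targets is hit fifty times over, which is the repeated, localized denial-of-service effect the column describes. Seeding each copy differently spreads the same number of probes over thousands of distinct addresses.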

What has everyone wondering now is whether newer, better variations of Code Red will infect more systems, or whether a variant might do more than deface English (U.S.) Web servers, or even launch a more successful denial-of-service attack against some target other than the White House. Unfortunately, we'll just have to wait and see.

If your Internet connection is slow over the next few weeks, you can blame the Chinese, blame Microsoft, or even Washington, D.C., but you probably should blame those IIS administrators who still haven't patched their software.

Have you been hit by Code Red? What do you think are its origins? Will we see more worms like it? TalkBack to me below.
