Home & Office

FBI criticised for ignoring early Code Red warnings

The FBI was aware of a "test" Code Red worm in April, but chose to ignore the reports
Written by Wendy McAuliffe, Contributor

The security firm that discovered the destructive Code Red worm has launched an attack on the FBI for its reluctance to publicise the Microsoft vulnerability exploited by the worm.

The self-propagating worm infected an estimated 975,000 servers in July and August 2001, but the security company eEye Digital, who posted the first Code Red alert on 12 July, claims that the FBI should have been more proactive in warning people about a "test" version of the worm to which it was alerted in April.

"Had the FBI been more vigilant in its warnings, Code Red would have had less of an impact than it did," said Mark Jones, UK manager of eEye Digital.

The FBI's National Infrastructure Protection Centre (NIPC) had received earlier reports of a Code Red-like worm that affected a buffer overflow vulnerability in the .htr files of Microsoft IIS 4. It is now thought that this was a test version, as the more virulent Code Red was adapted to target a similar hole in the more widely used IIS 5 servers. The earlier worm also propagated in a manner similar to Code Red, by infecting a random list of IP addresses, and then resetting itself to attack the same machines again.

"The mechanism that the initial worm used to spread was exactly the same mechanism that was used by Code Red," said Jones. "If we had have had access to the methodology used in the previous worm, we would have been able to decode Code Red sooner," he added. According to eEye, six days were lost investigating Code Red as a result of the delay.

A US Department of Energy security research lab, known as Sandia National Laboratories, spotted the initial worm on its systems in February, March and May 2001. It handed over complete logs of the worm's activity as well as a copy of the malicious code to the NIPC in April, but the FBI ignored the warnings. It decided against publicising the .htr worm on the basis that the Computer Emergency Response Team at Carnegie Mellon University had posted a report of the .htr vulnerability when it was first detected in June 1999.

"It is key that the NIPC didn't publicise how the worm's methods were proliferating across machines," said Jones.

It is suspected that the two worms were written by the same person, but eEye is refusing to confirm this without a full investigation into the matter.

See the Viruses and Hacking News Section for the latest headlines.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards