
Code Red crawls back into action

The pest makes a quiet comeback, with no signs yet of a predicted traffic surge that could affect the functioning of the Internet.

The Code Red worm made a quiet comeback Wednesday, with no signs yet of a predicted traffic surge that could affect the functioning of the Internet.

As of 1 p.m. PDT Wednesday, Code Red had infected servers responsible for at least 127,000 Web sites, according to the SANS Institute, a computer security think-tank. New infections were happening at the rate of more than 50,000 per hour, although the rate of growth had slowed markedly.

Network administrators and security experts originally braced for a slowdown shortly after 5 p.m. PDT Tuesday, when the worm was set to emerge from an inactive state and flood the Internet as it searched for new servers to infect.

Most Web sites were functioning normally late Tuesday and early Wednesday. But exactly how many servers the worm will send itself to--and therefore how fast it spreads--was still being debated by security experts.

The Computer Emergency Response Team (CERT), a Carnegie Mellon University organization that tracks security issues, said in a statement issued Wednesday morning that it has "begun receiving reports of increasing Code Red scanning activity."

The FBI's National Infrastructure Protection Center (NIPC) also projected the worm to be spreading at a rapid clip.

"Based on our preliminary analysis, we expect to see the activity of this particular worm to compare to the July 19th infection," said Deborah Weierman, a spokeswoman for the government's National Infrastructure Protection Center. "At the time, it resulted in over 250,000 infections on systems. Today, we believe that should be achieved by this afternoon."

The FBI was expected to make a statement late Wednesday about whether the worm has continued to spread or had any impact in slowing down the Internet. The agency said early Wednesday that its initial impact has been minimal.

"Early reports of activity spanning the entire globe, including the United States, indicate that the worm has gone active and is presently spreading throughout the Internet," the FBI said in a statement issued Wednesday morning. "We are hopeful that the many precautions taken by the public, the government and private industry will have some effect on its ability to propagate."

The Code Red worm--named after a hypercaffeinated, cherry-flavored Mountain Dew drink popular with computer programmers--infected servers around the world last month and launched a massive denial-of-service attack against the White House's Web site.

The worm only infects computers running the Windows NT and Windows 2000 operating systems and Microsoft's Internet Information Server (IIS) Web server software, meaning few home PCs are vulnerable to the attack. But the worm could disable some e-commerce sites or slow down the overall speed of the Internet by bombarding sites with data.

As originally reported by CNET News.com, the Code Red worm takes advantage of a hole in IIS. Code Red was thought to have infected as many as 359,000 systems within about six days during its original attack in July, making it one of the fastest-spreading worms ever.

While Microsoft quickly released a widely distributed patch for the IIS hole, it's unclear how many system administrators have downloaded and installed the fix. Microsoft has estimated that servers responsible for some 6 million Web pages have the vulnerability.

The worm remains active between the first of the month and the 28th, when it goes into hibernation. While the worm does not reactivate itself automatically, any computer vandal sending a copy of the worm once the active period begins--most recently at midnight GMT Aug. 1, or 5 p.m. PDT Tuesday--would start a new round of infections. On the 20th of the month, the worm is set to switch to attack mode and barrage an Internet address originally associated with the White House Web site with large packets of data.

While many security experts warned of potential Internet outages due to the revived worm, others maintained the worm is not spreading as quickly as once feared. Instead of an exponential or logarithmic spreading method, some say the worm is spreading at a slower, geometric rate.

Rob Rosenberger, editor of the Vmyths.com news service, said the alarm surrounding Code Red is largely undeserved, but he acknowledged that the Internet is not quite "out of the woods" in terms of the danger that Code Red could inflict on it. He says the next 12 to 24 hours will be key because it appears as though the worm is spreading geometrically, infecting two computers, then four, then eight.

"What's been lost in the mix here is that Code Red is a geometric rise," said Rosenberger, who has been one of the most outspoken critics of the FBI, Microsoft and conventional security companies in their response to the worm. "I still believe that I'm right and this never should have reached the level of hysteria it did. But I won't be right for 24 hours."

Worms have become the tool of choice among malicious vandals on the Internet, but the Code Red strain has proven especially fast and effective. Unlike other worms that hide in e-mail attachments, such as Love Letter and SirCam, Code Red does not require fooling an unwitting recipient into opening an e-mail document.

Several experts said Code Red was the most nefarious worm they've seen since the Cornell Internet Worm, which overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988. The worm, which exploited flaws in Unix systems, was written and released by Robert T. Morris, a Cornell University graduate student, and is also called the Morris worm.

A new version of Code Red could mean it will be more virulent its second time around, launching a data flood that could potentially overwhelm many servers over the next few days. The original worm looked for servers to infect by targeting a single Internet Protocol (IP) address, the unique string of numbers that identifies computers on the Internet. But a second version may have a so-called "random seed" that could hunt down Web sites even after they've changed IP addresses, making it harder to avoid attack.

Despite its more virulent nature, it's unclear exactly how many unpatched servers are still vulnerable to the worm.

Douglas Conorich, global solutions manager for IBM's managed security services in Dallas, said that about half of IBM's corporate customers were vulnerable to the original attack. But IBM quickly alerted its customers of the patch and no customers were infected, Conorich said. He also said they've installed a patch that will guard against several new vulnerabilities likely in a second outbreak.

"They skated through, luckily," Conorich said of his customers. "But the danger was there. This was a very unusual one in that it only took the hackers a month from the time the vulnerability was discovered until they did something. Usually it takes six to seven months before a hacker comes out with an attack against a vulnerability, and that gives people some time."

Although IBM's customers are reportedly safe, small businesses and those that don't have contracts with large computer consulting companies may have more to fear.

John B. Butler Jr., president of LiveVault, estimated that 3 million Windows servers in the United States--mainly at small businesses and remote branch offices--do not have professional IT support. It's likely that a large percentage of these "stranded" servers are vulnerable, Butler said.

Code Red also can damage smaller networks by calling attention to a vulnerability in Cisco Systems' 600 series DSL routers. The worm could cause the router to stop forwarding traffic.

Although many small businesses may be in danger of attack, home computer users have little to fear. The worm does not connect to individual PCs running Windows 95, 98 or Me. Only Windows NT and Windows 2000 Web servers running IIS can be infected with this worm.

Although it won't infect home computers, users may experience extreme delays or malfunctioning of their favorite Web sites because of traffic generated by the worm's attacks. Because of that and the danger it poses to Microsoft Web servers, Microsoft, federal security agencies and trade groups hosted a globally televised press conference Monday to urge businesses to install a software patch that prevents infection.

It's unlikely that the worm will do permanent damage. The worm doesn't destroy data, though future generations of it could be modified to do so. Only computers set to use the English language have had their Web pages defaced, typically with the message, "Hacked by Chinese." (The first Net address from which attacks emanated in the July episode was apparently determined to be from Foshan University in China, although a Chinese network safety official denied those allegations Tuesday.)

It's also unclear how long the worm will live. Guarding against the worm is a relatively straightforward matter of installing a Microsoft software patch that prevents any malicious program from taking advantage of the IIS hole.

Because Code Red is memory-resident--it lives in the server's volatile physical memory rather than on a hard drive or other permanent storage--rebooting wipes out the infection. The software patch prevents re-infection.

In theory, if every server were patched, the worm would die. Otherwise, it could continue its monthly cycle of hibernation and attack. The most recent statistics from Microsoft show that more than 1 million people have downloaded the patch.

The idea of installing a patch is simple, but many companies do not do so--sometimes because the patch ends up causing other problems to the corporate system. Conorich said it's not uncommon for servers to lose credit card or other personal data immediately after receiving a patch, causing e-commerce transactions to be erased. Microsoft last month released two faulty patches for a flaw in its Exchange e-mail server software.
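The spread-rate debate above (doubling from two to four to eight infected hosts) and the point that a fully patched population would starve the worm are two views of the same mechanism. As an added illustration that is not from the CNET article or from any of the organizations quoted, the following Python model simulates a worm that picks scan targets uniformly at random and shows how the infected count grows under different patch-coverage levels, and how a reboot clears a memory-resident infection without protecting an unpatched host from being hit again. Every number in it (address-space size, host counts, scans per step) is a constructed parameter, not a measurement of Code Red.

```python
import random


def simulate_random_scanning_worm(address_space, vulnerable, patched_fraction,
                                  scans_per_tick, ticks, reboot_rate=0.0, seed=1):
    """Toy discrete-time model of a worm that picks scan targets uniformly at random.

    All parameters are constructed for illustration; none are measurements of Code Red.
      address_space    -- number of addresses the worm can pick a target from
      vulnerable       -- hosts (addresses 0..vulnerable-1) running the vulnerable service
      patched_fraction -- share of those hosts that applied the vendor patch
      scans_per_tick   -- targets each infected host probes per time step
      ticks            -- number of time steps to simulate
      reboot_rate      -- per-tick chance an infected host reboots; the infection is
                          memory-resident, so a reboot clears it, but an unpatched host
                          remains vulnerable and can be re-infected on a later scan
    Returns the infected-host count at each tick, starting with the single seed infection.
    """
    rng = random.Random(seed)
    n_patched = int(round(vulnerable * patched_fraction))
    patched = set(rng.sample(range(vulnerable), n_patched))
    unpatched = [addr for addr in range(vulnerable) if addr not in patched]
    # One copy "sent" into the population starts the round; nothing starts if all are patched.
    infected = {unpatched[0]} if unpatched else set()
    history = [len(infected)]
    for _tick in range(ticks):
        newly_hit = set()
        for _host in sorted(infected):          # sorted so the run is reproducible
            for _scan in range(scans_per_tick):
                target = rng.randrange(address_space)
                # A scan only matters if it lands on a vulnerable, unpatched, not-yet-infected host.
                if target < vulnerable and target not in patched and target not in infected:
                    newly_hit.add(target)
        # Rebooted hosts drop out of the infected set (memory-resident code is gone).
        survivors = {h for h in infected if rng.random() >= reboot_rate}
        infected = survivors | newly_hit
        history.append(len(infected))
    return history


def first_tick_reaching(history, count):
    """Index of the first tick at which at least `count` hosts are infected, or None."""
    for tick, infected in enumerate(history):
        if infected >= count:
            return tick
    return None


if __name__ == "__main__":
    # Constructed scenario: 10,000 addresses, 2,000 of them running the vulnerable service.
    for patched in (0.0, 0.5, 0.9):
        h = simulate_random_scanning_worm(10_000, 2_000, patched, 5, 40)
        print(f"patched {patched:.0%}: infected after 40 ticks = {h[-1]}, "
              f"first tick with >=100 infected = {first_tick_reaching(h, 100)}")
```

With no patching the curve is the familiar S-shape: roughly doubling early, then flattening as the worm's random scans increasingly land on hosts it has already taken. Raising the patched fraction shrinks both the growth rate and the ceiling, and at 100 percent coverage no seed infection can even be placed, which is the "if every server were patched, the worm would die" case in code. Setting `reboot_rate` above zero shows why rebooting alone is not a fix: infections drop each tick but are replaced as long as unpatched hosts remain.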