At present, more than 18,000 systems appear to be infected and, with asimple command, could be co-opted into an attack that could take down any Web site, said Dug Song, a hacker and security architect for networkprotection firm Arbor Networks. Song was speaking at the CanSecWest security conference here.
"We are mostly concerned with the potential for a major distributeddenial-of-service (DDoS) attack using the Code Red servers," Song said. A DDoSattack uses many computers to send a flood of data at a single target,overwhelming the victim's connection, effectively cutting the victim off from the Internet.
Song presented the results of Arbor Networks' seven months of monitoring a large portionof the Internet. Code Red version 2--a variant of the original Code Red worm that fixed a bug in the program's infection routines--has infected more than 18,000computers as of April, up from around 14,000 computers in December, Song said.
Code Red and its two variants use a security hole inMicrosoft's flagship Web server--the Internet Information Server--to spread to computers that don't have the vulnerability patched. As servers are infected with Code Red, the worm then scans the Internet using specially formatted data, searching for more vulnerable servers.
The original Code Red had spread slowly--until the modification--andthen flooded the Internet, reachingmore than 350,000 servers in less than 24 hours, according to data collected by the CooperativeAssociation of Internet Data Analysis.
Computer security response teams succeeded in stemming the tide, but weren't able to eradicate the worm, Song said. In total, Arbor has found more than 5 million unique Internet addresses that appear to have been infected with Code Red in the past six months and another 1.7 million thathave been infected with Nimda.
Today, Arbor's monitoring system still receives nearly 30 probes by infected Code Red servers every minute, Song said. Nimda, a worm that struck amonth after Code Red and borrowed several of its tricks, has also stuck around but appears to be slowly disappearing. The original Code Red, and the third variant known confusingly as Code Red II, have both seemingly died off.
Alfred Huger, vice president of engineering at vulnerability information firm SecurityFocus, said the company's own monitoring system also continues to detect both Nimda and Code Red.
Huger shares Song's concern that the infected machines can be used as amade-to-order attack network for malicious hackers.
"Having that many compromised machines...They are just begging to be used in an attack," Huger said.
Online vandals, even those without much technical knowledge, could listen to the "noise" on the Internet, collecting a list of infected machines attempting to send data to their computers. Then attackers would use that list and send a simplecommand to each Code Red-infected computer, and the security-compromised system would do their bidding.
Solving the problem is not easy, Song said.
"If we try to shut down the systems, when they are turned on, they will just start spreading the worm all over," Song said.