
Code Red wakes up with a whimper



The Code Red worm emerged from its slumber Tuesday night to begin a second wave of attacks on the Internet. Security experts said it could be days before the extent of any damage is known, but there were early signs that efforts to avert a much-talked-about meltdown of the Internet had been successful.

"We haven't seen much overall impact," said Keith Peer, president and CEO of Medina, Ohio-based computer security firm Central Command. "There have been a few thousand infections (of servers) that we're aware of ... but nowhere near the catastrophic levels that had been predicted."

Matrix.Net, an Austin, Texas-based company that offers products for measuring Web performance, also was optimistic.

"Right now, our graphs are not showing any change in latency, packet loss or reachability across the Internet as a whole," said Joi Chevalier, a Matrix.Net marketing manager, about two hours after the worm relaunched itself. "It looks pretty quiet out there."

In fact, popular Web sites in the U.S., Europe and Asia could be accessed as normal late Tuesday night, suggesting the worst fears had yet to materialize.

Code Red exploits a security hole in Versions 4.0 and 5.0 of Microsoft's Internet Information Server, which is included with Windows 2000 and Windows NT 4.0 and is widely used to run Web sites. It made headlines last month when it infected more than 250,000 servers in 9 hours on July 19, defacing many of them with graffiti and launching a denial-of-service attack that slowed the Internet and disabled the White House Web site.

The program has a built-in timer that caused it to relaunch itself when the clocks ticked past midnight Greenwich Mean Time Wednesday (8 p.m. Tuesday in New York). The Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC), along with Microsoft and several other security groups, urged businesses worldwide Monday to install a free patch from Microsoft that fixes the hole. Failure to do so could allow the worm to propagate and clog the Internet to a crawl, they warned.

Users don't have a glowing reputation for installing patches quickly, but Monday's unusual press conference may have spurred them to action and helped avert a crisis. A Microsoft spokeswoman said Tuesday that more than 1 million copies of the patch had been downloaded since the security hole was discovered in June. About 200,000 of those downloads occurred over a 24-hour period starting Sunday afternoon, said David Radoff, a spokesman for Digital Island, which hosts the Web site for Microsoft where the patch is available.

That rate had increased as much as fivefold Tuesday, he said, suggesting that as many as 1 million additional copies of the patch may have been downloaded by the end of the day. An estimated 6 million servers worldwide run Microsoft's Internet Information Server. Microsoft said the number of downloads doesn't necessarily correspond to the number of servers that have been fixed, since some administrators may have downloaded the patch once and applied it to several servers.

On the other hand, some home users may have downloaded the patch in error, thinking they needed it for their home PCs.

"We got calls from home users running Windows 98 who were trying to download the patch and said it's not working," said Marc Maiffret, chief hacking officer at eEye Digital Security, who is credited with identifying the worm. Code Red doesn't attack computers running Windows 95, 98 or ME, and home users are unlikely to be affected unless performance of the Web slows.

Maiffret noted that a variant of the worm identified last week does not deface Web sites, making it harder for companies to know when they have been affected. It also scans the Web more efficiently for unprotected servers, making it potentially far more virulent.

That's partly what prompted government officials to issue their dire warnings Monday that the worm poses "a serious and continued threat to Internet users." They feared that when the worm re-awoke it would spread rapidly, scanning the Internet for unprotected servers and in the process flooding the Web with unwanted packets of data, causing it to slow.

If that were to happen it is likely it would have become apparent "a couple of hours" after the worm re-awoke, Maiffret said. That didn't appear to be the case late Tuesday evening.

Perhaps more damaging, the worm is also programmed to launch another denial-of-service attack Aug. 20. Such attacks flood a Web site with fake requests for data, causing the site to grind to a halt or crash. The target earlier this month was the White House Web site at http://www.whitehouse.gov, but a version of the worm may have been adapted to launch attacks at other popular Web sites that may not be prepared to defend themselves, said Russ Cooper, surgeon general of TruSecure and editor of the security e-mail list NTBugtraq.

Cooper said it would probably be well into Wednesday before the extent of any damage can be assessed properly. "It'll take that long to do its work," he said. "Remember, it's starting from scratch again."

If the worm does manage to identify hundreds of thousands of unprotected servers, as it did July 19, it could have a noticeable impact on the performance of the Internet, said Peter Salus, Matrix.Net's chief knowledge officer. The slowdown would be most apparent to people who use applications that are heavy on graphics and other data, such as online games or bulk file transfers, he said.

However, Salus said he thinks it unlikely the disruption will be widespread, in part because administrators appear to have patched their servers just in time. "I feel that by and large this will not be noticeable to most people except for a few things that may be specifically targeted, like whitehouse.gov was targeted last time."

Network Associates said it had completed a scan of more than 20,000 systems on the Internet earlier Tuesday, and discovered that 1,230 of them remained unprotected against Code Red.

Ravi Venkatesam, vice president of operations at Atesto Technologies, another Web performance monitoring company in Fremont, Calif., agreed.

"How much effect it will have depends on how many servers are still not patched," he said. "I feel most large corporations would have already taken care of this."

There were no indications Tuesday that the FBI or law enforcement groups overseas with which it is working in concert had come any closer to finding the author of Code Red.

"My guess is, like so many of the disruptive things on the Internet over the last three or four years, this is almost a teenage prank kind of thing," said Salus of Matrix.Net. "There are a lot of bright kids out there; unfortunately, some of them are bored."

Microsoft's patch is available at http://www.digitalisland.net/codered/

The NIPC's advisory about Code Red is on the Web at http://www.nipc.gov/warnings/alerts/2001/01-016.htm/

The IDG News Service is a Network World affiliate.

 