'Code Red' Worm Targets WhiteHouse.gov
A new Internet worm called "Code Red," which has the potential to infect millions of Net servers with a security flaw, started a denial of service attack late Thursday aimed at disabling the official White House Web site.
The White House would say only that they had taken "preventative measures" to duck an attack. The White House site was offline Thursday night, but back up on Friday morning. The FBI's National Infrastructure Protection Center confirmed reports on Thursday night that Internet backbone providers were seeing large-scale scanning by victimized Web servers for vulnerabilities in Microsoft's Internet Information Server, which hosts a number of Web sites.
"Upon successful infection, the worm will proceed to use the time thread and connect to the www.whitehouse.gov domain," the NIPC says in a statement. "This attack consists of the infected systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov."
Once the security problem was identified, Microsoft began sending out alerts, contacting customers individually, and working with the press to spread the word about how to fix it, says Scott Culp, security program manager at the Microsoft security response center.
"We make it as easy as we can for folks to get the information," Culp says.
Despite that effort, it will be hard to contact operators of the estimated 6 million IIS servers in use worldwide.
The creator of the worm is unknown. It was discovered and named by
"The activity of Ida Code Red worm has the potential to degrade services running on the Internet," says the NIPC statement. "Any Web server running the Microsoft IIS versions 4.0 or 5.0 that is not patched is susceptible to a 'Buffer Overflow.' The NIPC is strongly urging consumers running these versions of IIS 4.0/5.0 to check their systems and install the patch."
Without the patch, the worm can run embedded code on the affected systems, using them as weapons in distributed denial of service attacks on unprotected Web sites. Unlike other viruses, which are passed via e-mail,
"At some point in time, somebody set this worm free. Then it just does the work on its own," says Vincent Gullotto, a senior director at
The worm operates on a kind of timer that was set to trigger at 8 p.m. EDT on Thursday, and then run for one week. That seven-day run might not be the end of the problem, however.
"It might start up again next month," Gullotto says. "And the thing about this exploit, somebody could write a variant, push it around, and it could attack another site very easily."
In order to secure systems and help stop these kinds of worms from spreading, systems administrators need to do three things, says Russ Cooper, editor of the security e-mail list
First, they need to subscribe to Microsoft's security bulletin service, "so that they're at least aware that patches exist. They've got to start learning about these vulnerabilities to keep themselves secure," Cooper says. Second, he recommends they subscribe to NTBugtraq for further alerts, and last, they need to apply patches for their systems when they become available.