Code Red Worm Attacks Expected
Security experts prepare for the worst, but hope the worm will turn out like Y2K.
Internet security experts watched for Code Red's return Tuesday to see if the Internet worm would continue to infiltrate unprotected Web servers or perhaps fizzle like the overblown Y2K threat.
No one knows who created the Code Red worm or why it was set loose in cyberspace, but it appears that many potential targets have listened to the warnings and put proper defenses in place to repel the infection.
"It's easy to compare it to Y2K, which wasn't a big deal, which was good because a lot of corporations listened, looked at systems, fixed the problem, and life carried on," says Lisa Smith, product manager for McAfee Virus Scan. "I think the same thing is happening here. As corporations have listened to the threat and realized what the threat could be, they have applied the patch."
Microsoft offers a free software "patch" that can be downloaded from its technical Web site to fix the vulnerability in its Internet Information Service (IIS) software.
McAfee also offers a free online scan that server operators can use to check their machines for Code Red vulnerabilities.
Worm Threat Is Serious
Even with the availability of patches and scans, federal agencies preach caution.
The worm is "a continued and serious threat to Internet users" and "immediate action is required to combat this threat," according to a joint alert issued by the FBI's National Infrastructure Protection Center, the Computer Emergency Response Team, the Federal Computer Incident Response Center (FedCIRC), the Information Technology Association of America (ITAA), the SANS Institute, and Microsoft.
NIPC Director Ronald Dick issued a stern warning at a Washington news conference Monday, saying users "must act quickly to mitigate damage from the worm."
Kenneth Watson, chairman of the Partnership for Critical Infrastructure Security (PCIS), joined Dick in urging swift protective action.
"We have evidence that a new variant of the worm will be unleashed tomorrow and use 'zombie' servers to mount a denial of service attack against businesses and individuals," Watson says.
Despite news headlines and Microsoft's free cure, security experts estimate the worm has infected more than 250,000 servers since it was initially identified in mid-July. Mutations of the worm could be even more malicious than the original strain.
Many users, especially at the corporate level, have likely taken the necessary steps to prevent an attack and/or remove the worm from their servers, according to Ravi Venkatesam, vice president of operations at Atesto Technologies, a Web performance monitoring company.
"This leaves some server users, mostly minor domains, small companies, and some educational institutions, which may not have a full set of controls or procedures in place, which are still vulnerable," Venkatesam says.
New Mutant Danger
It is the danger of possible new strains of the worm, which might exploit other vulnerabilities, that scares Venkatesam.
"Even though people have dissected the virus to a certain extent, there might be portions that we don't know about," he says. "There might be a dormant strain that might react differently and could bring the entire server down. We just don't know."
Code Red scans the Internet for vulnerable systems to infect. It uses those systems, in turn, to search for additional host sites on which to attach itself and continue the process.
"Whether you are infected with Code Red or not, download the patch as soon as possible and apply it to any Microsoft IIS server on your network; rebooting the system will remove the worm," says Steve Demogines, director of technical support for Panda Software, a computer security company.
Clogging the Net
While the MS software patch protects IIS servers, the bigger problem is that a barrage of extra traffic spewing into cyberspace could stall the Internet itself.
The second-wave attack expected on Tuesday is keyed to the worm's time clock. If the infected system's default language is English, Code Red defaces Web sites with the following message: "Welcome to ! Hacked by Chinese!"
Between the first and the 20th days of each month, the worm targets random IP addresses and attaches itself to as many unprotected servers as possible. Between the 20th and 28th, infected systems mount a denial-of-service attack on the White House's Web site by sending large numbers of information requests to that IP address.
To protect the White House site, technicians gave it a different IP address. While that site is now safe from attack, the worm, which was dormant from the 28th to the end of the month, is still programmed to reawaken and resume the attack.
To report computer intrusions, contact the local FBI office, or the NIPC. The NIPC Watch and Warning Unit can also be reached at (202) 323-3204 /-3205 /-3206.
IDG News Service contributed to this report.