July 19, 2001 1:30 PM PDT
Code Red worm set to flood Internet
The worm, which is thought to have compromised more than 15,000 English-language servers running Microsoft's Web server software, will cause every infected computer to flood the Whitehouse.gov address with data starting at 5 p.m. PDT, according to an analysis by network-protection company eEye Digital Security.
While the direct target of the worm's denial-of-service attack is Whitehouse.gov, the indirect effect is that an avalanche of data will hit the Net. Each infection--a server can be infected at least three times--will send 400MB of data every four hours or so, possibly leading to a massive packet storm.
"That's what I mean when I say, 'Boom!'" said Marc Maiffret, chief hacking officer of eEye. "If this goes along what it's looking like, parts of the Net will go down." He noted, though, that the code could have an error that causes the worm "to screw up and not work right."
Already, there are reports that the worm's propagation is causing performance problems for some companies connected to the Internet. According to data from Internet performance company Matrix.net, the root domain servers--the central databases connecting numerical Net addresses to Web names--are showing 20 percent packet loss. That indicates a substantial increase in data flowing across the Net.
Even if the flood of data continues to increase as expected, it may go unnoticed by most Web users, said Fred Cohen, a security expert in residence at the University of New Haven and the author of the first paper on computer worms in 1984.
"If it is handled properly, it sounds like it's easily defeated," he said. "All those people (whose servers have been infected) can be notified. The Internet won't collapse; society won't end.
"Back 15 years ago, that (was) more bandwidth than the whole Internet had, but today the Internet can handle it."
Government officials on Thursday afternoon were reviewing the eEye analysis, according to sources. Calls to the White House were not immediately returned.
In June, eEye found the security vulnerability in Microsoft's Internet Information Server that is being used by the worm. Known as the index-server flaw, the security hole was detailed and patched by Microsoft more than a month ago.
Although system administrators have had more than a month to plug the hole, a large number have not.
The security hole, combined with the low priority normally given to patching systems, may cause history to repeat itself.
In November 1988, the Cornell Internet Worm overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet. The worm, which exploited flaws in Unix systems, was written and released by Robert T. Morris, a Cornell University graduate student. The effects on the early Internet are still debated, but some estimate that traffic slowed by 15 percent to 20 percent on average.
That may happen again.
The Code Red worm spreads by selecting 100 IP addresses, scanning the computers associated with them for the hole and spreading to the vulnerable machines. The worm then defaces any Web site hosted by the server with the text: "Welcome to http://www.worm.com! Hacked by Chinese!"
Code Red seems to deface only English-language servers, going into hibernation on non-English versions of Microsoft's IIS software. However, many companies in other countries use the English version of Microsoft's software, said eEye's Maiffret.
"The majority of foreign companies run the English system, because updates come out first in the English," he said.
According to the eEye analysis, when Coordinated Universal Time hits midnight on Friday morning--5 p.m. Thursday PDT--every worm infection will start sending nearly 400MB of data every four hours.
An apparent side effect of the worm is that it crashes several varieties of DSL routers and higher-end network routers that direct data around the Internet, according to posts on the Bugtraq mailing list maintained by SecurityFocus. While apparently not an intended consequence of the worm, these crashes could exacerbate the bandwidth problems once the data flood starts.