July 30, 2001 12:20 PM PDT
Officials sound Code Red alarm
Representatives from Microsoft, federal security agencies and various trade groups held a globally televised press conference to urge businesses to install a Microsoft software patch that prevents Code Red from infecting servers running Microsoft's server software.
"There is reason for concern that the mass traffic associated with this worm's propagation could degrade the functioning of the Internet," Ronald Dick, director of the National Infrastructure Protection Center, said during the conference.
"Because of the possibility (that) the functioning of the Internet could be degraded by the Code Red worm, government and industry have come together in an unprecedented manner."
As originally reported by CNET News.com, the worm takes advantage of a hole in Microsoft's Internet Information Server. Code Red was thought to have infected more than 350,000 systems at the height of its spread.
A new version of the worm that fixes a flaw in the way it searches for and records addresses of vulnerable servers could mean the worm will be more virulent when it is re-activated, launching a data flood that could potentially overwhelm many servers.
Further refinements in the worm are likely, said Christopher W. Klaus, founder of Internet Security Systems.
Meta Group says the Code Red and SirCam worms underline the need for vigilant corporate security policies and practices.
The worm remains active between the first of the month and the 28th, when it goes into hibernation. While the worm does not reactivate itself automatically, any computer vandal sending a copy of the worm once the active period begins-in this case at 12:01 a.m. GMT Aug. 1, or 5 p.m. PDT Tuesday--would start a new round of infections. On the 19th of the month, the worm is set to switch to attack mode and barrage the whitehouse.gov Internet domain with large packets of data.
The administrators of whitehouse.gov were able to sidestep the July 19 attack by changing the IP address of the Web site. The worm was written to barrage the original numerical address of whitehouse.gov--22.214.171.124--with enough traffic that it was effectively shut down. However, the Web site's numerical address was changed to 126.96.36.199, which rendered the worm ineffective.
Warning: Code Red ahead?
Ronald Dick, director, National Infrastructure Protection Center (NIPC)
"We are taking this worm very seriously due to its ability to proliferate at a dramatic rate," Dick said Monday, citing studies that estimate Code Red could infect 500,000 IP addresses in a single day. "We believe the proliferation of the Code Red worm could disrupt the functioning of the Internet."
Marc Maiffret, chief hacking officer at eEye Digital Security and the discoverer of the IIS hole, said Code Red is still active because a handful of infected servers with incorrect dates are still roaming the Internet. For now, servers they try to infect won't respond, but once the new month has begun, history is likely to repeat itself.
"The last we heard, there were about 2,000 systems still infected with the worm and still trying to replicate themselves because their clocks were set wrong," he explained. "Really, all it takes is one computer with its clock off to hit one vulnerable system, and then it just goes like wildfire.
"I think there's definitely potential for several thousand servers to be hit."
Guarding against the worm is a relatively straightforward matter of installing a Microsoft software patch that prevents any malicious program from taking advantage of the IIS hole. Since Code Red is memory-resident--it lives in the server's volatile physical memory rather than a hard drive or other permanent storage--rebooting wipes out the infection. The software patch prevents re-infection.
"In many cases with a worm or true virus, you've got to deal with all the mess the virus or mass-mailing worm has done," said Vincent Gullotto, senior director of antivirus software maker McAfee's AVERT Labs. "This one is pretty easy to flush out of your system."
While the most recent statistics from Microsoft show more than 400,000 copies of the patch have been downloaded, there's no way to tell how many have been installed. Initial Microsoft estimates were that servers responsible for more than 6 million Web sites were vulnerable to the IIS hole.
Gullotto said that while server professionals are no doubt aware of the problem, even installing a single patch isn't a simple matter for computer professionals responsible for maintaining whole rooms full of servers.
"If you're a guy who runs an IIS Web server, you have to have heard about this unless you've been on vacation the past month or living in a cave," he said. "But what happens in many cases is that when customers update, they have go through a testing process that can take some time. If you've got a server farm, you want to see what the effects are before putting this into your system. Even though it's just a patch, there's a lot of work to do."
Maiffret added that some system administrators are reluctant to install patches right away because of bad experiences in the past. Microsoft last month released two faulty patches for a flaw in its Exchange e-mail server software.
"A lot of times people are more afraid of the security patch than the vulnerability itself," he said. "They're afraid if they install the patch, things will just be worse than they were before. Microsoft's track record hasn't been real encouraging to some people."
Klaus applauded the uncharacteristically strong government response to what has often been viewed as a problem for private industry.
"Historically, you've never seen anything come together like this," he said. "Not only is the government getting out there and informing and educating people, but they're also starting to lead by example. Historically, their security has not been too strong on government systems."
Gullotto applauded the strong government and business response to the Code Red threat. He said warning should also emphasize that the worm is only a threat to IIS-equipped servers, not the average PC user.
"Any type of alert can cause a lot of panic, especially in the end-user community, so you want to be clear about the message you're sending," he said.