July 19, 2001 10:20 PM PDT
Web worm targets White House
As previously reported, servers infected by the so-called Code Red worm--estimated to be at least 225,000 computers--were scheduled to flood a specific Internet address representing the White House Web site with a deluge of data starting at 5 p.m. PDT.
However, administrators for Whitehouse.gov apparently moved the site to an alternate address. In addition, because of a flaw in the worm's design, the tactic fooled the program into sending a much-reduced amount of data.
White House spokesman Jimmy Orr said the White House took precautions, but would not confirm whether Internet addresses were switched.
"We have taken preventative measures aimed at minimizing the impact of any computer virus," he said Thursday night.
Marc Maiffret, chief hacking officer for eEye Digital Security, said Whitehouse.gov administrators "blackholed" the original address--meaning that any data sent to the address would disappear into the Internet. eEye originally found the flaw that the worm exploits.
Computer worms are programs that have the ability to spread across the Internet and execute instructions. In this case, the worm sought out vulnerable Web servers using Microsoft software. As for the instructions, the Code Red worm was written to flood the Whitehouse.gov site with a massive amount of data, overwhelming it to the point where it could not be accessed.
Before Thursday, anyone who tried to view Whitehouse.gov in a browser would be directed to a specific numeric address, 184.108.40.206. Because of Thursday's change, however, people who went to Whitehouse.gov were automatically redirected to a new address, 220.127.116.11. Computers infected with the worm--hard-wired to spam the original address with data--weren't redirected to the new location.
Maiffret, who warned earlier Thursday that the White House site was the target of the worm, also noted that the flood of data flowing across the Internet during the attack could degrade the overall performance of the Net.
However, the data flood never occurred because the worm checked for a valid connection before sending data--what could be considered a design flaw on the part of the author. Because the site's address was switched, the worm never established a connection and therefore did not begin sending data.
"You might have overload on the local networks where the worm was trying to get out, but the actual Web site looks okay," Maiffret said.
Others besides Maiffret warned of the potential for worm problems Thursday as well.
The Computer Emergency Response Team (CERT) Coordination Center issued an advisory predicting that the worm could cause performance problems on the Net.
"In addition to Web site defacement, infected systems may experience performance degradation as a result of the scanning activity of this worm," CERT stated in its advisory. "Non-compromised systems and networks that are being scanned by other hosts infected by the 'Code Red' worm may experience severe denial of service."
Belatedly, the National Infrastructure Protection Center--the FBI agency responsible for protecting critical components of the U.S. infrastructure, such as the Internet--released an advisory warning companies of the worm Thursday evening, after the incident at Whitehouse.gov.
After slowing down earlier in the week, the Code Red worm spread wildly Thursday, possibly because of someone modifying the code.
In addition to making the code spread faster, the person who changed the code may have made another important modification.
The original creator of Code Red apparently designed the worm to stop spreading at midnight Friday morning Coordinated Universal Time (UTC), or 5 p.m. PDT Thursday, and to attack the Whitehouse.gov site with a distributed denial-of-service attack.
Yet Thursday evening, early reports indicated that some infected machines continued to spread the worm.
Even Microsoft, which recently issued a patch to prevent the worm from infecting servers using its software, failed to protect all of its servers. On Thursday, the company acknowledged that a "small number of servers" were infected by Code Red.
"We have investigations going on to look at other reports," said Scott Culp, security program manager for Microsoft's security response center.
Culp stressed that although there may be a lull in probes from the worm, customers still need to patch the servers.
"Our recommendation now is the same as our recommendation a month ago," he said. "If you haven't patched your software, do so now."
Until July 20, the worm is programmed to spread to new servers, according to eEye's analysis. From July 20 to July 28, the worm will attack the now-outdated address for the White House Web site.
If system administrators don't patch their systems by Aug. 1, they could be reinfected with the worm, starting the whole process over again.