RealTime IT News

Code Red Worm Squirms Quietly

So far, there is little evidence that the media-hyped Code Red worm is ready to send the Internet into meltdown, though the Computer Emergency Response Team Coordination Center (CERT/CC) has reported increased activity from the worm.

The worm made its first appearance on July 19, infecting 250,000 machines running unpatched versions of Microsoft Corp.'s IIS 4.0 or 5.0 Web server software within nine hours. On July 20, the existing infections launched a denial of service attack against www.whitehouse.gov, though government officials had been apprised of the possibility and moved the site to a different IP address before the flood arrived. Because the worm targets a fixed address rather than the hostname, the traffic simply missed.

A number of security pundits, including Ronald Dick, head of the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC), have expressed the fear that the worm -- which upon infection spawns 100 threads that scan the Internet for other vulnerable Web servers -- will create massive latency across the Internet as it multiplies and sends out ever more connection attempts.
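Those 100 scanning threads give an infected host a pattern that is visible in flow or firewall logs without any payload inspection: many connection attempts to port 80 on many distinct, unrelated destinations in a short window. The following is an added example, not code from the article or from any vendor quoted in it, of a fan-out heuristic over a simplified, constructed log format (timestamp, source, destination, destination port). The window and threshold values are illustrative assumptions, not figures from the article.

```python
"""Flag hosts whose outbound port-80 fan-out looks like worm scanning.

Heuristic: a normal client or server talks to a handful of destinations
repeatedly; a scanning worm touches many distinct destinations once each.
We count distinct port-80 destinations per source inside a sliding time
window and report sources whose peak count crosses a threshold.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 60      # assumed sliding window, tune per environment
FANOUT_THRESHOLD = 20    # assumed distinct destinations per window


def build_sample_log():
    """Constructed sample log (not a real capture), one event per line:
    '<ISO timestamp> <src> <dst> <dport>'."""
    base = datetime(2001, 7, 31, 20, 0, 0)
    lines = ["# constructed sample: timestamp src dst dport"]
    # 10.0.0.9 behaves like an infected host: 40 distinct targets on :80 in 40 s.
    for i in range(40):
        target = ipaddress.IPv4Address(0x0B000001 + i * 0x00010001)
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.9 {target} 80")
    # 10.0.0.5 is a normal client: 30 requests spread over only 3 sites.
    sites = ["198.51.100.10", "198.51.100.20", "198.51.100.30"]
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.0.5 {sites[i % 3]} 80")
    # 10.0.0.7 is high-volume but not scanning: one :80 destination, plus SMTP
    # to many hosts, which must be ignored because only port 80 is of interest.
    for i in range(60):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 192.0.2.25 80")
        lines.append(f"{ts} 10.0.0.7 192.0.2.{i % 50 + 1} 25")
    return "\n".join(lines)


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(log_text, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: peak distinct port-80 destinations} for sources whose
    peak inside any `window`-second span reaches `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 80:                       # only web fan-out matters here
            events[src].append((ts, dst))

    suspects = {}
    for src, evs in events.items():
        evs.sort()                            # sliding window needs time order
        in_window = defaultdict(int)          # dst -> occurrences in window
        start = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that fell out of the window on the left.
            while (ts - evs[start][0]).total_seconds() > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for host, fanout in find_scanners(build_sample_log()).items():
        print(f"possible scanner: {host} reached {fanout} distinct :80 targets in {WINDOW_SECONDS}s")
```

The check keys on distinct destinations rather than raw connection count, which is why the chatty 10.0.0.7 host is not flagged. Forward proxies, search crawlers and monitoring systems legitimately fan out and need an allow-list, and the threshold should be set from a baseline of the network's own traffic rather than the assumed value above.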

The worm is cyclical: it spreads during the first 20 days of a month, after which all the infected machines launch a denial of service (DoS) attack against a specific Web site. Security experts said Monday that there was a good chance the worm would begin to spread again on Tuesday at 8 p.m. EDT, which is midnight UTC on August 1, the start of a new month by the worm's clock.

But Keynote, an e-commerce benchmarking and Web performance management services firm, said its research does not really support that scenario.

Keynote said Tuesday evening that preliminary investigation of high-performing sites -- including Google.com, FedEx.com, Yahoo.com, 3Com.com, Apple.com, HP.com and IBM.com -- showed no obvious performance effect of the worm during the time it was active in early July.

"We compared the average performance of these sites for five days early in the month during the time the worm proliferates to their averages later in the month during the time the worm rests, as well as to averages at the end of June," the firm said. "There were no significant performance trends."

As one security expert noted Tuesday, there is a greater risk of latency when a key piece of the Internet's backbone, like an OC-192 fiber optic cable, is cut by a guy with a backhoe. Indeed, such an event occurred just a day before word of the worm first surfaced on July 19, when a CSX train carrying hazardous materials, including hydrochloric acid, began to burn in Baltimore's Howard Street Tunnel. That fire melted an OC-192 cable and disrupted or slowed Internet traffic around the world.

However, Web testing and performance monitoring firm Atesto Technologies said it may be too early to tell if the worm will cause latency. Atesto said it may take up to seven days to know if the worm will have the dramatic effect some have predicted or if the worst is over.

While Atesto noted that many corporate users have taken steps to secure their servers, some smaller companies and educational institutions may not have put protections in place yet. And Ravi Venkatesam, Atesto's vice president of operations, raised the specter of new strains of the worm exploiting different vulnerabilities.

"Even though people have dissected the virus to a certain extent, there might be portions that we don't know about," Venkatesam said. "There might be a dormant strain that might react differently and could bring the entire server down. We just don't know."

The Code Red worm only infects machines running Windows NT 4.0 or Windows 2000 with IIS 4.0 or 5.0 installed. Microsoft issued a patch for IIS more than a month ago. The patch for Windows NT 4.0 is available here, and the patch for Windows 2000 Professional, Server and Advanced Server is available here. Because this version of the worm runs only in memory, rebooting an infected server removes it, but the machine will be reinfected as soon as another copy scans it unless the patch is applied first.