Code Red Worm Squirms Quietly

So far, there is little evidence that the media-hyped Code Red Worm is ready
to send the Internet into meltdown, though the Computer Emergency Response
Team Coordination Center (CERT/CC), has reported increased activity from the
worm.

The worm made its first appearance on July 19, in nine hours infecting 250,000 machines
running unpatched versions of Microsoft Corp.’s IIS 4.0 or 5.0 Web server
software. On July 20, the extant worms proceeded to launch an attack on the
www.whitehouse.gov URL, though government officials had been apprised of the
possibility and moved the site before the worm could deface it.

A number of security pundits, including Ronald Dick, head of the Federal
Bureau of Investigation’s National Infrastructure Protection Center (NIPC),
have expressed the fear that the worm — which upon infection creates 100
threads that scan the Internet for other vulnerable Web servers — will
create massive latency across the Internet as it multiplies and sends out
increasing numbers of requests for information.

The worm has a cyclical nature, in that it spreads for the first 20 days of
a month and then all the worms that have been created launch a denial of
service (DoS) attack at a specific Web site. Security experts said Monday
that there was a goodchance the worm would begin to spread again on Tuesday at 8 p.m. EDT.


But Keynote, an e-commerce benchmarking and Web performance management
services firm, said its research does not really support that scenario.

Keynote said Tuesday evening that preliminary investigation of
high-performing sites — including Google.com, FedEx.com, Yahoo.com,
3Com.com, Apple.com, HP.com and IBM.com — showed no obvious performance
effect of the worm during the time it was active in early July.

“We compared the average performance of these sites for five days early in
the month during the time the worm proliferates to their averages later in
the month during the time the worm rests, as well as to averages at the end
of June,” the firm said. “There were no significant performance trends.”

As one security expert noted Tuesday, there is a greater risk of latency
when a key piece of the Internet’s backbone, like an OC-192 fiber optic
cable, is cut by a guy with a backhoe. Indeed such an event occurred just a
day before word of the worm first surfaced on July 19, when a CSX train
carrying hazardous materials, including hydrochloric acid, began to burn in
Baltimore’s Howard Tunnel. That fire melted an OC-192 cable and disrupted or
slowed the Internet around the world.

However, Web testing and performance monitoring firm Atesto Technologies said it may be too early to tell if the worm will cause latency. Atesto said it may take up to seven days to know if the worm will have the dramatic effect some have predicted or if the worst is over.

While Atesto noted that many users at the corporate level have taken steps to secure their servers, some smaller companies and educational institutions may not have put protections in place yet. And Ravi Venkatesam, Atesto’s vice president of operations, raised the specter of new strains of the worm exploiting different vulnerabilities.

“Even though people have dissected the virus to a certain extent, there might be portions that we don’t know about,” Venkatesam said. “There might be a dormant strain that might react differently and could bring the entire server down. We just don’t know.”

The Code Red worm only infects machines running Windows NT 4.0 or Windows
2000 in addition to IIS 4.0 or 5.0. Microsoft issued a patch for IIS more
than a month ago. The patch for Windows NT 4.0 is available here, and the patch for Windows 2000 Professional, Server and
Advanced Server is available here.

News Around the Web