'Code Red' worm spreads, Pentagon reacts
Rate of outbreak believed to be subsiding
By Richard Stenger
(CNN) -- A resilient computer worm infected nearly 150,000 computers worldwide and forced the Pentagon to take down a number of its Web sites on Wednesday, convincing some Internet authorities to predict the bug would unleash an epidemic comparable to the original one in July.
Two weeks ago, the "Code Red" worm swept through more than 250,000 network computers within nine hours, prompting the White House to change its numerical "IP" address and the Pentagon to take its Web sites offline temporarily.
The U.S. Department of Defense again took evasive action on Wednesday.
"The DOD has taken measures to mitigate effects of the worm, which includes installing patches and other measures that we don't want to discuss for operational reasons," said U.S. Army Major Barry Venable, a spokesman for the U.S. Space Command, which oversees military Web traffic.
An unnamed military official, however, said that the steps included removing some Pentagon Web sites from public access.
Designed to reawaken on August 1, the rogue code spread exponentially across the entire world within hours. But the rate of new infections appeared to be subsiding as time progressed, according to Internet security analysts.
The worm had infected more than 150,000 machines since 8 p.m. EDT, Tuesday, estimated the System Administration, Networking and Security (SANS) Institute, a computer security think tank monitoring Code Red. As of 5 p.m. Wednesday, CERT Coordination Center experts said the number of infected computers was in the "tens of thousands."
"Based on preliminary analysis, we expect a level of worm activity comparable to the July 19 Code Red infection," read a joint statement from the SANS Institute, the FBI and other federal agencies watching the worm. It could achieve that level of activity by the end of Wednesday, the group said.
Ronald Dick, head of the National Infrastructure Protection Center, has warned that powerful mutations of the worm could slow Internet traffic, disrupt electronic commerce and possibly spur electronic espionage.
But has the new infection wave slowed the Net? Matrix.Net, which monitors Web traffic worldwide, said the Internet weathered a slight and brief drop in performance early Wednesday.
"At this point, it's hard to attribute to Code Red. But this is the early stage. I think it will take another few hours or days to see what the full effect was," said Joi Chevalier, a spokesperson for the Austin, Texas-based organization.
Get the patch
The worm might need as long as a week to muster enough momentum to really rattle the Internet, anti-virus experts said. But that may never happen.
Internet security experts said international efforts to prevent another epidemic may be helping stem the tide. More than 1 million protective patches had been downloaded, most within the past several days, according to software giant Microsoft.
Computer authorities urged network administrators with vulnerable machines to continue downloading the software fix.
The worm, which takes advantage of a defect in Microsoft's Internet Information Services software (IIS), affects only computers with that IIS Web server software and Windows NT or 2000 operating systems. Windows 95, Windows 98 and Windows Me are not vulnerable.
Some business and government Web sites and servers are at risk of infection, but most personal computers are not. Should the worm proliferate exponentially as it scans for new victims and attacks unprotected servers, however, computer users could experience slowdowns when they surf the Net or use e-mail.
$1.2 billion in damages?
Named for a high-caffeine soft drink popular with computer programmers, Code Red is designed to spread for the first 19 days of each month. Then for about a week, infected computers inundate the White House Web site with data in an attempt to knock it off-line. Code Red then remains inactive until the following month.
The presidential site avoided the attack because webmasters changed its numerical Internet address.
Some infected Web sites were defaced with the phrase, "Welcome to http://www.worm.com! Hacked By Chinese!" But eEye Digital Security, which discovered the Microsoft flaw the worm later exploited, said the malicious code spread too quickly for online investigators to determine its origin.
Code Red has already cost about $1.2 billion in damages and lost work time, according to Computer Economics in California.
The expense was incurred "in time spent cleaning infected systems, downloading patches, and preparing for another round of attacks," said Computer Economics' Michael Erbschloe. "And lost productivity on the part of organizations that had to recover their server functionality." In contrast, the 2000 "Love Bug" virus rang up almost $9 billion in damages.
Despite a ferocious reputation, Code Red might have done less damage on the Web than it was given credit for when it first reared its ugly head.
"The slowdown on July 19 was very clearly due to the train wreck and resulting fire in the Baltimore tunnel," said Mary Lindsay of Keynote Systems, which measures the performance of the Internet.
The explosive accident in Maryland on July 18 most likely damaged fiber-optic cables that carried high-speed Internet connections through the tunnel, she said.
Unlike conventional computer viruses, which need the assistance of humans to spread, worms can self-replicate across the Internet.