
'Code Red II' slows parts of the Net

By Richard Stenger

(CNN) -- A new computer worm that leaves computers open to hijacking has caused sporadic outages and slowdowns on the Internet, anti-virus experts said Tuesday.

The bug, known as "Code Red II," could easily permit hackers to take control of hundreds of thousands of infected machines, according to Net security analysts.

The malicious code, which first scans computers on the nearby networks in search of new victims, has caused major headaches for some businesses with many connected machines.


"The network disruption is significant enough to warrant heightened awareness," cautioned the SANS Institute on Tuesday. The institute is a computer security think tank working with the FBI and other authorities to monitor assaults on the Internet.

Since its debut Saturday, Code Red II has managed to infiltrate internal networks of Internet service providers and other major companies. The proliferating worm can flood nearby machines with enough traffic to force Web sites offline, Net authorities said.

Collateral damage not taken lightly

"It's something we call collateral damage, but I don't mean that lightly," said Alan Paller, director of research for the SANS Institute. "This thing creates traffic inside a subnet, creates traffic in addition to what comes in from the outside."

"An awful lot of traffic is being sent, clogging the bandwidth. The worm has this magnifying effect" during attacks on internal networks, said Russ Cooper, owner and moderator of NTBugtraq, an electronic mailing list that discusses Windows security bugs.

In Virginia, one regional ISP affiliated with Cox Interactive Media suffered service outages on Monday and Tuesday. Callers trying a customer service phone number were greeted with a taped recording saying service would be restored Wednesday.

Code Red II is a possible culprit for that and other sporadic outages, computer security experts said. Cox Interactive representatives did not return numerous phone calls.

Hijacking epidemic in the making?

The rogue application, which disappears from computer memory after one or two days, secretly installs a backdoor on infected Web servers, making them vulnerable to hijacking.

"I think there are enough hackers in the world that will look for machines they can own. It's not difficult to find them. It is very easy to control a large number of machines," Cooper said.

The infection gives high-tech outlaws the ability to take control of tainted machines, steal any data they contain -- be it credit card numbers or sensitive passwords -- and even launch additional attacks on the Net, computer security experts said.

"This is going to cause the meltdown of the Internet, the vulnerability that this worm is exploiting," said Cooper.

Code Red II has infected an estimated 150,000 to 400,000 machines, according to anti-virus companies. The assault is reminiscent of the original Code Red, which launched attacks on the Internet in mid-July and the first week of August.

The two worms are composed of different code, but both take advantage of the same security flaw in Microsoft operating systems and software. The original Code Red worm affects computers running Internet Information Services (IIS) software and Windows NT 4.0 or Windows 2000 operating systems.

Home machines not at risk

Code Red II seems to infect only machines running IIS and Windows 2000. Servers using Windows NT crash when Code Red II attempts to infect, SANS said. Virtually no home computers are at risk of infection, as machines with Windows 95, 98 or Me are not vulnerable to either worm.

Last week, users downloaded more than 1 million patches from Microsoft to ward off Code Red. The patch protects against Code Red II as well.

Those measures should help protect against the new bug, too. But computers infected with the latter worm should be reformatted entirely, security experts advised. The reason is that a hacker might have stealthily entered an infected machine and done more hidden damage.

When the Code Red worm made its debut last month, it swept through more than 250,000 computers in nine hours, forced the White House to change its numerical IP Web address and prompted the Pentagon to briefly take its public Web sites off-line.

The origin of Code Red II remains a mystery, but it is designed to stop spreading on October 1.
