Skip to main content /TECH with /TECH

Net braces for stronger 'Code Red' attack

(CNN) -- A computer worm that proliferates on Microsoft operating systems and causes widespread Internet slowdowns could unleash a second and more virulent epidemic on Tuesday, government and corporate anti-virus experts warned.

The "Code Red" bug infiltrated hundreds of thousands of computers within hours of its first identified outbreak on July 19. The attack forced the White House to take evasive action and the Pentagon to halt briefly public access to its Web sites.

The worm is designed to spread the first 20 days of each month. On the 20th, it begins targeting the White House Web site in an attempt to knock it off the Internet. Computers harboring the virus are expected to start a new cycle of mass infections of other machines Tuesday at 8 p.m. EDT.

CNN's Tim O'Brien explains how the fast spreading computer worm 'Code Red' works (July 30)

Play video
(QuickTime, Real or Windows Media)
In Focus: 'Code Red': Will the patch work?  
On the Scene: Sieberg: 'Code Red' could create 'traffic jam' on the 'Net  
Message Board: 'Code Red' virus  
 Need Protection? Use the Patch
Those with a computer that requires inoculation should reboot the machine and install the appropriate Microsoft software patch.

For Windows NT 4.0:
Download here

For Windows 2000 Professional, Server and Advanced Server:
Download here

Detailed instructions to use the patches are posted at:
Download here

Ron Dick -- the director of the National Infrastructure Protection Center, a multi-agency task force that works under the auspices of the FBI and Justice Department -- said the government and industry representatives are doing everything they can to alert computer users.

"We are taking this worm most seriously due to its ability to proliferate at a dramatic rate," he said. "If users act quickly, we could mitigate much of the potential damage from this worm, but it is up to those running the software to act now."

Dick also said an attacker can gain control over Web servers and "alter or steal critical corporate or private data."

The worm was first reported in mid-July. On July 19 alone, the worm infected more than 250,000 systems in nine hours, officials said.

"Based on analysis of the worm, there will be a tremendous surge in the worm," Dick said. "There is reason for concern that the mass traffic associated with the worm's propagation could degrade the overall functioning of the Internet and impact ordinary users."

Digital secrets at risk?

The first wave of the worm did not destroy computer files. But computer security experts fear the new version could prove more dangerous.

A worm can propagate itself without user assistance, unlike a more conventional computer virus.

The epidemic could affect business and personal use of the Internet, disrupting electronic commerce and e-mail, warned the Computer Emergency Response Team, or CERT, a federally funded Internet security research center at Carnegie Mellon University.

"This worm is vicious in intent. The Code Red worm has infected hundreds of thousands of systems worldwide. The worm scans the Internet, identifies vulnerable systems and infects these systems by installing itself," said Ken Watson, the head of the Partnership for Critical Infrastructure Security, a government-industry collaboration run by industry executives.

He said the worm is a "potentially significant threat to our nation's critical infrastructure and global e-commerce."

Hacker message a mystery

In the latter part of July, when the worm reared its ugly head, it defaced Web sites with the phrase, "Hacked by Chinese." But it had spread so quickly that computer virus experts remain puzzled about its origin.

"It's really unclear. There's a good chance we will never know where it came from," said Marc Maiffret, an officer of eEye Digital Security, which in June discovered the security flaw that the worm would later exploit.

Despite warnings from Microsoft, eEye and computer security authorities, who made an inoculation patch available on the Internet, many computers were susceptible during the first Code Red attack.

The rogue application takes advantage of a defect in Microsoft's Internet Information Services software. It affects only computers with the IIS Web server software and Window's NT or 2000 operating systems. Windows 95, Windows 98 and Windows Me are immune. Therefore, most home PCs cannot be infected.

Officials and industry experts are urging computer users to download the free patch from Microsoft to protect them from the worm.

Also, if a computer is infected, simply turning the machine off and back on removes the worm from memory.

The worm scans the Internet, locates vulnerable systems and infects these systems by installing itself. Each newly installed worm joins the others, causing the rate of scanning to rise exponentially.

Pentagon mounts a defense

Officials said there are three known variants of the worm. The initial one would leave behind the message "Hacked by Chinese" on Web sites if the user of the infected computer ran a Web page from that computer. The other two variants leave no such messages behind.

Last week, the Pentagon cut off public access to its Internet sites to remove the bug and protect against future outbreaks. The White House avoided a direct onslaught by changing its numerical Internet address.

A similar attack is expected later in August. And although the White House site has moved out of harm's way, the offensive could again disrupt Internet traffic, authorities warn.

The worm can also affect smaller networks using certain Cisco Systems-made Internet routers for data traffic flow, and a handful of Hewlett-Packard network printers, Maiffret said.

-- Sci-Tech writer Richard Stenger contributed to this report.

• Microsoft Security Patch
• Code Red technical data
• National Infrastructure Protection Center
• Spread of the Code Red worm, July 19-20 (UC San Diego)

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top