Code Red Worm Back on the Prowl
Little impact felt thus far, but more than 100,000 computers are newly infected.
Frank Thorsberg, PCWorld.com
Code Red, the worm that security experts warn could cripple the Internet, infected more than 100,000 new computers on Wednesday, and is still spreading in preparation for a renewed attack expected later this month.
That brings the total to an estimated 350,000 infected machines since the worm was discovered. The full extent of the new infestation and its impact may not be known for days or weeks, but some U.S. military networks were apparently affected Wednesday.
"The worm is an ugly thing," U.S. Army Major Barry Venable told Reuters in a telephone interview from Colorado Springs, where the U.S. military monitors its networks. "Here at DoD [Department of Defense], we've observed several disturbances to our networks as a result of this thing working on the Internet, but we've seen no significant degradation to DoD yet."
More to Come
The more than 100,000 newly infected computers were detected halfway through Wednesday, the first day of the worm's second monthly cycle, as reported by the SANS Institute Internet Storm Center's Incidents.org and the University of California at San Diego's Cooperative Association for Internet Data Analysis.
Though that number is less than half of the more than 250,000 systems hit by the first wave of Code Red infections, the worm is expected to remain active for nearly three weeks, according to Russ Cooper, surgeon general at security company TruSecure and editor of the NTBugtraq security e-mail list.
"Unlike the last time, this isn't going to stop tonight. It will reach more hosts than it did before because it will run longer," Cooper says. "Nothing makes me believe that we're going to top out at 50,000 or 100,000 [infected systems]."
Only on the Net
The worm infects Net servers running version 4.0 and 5.0 of Microsoft's IIS software. A hole in the program that allowed the worm to slip inside can be easily corrected with a patch available on Microsoft's Web site.
Despite the patch's availability, the Computer Emergency Response Team reports increasing Code Red scanning on the Internet.
"This indicates that the worm is in the first phase of its attack cycle, in which it scans random IP addresses for systems to compromise," CERT says. "These reports indicate that the number of compromised systems is increasing exponentially, and there is a potential for a large number of machines to be affected."
Warnings Heeded
Dire warnings from CERT, the FBI's National Infrastructure Protection Center, other Net security groups, and Microsoft itself helped stimulate more than 1 million downloads of the patch, but many servers are still vulnerable to the Code Red infestation, which was first identified in mid-July.
At that time, researchers estimated that the worm spread to more than 250,000 servers in eight to ten hours.
"Based on preliminary analysis, we expect a level of worm activity comparable to the July 19th Code Red infection, which resulted in infection of over 250,000 systems. It should achieve that level of activity by this afternoon [Wednesday]," says the NIPC.
A Slight Slowdown
Keynote Systems, which monitors traffic on top Internet sites, reported a very slight slowdown in some Net connections--apparently unrelated to the worm--on Wednesday.
"This morning, we saw the normal pattern, where Web site usage picks up around 11 o'clock East Coast time. Then, we started seeing a drop off, where normally it was taking 3 to 4 seconds and we were seeing 4 to 5 seconds," explains Bill Jones, a Keynote senior director.
"Whether that's Internet rubbernecking, or attributable to the worm, it's hard to say," he says. "If I had to make an educated observation, it's not the worm, just more people getting on the Internet."
Most personal computer users are in no danger of direct infection by Code Red because the worm ignores them in its hunt for Web server machines. The worm installs itself on vulnerable servers, which, in turn, are used to hunt down other unprotected machines.
"Each newly installed worm joins the others, causing the rate of scanning to grow rapidly," the NIPC says. "We are hopeful that the many precautions taken by the public, the government, and private industry will have some effect on reducing its ability to propagate."
Simply shutting down infected computers clears the worm from their memory, but the machines can be re-infected if they are put back into operation without the recommended patch.
On Its Own Timer
The worm is on a timer that sets a month-long cycle into motion on the first of each month. For the first 20 days, the worm is in recruitment phase. Then, it spends the next week launching denial of service attacks on a target Web site before returning to hibernation to wait for the cycle to begin anew.
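The propagation mechanics described above (random address scanning, each new victim joining the scan, a reboot that clears memory but not the hole, and the monthly timer) can be put into a simple expected-value model. This is example code added for this page, not part of the original report; the vulnerable-host count, scan rate and phase boundaries are assumptions chosen to roughly match the figures quoted in the article.

```python
ADDRESS_SPACE = 2 ** 32  # IPv4 addresses the worm draws from at random


def phase(day_of_month):
    """Worm phase for a day of the month, following the article's rough
    description: about 20 days of scanning, about a week of denial of
    service, then dormant until the 1st (boundaries are assumptions)."""
    if day_of_month < 20:
        return "propagate"
    if day_of_month < 28:
        return "attack"
    return "dormant"


def simulate(vulnerable, infected, scans_per_min, minutes,
             patch_frac=0.0, reboot_frac=0.0, day_of_month=1):
    """Return the expected infected count after each minute.

    vulnerable    : unpatched servers not yet infected (assumed ~300,000)
    infected      : hosts currently running the worm in memory
    scans_per_min : random addresses probed per infected host per minute
    patch_frac    : share of the unpatched pool patched each minute
    reboot_frac   : share of infected hosts rebooted each minute; the worm
                    is gone from memory but the hole remains, so they are
                    re-infectable (the situation the article warns about)
    """
    susceptible = float(vulnerable)
    infected = float(infected)
    history = []
    for _ in range(minutes):
        new = 0.0
        if phase(day_of_month) == "propagate":
            # A random scan hits a susceptible host with probability
            # S / 2^32; total new infections scale with I, so growth is
            # exponential at first and slows only as S is used up.
            new = min(susceptible,
                      infected * scans_per_min * susceptible / ADDRESS_SPACE)
        rebooted = infected * reboot_frac      # back to the unpatched pool
        patched = susceptible * patch_frac     # out of the pool for good
        susceptible += rebooted - new - patched
        infected += new - rebooted
        history.append(round(infected))
    return history


if __name__ == "__main__":
    # ~300,000 vulnerable IIS servers, one seed, 6 scans/s, a 10-hour run
    baseline = simulate(300_000, 1, 360, 600)
    patched = simulate(300_000, 1, 360, 600, patch_frac=0.002)
    print("no patching:", baseline[-1], "infected after 10 h")
    print("0.2%/min patching:", patched[-1], "infected after 10 h")
```

Comparing the two runs shows why the article stresses patching rather than rebooting: hosts that are rebooted without the patch simply flow back into the scannable pool, while patched hosts leave it permanently.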
The initial target was the White House Web site, but technicians modified the online address to sidestep the onslaught of information requests from hundreds of thousands of infected servers.
Security experts fear the worm may mutate and choose another Web site target or targets and also could modify its attack in other ways as yet undetected.
(Reuters and IDG News Service contributed to this report.)
