More about CODE RED : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Washington sounds alarm over 'Code Red' worm virus

Source: AAP|Published: Monday July 30, 11:17 AM

WASHINGTON, July 29 AP - In an unprecedented show of force against an extremely virulent Internet attack, government and private officials will tomorrow implore worldwide organisations to protect themselves from the “Code Red” worm.

Representatives from the White House, FBI, Microsoft and others have decided to take the step in the face of one of the largest ever dangers to the Internet. The worm, similar to a virus, could cause widespread slowdowns and sporadic outages.

“The Internet has become indispensable to our national security and economic well-being,” said Ron Dick, head of the National Infrastructure Protection Centre, an arm of the FBI. “Worms like Code Red pose a distinct threat to the Internet.”

Along with posting various warnings on their web sites, government officials and representatives from Microsoft are to hold a news conference tomorrow afternoon to publicise their efforts.

The government routinely works with private companies to issue warnings about new hack attacks and viruses, but never before have they made such a high-profile stand.

While the actual infection rate is unknown, it is believed to be in the hundreds of thousands of Internet-connected computers. In just the first nine hours of its July 19 outbreak, it infected more than 250,000 systems.

The officials are frustrated that even though a software inoculation was made available over a month before the worm's first attack, many computers are still defenceless. The patch, which will protect computers, can be found on Microsoft's web site.

The worm defaces web sites with the words “Hacked by Chinese”. While it doesn't destroy data, it could be modified to do so. At least two mutations have already been found.

Code Red exploits a flaw discovered in June in Microsoft's Internet Information Services software used on Internet servers. It is found in Windows' NT and 2000 operating systems.

Only computers set to use the English language will have their web pages defaced. From the first through to the 19th of every month, the worm spreads. From the 20th on, it attacks the White House web site, trying to knock it offline.

The White House took precautions against it, changing its numerical Internet address to dodge the attack.

Even though the target has moved, the infected computers will still launch their attack. This, officials said, could slow down the Internet causing sporadic but widespread outages.

Last week, the Pentagon was forced to shut down public access to all of its web sites temporarily to purge and protect them from the Code Red worm.

Because Code Red spread so quickly, security companies have not been able to figure out who wrote and released it.

Code Red can also damage smaller networks by affecting a certain type of Internet router, made by Cisco Systems, used for data traffic control.

Steve Lipner, head of Microsoft's security response centre, said the company was looking for new ways to distribute patches more efficiently.

The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems.

“The protection of the Internet requires a partnership with the government, private companies and the public as a whole,” Dick said.

-- Martin Thompson (, July 29, 2001


Code Red: Is This the Apocalypse? By Michelle Delio 6:09 a.m. July 30, 2001 PDT

If you do nothing else today, make sure you patch your computer system against the Code Red worm.

Code Red, which reportedly has infected about 300,000 computers this month, may begin to wreak more havoc on the Internet when the time- conscious worm begins propagating again on Wednesday at midnight Greenwich Mean Time (July 31 at 7:00 p.m. EDT).

Then again, Code Red might just deface some Web pages, cause a lot of extra work for systems administrators and slow the Internet down a tad, just like it did through the month.

Microsoft, the FBI's National Infrastructure Protection Center, the CERT Coordination Center, SANS Institute and several other groups issued a joint alert Sunday evening, warning that the Code Red worm is a "very real" threat to the Internet, and setting July 31 as the deadline to protect systems against the worm.

"If there's even one infected computer out there it will start infecting other computers again," Steve Trilling, director of research at Symantec's antivirus center, said in a press release.

But Rob Rosenberger, webmaster of a site devoted to debunking myths about computer viruses, believes that mass e-mail warnings about the worm are more likely to gum up the works than the worm itself.

"I'll make a simple prediction. E-mail servers will clog up on Monday and Tuesday with warnings about this 'horrifying' worm," Rosenberger said in his article about the worm.

Rosenberger is happily planning to study the hysteria that he believes will be spawned by worm alerts this week. Overwrought alert or not, the patch that prevents against infection by Code Red should be applied by anyone who runs Windows NT or Windows 2000 and Microsoft's Internet Information Server (IIS) Web server software on their system.

The worm's effects during its first run of infections were not as debilitating as some security experts predicted they would be. But machines should be patched anyway. The vulnerability that the worm takes advantage of also leaves systems open to attack by malicious hackers, allowing them to remotely control an infected system.

Applying the patch is an easy download, can't hurt systems, and helps fight the spread of the worm.

Even if your computer is not used as a server, IIS is installed automatically by many applications.

Those who are unsure if they are running IIS can launch Task Manager by pressing the Control-Alt-Delete keys at the same time. Click on Task Manager in the dialog box, and select the Processes tab.

Look for Inetinfo.exe in the image name column. If Inetinfo.exe appears, you are running IIS and need to install the necessary patches. If not, you are not running IIS and don't need to patch your system.

To rid your machine of the worm, simply reboot your computer. To protect your system from new symptoms or re-infection, install Microsoft's Code Red vulnerability patch for Windows NT or Windows 2000 Professional.

Step-by-step instructions for applying the patch and purging systems of the worm have been posted by Digital Island Net.

Since around July 13, several variants of the Code Red worm have been wiggling their way across the Internet, attacking servers and slowing traffic.

Security company eEye Digital Security discovered the flaw in IIS that Code Red exploits on June 18, and warned that an exploit would soon be created to take advantage of the vulnerability. EEye also provided the first complete analysis of the worm after it was released on the Internet on or around July 13th.

The worm was named in honor of a super-caffeinated soft drink, Code Red Mountain Dew, which the eEye crew drank during an all-night work session as they struggled to understand what the worm was capable of doing.

At least two new versions of the worm are also loose on the Net, and appear to be spreading more quickly than the original version of Code Red, said Marc Maiffret, chief hacking officer at eEye.

After infecting a system, the worm scans the Internet, identifies other vulnerable systems, and then infects these systems by automatically installing itself through Port 80. Each newly installed worm then joins all the others in their search for more systems to infect.

CERT'S new advisory on the Code Red worm states that tens of thousands of systems are already infected or vulnerable to re- infection.

Because the worm propagates so quickly, CERT experts believe it is likely that nearly all vulnerable systems will be compromised by Aug. 2, during the anticipated next run of infections.

Infected machines have the potential to disrupt business and personal use of the Internet by slowing servers' ability to process information, and perhaps bringing some systems to a complete halt.

The first version of the worm was coded so that each infected machine would eventually return to and attack the machine that originally infected it. EEye suspects this may allow the coder to track the infections.

Using this feature of the worm, security experts at eEye were able to accurately track the initial spread of the worm. Every machine that was infected would eventually "call home," which allowed compromised systems to be logged and tracked. New versions of Code Red do not contain that coding error.

The worm is coded to be time sensitive; its activity occurs based on the date (day of the month) of an infected system's clock.

The worm is in "propagation mode" from the first through the 19th of the month. During that time, an infected computer attempts to send the worm out to other randomly chosen IP addresses using one of the computer's communication ports (TCP Port 80).

The worm goes into "flood mode" from the 20th through 27th of the month, launching a denial-of-service attack against a specific IP address that is embedded in the worm's program code. With current versions of the worm, the attack is launched against the White House's website.

Last month the White House dodged the attack without going offline by redirecting all Internet traffic to an IP address that the worm was not programmed to recognize, and blocking all requests to the address that the worm was coded to attack.

Clearing the worm from systems can be time-consuming. Last week, the Pentagon temporarily shut down public access to all of its websites to purge and patch its networks, an action that some security experts felt was a bit of overkill.

The worm enters "termination" or "hibernation mode" after the 27th day of the month, remaining in infected systems but otherwise staying inactive until the first day of each month.

The first version of the worm, if it infects a Web server, also defaces the contents of a website with the words "Hello! Welcome to! Hacked by Chinese!"

The defaced page will stay in place for 10 hours, and then revert to normal. New variants do not deface websites hosted by infected computers, but are more apt to crash servers since they infect computers multiple times, eEye's Maiffret said.

Microsoft's "" site displayed that message for a few hours on June 20, an obvious sign that the company did not update all of its own servers with its own security patches.

Steve Lipner, head of Microsoft's security response center, said the company is looking for new ways to distribute its security patches more efficiently.,1294,45681,00.html

-- Martin Thompson (, July 30, 2001.

Code Red comin 'back ---------------------------------------------------------------------- ---------- posted 10:12am EST Mon Jul 30 2001 NEWS The Code Red worm that caused major trouble on July 19th may show up again tomorrow night. The potential for even more trouble across the Internet is so great that Microsoft, the CERT Coordination Center, the Federal Computer Incident Response Center, and others issued a joint alert urging users to protect themselves and their systems against Code Red immediately. The title of CERT/CC's advisory puts it succinctly: "A Very Real and Present Threat to the Internet: July 31 Deadline For Action."

Code Red affects Microsoft IIS (Internet Information Server) webserver software versions 4 and 5, and users running Windows NT or 2000 with those IIS versions are vulnerable to tomorrow's 8:00 P.M. EDT re-emergence. Internet security groups are nervous about Code Red because it infected 250,000-300,000 systems in just 9 hours back on the 19th and has mutated into potentially more powerful forms since then. The Code Red worm scans the Internet, finds vulnerable systems, infects those systems, then replicates the process. What does this mean to you? "This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems. ... This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, email, and entertainment."

The tremendous implications of another Code Red outbreak mean that everyone who has WinNT or Win2K and IIS 4 or 5 must install the available patches before tomorrow night at 8 P.M. Eastern. If you qualify for trouble, please read the CERT/CC Advisory and follow the detailed instructions at Digital Island. You can also check the Reuters item for an overview of the worm and the trouble it caused.

SAM'S OPINION It's always dangerous when a nasty worm resurfaces after the initial hype dies down, since many people think they've escaped the trouble and don't apply patches or watch out for mutations. Another thing that makes Code Red particularly nasty is that IIS often installs automatically when other Microsoft programs are being installed. Thus, there are still many systems out there that may be vulnerable to infection whose sysadmins don't even realize what's coming. As the CERT/CC advisory points out, Win95, 98, or Me users don't have to worry about system security, but most businesses are using NT or 2K to run their webservers, and that's where the trouble lies.

It's not 100% clear that Code Red will re-emerge tomorrow night, but it's a chance that sysadmins should not take. Plus, since Microsoft quickly had a patch available, it definitely doesn't hurt to apply that patch and make your system secure, especially since there are sneaky virus/worm writers out there who write a virus or worm after a known hole is exposed by a previous virus or worm.

My e-mail had major trouble last week because of the SirCam virus/worm (I didn't get it, but I got LOTS of extraneous e-mail), and if Code Red actually starts plugging up bandwidth across the 'Net things will really slow down ... and what Geek can be happy about that? (There's no such thing as a Luddite Geek, is there?)

So, if you know the sysadmin at your company and/or favorite website, send them a note to make sure the Win2K/NT servers are patched doesn't use IIS, so you don't have to let us know. :) And keep your fingers crossed that not too many folks are on vacation and missing this news.

-- Martin Thompson (, July 31, 2001.

Tuesday, July 31 10:48 PM SGT Code Red computer virus hits Switzerland

BERNE: July 31 (AFP) - The "Code Red" computer virus which affected thousands of computer users in the United States in July has now reached Switzerland, hitting numerous well-known companies, a government spokesman said on Tuesday.

Claudio Frigerio from the Federal Office of Information and Telecommunications told AFP at least 10 webservers and their homepages had been infected.

Frigerio said the virus had attacked Internet addresses using the suffix ".ch".

He said the virus also tried to infiltrate the Swiss government's system but did little damage because an anti-virus system had already been installed.

On Monday the FBI warned US computer users the virus could strike again.

Ronald Dick, director of the FBI's National Infrastructure Protection Centre said the new attack could affect around 1.5 million Internet addresses. s=asia/headlines/010731/technology/afp/Code_Red_computer_virus_hits_Sw itzerland.html

-- Martin Thompson (, July 31, 2001.

Martin, my net service has been faster tonight than it usually is!


TORONTO -- Reports that a computer "worm" currently spreading on the Internet could lead to economic chaos have been greatly exaggerated, high-tech experts said Tuesday. --------

But on Tuesday, computer specialists scoffed at suggestions that Code Red would wreck the economy.

"I think Shakespeare said it best: 'This is much ado about nothing,"' said Iain Grant, the Canadian managing director for the Yankee Group, a technology consulting firm with offices around the world. ------

"There has been an amazing effort to ensure that the public and private sector proofed their computers against (Code Red)," said Ronald Dick, director of the FBI's National Infrastructure Protection Center.

"As of now, the Internet is operating normally."

Officials said, however, it could be a day or two before any effects of the latest attack are noticed, as the worm -- or possible variants -- take hold.

The original Code Red worm took seven days to hit its stride, said Alan Paller, director of research at the SANS Institute, a computer security think-tank.

"We don't know yet whether we are safe and we won't know for sure until seven days pass with no major disruptions" said Paller, who was helping the FBI monitor the Internet.

"We never expected to know whether there was a problem today."


Personal computers that are not servers cannot be infected. Neither can Apple machines.

"Those of us who use Macintosh are not losing sleep over this," said Grant.

And even if a computer is infected, "it's relatively easy to fix," said Prof. Randy Goebel, chair of the computing science department at the University of Alberta.

Because Code Red resides only in a computer's memory, rather than a permanent storage space like a hard drive, a simple reboot wipes away the infection. The worm causes no damage to a computer's permanent files.


Statements that the worm could bring down the Internet, Goebel said, are "completely out of proportion."

So if the worm is not likely to unleash havoc on the business world, why did Microsoft, the FBI, Ottawa and Washington make such a big deal about Code Red?

"It's a risk-management issue," said David Woelfle of EDS Canada, an information-technology services company.

"Do people think that the bomb will drop? No. Could it drop? Yes."

"So they want to make sure they do everything that they can" to get the word out.

This sounds so familiar!

-- Rachel Gibson (, August 01, 2001.

Bill for Code Red: $1.2 billion and rising By Reuters August 1, 2001 5:56 AM PT URL: The Code Red worm that hit the Internet as global clocks roll over to Aug. 1 has already cost an estimated $1.2 billion in damage to networks, a research organization said Tuesday.

The cost of cleanup, monitoring and checking systems for the self- propagating worm, which has infected about 395,000 servers, is $740 million, said Michael Erbschloe, vice president of research at Computer Economics, an independent research organization in Carlsbad, Calif.

The loss of productivity associated with the worm is estimated at $450 million, Erbschloe said.

"Information technology people are not cheap," he said. "A lot of companies have outsourced this and they have to pay sometimes $300 an hour to have people come in and look at their servers."

An estimated 6 million servers are still at risk, he said.

Microsoft has reported more than 1 million downloads of its patch to plug the hole in its Internet Information Server. The worm affects computers running Windows NT and Windows 2000 operating systems, but not those running Windows 95, 98 or ME.

The economic cost of Code Red will not be fully tallied until the worm finishes its cycle, experts said. The worm, which has several known variants, was first recognized in mid-July and is programmed to infect other computers the first 20 days of the month and then lie dormant indefinitely.

However, infected computers with incorrect internal time and date settings are likely to keep it going into August, experts said.

Erbschloe had estimated the economic impact from last year's Love Bug virus to be $8.7 billion and the economic damage from the Melissa virus in 1999 to be about $1 billion.

While some people have questioned his figures, Erbschloe said that Lloyds of London put the estimate for Love Bug at $15 billion.

"In my opinion, $8.7 billion is not ludicrous," he said. "Some companies reported 7 million Love Bug messages and 10 days to clean up.",6061,5095028-2,00.html

-- Martin Thompson (, August 02, 2001.

There are a multitude of articles on the Code Red problem. Everything from its just HO HUM to its a complete disaster. Whats a person to believe?

-- Martin Thompson (, August 02, 2001.

I agree martin. I give up... with all the flip flopping concerning c red in the media what are we to believe?

-- Tess (, August 02, 2001.

Moderation questions? read the FAQ