SHT - Code Red keeps world guessing

greenspun.com : LUSENET : Current News : One Thread

BBC Wednesday, 1 August, 2001, 03:28 GMT 04:28 UK Code Red keeps world guessing

Question over how much damage the worm will do

The Code Red worm computer bug has had no immediately visible effect on the internet, security experts say.

But they have cautioned that the impact of the worm's attack, which was expected to begin as the new month started at midnight GMT on Wednesday, might become evident later.

In a bid to limit the number of machines the worm can infect, law enforcement agencies, business groups and governments urged people to check if their computers are infected and install software that can stop the malicious program taking them over.

But a company that monitors web site traffic, Keynote Systems Inc, has reported that traffic appears normal in some of the most-visited US web sites, such as Yahoo, Google and Excite.

"If the proliferation of the worm and its resulting traffic was going to affect Internet performance it would surely be seen in these sites," Keynote spokeswoman Mary Lindsay said.

"So I guess it remains to be seen... Everything is quiet."

US officials said more time was needed to determine whether the Internet had managed to escape the worm's wrath.

"It will take a while for pertinent analysis to be conducted," FBI spokeswoman Debby Weierman said.

"We're not going to get a definitive sense of what has transpired for a few hours."

Net is strong

The net is built to withstand disruption and the worm attacks only a fraction of all net-connected machines, so some have said that the threat posed by the Code Red worm was being overblown.

Governments have issued a warning about the worm because they fear that the increase in web traffic caused by all those copies of Code Red looking for vulnerable machines could severely disrupt the normal working of the net.

The worm reportedly spends two-thirds of every month looking for new machines to infect and the rest of the time using these machines to bombard the site of the White House with bogus data packets. For the last few days of every month, it lies dormant.

The Code Red worm exploits vulnerabilities in versions 4.0 and 5.0 of Microsoft's Internet Information Server software that is bundled with some copies of the Windows NT and 2000 operating systems.

Microsoft software is used on about a quarter of all servers, so that could limit the damage the worm can do.

Microsoft has made available a patch that closes the loophole that Code Red exploits and many anti-virus companies have produced software that can find and remove the malicious program from infected machines.

Code Red differs from many recently successful viruses because it is relatively sophisticated and uses a variety of techniques to hide and do damage.

As the worm scans for up to three weeks of every month, the most compromised networks should soon become obvious.

It is not clear how much disruption the Code Red worm could cause because the net is built to withstand disruption, routing around any damage to the physical links that make up the net or avoiding congested links.

The scanning is unlikely to be co-ordinated because many net-connected systems have their internal clocks set to the wrong time.

For many, the only difference it might make to their web browsing experience could be to make web pages take longer to appear and perhaps delay the delivery of e-mail messages for a short while.

-- Anonymous, August 01, 2001

Answers

Boston Globe has an on-line poll. "Did the early warnings work, or was it just hype"?

http://digitalmass.boston.com/news/packages/code_red/code_red_fizzle.html

SOOOOooooo Y2K-ish. Let's take the pulse of the uninformed a mere few hours after the event may have hit.

-- Anonymous, August 01, 2001


BBC Wednesday, 1 August, 2001, 12:03 GMT 13:03 UK Code Red threat fizzles out

If you find the Code Red worm do not tinker with it

By BBC News Online technology correspondent Mark Ward

The threat that the Code Red worm posed to the net has passed, for now.

Detailed analysis of the virulent computer virus has shown that previously active versions of it have gone into a sleep mode and are unlikely to reawaken.

Even if malicious hackers relaunch a new wave of attacks using the old virus, it is unlikely this will have much effect because so many vulnerable computers have been patched.

But experts say new dangers could arise from novel variants of the worm that never stop attacking websites.

Red herring

The much expected wave of disruption that the Code Red worm was supposed to unleash today has not materialised.

Early reports suggest that the worm has not caused any disruption to the normal workings of the internet.

"It's really been quite boring from our side," said a spokeswoman for the London Internet Exchange (Linx) where the UK's net service providers swap data. Linx is currently handling up to 8 gigabits of data per second.

The spokeswoman said there have been no surges caused by the Code Red worm searching for new machines to infect.

"The traffic has not been affected at all," she said.

Detailed analysis of the Code Red worm has revealed why this might be.

A report by Internet Security Systems (ISS) said that concerns that infected servers will re-awaken and unleash a deluge of data were "largely inaccurate".

Code Red is a relatively sophisticated program that has three modes; scanning, flooding and sleep.

While scanning the worm searches for vulnerable servers and runs malicious computer code on those it finds to embed itself and spread. Fears that rampant scanning could slow the net prompted this week's rash of warnings.

During "flooding" mode the worm bombards the Whitehouse.gov website with bogus data packets.

Slumbering software

Experts at ISS now believe that the final "sleep" phase will last indefinitely and that infected machines will not unleash havoc on the net.

The report notes that even if the worm is re-activated manually by a hacker, many of the vulnerable machines have been patched.

Netcraft, which carries out regular surveys of web server software, estimates that around 3.5 million sites are using Microsoft IIS software.

Of these about 35% were initially vulnerable, a figure that has now dropped to 15% following the publicity about the worm.

What might also hamper the ability of the virus to spread is the relative unreliability of Microsoft web servers.

The Code Red virus lurks in the memory of a web server and is cleared when the computer is rebooted.

As Microsoft servers crash more often than many of their counterparts, this might limit the spread of the malicious code.

Virus variants

But the ISS report warns that the threat posed by the Code Red virus has not entirely disappeared.

The damage done when it struck on 19 July was caused by a variant of the virus rather than the original. Whoever tampered with the code of the worm improved its ability to propagate and made it more effective.

The original worm randomly generated network addresses and then sent data to each one to find out if they were vulnerable.

ISS estimates that the worm could scan at least 400,000 net addresses per day, and could take a long time to probe the entire net address space of 4 billion potential combinations.

But the report warns that newer variants of the worm which fix some of the remaining bugs in the malicious program could lead to disruption of the net in the future.

"If it is updated to make it more efficient we could be in for a lot more trouble," said Kenneth De Spiegeleire, manager of the ISS security assessment service, "because then it might not be so easy to patch."

-- Anonymous, August 01, 2001
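Both BBC pieces above describe the worm's behaviour in prose: a monthly cycle of scanning, flooding and sleeping, and a scanning mode that probes random addresses for vulnerable IIS 4.0/5.0 servers. The following is an added example, not code from the articles or from the ISS report they cite, showing the two checks an administrator would actually have wanted on 1 August 2001: which mode the worm is in on a given day, and whether a server's own web logs show it being probed. Everything not stated on this page is an assumption and is labelled as such: the day boundaries (1-19 scan, 20-27 flood, 28 onwards sleep) are a reading of "two-thirds of every month" and "the last few days"; the probe signature (a GET for /default.ida with a long run of one repeated character in the query, the Indexing Service ISAPI overflow fixed by Microsoft bulletin MS01-033) is public record but is not given in the articles; and the log lines are constructed to resemble IIS W3C extended format.

```python
"""
Added example (not from the BBC articles or the ISS report they cite).

1. code_red_phase(): the worm's mode for a given day of the month, using
   the three-mode schedule the articles describe.  Day boundaries are an
   ASSUMPTION (1-19 scan, 20-27 flood, 28-31 sleep) read from "two-thirds
   of every month" scanning and "the last few days" dormant.
2. find_probes(): a pass over IIS-style log lines that flags the worm's
   scanning requests.  ASSUMPTION: the probe is an HTTP GET for /default.ida
   whose query string is a long run of one repeated letter (the Indexing
   Service ISAPI overflow, MS01-033); the articles do not state this.
   Probes arriving from your own address space mean one of your own hosts
   is infected, not merely that you are being scanned.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


def code_red_phase(day_of_month: int) -> str:
    """Return 'scan', 'flood' or 'sleep' for a calendar day (assumed boundaries)."""
    if not 1 <= day_of_month <= 31:
        raise ValueError("day_of_month must be 1..31")
    if day_of_month <= 19:
        return "scan"
    if day_of_month <= 27:
        return "flood"
    return "sleep"


# W3C extended log fields assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
STEM_RE = re.compile(r"^/default\.ida$", re.IGNORECASE)
RUN_RE = re.compile(r"^([A-Za-z])\1{99,}")   # 100 or more copies of one letter


@dataclass
class Probe:
    timestamp: str
    client_ip: str
    filler: str        # the repeated letter, e.g. "N"
    run_length: int
    status: Optional[int]


def parse_probe(line: str) -> Optional[Probe]:
    """Return a Probe if the log line looks like a Code Red scan, else None."""
    fields = line.split()
    if len(fields) < 6:
        return None
    date, time, ip, method, stem, query = fields[:6]
    status = int(fields[6]) if len(fields) > 6 and fields[6].isdigit() else None
    if method.upper() != "GET" or not STEM_RE.match(stem):
        return None
    run = RUN_RE.match(query)
    if not run:               # a short or ordinary /default.ida request is not the worm
        return None
    return Probe(f"{date} {time}", ip, run.group(1), len(run.group(0)), status)


def find_probes(lines: Iterable[str]) -> List[Probe]:
    return [p for p in (parse_probe(line) for line in lines) if p]


# CONSTRUCTED sample log (IIS W3C extended format); 192.0.2.0/24, 198.51.100.0/24
# are documentation ranges, 10.0.0.5 stands in for a host on the site's own LAN.
SAMPLE_LOG_LINES = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-01 00:04:17 192.0.2.10 GET /index.html - 200",
    "2001-08-01 00:05:12 198.51.100.77 GET /default.ida " + "N" * 224 + "%u9090 200",
    "2001-08-01 00:06:00 192.0.2.11 GET /default.ida NNNN 404",
    "2001-08-01 00:07:41 10.0.0.5 GET /default.ida " + "X" * 300 + "%u9090 200",
    "2001-08-01 00:08:03 192.0.2.12 GET /robots.txt - 404",
]


if __name__ == "__main__":
    print("worm mode on 1 August:", code_red_phase(1))
    for p in find_probes(SAMPLE_LOG_LINES):
        where = "INTERNAL (host infected)" if p.client_ip.startswith("10.") else "external"
        print(f"{p.timestamp} probe from {p.client_ip} [{where}] "
              f"filler={p.filler!r} run={p.run_length} status={p.status}")
```

The 100-character threshold is deliberate: a genuine request to a mapped .ida handler carries a short query, while the overflow needs a filler run several times longer, so the threshold separates the two without matching on any particular payload bytes. Only the query string's leading run is inspected; the rest of the request is not needed to recognise the scan.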

