'Code Red' Unleashed on the Web

‘Code Red’ Unleashed on the Web

By CHARLES PILLER

Aug. 1, 2001 12 AM PT

TIMES STAFF WRITER

SAN FRANCISCO —

Fears that a malicious computer program dubbed “Code Red” would cripple the Internet had not materialized by Tuesday evening. The program, known as a worm, was programmed to attack server computers that manage Web sites beginning at 5 p.m. But some security analysts and federal officials warned that Code Red still may cause massive disruption over the next hours or days.

Operating like an invisible chain letter, Code Red causes infected computer systems to search for other vulnerable systems over the Internet, and in turn infects those. Experts fear that the snowballing pattern of infections might swamp the capacity of Internet service providers.

“We estimate that it will take 36 hours until maximum impact,” said Chris Rouland, research director for Internet Security Systems, a company that has been monitoring the spread of the worm. “We expect to see a slow growth curve.”

Federal and corporate security experts concurred.

On Monday, officials from the FBI and private industry strongly urged Web administrators to fix the software vulnerability that allows Code Red to operate. They were able to offer advance warning because the worm was programmed to remain dormant until just after midnight Tuesday Greenwich mean time (which in Pacific time was 5 p.m.), at which time it was set to propagate wildly.

An earlier version of Code Red emerged July 19 and hit an estimated 350,000 computers before becoming dormant July 20. It programmed those computers to send a torrent of electronic data to the White House Web site in an effort to overwhelm that site and cause it to shut down. The White House used technical means to fend off the attack.

The worm also caused Web server computers to deface the sites they operated, displaying the message: “Hacked by Chinese.” That led to speculation that the attack was launched from China. In May, Chinese hackers defaced numerous U.S. government and corporate Web sites in response to the collision between a Chinese military jet and a U.S. surveillance plane.

The current worm does not deface Web sites. Experts say it is programmed to self-propagate through Aug. 20. From Aug. 20 to 27, it may direct an attack on the former White House Web address--but as that site has been given a new address, it will be unaffected. Beginning Aug. 28, the worm goes into a permanent inactive mode, during which it neither spreads nor attacks.

However, because the internal clock of many computers is set incorrectly, that sequence will not be uniform for computers. A hacker also could reintroduce the worm and begin the cycle anew.

Code Red exclusively targets computers that use the Windows 2000 or Windows NT operating systems and a Microsoft product known as IIS Web server software--leaving most home and office PCs unaffected.

Even so, up to several million Web server computers may suffer from this weakness. Microsoft issued a software correction for the vulnerability more than a month ago and has distributed some 1 million copies. But many computer administrators have failed to install the patch.

“There’s still a target-rich environment for this worm or any variant to spread again,” said Brian Dunphy, director of managed services analysis for Riptech Inc., a security monitoring firm.

The security landscape changes so rapidly that some 50 to 60 new vulnerabilities appear and 20 to 30 patches are issued every week, said Bruce Schneier, a noted cryptographer with Counterpane Internet Services. But network administrators may not update their software because patches often break other software features. And they can even create new security flaws.

“Your security depends on the security of every one else, and you can’t control that,” Schneier said.