'Code Red' Continues to Spread

NEW YORK, Aug. 1, 2001 -- The Code Red computer worm has been rapidly tunneling its way around the globe today, but the FBI is hopeful that it will not cause extensive problems.

"Based on preliminary analysis, we expect a level of worm activity comparable to the July 19th Code Red infection, which resulted in infection of over 250,000 systems," says a statement released by the FBI's National Infrastructure Protection Center (NIPC) today. The statement adds that Code Red figures to "achieve that level of activity by this afternoon."

David Moore, a senior researcher at the Cooperative Association for Internet Data Analysis in San Diego, estimated that nearly 130,000 computer systems around the world had been infected with the worm as of 8 p.m. ET.

However, Moore said that the rate of infection slowed down as the day wore on.

"It actually seems to be reaching the part where it starts to level off," explains Moore. "It does look like it's slowing down. And, it's getting close to infecting everyone who can be infected."

Chad Dougherty, an Internet security analyst at Carnegie Mellon University's CERT Coordination Center in Pittsburgh, said the rapid proliferation of Code Red this morning was because "The worm [was] in the first phase of its attack cycle."

Dougherty also says he is expecting "a level of worm activity comparable to the July 19th Code Red infection."

The White House Web site, the original target of the first Code Red attack last month, has been unaffected by the worm, and there have been relatively few reports of disturbances in Internet traffic due to Code Red.

"We have been monitoring it closely," White House spokesman Ari Fleischer told reporters earlier today. "At this time there has been no impact on the White House."

First Surfaced July 19

The Code Red worm, which on July 19 first infiltrated thousands of computer systems carrying Microsoft's Windows 2000, Windows NT or Internet Information Server version 4.0 or 5.0, was programmed to attack government Web sites Tuesday evening.

For days before the scheduled attack, the NIPC, Microsoft and other government and private Internet security groups issued warnings to computer users about the worm, which is intended to create outages on major Web sites, slowing down Internet traffic in the process.

Computers using Microsoft's Windows 98 or Windows 95, or using Apple's operating systems, are not vulnerable to the worm.

Tuesday night, the FBI was pleased by the worm's almost negligible impact on the Internet, but remained guarded about its long-term effects.

"It will be some time before we can make any definite conclusions," said Ronald Dick, director of the NIPC, at a press conference Tuesday night. "The storm has not passed yet."

Officials have urged computer owners to download a security patch from Microsoft's site intended to protect computers against Code Red. FBI officials said that more than a million people had downloaded the patch.

Still, computer security experts warned that no one should breathe a sigh of relief just yet.

"There are pockets of this worm in the wild right now," says Jerry Freese, director of intelligence at Vigilinx, a digital security solutions provider in New Jersey monitoring Code Red. Freese points out that with an estimated eight million servers in operation worldwide, the majority of vulnerable machines in use have still not been protected against the worm.

On the 20th Day, Code Red Attacked

Code Red is programmed to do its damage over an extended period of time. It operates in two phases over a 20-day cycle: for the first 19 days, the worm spreads onto unprotected servers. From each of those, it attempts to latch on to 99 new servers. On the 20th day, the computers carrying the worm are instructed to bombard the target Web site.

Experts have said the worm installs the phrase "Hacked by Chinese!" on the attacked Web sites.

Two versions of the Code Red worm have been observed. Both take advantage of a security flaw in some versions of Microsoft's network servers, and instruct the servers to bombard government Web sites with streams of data. The company first announced both the flaw and the patch to fix it on June 18.

Dick pointed out at a briefing in Washington on Tuesday that Code Red should not damage individual computers in the way that widespread viruses can.

"The damage from this particular worm is not necessarily from the intrusion into the systems itself," said Dick. "It doesn't go in and destroy files, it doesn't go in and alter data that we're aware of. Basically what it does is take advantage of the vulnerability of a Microsoft Internet service software and then launches on a pre-scheduled time service attack on a particular target."

More Worms on the Way?

The Code Red worm first surfaced last month when hackers tapped into hundreds of thousands of servers in the process of attacking the White House's Web site. The site's technical team managed to fend off that attack, and the FBI stressed the importance of preparing for the worm.

The FBI and other Internet security experts estimate more than 300,000 computers were infected on or soon after July 19. The Pentagon also shut down hundreds of Defense Department Web pages last week in order to install protection against the computer worm.

"We have no reason to believe any national security systems are going to be affected," added Dick.

The original attack, on the White House's site, came just one day before Attorney General John Ashcroft announced 10 new law enforcement units focusing on lawbreakers in cyberspace, declaring the teams would "prosecute vigorously those responsible for cybercrime."

But experts and Internet security specialists have not yet been able to determine who is responsible for unleashing Code Red upon the Web.

"It's unlikely that they will be found unless someone brags about it," says Moore. And other experts say similar attacks could be on the way.

"This has brought some new techniques in as far as writing a worm," says Simon Perry, vice president of security at software firm Computer Associates. "You will see copycats that use this as a propagating technique."

As Marty Lindner of the CERT Coordination Center concludes: "I think it's safe to assume that Code Red is the first of a new breed, and there will be more like it."

ABCNEWS' Bryan Robinson contributed to this report.