Officials Caution Belated Web Worm Effects

NEW YORK, July 31, 2001 -- Government officials said tonight they had no reports of the "Code Red" computer worm's return, but warned the effects of an attack may not be felt immediately.

"It will be some time before we can make any definite conclusions," Ronald Dick, director of the FBI's National Infrastructure Protection Center (NIPC), said at a press conference tonight. "The storm has not passed yet."

The Code Red worm, which first infiltrated thousands of systems almost two weeks ago, was set to resurface at 8 p.m. ET.

The NIPC as well as Microsoft and other government and private Internet security groups issued an advisory about the worm, which is intended to create outages on major Web sites, and could significantly slow down Web traffic in the process. Officials urged Web site operators to download a patch from Microsoft's site intended to protect computers against Code Red.

FBI officials said more than a million people had downloaded the patch. Though it was impossible to estimate how many computers were protected from Code Red, officials seemed optimistic.

"The world notification [of Code Red] has paid huge dividends," Dick said. "The media and its coverage of this has done a huge public service."

Government officials said there had not been any reports of mutations of the computer worm. But experts warned that no one should breathe a sigh of relief just yet.

"It's not going to start like a horse race, with everything going at once. As of yet we have no reports of interruption in service," said Jerry Freese, director of intelligence at Vigilinx, a digital security solutions provider monitoring Code Red. "There have been some reports of slowed traffic but nothing alarming. But we're still watching for slowed Web traffic, scanning and interruptions in security. We haven't heard anything, and I guess that's a good sign. But basically we have to wait and see."

A Long Cycle

Code Red's effects may not be immediately apparent because it has a long cycle. It operates in two phases over a 20-day cycle: for the first 19 days, the worm spreads onto unprotected servers. From each of those, it attempts to latch on to 99 new servers. On the 20th day, the computers carrying the worm are instructed to bombard the target Web site.

Experts have said the worm installs the phrase "Hacked by Chinese!" on the attacked Web sites.

According to Freese, it is difficult to tell whether we are in the middle of a cycle or at the beginning of one. The worm FBI officials are concerned about now, he said, is like the first one, but slightly different and perhaps more dangerous. It has been modified so that it does not deface Web sites.

"My guess is that we are in the midst of a new cycle, but it is difficult to know when this [second] Code Red worm was created," Freese said.

The worm takes advantage of a security flaw in some versions of Microsoft's network servers, and instructs the servers to bombard government Web sites with streams of data. The company first announced both the flaw and the patch to fix it on June 18.

According to the NIPC's advisory, the worm "could impact businesses and home users as the Internet slows down dramatically." Computers with Microsoft's Windows NT, Windows 2000 and Internet Information Server version 4.0 or 5.0 are vulnerable. However, according to a bulletin on Microsoft's Web site, "If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert."

Dick pointed out at a briefing in Washington earlier today that Code Red should not damage individual computers in the way that widespread viruses can.

"The damage from this particular worm is not necessarily from the intrusion into the systems itself," said Dick. "It doesn't go in and destroy files, it doesn't go in and alter data that we're aware of. Basically what it does is take advantage of the vulnerability of a Microsoft Internet service software and then launches on a pre-scheduled time service attack on a particular target."

Worm Surfaced in White House Attack

The Code Red worm first surfaced July 19 when hackers tapped into hundreds of thousands of servers in the process of attacking the White House's Web site. The site's technical team managed to fend off that attack, and the FBI stressed the importance of preparing for the worm.

"The NIPC warning message coupled with the press conference [on Monday] stopped over 1,600 attempted intrusions in a 24-hour period of time," Dick said today.

The FBI and other Internet security experts estimate more than 300,000 computers were infected on or soon after July 19. Marty Lindner, a computer security expert at Carnegie Mellon University's CERT Coordination Center in Pittsburgh, said it is "impossible to say how many machines will be infected," although he is optimistic that heightened public awareness of Code Red will stem its flow.

The Pentagon also shut down hundreds of Defense Department Web pages last week in order to install protection against the computer worm.

"We have no reason to believe any national security systems are going to be affected," added Dick.

Future Code Reds?

The original attack, on the White House's site, came just one day before Attorney General John Ashcroft announced 10 new law enforcement units focusing on lawbreakers in cyberspace, declaring the teams would "prosecute vigorously those responsible for cybercrime."

But experts and Internet security specialists have not yet been able to determine who is responsible for unleashing Code Red upon the Web. And they say similar attacks could be on the way.

"I think it's safe to assume that Code Red is the first of a new breed, and there will be more like it," says Lindner.

ABCNEWS' Peter Dizikes and Bryan Robinson contributed to this report.