Code Red: Is This the Apocalypse?

If you do nothing else today, make sure you patch your computer system against the Code Red worm.

Code Red, which reportedly has infected about 300,000 computers this month, may begin to wreak more havoc on the Internet when the time-conscious worm begins propagating again on Wednesday at midnight Greenwich Mean Time (July 31 at 8:00 p.m. EDT).

Then again, Code Red might just deface some Web pages, cause a lot of extra work for systems administrators and slow the Internet down a tad, just as it did throughout the month.

Microsoft, the FBI’s National Infrastructure Protection Center, the CERT Coordination Center, SANS Institute and several other groups issued a joint alert Sunday evening, warning that the Code Red worm is a “very real” threat to the Internet, and setting July 31 as the deadline to protect systems against the worm.

“If there’s even one infected computer out there it will start infecting other computers again,” Steve Trilling, director of research at Symantec’s antivirus center, said in a press release.

But Rob Rosenberger, webmaster of a site devoted to debunking myths about computer viruses, believes that mass e-mail warnings about the worm are more likely to gum up the works than the worm itself.

“I’ll make a simple prediction. E-mail servers will clog up on Monday and Tuesday with warnings about this ‘horrifying’ worm,” Rosenberger said in his article about the worm.

Rosenberger is happily planning to study the hysteria that he believes will be spawned by worm alerts this week. Overwrought alert or not, the patch that protects against infection by Code Red should be applied by anyone who runs Windows NT or Windows 2000 with Microsoft’s Internet Information Server (IIS) Web server software on their system.

The worm’s effects during its first run of infections were not as debilitating as some security experts predicted they would be. But machines should be patched anyway. The vulnerability that the worm takes advantage of also leaves systems open to attack by malicious hackers, allowing them to remotely control an infected system.

The patch is an easy download, can’t hurt systems, and helps fight the spread of the worm.

Those who are unsure if they are running IIS can launch Task Manager by pressing the Control-Alt-Delete keys at the same time. Click on Task Manager in the dialog box, and select the Processes tab.

To rid your machine of the worm, simply reboot your computer. To protect your system from new symptoms or re-infection, install Microsoft’s Code Red vulnerability patch for Windows NT or Windows 2000 Professional.

Step-by-step instructions for applying the patch and purging systems of the worm have been posted by Digital Island Net.

Since around July 13, several variants of the Code Red worm have been wiggling their way across the Internet, attacking servers and slowing traffic.

Security company eEye Digital Security discovered the flaw in IIS that Code Red exploits on June 18, and warned that an exploit would soon be created to take advantage of the vulnerability. EEye also provided the first complete analysis of the worm after it was released on the Internet on or around July 13.

The worm was named in honor of a super-caffeinated soft drink, Code Red Mountain Dew, which the eEye crew drank during an all-night work session as they struggled to understand what the worm was capable of doing.

At least two new versions of the worm are also loose on the Net, and appear to be spreading more quickly than the original version of Code Red, said Marc Maiffret, chief hacking officer at eEye.

After infecting a system, the worm scans the Internet, identifies other vulnerable systems, and then infects these systems by automatically installing itself through Port 80. Each newly installed worm then joins all the others in their search for more systems to infect.

CERT’s new advisory on the Code Red worm states that tens of thousands of systems are already infected or vulnerable to re-infection.

Because the worm propagates so quickly, CERT experts believe it is likely that nearly all vulnerable systems will be compromised by Aug. 2, during the anticipated next run of infections.

Infected machines have the potential to disrupt business and personal use of the Internet by slowing servers’ ability to process information, and perhaps bringing some systems to a complete halt.

The first version of the worm was coded so that each infected machine would eventually return to and attack the machine that originally infected it. EEye suspects this may allow the coder to track the infections.

Using this feature of the worm, security experts at eEye were able to accurately track the initial spread of the worm. Every machine that was infected would eventually “call home,” which allowed compromised systems to be logged and tracked. New versions of Code Red do not contain that coding error.

The worm is coded to be time sensitive; its activity occurs based on the date (day of the month) of an infected system’s clock.

The worm is in “propagation mode” from the first through the 19th of the month. During that time, an infected computer attempts to send the worm out to other randomly chosen IP addresses using one of the computer’s communication ports (TCP Port 80).

The worm goes into “flood mode” from the 20th through 27th of the month, launching a denial-of-service attack against a specific IP address that is embedded in the worm’s program code. With current versions of the worm, the attack is launched against the White House’s website.

Last month the White House dodged the attack without going offline by redirecting all Internet traffic to an IP address that the worm was not programmed to recognize, and blocking all requests to the address that the worm was coded to attack.

Clearing the worm from systems can be time-consuming. Last week, the Pentagon temporarily shut down public access to all of its websites to purge and patch its networks, an action that some security experts felt was a bit of overkill.

The worm enters “termination” or “hibernation mode” after the 27th day of the month, remaining in infected systems but otherwise staying inactive until the first day of each month.
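The date-driven behaviour described above (propagation from the 1st through the 19th, flooding from the 20th through the 27th, hibernation afterwards) can be turned into a simple defender-side check. The following is an added example, not code from the article or from eEye: it maps a day of the month to the worm’s phase, then runs over a handful of constructed outbound flow records to flag internal hosts that fan out to many distinct addresses on TCP port 80 during propagation days, which is the scanning pattern the article attributes to infected machines. The log format, the hosts and the threshold of four distinct destinations are assumptions for the sake of illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample flow records (not taken from the article):
# "<YYYY-MM-DD> <src_ip> <dst_ip> <dst_port>", one outbound connection per line.
# 10.0.0.5 fans out to five unrelated hosts on port 80; 10.0.0.8 looks like a normal client.
SAMPLE_FLOWS = """\
2001-07-19 10.0.0.5 198.51.100.7 80
2001-07-19 10.0.0.5 203.0.113.9 80
2001-07-19 10.0.0.5 192.0.2.44 80
2001-07-19 10.0.0.5 198.51.100.99 80
2001-07-19 10.0.0.5 203.0.113.150 80
2001-07-19 10.0.0.8 198.51.100.7 443
2001-07-19 10.0.0.8 198.51.100.7 80
2001-07-19 10.0.0.8 203.0.113.9 80
"""


def worm_mode(day_of_month):
    """Return the phase the article describes for a given day of the month."""
    if 1 <= day_of_month <= 19:
        return "propagation"   # random scanning of other hosts on TCP 80
    if 20 <= day_of_month <= 27:
        return "flood"         # denial-of-service against the embedded target address
    return "hibernation"       # inactive until the 1st of the next month


def parse_flows(text):
    """Parse the constructed flow format into (date, src, dst, port) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        day, src, dst, port = parts
        rows.append((date.fromisoformat(day), src, dst, int(port)))
    return rows


def find_scanners(flows, min_distinct=4):
    """Map each source host to the number of distinct port-80 destinations it contacted
    on propagation days, keeping only hosts at or above the assumed threshold."""
    targets = defaultdict(set)
    for day, src, dst, port in flows:
        if port == 80 and worm_mode(day.day) == "propagation":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_distinct}


if __name__ == "__main__":
    print(find_scanners(parse_flows(SAMPLE_FLOWS)))  # {'10.0.0.5': 5}
```

A host flagged this way is a candidate for the reboot-and-patch procedure the article gives, not proof of infection; legitimate crawlers and proxies also fan out on port 80 and need to be excluded.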

The first version of the worm, if it infects a Web server, also defaces the contents of a website with the words “Hello! Welcome to! Hacked by Chinese!”

The defaced page will stay in place for 10 hours, and then revert to normal. New variants do not deface websites hosted by infected computers, but are more apt to crash servers since they infect computers multiple times, eEye’s Maiffret said.

Microsoft’s “” site displayed that message for a few hours on June 20, an obvious sign that the company did not update all of its own servers with its own security patches.

Steve Lipner, head of Microsoft’s security response center, said the company is looking for new ways to distribute its security patches more efficiently.
