- The Washington Times - Tuesday, July 31, 2001

Government and technology officials warned organizations worldwide yesterday to protect themselves against a vicious computer worm that is expected to start tonight.
The "Code Red" worm, named for a favorite soft drink of computer programmers, has the potential to do more damage than previous computer attacks because it can slow global Internet traffic before issuing brutal attacks on file servers.
The worm, which first attacked last month, latches itself onto one server at the beginning of the month, then expands to every vulnerable system within 18 hours. Its reproduction could slow Internet traffic by at least half immediately. The worm then will start a massive attack on predetermined computers Aug. 19, flooding their systems and possibly crashing them.
"We are taking this worm very seriously. This worm is vicious in intent," Ron Dick, director of the Justice Department's National Infrastructure Protection Center, said at a packed news conference yesterday.
Computer security officials said they expect Code Red to start itself tonight by latching onto an unknown server through a security hole in Microsoft software and multiply itself through Aug. 19, when it will order a "denial-of-service" attack on a predetermined target. A denial-of-service attack essentially floods a system with information until it crashes.
The worm is expected to start at 8 p.m. EST, which is midnight Greenwich Mean Time Aug. 1.
The Code Red worm affects only Microsoft servers running Windows 2000 or NT software with Internet Information Server 4.0 or 5.0 enabled. Computer workstations and any computer running Windows 95, 98 or ME will not be affected.
So far, the only way to prevent the attack is to download a free software patch available on Microsoft Corp.'s Web site. Microsoft's Scott Culp said more than 100,000 copies of the patch had been downloaded.
Chris Rouland, a director with Internet Security Systems, an Atlanta company that has analyzed the worm, said that little else could be done to eliminate Code Red, which he expects to appear each month until the software patches are universally installed.
"This little guy will be around for a while," Mr. Rouland said.
Security experts know so much about the worm because of how it worked last month and because they can see the worm's code, which is lying dormant in computers. Because the worm attacks holes in software, the only way to guard against it is to patch the holes.
The FBI is working with Canada, Britain and Australia to fight the worm's spread. FBI legal attaches stationed overseas have sent the word to 46 other countries. Investigators don't know who wrote Code Red or where it started.
Members of government agencies including the National Coordinating Center for Telecommunications and the National Infrastructure Protection Center joined with the Internet Security Alliance and other security-related businesses to discuss the worm yesterday. The worm is a genuine threat to the well-being of the Internet, the groups said.
The Internet slowed 50 percent in some areas during the first attack of Code Red, and any larger decrease could cause applications to fail, Mr. Rouland said.
Code Red is a greater threat than recent destructive entities like the Love Bug and Melissa viruses because it has proved to slow the performance of the entire Internet, Mr. Rouland said. He added that the coding indicates that it was created by an experienced hacker.
Code Red first attacked July 19 and infected more than 250,000 systems in nine hours. It tried to attack the White House Web site, but officials quickly changed the site's Internet protocol address after a similar attack on the Pentagon's site. The Pentagon shut down its site briefly, after the worm defaced it with the words "Hacked By Chinese."
The worm goes through three stages each month. The first ranges from the first to the 19th, when it attempts to attach itself to a site to duplicate itself. From the 20th to the 27th, it enters its "flood mode" in which it starts a massive denial-of-service attack. The worm then goes dormant until the first day of the following month.
Computer security officials said they have no idea what the next target will be. The White House site is still a possibility, but security measures have been taken.
Unlike viruses, which often must be downloaded before they can infect a user's computer, a worm can spread across the Internet by searching for weaknesses and installing itself. In this instance, the worm takes advantage of a flaw found in Microsoft's Internet Information Services software, which is used on file servers. As a result, a worm can take full control of the server and eventually order denial-of-service attacks on predetermined targets.
"Worms are definitely a scarier proposition" than viruses, said Vincent Weafer, director of the AntiVirus Research Center at Symantec Corp., the Cupertino, Calif., manufacturer of Norton AntiVirus software. "They tend to be more insidious because they need less human interaction to spread than viruses."
William Glanz contributed to this report.
