- The Washington Times - Tuesday, August 7, 2001

A new worm spread yesterday to computers through the same hole in Microsoft Corp.'s software that hackers exploited last week using Code Red.
The worm named Code Red II by security specialists has little in common with its namesake, except that it attacks the same systems Code Red did and can be stopped by the same software patch.
The fast-spreading Code Red II infected an estimated 150,000 computers yesterday, though security specialists said it was difficult to know just how many systems fell victim to the new attack. More important, Code Red II left computers open to subsequent attacks from other intruders.
"This worm is definitely a lot more aggressive," said Elias Levy, chief technology officer at SecurityFocus.com, a San Mateo, Calif., computer security firm.
A worm is a self-propagating piece of destructive code.
The new worm, which started to circulate Saturday, targets systems running Microsoft's Windows 2000 software, but only if the system is installed with Internet Information Server 4.0 or 5.0. Code Red attacked servers running Windows 2000 or NT software.
There are about 6 million users of Internet Information Server.
One of the most alarming traits of Code Red II is the rate of speed at which it searches for vulnerable computers. It was spreading up to six times faster than Code Red, Mr. Levy said.
Each computer infected by Code Red II sends out 300 to 600 simultaneous attacks across the Internet searching for vulnerable computers. Code Red sent out no more than 100 simultaneous attacks.
But the number of computers infected by the newly discovered worm remained relatively low yesterday because many people downloaded software to protect them from Code Red. About 1 million freely available software patches were used by consumers, according to the FBI's National Infrastructure Protection Center.
That will prevent a massive outbreak of Code Red II, said Scott Blake, director of security strategies at Bindview Corp., a Houston computer security firm.
"All the media attention has helped mitigate the problem," Mr. Blake said.
Code Red has infected about 175,000 machines since Aug. 1, and it infected about 300,000 machines during its outbreak in July.
Despite all the warnings, Mr. Levy said it appears that about 70,000 people whose systems were infected by Code Red also got hit by the new worm because they failed to download the security patch.
Perhaps more alarming than the speed at which Code Red II propagated itself yesterday was its ability to leave computers vulnerable to future attacks by giving access to hackers through a "back door." If the entry isn't detected, hackers can scan for computers that have the new virus, enter them and load viruses onto them or steal data. The new worm will destroy itself after two days, but the back door remains in place.
"These machines are going to be pretty easy to attack," Mr. Blake said.
Matt Fearnow, an incident handler at Bethesda-based Systems Administrations, Networking and Security Institute, a computer security firm that worked with the FBI to monitor the progress of Code Red, said people connected to the Internet through high-speed cable modems appeared to be among those hardest hit by Code Red II.
The release of Code Red II soon after its namesake surprised few security experts.
"We've had quite a spate of attacks lately," Mr. Blake said. "It's probably because it's summer, school is out and the kids don't have anything to do."

Sign up for Daily Newsletters

Copyright © 2019 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times welcomes your comments on Spot.im, our third-party provider. Please read our Comment Policy before commenting.


Click to Read More and View Comments

Click to Hide