Code Red hits some Internet servers, threat remains
2nd August 2001 (Utusan Malaysia)

SINGAPORE Aug 2 - The Code Red worm had minimal impact on the flow of Internet traffic on Thursday, one day after reawakening to target tens of thousands of Web servers and the Pentagon's computer network.

There were few reports of worm infestation in Asia but computer security experts in the United States said it was still too early to assess the full impact of the revived bug this time round and predicted a fresh alert next month.

"We see no significant performance changes on either high- or low-bandwidth connections, or internationally," a statement from Internet performance monitoring firm Keynote Systems Inc said in the United States after assessing Wednesday's impact.

Code Red, named after a cherry-flavoured caffeinated soft drink favoured by programmers, first appeared on July 19 in certain Microsoft operating systems, went dormant on July 20 and was programmed to remain that way.

It began spreading again after midnight GMT on Tuesday as a result of incorrect clock settings on some infected computers and would continue infecting vulnerable computers and spreading until August 20, experts said.

"The worm has a full 19 days to sit here and propagate, which is twice as long as last time," said Marc Maiffret, chief hacking officer at eEye Digital Security of Waltham, Massachusetts. "In four days we'll have a better gauge of where this thing is going."

Computers running Windows 95, 98 and Me are not vulnerable to the worm. For infected computers, turning the machine off and then on gets rid of the worm but does not provide immunity from future infection. A free software patch is available at (http://www.digitalisland.net/codered/).

Computer security experts in the United States highlighted the potential dangers of the worm.

"This is already one of the largest automatic infections in the history of the Internet," said Alan Paller of the System Administration, Networking and Security Institute in Maryland.

The worm disturbed the Pentagon's computer networks on Wednesday and officials predicted it could eventually infect as many systems as it did in its first outbreak in July.

"The worm is an ugly thing," US Army Major Barry Venable said in a telephone interview from Colorado Springs. "Here at DoD (Department of Defence), we've observed several disturbances to our networks as a result of this thing working on the Internet, but we've seen no significant degradation to DoD."

Overall, an estimated 80,000 Web servers were infected in the first day of the worm's renewed attack, according to Roman Danyliw, an Internet security analyst at the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

That was slower than the first outbreak, when Code Red hit an estimated 250,000 to 300,000 Web servers in less than a day.

CERT said it had detected increasing "scanning" by Code Red over the Internet, "the first phase of its attack cycle in which it scans random IP addresses for systems to compromise".

"We're probably going to see this worm again next month because of the cycle of the worm, coupled with the fact that there's lots of machines on the Internet that have their clocks set incorrectly," said Danyliw.

As the worldwide alert went into a second day, Japan's IT security office said it had still received no reports of problems from the worm in any central government computers.

"We can't necessarily say we are completely in the clear and are still monitoring the situation, but we have yet to receive any reports of problems," one official said.

A spokeswoman at Trend Micro in Japan, a leading authority on anti-virus software, said that it had received no reports of damage due to Code Red. "It appears to be more linked to servers that operate in English," she said.

It was the same story in China, where the great majority of computers have Chinese-language operating systems, and Hong Kong.

"No users have reported it to us and we haven't received any reports from our members," said a spokeswoman for China's state-run Computer Virus Treatment Centre which counts more than 20 software companies among its members.

But Malaysia's official Bernama news agency reported some Code Red attacks at government ministries and departments. "They can be contained," it quoted Energy, Communications and Multimedia Minister Leo Moggie as saying.

Security experts said that despite hyped headlines, no one had anticipated a major catastrophe.

"I think a lot of people learned their lessons" and installed patches, said Mike Corby, vice president of global security practice at Netigy Corp, an Internet performance and security firm in San Jose, California.

"It is going to be something that's a slow burn," Vincent Weafer, director of Symantec Corp's antivirus research centre, predicted. "We will see increasing impact on traffic, but nothing that will block e-commerce or major sites."

Experts said it was too early to sound an all-clear.

"We can't predict this kind of stuff, there are too many factors," said Bruce Schneier, chief technology officer of monitoring firm Counterpane Internet Security. "There are too many things we can't model."

The origin of the Code Red worm remains unclear. One of the known variants of the malicious program has defaced Web sites with the message "Hacked by Chinese!" but the Chinese government and others have said the worm probably did not come from China. - Reuters