FAQ: The Code Red threat

CNET News.com answers common questions about the Code Red worm.

CNET News staff
When will the Code Red worm strike?
The worm became active at 5 p.m. PDT Tuesday, potentially launching a new round of infections that could slow parts of the Internet.

What is Code Red?
Named after a caffeinated soft drink favored by computer programmers, the Code Red worm exploits a hole in Microsoft's Internet Information Server (IIS) Web server software. Starting on July 13 it may have infected more than 350,000 servers worldwide, and those infected servers then launched a massive denial-of-service (DoS) attack against the White House's official Web site.

The most recent version of the worm fixes a flaw in the way it generates the addresses it scans: the original copies all probed the same list of servers, whereas the new version spreads its search across the Net. That means the worm could be more virulent as it returns to action Tuesday, launching a data flood that could potentially overwhelm many servers and slow large swaths of the Internet.

Should everyone be worried about an infection?
No. If you are a home computer user running Windows 95, Windows 98 or Windows Me--or any non-Microsoft operating system--the worm cannot infect your system. Only computers running Windows NT or Windows 2000 with the IIS Web server installed can be infected with this worm. The worm doesn't destroy data, but it could be modified to do so. Only computers set to use the English language will have their Web pages defaced.

Code Red can also disrupt smaller networks by triggering a separate flaw in Cisco Systems' 600 series DSL routers: the worm's probe requests can cause the router to stop forwarding traffic until it is rebooted.

Although it won't infect home computers, users may experience delays or malfunctioning of their favorite Web sites because of worm-generated surges in Internet traffic. Because of that and the danger it poses to Microsoft Web servers, Microsoft, federal security agencies and trade groups hosted a globally televised press conference Monday to urge businesses to install a software patch that prevents infection.

Is there a particular target of the DoS attacks?
Yes. From the 20th of each month until the 28th, the worm targets an IP address formerly associated with the White House Web site, flooding it with data in an attempt to knock it offline.

The White House took precautions against it, changing its numerical Internet address to dodge the attack. Last week, the Pentagon shut down public access to all of its Web sites temporarily to purge and protect them. But security experts say virus writers could easily alter the worm so it could attack another address.

If most people are safe, why are the media, Microsoft and the government making such a big deal of it?
Rob Rosenberger, editor of the Vmyths.com news service, said the FBI's new National Infrastructure Protection Center has over-hyped the worm to boost its public profile, in the process prompting many people unaffected by the worm to waste time trying to download and install patches.

"Vmyths.com believes they launched a 'Code Red publicity tour' largely to improve their image," Rosenberger said of the FBI. "They suffered intense humiliation last week when (NIPC) Director Ron Dick faced an irate Senate subcommittee."

Why is the worm coming back?
Code Red remains active between the first of the month and the 28th, when it goes into hibernation. The worm does not reactivate itself automatically, but anyone sending a copy of the worm to a vulnerable server once the active period begins--in this case at midnight GMT Aug. 1, or 5 p.m. PDT Tuesday--would start a new round of infections. Those newly infected servers would then switch to attack mode on the 20th and barrage the address formerly used by the whitehouse.gov domain with large packets of data.
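The following is an added example, not code from the CNET article: a small Python script that scans constructed IIS-style log lines for the worm's scanning request, labels each hit with the phase the worm would be in on that date (spreading, attacking or dormant, per the schedule described above), and converts the midnight GMT reactivation time into a local zone. The request signature (a GET for /default.ida with a long filler run followed by %u-encoded bytes) is taken from contemporaneous public analyses of the worm rather than from this page; the log format, client addresses and the 40-character filler threshold are assumptions made for the shortened sample.

```python
import re
from datetime import date, datetime, timedelta, timezone

# Constructed log lines in a simplified W3C-style layout:
#   date time client method url status
# The worm's real request carried a much longer filler run; the sample is
# shortened and the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = "\n".join([
    "2001-07-19 10:15:02 10.0.0.7 GET /index.html 200",
    "2001-07-19 10:15:09 192.0.2.44 GET /default.ida?"
    + "N" * 60 + "%u9090%u6858%ucbd3%u7801=a 404",
    "2001-08-01 00:03:17 198.51.100.9 GET /default.ida?"
    + "X" * 60 + "%u9090%u6858%ucbd3%u7801=a 404",
    "2001-08-22 14:40:51 10.0.0.7 GET /about.html 200",
])

# Signature assumption: /default.ida followed by at least 40 repeated filler
# characters ('N' in the first variants, 'X' in a later one) and %u encoding.
PROBE_RE = re.compile(
    r"GET\s+/default\.ida\?(?:N{40,}|X{40,}).*?%u[0-9a-f]{4}", re.I
)


def worm_phase(day: date) -> str:
    """Code Red's built-in calendar as the article describes it: spread on
    days 1-19, flood the target on days 20-27, sleep from the 28th on."""
    if day.day < 20:
        return "propagate"
    if day.day < 28:
        return "attack"
    return "dormant"


def parse_line(line: str):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 6:
        return None
    return {
        "date": datetime.strptime(parts[0], "%Y-%m-%d").date(),
        "client": parts[2],
        "request": f"{parts[3]} {parts[4]}",
        "status": parts[5],
    }


def find_probes(log_text: str):
    """Return every record whose request matches the worm's probe signature,
    tagged with the phase the worm was in on that date."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["request"]):
            rec["phase"] = worm_phase(rec["date"])
            hits.append(rec)
    return hits


def likely_infected_clients(hits):
    """A client that sends the probe is itself a compromised IIS server,
    because the worm only spreads from machines it has already infected."""
    return sorted({h["client"] for h in hits})


def reactivation_local(utc_offset_hours: int) -> datetime:
    """Midnight GMT on Aug. 1, 2001 (the article's restart time) expressed in
    a zone given as a whole-hour UTC offset, e.g. -7 for PDT."""
    utc_midnight = datetime(2001, 8, 1, 0, 0, tzinfo=timezone.utc)
    return utc_midnight.astimezone(timezone(timedelta(hours=utc_offset_hours)))


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['date']} {hit['client']} probe ({hit['phase']} phase)")
    print("infected clients:", likely_infected_clients(find_probes(SAMPLE_LOG)))
    print("restart in PDT:", reactivation_local(-7).strftime("%a %Y-%m-%d %H:%M"))
```

The second sample hit lands on Aug. 1, the first day of a new active period, which is exactly the situation the article warns about: a probe arriving then means some server has already been re-infected and will join the flood on the 20th. Note that the matching is done on the request string, so it flags probes against any Web server, not only IIS; the status code is irrelevant to detection.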

Who created the worm?
It's unclear. At first, officials suspected that the worm originated in China because some infected Web sites were defaced with the message, "Hacked by Chinese." But a Chinese network safety official denied those allegations on Tuesday.

Whose fault is it?
Many people blame Microsoft, whose server software contains the vulnerability that enables Code Red to infect servers. Microsoft has also been criticized for enabling other worms, such as those that spread through its Outlook e-mail software by exploiting its support for Visual Basic scripting. Last month Microsoft botched, and apologized for, two patches for a flaw in its Exchange e-mail server software.

Can anyone stop the worm?
Maybe. Security experts could create an automated patching worm, which would spread around the Net and infect vulnerable machines to install the patch. Another idea is an automated program that--when attacked by a server infected with the worm--would attack back, hacking the server, deleting the worm and closing the hole. Such code is called "hack-back."

But the ethics of the hack-back approach are murky. Security expert and hacker Max Butler, also known as Max Vision, started an 18-month prison term last month for creating a worm that essentially closed security holes on vulnerable servers. The worm also left an open back door into the servers, casting doubt on Butler's altruistic intentions.

The FBI has dismissed using any hack-back tactic as well. "It is not something that we could consider," said spokeswoman Debbie Weierman. "It would basically be viewed as an unauthorized intrusion."

What has the tech industry learned from this worm and several other high-profile worms in recent months?
Many security experts are questioning the whole approach of expecting software customers to download and install fixes to prevent a particular issue--also known as the "patch and pray" technique.

Instead of fixing buggy software, the focus should be on locking down computer systems to prevent activity that could be compromising, said Randy Sandone, CEO of security software maker Argus Systems Group.

Christopher W. Klaus, founder of software and services company Internet Security Systems, advocates an approach called "vulnerability scanning" that routinely examines computer systems for possible security threats.