Code Red still threatens Net

Researchers worry that computers infected by the Code Red worm, which continues to slowly spread, could be used as a ready army for a cyberattack.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

May 6, 2002 7:33 a.m. PT

3 min read

VANCOUVER, British Columbia--Security researchers presented data on Friday indicating that Code Red version 2, a 9-month-old worm, continues to spread slowly across the Internet, compromising computers and leaving them easily accessible to malicious attackers.

At present, more than 18,000 systems appear to be infected and, with a simple command, could be co-opted into an attack that could take down any Web site, said Dug Song, a hacker and security architect for network protection firm Arbor Networks. Song was speaking at the CanSecWest security conference here.

"We are mostly concerned with the potential for a major distributed denial-of-service (DDoS) attack using the Code Red servers," Song said. A DDoS attack uses many computers to send a flood of data at a single target, overwhelming the victim's connection, effectively cutting the victim off from the Internet.

Song presented the results of Arbor Networks' seven months of monitoring a large portion of the Internet. Code Red version 2--a variant of the original Code Red worm that fixed a bug in the program's infection routines--has infected more than 18,000 computers as of April, up from around 14,000 computers in December, Song said.

Code Red and its two variants use a security hole in Microsoft's flagship Web server--the Internet Information Server--to spread to computers that don't have the vulnerability patched. As servers are infected with Code Red, the worm then scans the Internet using specially formatted data, searching for more vulnerable servers.

The original Code Red had spread slowly--until the modification--and then flooded the Internet, reaching more than 350,000 servers in less than 24 hours, according to data collected by the Cooperative Association of Internet Data Analysis.

Computer security response teams succeeded in stemming the tide, but weren't able to eradicate the worm, Song said. In total, Arbor has found more than 5 million unique Internet addresses that appear to have been infected with Code Red in the past six months and another 1.7 million that have been infected with Nimda.

Today, Arbor's monitoring system still receives nearly 30 probes by infected Code Red servers every minute, Song said. Nimda, a worm that struck a month after Code Red and borrowed several of its tricks, has also stuck around but appears to be slowly disappearing. The original Code Red, and the third variant known confusingly as Code Red II, have both seemingly died off.

Alfred Huger, vice president of engineering at vulnerability information firm SecurityFocus, said the company's own monitoring system also continues to detect both Nimda and Code Red.

Huger shares Song's concern that the infected machines can be used as a made-to-order attack network for malicious hackers.

"Having that many compromised machines...They are just begging to be used in an attack," Huger said.

Online vandals, even those without much technical knowledge, could listen to the "noise" on the Internet, collecting a list of infected machines attempting to send data to their computers. Then attackers would use that list and send a simple command to each Code Red-infected computer, and the security-compromised system would do their bidding.

Solving the problem is not easy, Song said.

"If we try to shut down the systems, when they are turned on, they will just start spreading the worm all over," Song said.