The self-propagating worm infected an estimated 975,000 servers in July and August 2001. But representatives of eEye Digital Security, which discovered the flaw in Microsoft's Internet Information Server (IIS) exploited by the worm, say the FBI should have been more proactive in warning people about a "test" version of the worm to which it was alerted in April.
"Had the FBI been more vigilant in its warnings, Code Red would have had less of an impact than it did," said Mark Jones, U.K. manager of eEye Digital.
FBI representatives could not immediately be reached for comment.
The FBI's National Infrastructure Protection Center (NIPC) had received earlier reports of a Code Red-like worm that affected a buffer overflow vulnerability in Microsoft IIS 4. It is now thought that this was a test version, as the more virulent Code Red was adapted to target a similar hole in the more widely used IIS 5 servers.
In a buffer overflow, an attacker floods a field, typically an address bar, with more characters than it can accommodate. The excess characters in some cases can be run as "executable" code, effectively giving the attacker control of the computer without being constrained by security measures.
The earlier worm also propagated in a manner similar to Code Red, by infecting a random list of Internet addresses and then resetting itself to attack the same machines again.
"The mechanism that the initial worm used to spread was exactly the same mechanism that was used by Code Red," Jones said. "If we had had access to the methodology used in the previous worm, we would have been able to decode Code Red sooner."
According to eEye, six days were lost investigating Code Red as a result of the delay.
Sandia National Laboratories spotted the initial worm on its systems in February, March and May 2001. It handed over complete logs of the worm's activity as well as a copy of the malicious code to the NIPC in April, but the FBI ignored the warnings. It said it decided against publicizing the worm on the basis that the Computer Emergency Response Team at Carnegie Mellon University had posted a report of the vulnerability when it was first detected in June 1999.
"It is key that the NIPC didn't publicize how the worm's methods were proliferating across machines," Jones said.
It is suspected that the two worms were written by the same person, but eEye would not confirm this without a full investigation into the matter.
Staff writer Wendy McAullife reported from London.