'Code Red' Creeping Worldwide
By Nicole C. Wong
The "Code Red" computer worm began spreading to systems around the world yesterday, infecting tens of thousands of machines, clogging some Internet traffic and forcing the Pentagon to shut down select military Web sites in a replay of a similar attack a month ago.
By early yesterday evening, nearly 150,000 Internet-connected computers had been infected with the worm, according to the Sans Institute, a computer security think tank that is monitoring the outbreak.
About 280,000 computers were affected the first time the worm circulated in July, but Internet security experts said many companies had taken precautions to avoid a reoccurrence this month and they were hopeful the impact would be less than before.
Only computer systems running Microsoft Windows 2000 or Windows NT 4.0 along with Microsoft Internet Information Server versions 4.0 or 5.0 are vulnerable to the worm, which takes advantage of a flaw in the software. Microsoft Corp. has developed a free patch and said more than 1 million users had downloaded a copy. There are more than 6 million computers that run on the affected operating systems. Most home computers are not vulnerable.
"The ferocity with which new machines are being infected is beginning to subside. Most likely people are applying the patch, so they're doing all the right things," said Roman Danyliw, Internet security analyst for Carnegie Mellon University's Computer Emergency Response Team.
Pentagon officials said they had installed patches on many computers. Officials took some Web sites off line to continue the work, taking the same precautions the military followed the first time the worm circulated.
The worm travels the Internet by placing software code on unprotected business computers that then send the worm on to other machines -- typically targeting the powerful computer servers that act as hubs for many computer networks. As the worm circulates it can slow other Internet traffic; the worm itself also instructs affected computers to flood certain Web sites with requests for data, overwhelming them so legitimate users cannot get through.
The first 20 servers struck by Code Red in this round were located in the United States, the United Kingdom, Russia, China and Taiwan, according to the Sans Institute. The Computer Emergency Response Team, which is collecting data on the worm, declined to disclose which private or government servers have been affected.
The attack follows widespread warnings by government and industry leaders on Monday that urged businesses and organizations to take precautions.
Dave McCurdy, executive director of the Internet Security Alliance, said he was optimistic that many had heeded the warnings but said it was too early to tell how widespread the problem would be.
"It's like an election: early returns," McCurdy said. "There's always a risk of making predictions, just as we saw in Florida with the presidential [election]. We're not declaring a winner here, but we're saying that when you look at the early samples, it's not as bad as it was on the 19th, which is good news."
Authorities do not know who launched the worm, which originally targeted the White House's Web site. The White House dodged the attack by changing its numerical Web address, but other sites were forced to shut down and were defaced with the words "Hacked by Chinese."
McCurdy said this aggressive worm appears to be the beginning of "an ominous trend."
"There will be copycats. There will be more malicious versions," he said. "If you look at the trends with regard to Internet attacks, I think the conclusions are obvious -- that there's no such thing as Internet security."
© Copyright 2001 The Washington Post Company