Two Days in the Life of a Worm
"On July 19, 2001, more than 359,000 computers were infected with the Code Red worm in less than 14 hours," says David Moore of the Cooperative Association for Internet Analysis. "At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute." Forty-three percent of all infected hosts were in the U.S., he adds. The traffic jam generated by so many computers attempting to co-opt other machines began to overload the capacity of the Net in the U.S. By midafternoon that day, the Global Internet Storm Center at incidents.org, the computer security industry's watchdog for Internet health, was reporting orange alert status, one step below its most dire condition, red alert, which signals total meltdown.
Then, at midnight, all Code Red zombies quit searching for new victims. Instead the horde of enthralled computers all focused on flooding one of the servers that hosts the White House Web site with junk connections, threatening its shutdown. "The White House essentially turned off one of its two DNS servers, saying that any requests to whitehouse.gov should be rerouted to the other server," says Jimmy Kuo, a Network Associates' McAfee fellow who assisted the White House in finding a solution ("White House Dodges Massive DDoS," Shawna McAlearney, Security Wire Digest, Vol. 3, No. 58, July 26, 2001). Luckily, Code Red couldn't cope with the newly altered address and waged war on the inactive site. "The public didn't notice anything because any requests went to the other server," Kuo says.
By the end of Friday, July 20, Code Red had directed all of its remotely controlled thralls to go to sleep. But that might not be the end of the onslaught, for the zombies are expected to reawaken on Wednesday, August 1, and start causing havoc once more. "We believe the worm will begin propagating again on August 1, 2001, 0:00 GMT," warns the Computer Emergency Response Team (CERT) at Carnegie Mellon University, a federally funded Web watchdog organization. "Because the worm propagates very quickly, it is likely that nearly all vulnerable systems will be compromised by August 2." Fearing that occurrence, Web security volunteers are now sorting through logs to identify the infected parties, contacting their owners and providing instructions for how to release them from their secret spell.
If the hundreds of thousands of Code Red zombies can be fixed, is the problem solved? Maybe not. Code Red spread by taking advantage of a "hole," or weakness in the security system, of Microsoft's IIS. Estimates by Netcraft, an Internet consultancy based in Bath, England (http://netcraft.com), indicate that some 20 percent of all Internet Web servers run on IIS. As that site tracks some 28 million Web sites, the implication is that there are at least four million vulnerable IIS servers out there. A computer infected by Code Red uses a "GET" command (what you normally type into the location window of your Web browser) to inject an infected file into every Web server it finds. If the target server was running the vulnerable IIS, Code Red successfully zombified the victim. (Because home computers typically use the Microsoft Personal Web Server, most users are safe from Code Red.)
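One way a volunteer could pull probable infected hosts out of a Web server's access log, as an added example that is not part of the original article: it flags source hosts that send GET requests with an unusually long target, on the premise stated above that the worm delivers its payload through the GET request. The log lines, the 256-character threshold and the padding pattern are constructed assumptions for illustration, not the worm's actual request.

```python
import re
from collections import Counter

# Common Log Format: host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+$'
)

# Assumed threshold: ordinary page requests are a few dozen characters,
# while a request line carrying an injected payload is far longer.
LONG_TARGET = 256


def parse_clf_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspect_hosts(log_text, min_target_len=LONG_TARGET):
    """Count, per source host, GET requests whose target is abnormally long.

    Hosts that repeatedly send oversized GETs are the ones to pull from the
    log and contact for cleanup; ordinary traffic and unparseable lines are skipped.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_clf_line(line)
        if rec is None:
            continue  # tolerate truncated or foreign lines in the log
        if rec["method"] == "GET" and len(rec["target"]) >= min_target_len:
            hits[rec["host"]] += 1
    return hits


# Constructed sample log (not from the article): two ordinary visitors and one
# host that hits the server twice with an oversized request target.
_PAD = "X" * 300
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [19/Jul/2001:13:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.23 - - [19/Jul/2001:13:02:14 +0000] "GET /page.ext?' + _PAD + ' HTTP/1.0" 404 302',
    '203.0.113.9 - - [19/Jul/2001:13:02:20 +0000] "POST /form.cgi HTTP/1.0" 200 77',
    '198.51.100.23 - - [19/Jul/2001:13:03:01 +0000] "GET /page.ext?' + _PAD + ' HTTP/1.0" 404 302',
    'garbage line that does not parse',
])

if __name__ == "__main__":
    for host, n in find_suspect_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {n} oversized GET request(s); contact the owner for cleanup")
```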
The first version of Code Red (CRv1) spread slowly, taking over only some 10,000 servers before it was discovered on July 17. Each CRv1 zombie hosting an English language Web site defaced it with the message: "Hacked by Chinese." This announcement, however, should not necessarily be taken at face value. The message suggests that Code Red may have been yet another outbreak of the U.S. vs. China hacker war that broke out after the April 1 collision between an American spy plane and a Chinese fighter.
According to the official Chinese publication People's Daily, "Soon after the mid-air collision was an all-out offensive on Chinese websites by U.S. hackers.... By the end of April over 600 Chinese websites had come under fire or totally broke down.... Many hackers' organizations known as China Honkers Union and Hackers Union of China promptly responded in an all-out cyberwar against their U.S. counterparts May 1 to 7." Clearly People's Daily was eager for China to take credit for attacks through May 7. But it has been silent on Code Red.