A day after it threatened to grind the Internet to a standstill, Code Red had been downgraded to caution yellow.
According to warnings from Microsoft Corp. and government agencies around the world, the Code Red worm was itching to glut the Internet by spreading wildly Tuesday at 8:00
Jim Harlick, assistant deputy minister for the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP), an arm of Canada’s Department of National Defence, said the worm is still around and still propagating. But its effects have been limited since Tuesday evening, in part because of vigilant efforts of the Internet community.
“It certainly didn’t happen the way we feared,” Harlick said. “There are indications the worm is still there. (But) in terms of the feared impact on the Internet, it has not had that. We’re breathing a little easier.”
Warnings from a number of American security agencies suggest the danger of infection is still very real, however. On Wednesday, the Computer Emergency Response Team (CERT) at Carnegie Mellon University reported increasing Code Red scanning activity.
“This is indicative of the first phase of operation for the worm, in which it scans random IP addresses for systems to compromise,” read a release on CERT’s Web site. “These reports indicate that the number of compromised systems is increasing exponentially.”
The worm, thought to have been first unleashed in the middle part of July, infected 250,000 users on July 19th alone. On Wednesday, the Washington-based National Infrastructure Protection Center said the worm was expected to match that level of infection by Wednesday afternoon.
Code Red works on a monthly cycle, spreading from the first to the 19th of the month, launching denial-of-service attacks against an IP address imbedded in the worm’s code between the 20th and 27th, and then hibernating before beginning the cycle again on the first day of the next month. The denial-of-service target in July was the White House’s Web site, which reportedly avoided the attack by switching its IP address.
Harlick said the danger posed by Code Red would increase dramatically should the worm mutate. While the current worm does not do any damage to infected systems, future versions could be more malicious. Three variants of the worm have so far been identified. The first loudly called attention to itself by defacing infected Web sites with the words “Hacked By Chinese,” while subsequent versions of the worm have invaded unannounced. The origin of the worm has yet to be confirmed.
The Code Red worm works by seeking out a vulnerability in Microsoft’s Internet Information Server (IIS) that Microsoft made public in mid-June. Anyone running both IIS (4.0 or 5.0) and Windows NT or Windows 2000 is susceptible to the Code Red worm. Once present on the newly-infected system, the worm seeks out other unprotected systems and so on. Unlike viruses, worms do not need to infect files in order to spread.
On Monday representatives from Microsoft and United States security agencies held an emergency press conference urging vulnerable users to download a patch available from the software giant. Ronald Dick, director of the National Infrastructure Protection Center (NIPC), labeled the act of downloading the patch “a civic duty.”
As of Wednesday morning, one million users had already downloaded the patch, according to Harlick. David Woelfle, EDS Canada’s chief architect for core infrastructure, said blanket news coverage influenced people to download the patch, reducing the worm’s damage this time around.
“It was like the Y2K transition,” Woelfle said. “Everybody had done their homework.”
Harlick said he expects Code Red to fade from the news unless there is a spike in the rate of infection, but he added the worm’s legacy will live on.
“What won’t fade are the lessons learned. I take the million downloads as the result of a greater level of awareness of the need to keep up with security patches,” Harlick said. “If (Code Red) had been successful, it could have affected general Internet functions. That brings a greater appreciation to people that this is a platform we use with some risk.”
An Ipsos-Reid poll released in May shows Canadians were quite wary of viruses and worms before Code Red. The poll reported 46 per cent of Internet users in Canada have been hit with a virus and a full 78 per cent of users fear getting one.
Harlick gave mixed reviews to Microsoft – criticism for not taking the time to make more robust products and credit for taking a lead role in publicizing the situation.