Microsoft Corp. and several Internet security organizations Monday warned of the second coming of a malicious worm and urged vulnerable users to download a security patch before Tuesday evening.
The group, which included representatives from the National Infrastructure Protection Center (NIPC), the Federal Computer Incident Center (FedCIRC) and the Partnership for Critical Infrastructure Security, said the Code Red worm has the potential to seriously disrupt the functioning of the Internet.
“What makes this one different is how dramatically it is able to propagate itself,” Ronald Dick, director of the NIPC, said from Washington. “On the Internet we are all connected.”
Unlike viruses, worms do not need to infect files in order to spread. The Code Red worm works by seeking out a vulnerability in Microsoft’s Internet Information Server (IIS) that Microsoft made public in mid-June. Anyone running both IIS (4.0 or 5.0) and Windows NT or Windows 2000 is susceptible to the Code Red worm. Once present on the newly-infected system, the worm seeks out other unprotected systems and so on.
To date, the Code Red worm has infected an estimated 300,000 users, including 250,000 during nine hours on July 19, according to a release issued by Microsoft and the security organizations.
The Code Red worm is likely start spreading again on July 31st at 8:00 pm EDT. The worm works on monthly cycle, spreading itself from the first to the 19th of the month, launching denial-of-service attacks against an IP address imbedded in the worm’s code between the 20th and 27th, and then hibernating before beginning the cycle again on the first day of the next month.
The targeted IP address in July was the White House’s Web site, which reportedly avoided the attack by switching its IP address.
Kenneth Watson, president of the Partnership for Critical Infrastructure Security, said the worm’s new variant aims to establish zombie servers for large-scale denial of service attacks.
“This worm is vicious in intent,” he said.
In order to protect their systems and those of others, computer users need to download one of two patches, one for Windows 2000 users and one for Windows NT version 4.0 users, available free from Microsoft. Dick labeled the act of downloading the patch “a civic duty.”
He added the Code Red worm highlights the need for all citizens to become familiar with computer security.
“Just as all living things are vulnerable to malicious activity, so are computers,” Dick said. “Security on the Internet is not just for computer experts, but for the public at large.”
Scott Culp, program manager for Microsoft’s security response centre, said hundreds of thousands of users have already downloaded the security patch. He added that many more users have potentially installed the patch, as one administrator can download the patch and distribute it to thousands of users.
The Code Red worm, named after the highly-caffeinated soft-drink workers at Aliso Viejo, CA-based Eeye Digital Security drank while deciphering the worm in mid-July, has apparently not done much damage in Canada to date.
Chuck Wilmink, director of the Vancouver-based Canadian Centre for Information Technology Security, said there were no confirmed local reports of Code Red Infection. Ray Nicholl, chief technical officer for ASG Technologies of Fredericton, reported only a pair of local calls concerning the Code Red Worm.
