Code Red wakes up with a whimper

The Code Red worm emerged from its slumber Tuesday night to begin a second wave of attacks on the Internet. Security experts said it could be days before the extent of any damage is known, but there were early signs that efforts to avert a much-talked-about meltdown of the Internet had been successful.

“We haven’t seen much overall impact,” said Keith Peer, president and CEO of Medina, Ohio-based computer security firm Central Command Inc. “There have been a few thousand infections (of servers) that we’re aware of … but nowhere near the catastrophic levels that had been predicted.”

Matrix.Net Inc., an Austin, Texas-based company that offers products for measuring Web performance, also was optimistic.

“Right now our graphs are not showing any change in latency, packet loss or reachability across the Internet as a whole,” said Joi Chevalier, a Matrix.Net marketing manager, about two hours after the worm relaunched itself. “It looks pretty quiet out there.”

In fact, popular Web sites in Canada, the United States, Europe and Asia could be accessed as normal late Tuesday night, suggesting the worst fears had yet to materialize.

Code Red exploits a security hole in versions 4.0 and 5.0 of Microsoft Corp.’s Internet Information Server, which is included with Windows 2000 and Windows NT 4.0 and is widely used to run Web sites. It made headlines last month when it infected more than 250,000 servers in 9 hours on July 19, defacing many of them with graffiti and launching a “denial of service” attack that slowed the Internet and disabled the White House Web site.

The program has a built-in timer that caused it to relaunch itself when the clocks ticked past midnight Greenwich Mean Time Wednesday (8 p.m. Tuesday in New York or 9 a.m. Wednesday in Tokyo). The Federal Bureau of Investigation’s National Infrastructure Protection Center, along with Microsoft and several other security groups, urged businesses worldwide Monday to install a free patch from Microsoft that fixes the hole. Failure to do so could allow the worm to propagate and clog the Internet to a crawl, they warned.

Users don’t have a glowing reputation for installing patches quickly, but Monday’s unusual press conference may have spurred them to action and helped avert a crisis. A Microsoft spokeswoman said Tuesday that more than one million copies of the patch had been downloaded since the security hole was discovered in June. About 200,000 of those downloads occurred over a 24-hour period starting Sunday afternoon, said David Radoff, a spokesman for Digital Island Inc., which hosts the Web site for Microsoft where the patch is available.

That rate had increased as much as fivefold Tuesday, he said, suggesting that as many as one million additional copies of the patch may have been downloaded by the end of the day. An estimated six million servers worldwide run Microsoft’s Internet Information Server. Microsoft said the number of downloads doesn’t necessarily correspond to the number of servers that have been fixed, since some administrators may have downloaded the patch once and applied it to several servers.

On the other hand, some home users may have downloaded the patch in error, thinking they needed it for their home PCs.

“We got calls from home users running Windows 98 who were trying to download the patch and said it’s not working,” said Marc Maiffret, chief hacking officer at eEye Digital Security Inc., who is credited with identifying the worm. Code Red doesn’t attack computers running Windows 95, 98 or ME, and home users are unlikely to be affected unless performance of the Web slows.

Maiffret noted that a variant of the worm identified last week does not deface Web sites, making it harder for companies to know when they have been affected. It also scans the Web more efficiently for unprotected servers, making it potentially far more virile.

That’s partly what prompted government officials to issue their dire warnings Monday that the worm poses “a serious and continued threat to Internet users.” They feared that when the worm re-awoke it would spread rapidly, scanning the Internet for unprotected servers and in the process flooding the Web with unwanted packets of data, causing it to slow.

If that were to happen it is likely it would have become apparent “a couple of hours” after the worm re-awoke, Maiffret said. That didn’t appear to be the case late Tuesday evening.

Perhaps more damaging, the worm is also programmed to launch another denial of service attack August 20. Such attacks flood a Web site with fake requests for data, causing the site to grind to a halt or crash. The target earlier this month was the White House Web site at, but a version of the worm may have been adapted to launch attacks at other popular Web sites that may not be prepared to defend themselves, said Russ Cooper, surgeon general of TruSecure Corp. and editor of the security e-mail list NTBugtraq.

Cooper said it would probably be well into Wednesday before the extent of any damage can be assessed properly. “It’ll take that long to do its work,” he said. “Remember, it’s starting from scratch again.”

If the worm does manage to identify hundreds of thousands of unprotected servers, as it did July 19, it could have a noticeable impact on the performance of the Internet, said Peter Salus, Matrix.Net’s chief knowledge officer. The slowdown would be most apparent to people who use applications that are heavy on graphics and other data, such as online games or bulk file transfers, he said.

However, Salus said he thinks it unlikely the disruption will be widespread, in part because administrators appear to have patched their servers just in time. “I feel that by and large this will not be noticeable to most people except for a few things that may be specifically targeted, like was targeted last time.”

Network Associates Inc. said it had completed a scan of more than 20,000 systems on the Internet earlier Tuesday, and discovered that 1,230 of them remained unprotected against Code Red.

Ravi Venkatesam, vice-president of operations at Atesto Technologies, another Web performance monitoring company in Fremont, Calif., agreed.

“How much effect it will have depends on how many servers are still not patched,” he said. “I feel most large corporations would have already taken care of this.”

There were no indications Tuesday that the FBI or law enforcement groups overseas with which it is working in concert had come any closer to finding the author of Code Red.

“My guess is, like so many of the disruptive things on the Internet over the last three or four years, this is almost a teenage prank kind of thing,” said Salus of Matrix.Net. “There are a lot of bright kids out there; unfortunately some of them are bored.”

Microsoft’s patch is available at

The National Infrastructure Protection Center’s advisory about Code Red is on the Web at