Prepare for Code Red

Although most mission-critical servers and systems are safe for now, tonight’s expected reawakening of the Code Red Internet Worm highlights the need for more aggressive defenses, say Canadian e-security experts.

Describing the self-propagating worm as “a real and present threat to the Internet,” a number of U.S. government and private organizations (including the FBI) said in a joint alert that Code Red is likely to start spreading again at 8 p.m. EDT Tuesday and that it has mutated so that it “may be even more dangerous.”

In a snap news conference late Monday afternoon, Vincent Gullotto, Calif.-based director of McAfee AVERT Labs, said that once Code Red starts to spread exponentially through unprotected systems, the Internet could experience a “dramatic slowdown”, resulting in multi-million-dollar losses for e-commerce enterprises. The volume of traffic launched by the worm could also cause some public servers and ISPs to crash, he said.

However, there is no data-loss threat to companies that have installed the free Microsoft anti-Code Red patch, said Aidan Fisher, president of Ottawa-based Sensible Security Solutions Inc. (SSS). He also noted that thanks to early implementation of counter-measures, “very few” of the 747,000 users supported by SSS across Canada reported any problems.

“Because of the type of worm [Code Red] is, and because of how it manipulates the vulnerability (in the servers), if their buffer is fixed our customers should not be too concerned. There hasn’t been a lot of concern (about the new alert), but we’ve been receiving calls from a lot of people, making sure their security is in place,” Fisher said.

Among those that have expressed concern are banks, federal and provincial governments, large industry and universities, Fisher added.

The worm scans the Internet for vulnerable systems and infects them by installing itself. Once it is resident on a server, it uses that server to scan the Internet for other vulnerable servers and infects those in turn. In the first nine hours of its outbreak on July 19, Code Red infected more than 250,000 systems, according to the U.S.-based Computer Emergency Response Team.

A new outbreak of Code Red is feared because the worm operates on a time clock. During the first 19 days of a month the worm is set up to scan and infect, but from day 20 until day 27 it floods a certain Internet protocol (IP) address — in this case Washington’s White House Web server — with requests, causing a denial-of-service attack. The Web server has since been given a new IP address.

Code Red targets servers running Microsoft’s Internet Information Server (IIS) software versions 4.0 and 5.0. It exploits a buffer overflow vulnerability in the Indexing Service DLL (Dynamic Link Library) of the Web server software. IIS is part of Windows NT and Windows 2000.
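The two paragraphs above describe the worm’s scanning behaviour and its day-of-month schedule. The following script, added here as an illustration and not code from the article or from any of the firms quoted in it, shows the defender’s side: it reads IIS logs in the W3C extended format and flags the worm’s scanning probes, then labels each probe’s date with the phase the article describes (scan and infect on days 1–19, flooding on days 20–27). The request signature it looks for (a GET for an `.ida`/`.idq` resource with an overlong query string) comes from the public CERT/CC advisory on the worm rather than from this article; the field layout, the length threshold `min_query_len`, the function names and the sample log lines are all assumptions constructed for the example.

```python
"""Detect Code Red scanning probes in IIS W3C extended log lines.

Added example: not code from the article or from any vendor quoted in it.
Assumed field layout (an IIS W3C log can be configured with other fields):
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
from collections import Counter

# Constructed sample log. The worm's real request carries a long run of
# filler characters followed by encoded payload bytes; a run of 'N's stands
# in for it here, since the length of the query is what the check keys on.
LONG_QUERY = "N" * 224
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-01 00:02:01 192.0.2.10 GET /index.htm - 200",
    f"2001-08-01 00:04:13 198.51.100.7 GET /default.ida {LONG_QUERY} 200",
    "2001-08-01 00:04:40 192.0.2.22 GET /search.idq q=reports 200",
    f"2001-08-01 00:07:05 203.0.113.9 GET /default.ida {LONG_QUERY} 404",
    f"2001-08-01 00:09:59 198.51.100.7 GET /default.ida {LONG_QUERY} 200",
])


def parse_iis_line(line):
    """Split one W3C extended log line into a dict, or None for comments/junk."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    day, tm, ip, method, stem, query, status = parts[:7]
    return {
        "date": day, "time": tm, "ip": ip, "method": method,
        "stem": stem, "query": "" if query == "-" else query,
        "status": int(status),
    }


def is_code_red_probe(rec, min_query_len=100):
    """Heuristic: GET for an Indexing Service (.ida/.idq) resource with an
    overlong query string. Ordinary Index Server queries are short, so the
    threshold (an assumption) separates them from the overflow attempt."""
    stem = rec["stem"].lower()
    return (rec["method"] == "GET"
            and stem.endswith((".ida", ".idq"))
            and len(rec["query"]) >= min_query_len)


def worm_phase(day_of_month):
    """Phase of the worm's schedule as the article describes it."""
    if 1 <= day_of_month <= 19:
        return "propagate"          # scanning and infecting
    if 20 <= day_of_month <= 27:
        return "flood"              # denial of service against a fixed IP
    return "outside described windows"


def find_probes(log_text):
    """Return the parsed records that match the probe signature."""
    return [rec for rec in map(parse_iis_line, log_text.splitlines())
            if rec and is_code_red_probe(rec)]


def summarize(log_text):
    """Count probes, group them by source address, and label their dates."""
    hits = find_probes(log_text)
    phases = {worm_phase(int(h["date"][-2:])) for h in hits}
    return {
        "probe_count": len(hits),
        "sources": dict(Counter(h["ip"] for h in hits)),
        "phases": sorted(phases),
    }


if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG)["sources"].items():
        print(f"{ip}: {n} probe(s)")
```

A source that appears repeatedly in the probe list is itself an infected server scanning outward, which is the point Fisher makes later about the worm lingering: each hit identifies a host whose owner still needs the patch, so the source list is worth forwarding rather than just blocking. The status code is deliberately not used as evidence of patch state; a patched server answers the probe without overflowing, so a 200 says nothing either way.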

Because Code Red only affects a computer’s memory and doesn’t write to disk, and individual machines can be fixed by simply turning them off, Fisher doesn’t see it as a high-threat issue. However, servers are very rarely shut down. To completely kill the worm, every system in the world would have to be shut down simultaneously, which is why it poses a nagging problem, he said.

Since a patch for the hole used by the worm has been available since June 18, Mike Murphy, Canadian general manager of security firm Symantec Corporation, said he’s surprised so many Web administrators have been caught short by it. Especially, he said, because this kind of attack has the potential to hurt a company’s credibility and consumer confidence.

“Companies have known how to prevent this attack for a long, long time. This attack could be avoided by a lot of people by implementing good firewall policies – what I would call ingress and egress filtering policies at the firewall — on an on-going and very frequent basis. Whether there are any threats out there or not, (security staff should be) constantly looking to see what patches are available and what those patches fix,” he said.

Although in theory a worm like Code Red could assault any target with a nuisance strike, Murphy noted that this country’s geo-political situation works to protect Canadian Internet businesses and e-government sites – for now.

“I think we’re fairly safe. We have our big monster cousin-brother to the south that’s always going to be targeted before us just because of its visibility, so we can hide behind that. But if somebody in Canada didn’t like the politics of the Liberal government, there’s no reason that they couldn’t target that.”

— With files from Joris Evers, IDG News Service

The FBI’s National Infrastructure Protection Center (NIPC) is at

Step-by-step instructions for installing the protective patch are posted at

Symantec is at

Sensible Security Solutions Inc. is at