Reborn Code Red starts slowly, gains speed

More than 24 hours after it reawakened, the Code Red worm is not spreading as quickly as it did in July and is only beginning to live up to its advance billing. The worm, which has been touted by various Internet security bodies as a serious threat to the Internet, had infected almost 150,000 new systems by 8:30 p.m. U.S. East Coast time Wednesday, according to figures posted on incident-tracking Web sites.

The number of systems infected continues to grow quickly, however, and may continue to grow for the next three weeks.

Code Red, which had been lying dormant since July 27, was initially discovered in mid-July and infected over 250,000 computers in its first nine hours. Because of the way the worm is written, its attempts to spread itself cease between the 27th and 30th of the month and resume again on the 1st of the next month.

In an unexpected twist, Keynote Systems Inc., an Internet performance monitoring firm, issued an advisory late Wednesday saying the slowdown in Internet traffic it reported on July 19 was not due to Code Red, as had been widely thought. The firm has concluded that the slowdown was due to a train wreck and subsequent fire in a tunnel in Baltimore, which damaged parts of the Internet infrastructure.

The slowdown was specific to parts of the Internet backbone that had high-speed connections running through the tunnel, Keynote said in a statement. “If the slowdown had been due to the worm, it would not have been selective as to the backbones and geography but would have affected all backbones and the Internet as a whole.”

“If the worm had such a dramatic effect on the Internet on July 19, why hasn’t it had a similar effect now, when it is much more widespread now than it was then?” Keynote continued. “We have seen no effect on performance over the past couple of days.”

The performance of the Internet Wednesday “slowed within normal parameters during the day,” and performance had improved significantly by 6 p.m. Eastern Time, when workers on the East Coast shut down their computers and went home, Keynote said.

The development adds to the uncertainty as to whether Code Red will live up to the dire warnings from government agencies and security groups, who said Monday that the worm could greatly slow the Internet as it reactivated itself and set about searching for other computers on the Internet to infect.

However, Matrix.Net Inc., a different Internet performance monitoring company in Austin, Texas, said its graphs measuring average latency on the Internet for July 19 and July 20 tell a different story, one that suggests Code Red was responsible for the slowdown last month.

On the day of the train crash, its graph showed average latency on the Internet at a normal level, and only on the following day did it observe an increase in latency. This suggests the slowness on the Internet was in fact caused by Code Red, said marketing manager Joi Chevalier.

She added that Matrix.Net witnessed a slight decline in performance on the Internet on Wednesday in terms of latency, reachability and packet loss. The decline was too slight to draw any immediate conclusions, however, and Matrix.Net will continue to monitor the situation into the evening, she said.

The different conclusions drawn by the two firms may have to do with differences in how the two companies measure Internet performance, Joi said.

The worm attacks Microsoft Corp. Internet Information Server (IIS) systems vulnerable to a certain type of security flaw discovered in June. The worm exploits a flaw in IIS’s Index Server extensions to infect systems. Microsoft has issued a patch for the problem. Over one million users have downloaded the patch from Microsoft’s Web site, according to the company.

When the worm infects a system, it immediately begins scanning 100 IP (Internet Protocol) addresses looking for other vulnerable servers. This phase of the worm’s activity takes place from the 1st of the month to the 20th. On the 20th, infected systems launch Denial of Service attacks against the White House Web site until the 27th, when the worm goes dormant again.

Though only 76 systems were infected by the second round of Code Red in the first hour of Aug. 1, that number climbed to 157 in the day’s second hour, 495 in the fourth, 1,591 in the sixth and 13,487 in the 10th, according to data posted on The total number of infections, as reported by, the SANS Institute Internet Storm Center/ and the University of California at San Diego’s Cooperative Association for Internet Data Analysis, is around 150,000 systems.

Though that number is less than half what the first round of Code Red tallied, the worm may still infect far more systems, according to Russ Cooper, who has the title of surgeon general at security company TruSecure Corp., and is the editor of the NTBugtraq security e-mail list. “Unlike the last time, this isn’t going to stop tonight,” he said. “It will reach more hosts than it did before because it will run longer.”

“Nothing makes me believe that we’re going to top out at 50,000 or 100,000 (infected systems),” he added.

To make matters worse, systems can be infected more than once, leading to a greater number of scans for vulnerable systems and to the use of more bandwidth, he said. If a server is infected with two copies of the worm, the system will scan 10,000 IP addresses, rather than just 100, because the worms have a multiplying effect, he said.

“This time I believe every vulnerable system will be attacked,” he said, adding that he expects that between 500,000 and one million servers are still vulnerable.

Cooper dismissed concerns in some quarters that Code Red has been blown out of proportion.

“The data that we have already collected says this is an event,” he said. Not until three to five days’ data has been collected and a plateau in growth numbers has been seen can Code Red be said to no longer be an event or to be a smaller-than-expected one, he said. is online at The University of California at San Diego’s Cooperative Association for Internet Data Analysis Code Red data is at More information on the IIS Indexing Service DLL and patches that close the vulnerability are available on Microsoft’s Web site at