Code Red Internet Worm Disturbs Pentagon Networks

Code Red Internet Worm Disturbs Pentagon Networks
By Deborah Zabarenko

WASHINGTON (Reuters) - The reawakened ``Code Red'' worm disturbed the Pentagon's computer networks on Wednesday, and the main U.S. computer monitoring center predicted it would infect as many systems as it did in its first incarnation in July.

``The worm is an ugly thing,'' U.S. Army Major Barry Venable said in a telephone interview from Colorado Springs, the U.S. Space Command headquarters which is in charge of defending Defense Department computer systems.

``Here at DoD (Department of Defense), we've observed several disturbances to our networks as a result of this thing working on the Internet, but we've seen no significant degradation to DoD yet,'' Venable said.

Code Red surreptitiously infects computers running Windows NT or 2000 operating systems and Microsoft Corp.'s IIS Web server software and then makes infected machines scan the Internet for more victims.

It reawakened at 8 p.m. EDT on Tuesday (0000 GMT on Wednesday) after an 11-day dormant period. First recognized by Internet security watchdogs in mid-July, the time-linked worm reached its peak virulence on July 19 before shutting down on July 20. It is designed to resume multiplying on the first of the month.

The Defense Department, which operates hundreds of Web sites, had to temporarily shut down public access to them during the July onslaught of Code Red.

Venable would not elaborate on whether Wednesday's ''disturbances'' included slow operation or whether any systems were shut down, but said of Code Red, ``We will continue to evaluate the threat that it poses.''

The FBI-led National Infrastructure Protection Center said in an online update: ``Based on preliminary analysis, we expect a level of worm activity comparable to the July 19 Code Red infection, which resulted in infection of over 250,000 systems. It should achieve that level of activity by this afternoon.''

WHITE HOUSE NOT AFFECTED

The White House, where the official Web site (http://www.whitehouse.gov) was a target of the July version of Code Red, was not affected by this latest siege, presidential spokesman Ari Fleischer told reporters.

``We have been monitoring it closely,'' Fleischer said. ``At this time there has been no impact on the White House.''

The State Department was also unaffected, a spokesman said.

By mid-afternoon on Wednesday, the U.S.-based Computer Emergency Response Team (CERT) reported increasing Code Red scanning on the Internet.

``This indicates that the worm is in the first phase of its attack cycle, in which it scans random IP addresses for systems to compromise,'' CERT said in an e-mailed update. ``These reports indicate that the number of compromised systems is increasing exponentially, and there is a potential for a large number of machines to be affected.''

By mid-afternoon, the number was in the tens of thousands, CERT said.

CERT's Chad Dougherty said in an earlier telephone interview that several Web sites had lost service because of the worm, but there were no reports of widespread outages. The overall global slowdown of the Internet had not occurred, he said.

Computers running Windows 95, 98 and ME are not vulnerable to the worm.

For infected computers, turning the machine off and then on gets rid of the worm but does not provide immunity from future infection. A free software patch is available at http://www.digitalisland.net/codered/.

A media campaign to publicize the worm and its remedies may have helped lessen the impact this time, according to Tim Belcher, chief technical officer of Riptech, an Alexandria, Virginia firm that monitors attacks on corporate networks.

``What we're seeing right now is an hourly increase (in infection) between 75 and 100 percent, but at a much slower growth rate,'' Belcher said by telephone. ``There are less vulnerable hosts out there because of the patch -- less victims, meaning slower growth.''

Code Red, named for a caffeinated soft drink favored by computer programmers, scans the Internet for other computers to infect, and as more computers are infected the scanning gets more widespread and could slow Internet traffic to a crawl.

The worm can also deface sites, though in two of the three known variants no vandalism is apparent to computer users. In last week's hits, some U.S. government sites showed the message ''Hacked by Chinese!'' but the Chinese government said the worm probably did not come from China.