
Worm Shuts Pentagon Web Sites Again

Thread in 'National Defense Education' started by Milou, 03/08/2001.

  1. Milou

    Thursday August 02 01:26 AM EDT

    Worm Shuts Pentagon Web Sites Again
    By ABCNEWS.com
    Government officials are saying the "Code Red" computer worm has had little impact on the Internet so far, but continue to be guarded about its long-term effects.

    The Pentagon was forced to shut the public out of many Defense Department Web sites Wednesday night as the reactivated Code Red worm continued to snake its way across the Internet.

    The worm, first detected July 19, infected some 300,000 computers running Microsoft's Windows 2000, Windows NT or Internet Information Server version 4.0 or 5.0, and forced the Pentagon to shut down its Web sites at that time.

    It then went into a period of dormancy, but has infected tens of thousands of new computers since its reactivation on Tuesday.

    The worm installs the phrase "Hacked by Chinese!" on the attacked Web sites.

    Computers using Microsoft's Windows 98 or Windows 95, or using any of Apple's Macintosh operating systems, are not vulnerable to the worm, which is intended to create outages on major Web sites, slowing down Internet traffic in the process.

    Attack of the Web-Slowing Worm

    "We continue to receive reports of the Code Red scanning activity. This indicates that the worm is in the first phase of its attack cycle, in which it scans random IP addresses for systems to compromise," Roman Danyliw, Internet security analyst at the CERT Coordination Center, said late Wednesday. "These reports indicate that tens of thousands of machines have been compromised."

    He said the rate of infection continues to grow, but its intensity appeared to be subsiding.

    Among those affected, the Pentagon, where a spokesman told The Associated Press its system was slowed, and one civilian agency's server was infected.

    At the same time, a number of Defense Department sites - including the DefenseLINK gateway - were open.

    David Moore, a senior researcher at the Cooperative Association for Internet Data Analysis in San Diego, estimated that nearly 130,000 computer systems around the world had been infected with the worm, as of 8 p.m. ET.

    But Moore said the worm's spread is starting to slow.

    "It actually seems to be reaching the part where it starts to level off," explains Moore. "It does look like it's slowing down. And, it's getting close to infecting everyone who can be infected."

    Target: White House

    The White House Web site, the original target of the first Code Red attack last month, has so far been unaffected by the worm, and there have been relatively few reports of disturbances in Internet traffic due to Code Red.

    "We have been monitoring it closely," White House spokesman Ari Fleischer told reporters on Wednesday. "At this time there has been no impact on the White House."

    And while the overall effect of the worm has not been catastrophic, experts are watching.

    "There are pockets of this worm in the wild right now," says Jerry Freese, director of intelligence at Vigilinx, a digital security solutions provider in New Jersey monitoring Code Red. Freese points out that with an estimated eight million servers in operation worldwide, the majority of vulnerable machines in use have still not been protected against the worm.

    An estimated one million people have downloaded the patch designed to prevent a worm infestation.

    "It will be some time before we can make any definite conclusions," said Ronald Dick, director of the NIPC, at a press conference Tuesday night. "The storm has not passed yet."

    On the 20th Day, Code Red Attacked

    Code Red is programmed to do its damage over an extended period of time. It operates in two phases over a 20-day cycle: for the first 19 days, the worm spreads onto unprotected servers. From each of those, it attempts to latch on to 99 new servers. On the 20th day, the computers carrying the worm are instructed to bombard the target Web site.

    Two versions of the Code Red worm have been observed. Both take advantage of a security flaw in some versions of Microsoft's network servers, and instruct the servers to bombard government Web sites with streams of data. The company first announced both the flaw and the patch to fix it on June 18.

    Dick pointed out at a briefing in Washington on Tuesday that Code Red should not damage individual computers in the way that widespread viruses can.

    "The damage from this particular worm is not necessarily from the intrusion into the systems itself," said Dick. "It doesn't go in and destroy files, it doesn't go in and alter data that we're aware of. Basically what it does is take advantage of the vulnerability of a Microsoft Internet service software and then launches on a pre-scheduled time service attack on a particular target."

    Experts caution that Code Red could rewrite the book on computer viruses.

    "This has brought some new techniques in as far as writing a worm," says Simon Perry, vice president of security at software firm Computer Associates. "You will see copycats that use this as a propagating technique."

    As Marty Lindner of the CERT Coordination Center concludes: "I think it's safe to assume that Code Red is the first of a new breed, and there will be more like it."


    ABCNEWS' Peter Dizikes and Bryan Robinson contributed to this report.



