The worm has defaced Web sites with the words "Hacked by Chinese."
By Matt Elliott World Staff Writer
A computer virus that infected an estimated 250,000 servers in less than nine hours July 19 is about to saddle up for a second go Tuesday evening.

The virus, dubbed the Code Red worm, is expected to start spreading again at 7 p.m. CDT Tuesday, the government-funded Computer Emergency Response Team said Monday.

The worm defaces Web sites with the words "Hacked by Chinese." It exploits a flaw discovered in June in Microsoft's Windows NT and Windows 2000 operating systems. Only computers set to use the English language will have their Web pages defaced, and users of Windows 95, Windows 98 or Windows ME have not been affected.

For the first 20 days of every month, the worm spreads. From the 20th on, it attacks the White House Web site, trying to knock it offline.

Officials said the virus attack could slow down the Internet and cause sporadic but widespread outages. "This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, e-mail and entertainment," a CERT advisory warned.

Government and private officials said the worm is a worldwide danger. At a news conference Monday in Washington, D.C., they called on computer users to secure their systems by downloading a software fix.

Ron Dick, head of the FBI's National Infrastructure Protection Center, lamented that too many computer users think of their systems as simple appliances, not recognizing that a computer needs "to be constantly monitored and maintained. It functions like a living organism."

The FBI is working with authorities in Canada, the United Kingdom and Australia to fight the worm's spread. FBI legal attaches stationed overseas have sent the word to 46 other countries.

According to CERT analysts, the worm is "malicious self-propagating code" that exploits code in unpatched Microsoft Internet Information Server-enabled systems, Cisco 600 series DSL routers, Windows NT 4.0 and Windows 2000.
Once the virus has infected a host, it then will bombard specific servers with useless information, causing them to shut down, the CERT report stated. Last week, the recipient was the White House site, which was forced to change its numerical Internet address to dodge the attack.

Businesses and analysts alike have been astounded by the virus' quick spread, and computer users are urged to patch their systems promptly to nip the problem in the bud.

The rapid rate of infection of Code Red comes as no surprise to John Hale, director of the Center for Information Security at the University of Tulsa.

"It's really not that astounding considering the proliferation of the Microsoft software that the virus preys upon," Hale said. "We saw the same kind of thing with the I Love You virus and the other viruses that use Microsoft Outlook."

Hale attributes part of the problem to a simple lack of action on the part of programmers and system administrators.

"People just don't pay attention to security alerts," he said. "If everybody patched their software in a timely manner, we wouldn't be dealing with this particular worm right now."

"It uses a buffer overflow technique which has been around for decades, and in terms of the big picture, we're not learning from our past mistakes, from a software engineering perspective."

"This is just a piece of flawed code that some hacker took advantage of."

Hale said that although the worm does not cause permanent damage to the infected systems, it does require time-consuming and costly remedies, which may hurt infected businesses.

"In terms of dollars, you've got a lot of time spent detecting the intrusion and implementing the remedy," Hale said. "It's a tremendous waste of bandwidth and manpower."

Hale added that the worm could mutate at any time and could turn into a more malicious variant.

"A mutant strain of this worm could be easily converted into something where it did something malicious at each stop on its way," he said.

R. Brent Johnson, president of Secure Agent.com in Tulsa, urged local businesses to take steps immediately to avoid technological setbacks that could result from the virus.

"Basically, there are two problems. One is to keep it out of your system, which is easier said than done," Johnson said. "The second problem is if you receive emails, you'll get it. The best thing to do is to back up your systems."

Secure Agent has several new patents and patents pending on secure backup programs and e-mail protection.

"It's very difficult to keep this stuff out of your machine," Johnson said.

The Code Red virus hit the Tulsa World Web site -- tulsaworld.com -- during the initial phase of infection July 19. The virus, which has since been eradicated from the newspaper's system, failed to shut down the Web site, although some users were not able to send e-mails through the site for a short time.

Investigators don't know who wrote Code Red or where it started. Other government sites have been targeted, including the Pentagon, which had to shut down public access to its sites while purging the worm from its system.

Businesses and some users who have not patched their servers yet are urged to visit www.microsoft.com, where a security alert is posted and a patch is available for download.