'Code Red' keeps low profile

By Richard Stenger
CNN

(CNN) -- Authorities said the second coming of the "Code Red" electronic worm has had little effect so far, but warned that it could take several more days before its full effect was known.

"Currently, all goverment and private sector watch centers are not reporting any unusual activity associated with the Code Red worm, but we will remain vigilant and continue to monitor the situation throughout the night," Ron Dick, director of the FBI's National Infrastructure Protection Center, said late Tuesday.

"While there is no activity now, it does not mean that the storm has passed. It will take some time before we can make any definitive conclusions."

Computer operators watched and waited late Tuesday and early Wednesday to see what, if any, impact a second worldwide wave of computer-worm infections may have online. Code Red could bring Internet traffic to a crawl and was expected to unleash itself beginning Tuesday night at 8 p.m. EDT. But whether the mutated bug will pack more punch than the original epidemic remains the subject of considerable debate.

VIDEO Critics want software makers, like Microsoft, to protect consumers from computer bugs. CNN's David George reports (August 1) Play video (QuickTime, Real or Windows Media) Despite minimal reported damage, officials warn that danger from the computer virus is far from over. CNN's James Hattori reports (July 31) Play video (QuickTime, Real or Windows Media)   MORE STORIES In-Focus: 'Code Red': Will the patch work?   'Code Red' latest in series of nasty Net bugs     RESOURCES On the Scene: Sieberg: 'Braced for worst, hoping for best'   Message board: 'Code Red' worm

Allan Paller, director of the SANS Institute for computer security, said it took seven days to fully gauge the worm's spread the last time it appeared.

"This time it's bound to take less. We just don't know how much less," he said.

Microsoft reported that more than a million people have tried to avoid the Code Red worm by downloading and applying the free patch available from the Microsoft Web site.

"This should have a measurable impact on the overall effect of the worm," an FBI statement said.

Authorities said it may be 12 hours or more before the impact of the electronic worm is known. The FBI said it would provide another update within 24 hours.

When the Code Red worm made its online debut earlier this month, the program swept through hundreds of thousands of computers in less than half a day, forced the White House to take evasive action and the Pentagon to take its public Web sites offline temporarily.

The malicious code is designed to spread for the first 19 days of each month. After that, infected computers flood the White House Web site with streams of data meant to knock it off the Net. Anti-virus experts expect infected machines will spark another worldwide infection binge beginning at midnight Greenwich Mean Time, or 8 p.m. EDT. Some contaminated machines with incorrectly set internal clocks have most likely set off the first waves of the invasion already, Internet authorities said.

Risk of data robbers

Since the original onslaught, two strains of the Code Red worm have been identified. Computer security experts warn that more virulent variations could dramatically slow Internet traffic, disrupt electronic commerce and e-mail communications and even lead to theft of sensitive corporate or government information.

"Instead of just propagating itself, (the worm) could do something really damaging. It could delete files. It could erase Web servers. Or it could send your company's confidential information out on the Internet," said Declan McCullagh of Wired News on Tuesday.

Likewise, the FBI's Dick warned that Code Red could be modified to "gain control over a Web server or alter or steal critical corporate and private data."

Dick urged Web site operators to take steps to stop the spread of Code Red, which is named after a high-caffeine soft drink popular with computer programmers. Foremost among them -- download a free Microsoft software patch to convey immunity on vulnerable machines.

The rogue application takes advantage of a defect in Microsoft's Internet Information Services software. It affects only computers with the IIS Web server software and Window's NT or 2000 operating systems. Windows 95, Windows 98 and Windows Me are immune.

Rebooting an infected machine removes the bug from memory but does not protect it from further assaults.

'Thousands overreacting'

Some Internet security experts are convinced that Code Red doomsday predictions are premature, much as the highly feared Y2K bug turned dud.

"There will definitely be some traffic from this worm this evening. But I don't think there will be the widespread damage that's predicted. I could be wrong. But I don't think we're going to see anything like we've heard about," said David Perry, director of global education for Trend Micro.

Worldwide alerts have prompted hundreds of thousands of computer users to download preventive patches. Moreover, most home PCs and network computers cannot be infected in the first place.

"There are about 300 million computers on the Internet (but) the number of NT installations on desktops is relatively miniscule," Perry said. "A lot of people are trying to download the Microsoft fix that don't need it at all. There are thousands of people overreacting to this right now," Perry said.

Nevertheless, Perry agrees with other computer experts that the new worm version is more powerful than the original. It randomly scans Internet addresses instead of known ones in search of new victims, he said.

Bug blitzkrieg predicted

And when it unleashes its second wave Tuesday evening, the sheer data volume as the worm spreads and scans for other vulnerable machines could prove a serious drag on Internet traffic for Web servers all over the world, warned the Computer Emergency Response Team (CERT). "Because the worm propagates very quickly, it is likely that nearly all vulnerable systems will be compromised by August 2," warned CERT, a federally funded Internet security research center at Carnegie Mellon University.

Despite this message left on some defaced Web sites, the origin of the attack remains unknown

When first identified on July 19, Code Red infected nearly 300,000 computers, anti-virus experts estimated. The outbreak forced the White House to change its numerical Web address to keep its site online and forced the Pentagon to halt briefly public access to its Web sites to disinfect and protect them.

Some infected Web sites were defaced with the phrase, "Welcome to http://www.worm.com! Hacked By Chinese!" But eEye Digital Security, which discovered the Microsoft flaw that the worm later exploited, said the malicious code spread too quickly for online investigators to determine its origin.

Unlike conventional computer viruses, which need the assistance of humans to spread, worms can self-replicate across the Internet.

-- CNN Justice Producer Terry Frieden, CNN Science and Technology Producer Marsha Walton, CNN.com Sci-Tech Editor Daniel Sieberg and CNN.com writer Matt Smith contributed to this report.