'Code Red' Worms Into Web Servers


An Internet worm known as "Code Red" has apparently infected thousands of Internet servers around the world, reports CBS News Technology Consultant Larry Magid. Although it doesn't infect individual PCs, it does go after Web servers running under Microsoft Windows 2000. It was also set to attack the White House Web site, according to Internet security experts.

Infected sites can become unstable, slow down and, in some cases, display the message "Hacked By Chinese!" although there is no evidence that this worm originated in China. All we know is that it has spread to servers throughout the world.

Marc Maiffret, a technician at eEye Digital Security, a Southern California-based Internet security firm, said that his company disassembled the worm's code and found that it was set to launch a Denial of Service (DoS) attack against the White House Web site last night at 8:00 p.m. EDT. However, the site did not go down or even slow down at that time.

Keynote Systems, a San Mateo, Calif., company that monitors Internet traffic, reported no unusual problems at the White House site. The only unusual Internet problems noted by Keynote were "Internet backbone slowdowns in the aftermath of yesterday's CSX train derailment in Baltimore, probably due to damage to fiber optic lines."

'Code Red' Warning
CERT, the government-funded Internet security organization, has issued an advisory indicating that the "Code Red" worm may have already affected as many as 225,000 hosts, and continues to spread rapidly.

After 8:00 p.m. came and went with no apparent problems at the White House site, eEye's Maiffret theorized that the White House technicians may have avoided the problem by changing the Internet Protocol (IP) address mapped to the site. User-friendly Web addresses are basically aliases to IP addresses. The malicious Code Red worm, according to Maiffret, was set to attack IP address 198.137.240.91, but the White House site was remapped to 198.137.240.92.

White House spokesman Jimmy Orr would not confirm or deny specific actions taken but did say that "we've taken preventative measures aimed at minimizing any impact of the computer virus known as Code Red."

While the White House may have avoided any disruptions from the Code Red worm, the danger is not over. Steve Trilling, director of Research for Symantec, maker of a variety of Internet security products, said that it is impossible to tell right away the possible extent of the worm and the damage it could cause. He did confirm that the worm was triggered to launch a denial of service attack against the White House site and that it has infected an unspecified number of Windows-based sites around the world.

On May 22, the White House site was inaccessible for six hours as a result of a DoS attack. It was also down on May 7th and May 4th.


©MMI, CBS Worldwide Inc. All Rights Reserved
  • CBSNews.com staff
