Code Red: Round Two
Wily worm gears up for second round of infections

The Code Red worm has the dubious honor of being one of the most talked-about worms in recent times. Code Red affects only web servers using Microsoft® IIS software. Web server administrators running IIS can easily defend their web server with a simple security patch Microsoft® released in June 2001, a full month before the worm was released.

While the patch may be easy to obtain and install, it is clear that a large number of server administrators had ignored the initial bulletins. Code Red infected as many as 250,000 servers in a nine-hour period when it first appeared in July 2001. The worm follows a set pattern, infecting for the first 19 days of the month, attempting a DDoS attack on the 20th, and then sleeping for the remainder of the month. As the clock ticks over to the first of a new month, the worm wakes up and begins its routine once again.

The worm is not a threat to the average user. Only administrators of web servers running Microsoft® IIS software need to be concerned about installing the Microsoft security patch. Once installed, the patch closes a buffer overrun vulnerability that the worm takes advantage of to infect. With current Netcraft estimates of six million IIS servers in use on the Internet, or approximately 21% of the web servers on the 'Net, Code Red does have the potential to infect a vast number of these - provided they are left unpatched.

What can the average user expect?
The worm scans batches of IP addresses looking for vulnerable web servers. Since it is scanning based on IP address, it also probes users' machines. Those running personal firewalls will be aware of more probes of their computers, as the worm seeks potential victims (those using IIS without the proper security patch applied). Otherwise, the effect most likely to be seen is a slowdown of the Internet, more difficulty connecting to sites, perhaps some sites being brought down - either to update protection against the worm or because the worm caused the server to crash.
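For readers who keep personal-firewall logs, the sketch below is an added example (not part of the original article) that counts blocked inbound web-port probes per day and labels each day with the phase of the monthly cycle described above. The log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical personal-firewall log format.
SAMPLE_LOG = """\
2001-08-01T00:12:03 DROP TCP 203.0.113.7:4312 -> 192.0.2.10:80
2001-08-01T00:12:09 DROP TCP 203.0.113.7:4313 -> 192.0.2.10:80
2001-08-01T03:40:51 DROP TCP 198.51.100.23:1190 -> 192.0.2.10:80
2001-08-01T04:02:10 DROP UDP 198.51.100.99:137 -> 192.0.2.10:137
2001-08-20T11:05:00 DROP TCP 203.0.113.50:2200 -> 192.0.2.10:80
2001-08-25T09:30:44 DROP TCP 203.0.113.77:3100 -> 192.0.2.10:80
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def worm_phase(day_of_month):
    """Phase by calendar day, following the cycle as the article states it."""
    if 1 <= day_of_month <= 19:
        return "infect"
    if day_of_month == 20:
        return "ddos"
    return "sleep"

def summarize_web_probes(log_text):
    """Return {date: {phase, probes, sources}} for blocked TCP/80 hits."""
    sources = defaultdict(set)
    probes = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or m["dport"] != "80":
            continue  # ignore unparsable lines and non-web traffic
        day = datetime.fromisoformat(m["ts"]).date()
        probes[day] += 1
        sources[day].add(m["src"])
    return {
        d.isoformat(): {"phase": worm_phase(d.day), "probes": probes[d],
                        "sources": len(sources[d])}
        for d in sorted(probes)
    }

def off_schedule_days(summary):
    """Days with port-80 probes although the described cycle says 'sleep'."""
    return [d for d, s in summary.items() if s["phase"] == "sleep"]
```

Days returned by `off_schedule_days` carry web-port probes that do not fit the described cycle, so they are worth a separate look rather than being attributed to this worm.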

What are Microsoft and the government doing?
Microsoft has joined forces with CERT (the Computer Emergency Response Team headed by Carnegie Mellon Software Engineering Institute), NIPC (the cybercrime division of the FBI) and antivirus vendors to issue alerts to as many web server administrators as possible, urging them to upgrade to the needed patch.

Are Microsoft and the government acting appropriately?
The parties involved have the unenviable task of deciding when to alert, whom to alert, and how to alert. Too many alerts and there are allegations of crying wolf. Too few and there are allegations of complacency or ineptitude. Certainly the fact that 250,000 servers were compromised within 9 hours when Code Red first appeared is an indication that a significant number of web server administrators have failed to provide adequate security.

We are only as strong as our weakest link. If hundreds of thousands of administrators do not heed the alerts and warnings, each of us suffers (in a best-case scenario) from a lethargic connection to web sites. As long as the worm is probing around the 'net, the extra traffic it generates has a resulting effect on bandwidth. If it continues to successfully infect - and mutate - the problem becomes the bigger, worst-case scenario of a massive denial of service attack.

If the government is successful, if the alerts are responded to and administrators install the patch, Code Red will be a big no-show. In that case, the government will likely be accused of over-reacting. It's a damned if you do, damned if you don't situation. Put another way, if the government is successful, they'll be accused of being hysterical incompetents and we will never discover the "other" outcome that could have resulted.


©2009 About.com, a part of The New York Times Company.

All rights reserved.