Experts: Most Code Red attacks coming from Asia

The vast majority of servers infected by the malicious Code Red worm after its reawakening earlier this week are located in Asia, European experts said Thursday.

Amsterdam-based Internet service provider (ISP) XS4ALL Internet BV counted 7,528 unique infected machines probing its systems from midnight until 8 A.M. local time on Thursday. Close to 80 percent of the probes came from Asia, with most machines located in South Korea, said spokeswoman Sjoera Nas.

"Right after Code Red started up again on Aug. 1 most infected machines were in the U.S., but now between 75 and 80 percent are in Asia," she said, adding that after South Korea, most infected machines are in Taiwan and China. The Code Red worm re-awoke Aug. 1 in Europe, and July 31 in the U.S.

The worm has been coded to scan and infect systems for the first 19 days of each month, then to stage an attack on the U.S. White House Web site, after which it lies dormant before reawakening on the first of the next month. The White House Web site has taken steps since last month to protect itself against a new attack.

Marco van Berkum, an engineer with Dutch information security company Obit BV, based in The Hague, Netherlands, also installed a Code Red monitoring tool on his server.

"Most attacks have been coming from Asia," he said.

Bethesda, Maryland-based SANS Institute, which also monitors Code Red activity, is currently working on a geographic breakdown of Code Red activity, said spokesman Johannes Ullrich. He confirmed that Asia is a hotbed for the worm's activity, but couldn't confirm the high percentage reported by XS4ALL.

"Most of the scans with any Internet worm typically come from Asia, as that is where the unpatched systems are. Korean high schools are usually in the top 10; they have a lot of computers there," said Ullrich, who is based in Quincy, Massachusetts.

XS4ALL couldn't explain why Asia is now the epicenter of Code Red activity. However, André Post, senior researcher at Symantec Corp.'s Antivirus Research Center (SARC) in the Netherlands, offered an explanation.

"People in Asian countries don't let themselves be directed by press statements from the U.S. government," said Post. "The Western society is different, continually focused on business. It is probable that most Code Red activity is coming from Asia."

South Korea also stuck out when Code Red was first discovered in mid-July, when more than 250,000 servers worldwide were infected within nine hours, according to Mikko Hypponen, manager of antivirus research at F-Secure Corp. in Finland.

"On July 19 over 10 percent of the infected servers were located in South Korea. There must be a lot of unpatched IIS servers there," he said.

In Asia, information about Code Red does not appear to be as widely disseminated as it is in the West. Microsoft Corp.'s Web sites for Taiwan and China offered no information on their front pages about Code Red as of 6 p.m. local time. The South Korean Web site for Microsoft, however, does have Code Red prominently featured.

Hypponen said the characteristics of Code Red and the lack of information could easily create the fertile breeding ground for Code Red that Asia seems to be.

"You are a Web site administrator and notice the system performance is going down, what do you do? You reboot the system. By rebooting it you also remove Code Red. You never realize there was a worm and you probably don't install a patch. The server remains vulnerable," said Hypponen.

Code Red is a self-propagating worm that exploits a known flaw in the Web server component (Internet Information Services, or IIS) of Microsoft's Windows 2000 and Windows NT. It scans the Internet for vulnerable systems and infects them by installing itself. Once it has established itself on a server, it uses that server to scan the Internet for further vulnerable servers and infects those in turn. The scanning traffic that Code Red generates can congest network links and slow the Internet.

The number of machines infected by Code Red has been increasing, XS4ALL said. On Wednesday the ISP measured only 3,950 infected machines in a 24-hour period. Thursday morning XS4ALL saw 700 unique attacks in one half-hour period, Nas said.
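The figures above (distinct infected machines seen probing over a 24-hour period, or over one half-hour) are the kind of measurement an ISP or research group derives from ordinary Web server access logs. The following is an added example, not code from the article or from XS4ALL or SANS: it parses constructed Common Log Format lines, picks out requests that match a probe rule, and counts distinct source hosts per time window. The probe rule (any request for an `.ida` path), the sample IP addresses (documentation ranges) and the timestamps are assumptions made for the example; a real deployment would take the worm's exact request signature from a vendor advisory.

```python
"""Count distinct hosts probing a web server per time window.

Added example, not code from the article or from XS4ALL/SANS: it shows
how "unique infected machines probing" figures can be derived from
ordinary access logs.
"""
from collections import defaultdict
from datetime import datetime
import re

# Apache/Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: a request for an .ida path is treated as a worm probe.
# A real deployment takes the worm's exact request signature from a
# vendor advisory instead of this stand-in rule.
PROBE_RE = re.compile(r'^GET /[^ ]*\.ida(\?|\s|$)')

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Aug/2001:00:05:12 +0200] "GET /example.ida?XXXX HTTP/1.0" 404 0
192.0.2.10 - - [02/Aug/2001:00:06:40 +0200] "GET /example.ida?XXXX HTTP/1.0" 404 0
198.51.100.7 - - [02/Aug/2001:00:17:03 +0200] "GET /example.ida?XXXX HTTP/1.0" 404 0
203.0.113.44 - - [02/Aug/2001:00:31:55 +0200] "GET /index.html HTTP/1.0" 200 1043
203.0.113.45 - - [02/Aug/2001:00:45:21 +0200] "GET /scripts/test.ida HTTP/1.0" 404 0
192.0.2.10 - - [02/Aug/2001:01:02:09 +0200] "GET /example.ida?XXXX HTTP/1.0" 404 0
garbage line that does not parse
""".splitlines()


def parse_time(text):
    """Parse a log timestamp such as '02/Aug/2001:00:05:12 +0200'."""
    return datetime.strptime(text, TIME_FMT)


def probe_events(lines):
    """Yield (host, timestamp) for each line that looks like a probe."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the count
        try:
            ts = parse_time(m.group("time"))
        except ValueError:
            continue
        if PROBE_RE.match(m.group("request")):
            yield m.group("host"), ts


def unique_probers(lines, start, end):
    """Distinct probing hosts with start <= timestamp < end (log-format strings)."""
    lo, hi = parse_time(start), parse_time(end)
    return {host for host, ts in probe_events(lines) if lo <= ts < hi}


def probers_per_window(lines, window_seconds):
    """Map each window start (log-format string) to its set of probing hosts.

    Windows are aligned to multiples of window_seconds since the Unix epoch,
    so 1800 gives :00 and :30 boundaries in any whole-hour time zone."""
    buckets = defaultdict(set)
    for host, ts in probe_events(lines):
        epoch = int(ts.timestamp())
        floor = datetime.fromtimestamp(epoch - epoch % window_seconds, tz=ts.tzinfo)
        buckets[floor.strftime(TIME_FMT)].add(host)
    return dict(buckets)


if __name__ == "__main__":
    for start, hosts in sorted(probers_per_window(SAMPLE_LOG, 1800).items()):
        print(start, len(hosts), "unique probing hosts")
```

Counting distinct source hosts rather than raw requests is what makes the numbers comparable across observers: a single infected machine re-probing the same server many times (as 192.0.2.10 does in the sample) still counts once per window. Malformed lines are skipped instead of aborting, since a log under a scanning load routinely contains truncated entries.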

XS4ALL's numbers are much lower than the total number of infections reported by the SANS Institute Internet Storm Center, which stood at 228,949 as of 7 a.m. ET Thursday.

Symantec's Post disputed the number given by SANS.

"Looking at our own information, the number of infected servers is well under 100,000. There has been an increase in infected systems, but it isn't anywhere near what we saw in July," said Post, adding that Symantec has set up a measuring system at its offices around the world.

A European antivirus software vendor agreed.

"If over 150,000 systems were really infected, the Internet would be flooded with data. We have received no reports of this worm appearing in the wild," said Dennis Zenkin, spokesman for Kaspersky Lab Ltd. in Moscow.
