Code Red worm problems could re-emerge Aug. 1

More trouble may be coming Aug. 1 to corporate computer systems that still haven't been properly patched to defend against the Code Red worm.

In a warning issued Thursday, the CERT Coordination Center at Carnegie Mellon University in Pittsburgh said a continuing analysis of the worm shows it could be triggered on tens of thousands of additional machines when system clocks roll over at midnight Greenwich Mean Time on Aug. 1. (That would be 8 p.m. July 31 on the U.S. East Coast.) According to CERT, the problem is that the worm is triggered to attack vulnerable systems between the 1st and 19th days of a month; if system clocks on target systems are off, the actual attack dates will be extended, helping to further spread the worm.

Marty Lindner, a CERT incident-handling team leader, said the only sure defense against the worm, which can cause denial-of-service attacks that can grind Web traffic to a halt, is to install patches that close the security holes targeted by the worm.

"As long as there's at least one machine out there still scanning (and spreading the worm), it will find the vulnerability again and continue," Lindner said.

Elias Levy, the chief technical officer at SecurityFocus.com in San Mateo, Calif., said that because the worm is so infectious and spreads so rapidly, a new wave of infections can start unless the patches are installed.

"On the 1st, reinfection will reoccur on any machines that haven't been patched," Levy said.

Affected by the malicious, self-propagating worm are systems running Microsoft Corp. Windows NT 4.0 with Internet Information Server (IIS) 4.0 or IIS 5.0 enabled and Index Server 2.0 installed, as well as Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing services installed. Also affected are some Cisco Systems Inc. Digital Subscriber Line routers.

At least two variants of the worm have been causing problems since last month. At least 280,000 hosts were compromised in the first wave of attacks, according to CERT.

Patches and information are available from Microsoft or from Cisco.

Alan Paller, research director at the SANS Institute, a nonprofit security group in Bethesda, Md., said the new round of attacks by the worm is inevitable. "The only question is how many people patched their systems," he said.
