Code Red not crippling Asian Internet

The Code Red worm's impact on the Internet in Asia appears to have been minimal and some local authorities say there have been few reported attacks -- but whether or not it is an Asian worm is still unclear.

The worm hacks Web pages hosted on some Web servers, putting up a message that reads in part, "Hacked by Chinese." In addition, some logs of attacks by Code Red have shown a preponderance of Asian addresses.

Antivirus vendors in the region and the Singapore Computer Emergency Response Team (CERT), however, said Friday they have not received large numbers of reports of servers being attacked. When it infects a server, Code Red then sends out messages to scan the Internet for other servers to infect.

The Symantec Antivirus Research Center (SARC) for Asia-Pacific, in Sydney, on Friday did not receive any reports from server administrators of their servers being attacked by the worm, said David Banes, SARC regional manager. One reason for this may be that server administrators are knowledgeable enough to download and install the Microsoft Corp. software patch without contacting Symantec for assistance, he added. In China, one executive of an Internet data center in the coastal city of Hangzhou, who asked not to be named, said Thursday that the center had not seen any scanning of its servers by systems trying to propagate the worm. The data center had installed the Code Red patch on all its servers.

In addition, Internet traffic in Asia-Pacific and across the Pacific Ocean does not appear to have been seriously affected by the scanning activity of the worm.

"We are quite concerned on this issue and are trying to monitor the traffic on the (Asia-Pacific)-to-U.S. backbone. There is not much evidence to show us that Code Red affected the Internet performance," said Sang Young, engineering manager at IT Guardian, a Hong Kong Web management software vendor that monitors Internet performance.

"There's not much difference between this week and the previous week, and the week that Code Red (originally) happened," Young said.

Likewise, charts produced by the Hong Kong Internet Exchange showed normal traffic patterns in the traffic going through the territory's Internet infrastructure on Thursday and Friday.

However, one security consultant in Hong Kong said there may be areas where worms such as Code Red can more easily find hosts from which to attack other computers. Noting that server logs in Europe had detected many source addresses in South Korea, Yui Kee Computing Ltd. chief consultant Allan Dyer said other viruses that have attempted "port-scanning" on Yui Kee's servers in the past often had source addresses in South Korea. (Yui Kee servers have received more than 20 attempted attacks by Code Red in the past two days, but Dyer has not yet analyzed the sources of those attempts.) "I've taken that to indicate there are lots of systems in South Korea that have been hacked," Dyer said in an interview Friday.

"That would imply there were more unpatched systems in South Korea than in other places," Dyer said. This does not mean, however, that the worm originated in Asia, he noted.

As for why there are more vulnerable systems in South Korea, Dyer could only guess. There may be more servers managed by inexperienced administrators there. Another factor may be that Code Red's initial major symptom -- a hack message on hosted Web sites -- occurs on servers that use English-language software, which may not be used by many Korean servers. Lacking an obvious sign that a server has been attacked, some administrators may overlook the infection.

Once it has found a host, the worm propagates itself by randomly generating IP addresses, a method that by itself would not tend to hit one region more than another, Symantec's Banes said.

As for whether or not the worm originated in China, the phrase it puts up on hacked pages, "Hacked by Chinese," actually resembles product slogans such as "Made by Chinese" used by a Hong Kong gift and apparel retailer. However, this is the only reported evidence of a Chinese or Hong Kong origin, and the U.S. Federal Bureau of Investigation has not announced any major leads as to Code Red's source.

There is no question that a Chinese programmer could have written Code Red, according to Dyer.

"There are quite a lot of people in China with sufficient skills," he said.
