Code Red worm carries 'meltdown' threat

The White House may have dodged the wrath of the Code Red worm this time, but the impact of this worm and its counterparts has been far-reaching, with more than 5000 attacks made on Australian systems in the past week.

Australia ranked in the top five countries that Code Red attacked, according to statistics generated by the SecurityFocus incidents database.

Russ Cooper, surgeon general of TruSecure Corp and editor of e-mail list NTBugtraq, said Code Red, which has infected around 300,000 systems worldwide, is the worst security event in Internet history.

"We haven't seen a worm that involves this many hosts and is this complex," he said, adding that if systems affected by the worm continue to go unpatched, "the impact, we predict, is a meltdown".

Telstra, which is presently battling concerns over a Trojan that entered its system and retrieved the login details of 69 of its customers, also felt the pinch of the Code Red worm, according to Stuart Gray, corporate affairs manager, Telstra retail.

Gray said that Telstra was informed by Microsoft of the Code Red worm when it first came to light, allowing the company to modify most of its servers so that they weren't vulnerable.

However, Telstra's Web hosting customers weren't so lucky, with around a dozen users experiencing outages for around two to three hours.

According to Gray, Telstra had advised those customers to acquire the Code Red fix; however, the group affected did not heed the advice, he said.

Glenn Miller, managing director of security provider, Janteknology, cites similar stories about a number of local companies who have been hit by the worm, resulting in their sites going down for several days.

"One company was hacked, its Web site defaced and it was down for five days," he said.

"As the company had an active e-commerce operation, it literally lost an operational business facility for five days and the cost of repairing that was probably up in the order of $10,000," Miller said, adding that the addition of lost business to the equation could well have blown the figure out to hundreds of thousands.

The thing that surprises Miller, both in regards to the Code Red worm and its viral siblings, is the general apathy that many people express in regards to defending themselves against such attacks. Miller said one company took the initiative to download the patch for the Code Red worm, but didn't bother to install it. The end result was that the company's system was attacked.

"There's a general attitude that 'it's not going to happen to me'," he said. "It really is quite disturbing."

Of even more concern, however, is a new variant of the worm, which is proving even harder to track. While it has only been modified in a subtle manner, with a mere 13 bytes of code being changed, it packs a punch equivalent to the original worm, plus more. According to Miller, the aim of the Code Red 2 worm is to establish zombie servers to mount large scale DOS attacks and can be modified to attack any target, not just the White House.

Code Red's agenda

Attaching itself to Microsoft IIS systems that are vulnerable to an .ida buffer overflow attack, the Code Red worm has a number of items on its agenda.

It runs through nearly 100 IP addresses searching for other vulnerable machines to attach itself to, as well as defacing the Web sites of machines running US English Windows NT/2000, with the message "Welcome to!, Hacked by Chinese!".

Its main focus, however, was to launch a denial of service attack on, by sending 100Kbytes of data to the site from July 20 to 27. While the White House dodged the DOS attack, it remained tight-lipped about how it defended itself against the worm, merely saying that it had taken preventive measures aimed at minimising the impact of the virus. Meanwhile, security experts speculated that the site was moved to an alternate IP address to exploit a flaw in the worm's design -- it's inability to adapt to the new IP address because it only sent data when a valid connection was made.

The worm goes into hibernation during the DOS attack phase, providing an opportunity for organisations to secure their IIS servers before it recommences infecting systems. However, security experts warn that once the dormant period ceases, the rate of infection will rise exponentially.

- Sam Costello contributed to this article