Wednesday, 1 August, 2001, 16:48 GMT 17:48 UK
Code Red infections growing
If you find the Code Red worm do not tinker with it
By BBC News Online technology correspondent Mark Ward
The Code Red virus is active and scanning the internet for computers to infect, but has so far failed to produce the global web slowdown experts had feared.

The US Computer Emergency Response Team said that tens of thousands of computers have been infected and its potential for causing trouble is still growing.

But others have said that they do not expect this second wave of activity to stop the smooth running of the net.

Last time Code Red was active it infected over 250,000 computers in a nine-hour period.

Early estimates

The much expected wave of disruption that the Code Red worm was supposed to unleash today has not yet materialised.
In the first six hours that Code Red was active it infected some 22,000 web sites - far fewer than the 250,000 it managed when at its virulent height in mid-July.

"However," said Cert, "the worm's potential is still unknown at this time."

The US National Infrastructure Protection Centre said it too was getting reports that Code Red had awoken.

A statement issued by the Centre said: "Early reports of activity spanning the entire globe indicate the worm has gone active and is presently spreading throughout the internet."

One estimate from Internet Security Systems said eventually the worm would infect as many machines as it managed during the last outbreak.

The UK Home Office was more cautious and said: "Fears that the worm would have a potentially devastating effect on the Internet seem to have been unfounded."

"Monitoring showed that the worm started its scanning routine as forecast but there was no discernible impact on the infrastructure of the internet."

The rate at which Code Red is expanding is slowing, suggesting that it is struggling to find vulnerable computers.
Code Red dissected

Detailed analysis of the Code Red worm has revealed why it poses a threat to the internet and the confusion over its potential for disrupting the net.

A report by Internet Security Systems (ISS) said that concerns that infected servers will re-awaken and unleash a deluge of data were "largely inaccurate".

Code Red is a relatively sophisticated program that has three modes: scanning, flooding and sleep.

While "scanning" the worm searches for vulnerable servers and runs malicious computer code on those it finds to embed itself and spread. Fears that rampant scanning could slow the net prompted this week's rash of warnings.

During "flooding" mode the worm bombards the Whitehouse.gov website with bogus data packets.

Slumbering software

ISS believed that the final "sleep" phase could last indefinitely and that infected machines would not unleash havoc on the net.

The report notes that even if the worm is re-activated manually by a hacker, many of the vulnerable machines have been patched.

Netcraft, which carries out regular surveys of web server software, estimates that around 3.5 million sites are using Microsoft IIS software. Of these about 35% were initially vulnerable, a figure that has now dropped to 15% following the publicity about the worm.

Virus variants

But the ISS report warns that the threat posed by the Code Red virus has not entirely disappeared.

The damage done when it struck on 19 July was caused by a variant of the virus rather than the original. Whoever tampered with the code of the worm improved its ability to propagate and made it more effective.

The original worm randomly generated network addresses and then sent data to each one to find out if they were vulnerable.

ISS estimates that the worm could scan at least 400,000 net addresses per day, and could take a long time to probe the entire net address space of 4 billion potential combinations.
But the report warns that newer variants of the worm which fix some of the remaining bugs in the malicious program could lead to disruption of the net in the future.

"If it is updated to make it more efficient we could be in for a lot more trouble," said Kenneth De Spiegeleire, manager of the ISS security assessment service, "because then it might not be so easy to patch."