The federal government, Microsoft Corp. and multiple IT security research groups are jointly warning about an expected re-emergence of the Code Red worm today and are urging users of Microsoft's Web server software to take "immediate action" to protect their systems.
In an advisory issued yesterday, government and private-sector officials said failing to patch systems that are vulnerable to the worm could significantly degrade the Internet's ability to support applications such as e-commerce and e-mail. The advisory was signed and posted by the FBI's National Infrastructure Protection Center (NIPC), Microsoft and six other organizations.
They plan to hold a press conference this afternoon in Washington to further discuss the potential dangers of the Code Red worm, which was first spotted two weeks ago. Today's briefing will be led by NIPC director Ronald Dick and Ken Watson, chairman of the private-sector Partnership for Critical Infrastructure Security (PCIS) and head of critical infrastructure protection at Cisco Systems Inc.
In an interview Friday in his office at FBI headquarters, Dick said the worm's ability to take advantage of vulnerable systems and overload the Internet with self-replicating traffic is likely to start having a significant impact on businesses in the coming weeks. Dick said NIPC analysts believe Code Red may have existed for weeks before it was first discovered on July 19, and the Cooperative Association for Internet Data Analysis in La Jolla, Calif., estimates that the worm has already infected more than 375,000 computers.
In yesterday's advisory, the NIPC, Microsoft and the security organizations warned that Code Red is likely to start spreading again at 8 p.m. EDT tomorrow and that the worm "has mutated so that it may be even more dangerous" than it was the first time around. The worm goes through a series of active and dormant stages, with each active stage becoming more effective than the previous one -- a development that lets Code Red infect more and more systems, according to Dick.
The renewed warnings follow a similar advisory that was issued last Thursday by the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. CERT, which is one of the security groups taking part in today's press conference, said continuing analysis of Code Red showed that the worm could be triggered on tens of thousands of additional computers when system clocks roll over at midnight Greenwich Mean Time on Aug. 1.
Code Red exploits a buffer overflow problem in the index server included in Versions 4.0 and 5.0 of Microsoft's Internet Information Services (IIS) software. The vulnerability, which was detailed by Microsoft last month in a security bulletin, could allow an attacker to gain complete control of a targeted system.
Microsoft "strongly" urged all IIS users to immediately install a patch that's available in separate versions for Windows NT 4.0 and Windows 2000. That recommendation was repeated as part of yesterday's advisory, and step-by-step instructions for installing the patches have been posted on the Web site of San Francisco-based e-business network operator Digital Island Inc.
Despite all the warnings, Dick said, getting the information out to users has proven to be more difficult than he ever imagined it would be. Officials are at a loss as to what more they can do to get companies, particularly ones that don't belong to a security information sharing alliance such as PCIS, to heed the warnings sent out by NIPC and other groups, he said.
"There is a need for trust and a need for meaningful information sharing," Dick said, adding that Code Red is "taking advantage of known vulnerabilities for which there are fixes." Early warnings helped the White House and other federal agencies sidestep the initial outbreak of the worm, he noted. Today's press conference is designed to get the message about the dangers out to the thousands of companies that have yet to patch their systems, Dick said.
"Our intent is to help protect the Internet and [critical IT] infrastructure from attack," Dick said. Code Red hasn't risen to the level of being a threat to national security or the economy, he added. But in the announcement of today's press conference, the NIPC called the worm "a very real and present threat to the Internet" and said it could cause performance on the Web to slow down "dramatically." To make matters worse, it said, most companies hit by the worm "will not even know they have been compromised."