Code Red Round II won't melt the internet

While the Code Red worm is making a name for itself in the mainstream media, at least one virus watcher is more than a little sceptical about the potential for 'the meltdown of the internet'.

Code Red is a worm that attacks a known hole in Microsoft Internet Information Server (IIS) software versions 4.0 and 5.0. A patch has been available for more than a month; however, over 300,000 servers were infected in the first 10 hours of the virus's attack.

Virus experts are expecting a second wave of activity from the virus today as the worm is believed to have a built-in delay mode which will re-trigger its breeding cycle on the 1st of every month.

However, Nick FitzGerald, director of Christchurch-based Computer Virus Consulting, says it all boils down to a relatively small number of web server administrators not doing their job properly.

"What would have been good is if someone somewhere had done a reverse DNS lookup of those servers that were running Code Red when it first struck, then we could have seen just what was what."

FitzGerald says the best way to get to these administrators has been through the tabloid headlines and that mainstream media has served a purpose with its over-the-top coverage.

He says 300,000 is a conservative estimate for the number of servers that were infected, but that this is a huge proportion of the total population of around 5 million IIS servers worldwide.

He believes a large percentage of the servers were running in the US on DSL connections - pointing to small to medium sized businesses or perhaps people running IIS on NT workstations in their homes. Quite how many patches have been applied is also hard to estimate.

"If it's as high as 50% then we've still got around 100,000 to 200,000 infected machines in the so-called 'dormant stage'."

FitzGerald says there are still a number of machines, possibly in the thousands, sending out the virus, which would indicate they had incorrect date settings, adding another variable to the mix.

But he doesn't think midday today will bring about the end of the internet as we know it.

"There is no big installed base about to spring into life; that's just not going to happen."

He says instead any infected machines will begin spreading the virus again and that we could see a similar build-up pattern to last month's attack.

"Despite reports to the contrary [due to flawed testing methodologies] those copies of Code Red will not 'wake up' come midnight July 31/August 1 UTC [Universal Time Coordinated] and start spreading again."

As to future versions of the worm, perhaps released on the back of this outbreak, FitzGerald says that's a possibility.

"That's all in the lap of the gods."
