"More than 359,000 computers were infected with a version of the Code Red worm in less than 14 hours," said David Moore, SDSC senior network researcher and a principal investigator at CAIDA. "At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute."

The Code Red worm infects Web servers by exploiting a security flaw in the Microsoft Internet Information Services (IIS) software package; only systems that run Microsoft software are infected. On July 12, less than a month after the IIS vulnerability was made known to the computer security community, the Code Red worm was detected "in the wild" by Marc Maiffret and Ryan Permeh of eEye Digital Security. A new, "improved" variant surfaced on July 19.

Once it infects a host, the Code Red worm tries to spread the infection by sending a copy of itself to 99 random IP addresses. Then it waits. On the 20th day of the month, each copy of the worm tries to bombard the White House Web site with messages in an attempt to overload its Web server. Fortunately, the White House webmaster was alerted to the problem and changed the numeric IP address of the Web server, which foiled the second phase of the attack.

"We analyzed data from a 24-hour period, beginning midnight UTC July 19, during the critical phase of the infection process," Moore said. "By examining the incoming message traffic to normally unused sections of the Internet we were able to track the spread of the infection as the worm tried to transplant itself to machines at randomly generated addresses on the Net."

Moore's study collected data from two sources. CAIDA had monitors on portions of the UCSD campus network, and Vern Paxson at Lawrence Berkeley Laboratory provided data from monitors on two networks at LBL. In addition to Paxson, Pat Wilson, Brian Kantor, and Stefan Savage of UC San Diego, Ken Keys, KC claffy, and Colleen Shannon of CAIDA, and Jeff Brown of UC San Diego and NLANR all contributed data, analyses, or advice to the tracking effort.

The worm was programmed to switch from an "infection phase" to an "attack phase" at midnight UTC on July 20. A sudden decrease in infection activity at that time appears to be due to this switch.

"The statistics of the infected hosts are interesting," Moore said. "43 percent of all infected hosts were in the United States, with 11 percent in Korea, 5 percent in China, and 4 percent in Taiwan. The .NET Top Level Domain (TLD) accounted for 19 percent of all compromised machines, followed by .COM with 14 percent and .EDU with 2 percent." The CAIDA study also observed 136 (0.04 percent) of .MIL and 213 (0.11 percent) .GOV hosts infected by the worm.

Moore noted that roughly 10 percent of the top domain names of infected hosts are domain names of Internet Service Providers to home and small business systems. "Machines operated by home users or small businesses are as integral to the health of the global Internet as the big systems, and they are much less likely to be maintained by a professional system administrator who can react quickly to a security threat. As is the case with biologically active pathogens, vulnerable hosts can and do put everyone at risk, regardless of the significance of their role in the population."

A QuickTime animation of the geographic infestation of the worm is available at CAIDA. In this animation, the infestation circles indicate the number of infected hosts and their geographic locations; circles in the centers of countries indicate hosts within country domains for which a more specific geographic location cannot be determined.

"This could have been a lot worse," said Pat Wilson, Network Security Manager for UC San Diego. "The Code Red worm was exquisitely coded for maximum annoyance but minimum damage. It doesn't alter the files on a computer's disk drive, and it resides only in memory. You can stop the active worm by rebooting, but of course that's not going to protect you from getting infected again -- only applying the patch will do that."

"Whoever wrote this thing wanted to scare people," said Tom Perrine, Manager of Security Technologies at SDSC. "Imagine the chaos if it had erased the disks or randomly corrupted the files of several hundred thousand Web servers."

"A key component of CAIDA's mission is to provide tools, methodologies, and analyses that promote a robust and scalable Internet," Moore said. "One of the ways we do that is by looking for trouble spots, and denial-of-service attacks and other remote exploits are definitely trouble."

Related Links
Code Red: The Movie 300K quicktime clip
CAIDA
SpaceDaily
Search SpaceDaily
Subscribe To SpaceDaily Express

Thanks for being here; We need your help. The SpaceDaily news network continues to grow but revenues have never been harder to maintain. With the rise of Ad Blockers, and Facebook - our traditional revenue sources via quality network advertising continues to decline. And unlike so many other news sites, we don't have a paywall - with those annoying usernames and passwords. Our news coverage takes time and effort to publish 365 days a year. If you find our news sites informative and useful then please consider becoming a regular supporter or for now make a one off contribution.
SpaceDaily Contributor $5 Billed Once credit card or paypal		SpaceDaily Monthly Supporter $5 Billed Monthly paypal only