Code Red worm carries 'meltdown' threat

The White House may have dodged the wrath of the Code Red worm this time, but the impact of this worm and its counterparts has been far-reaching, with more than 5000 attacks made on Australian systems in the past week.

Australia ranked in the top five countries that Code Red attacked, according to statistics generated by the SecurityFocus incidents database.

Russ Cooper, surgeon general of TruSecure Corp and editor of e-mail list NTBugtraq, said Code Red, which has infected around 300,000 systems worldwide, is the worst security event in Internet history.

"We haven't seen a worm that involves this many hosts and is this complex," he said, adding that if systems affected by the worm continue to go unpatched, "the impact, we predict, is a meltdown".

Telstra, which is presently battling concerns over a Trojan that entered its system and retrieved the login details of 69 of its customers, also felt the pinch of the Code Red worm, according to Stuart Gray, corporate affairs manager, Telstra retail.

Gray said that Telstra was informed by Microsoft of the Code Red worm when it first came to light, allowing the company to modify most of its servers so that they weren't vulnerable.

However, Telstra's Web hosting customers weren't so lucky, with around a dozen users experiencing outages for around two to three hours.

According to Gray, Telstra had advised those customers to acquire the Code Red fix; however, the group affected did not heed the advice, he said.

Glenn Miller, managing director of security provider, Janteknology, cites similar stories about a number of local companies who have been hit by the worm, resulting in their sites going down for several days.

"One company was hacked, its Web site defaced and it was down for five days," he said.

"As the company had an active e-commerce operation, it literally lost an operational business facility for five days and the cost of repairing that was probably up in the order of $10,000," Miller said, adding that the addition of lost business to the equation could well have blown the figure out to hundreds of thousands.

The thing that surprises Miller, both in regards to the Code Red worm and its viral siblings, is the general apathy that many people express in regards to defending themselves against such attacks. Miller said one company took the initiative to download the patch for the Code Red worm, but didn't bother to install it. The end result was that the company's system was attacked.

"There's a general attitude that 'it's not going to happen to me'," he said. "It really is quite disturbing."

Of even more concern, however, is a new variant of the worm, which is proving even harder to track. While it has only been modified in a subtle manner, with a mere 13 bytes of code being changed, it packs a punch equivalent to the original worm, plus more. According to Miller, the aim of the Code Red 2 worm is to establish zombie servers to mount large scale DOS attacks and can be modified to attack any target, not just the White House.

Code Red's agenda

Attaching itself to Microsoft IIS systems that are vulnerable to an .ida buffer overflow attack, the Code Red worm has a number of items on its agenda.

It runs through nearly 100 IP addresses searching for other vulnerable machines to attach itself to, as well as defacing the Web sites of machines running US English Windows NT/2000, with the message "Welcome to!, Hacked by Chinese!".

Its main focus, however, was to launch a denial of service attack on, by sending 100Kbytes of data to the site from July 20 to 27. While the White House dodged the DOS attack, it remained tight-lipped about how it defended itself against the worm, merely saying that it had taken preventive measures aimed at minimising the impact of the virus. Meanwhile, security experts speculated that the site was moved to an alternate IP address to exploit a flaw in the worm's design -- it's inability to adapt to the new IP address because it only sent data when a valid connection was made.

The worm goes into hibernation during the DOS attack phase, providing an opportunity for organisations to secure their IIS servers before it recommences infecting systems. However, security experts warn that once the dormant period ceases, the rate of infection will rise exponentially.

- Sam Costello contributed to this article

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ronda Field

PC World
Show Comments



Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?