G-men hunt for Code Red's source

G-men hunt for Code Red's source

By William Jackson

GCN Staff

JULY 31—Federal law enforcement agencies are searching for the source of the Code Red worm that earlier this month infected hundreds of thousands of servers and targeted the White House Web site for a denial-of-service attack.

Ronald Dick, director of the FBI's National Infrastructure Protection Center, said both the FBI and the Secret Service are on the case, but tracking the worm back to its source is difficult. 'At this time we do not have any suspects, but the investigation is continuing,' Dick said yesterday at a news conference in Washington.

Government and industry security experts warned that the worm appears to be programmed to go into a propagation mode from the first through the 19th of each month beginning at midnight Greenwich Mean Time, or 8 p.m. EDT [see www.gcn.com/vol1_no1/daily-updates/4770-1.html].

Copies of the worm on infected machines scan the Internet for servers running unprotected versions of Microsoft Internet Information Server. The worm exploits a buffer overflow in the IIS Indexing Service DLL and installs a copy of itself, which begins scanning for new victims.

'We have indications that a tiny percentage of infected machines are scanning the Internet now' because of clock errors on host machines, Dick said. 'On Aug. 19 we expect the victim machines to launch denial-of-service attacks against a preset target.'

The target still will be the old IP address of the White House Web site, which has been changed [see www.gcn.com/vol1_no1/daily-updates/4690-1.html]. The greatest threat from the worm is degradation of service on the Internet caused by scanning during the propagation phase, rather than the attack itself.

Because the worm exists only in memory, rebooting a machine can clean an infected server. Vulnerable servers can be protected with a patch available from Microsoft Corp. on its Web site, at www.microsoft.com.

Although the Defense Department temporarily barred public access to its Web servers to ensure they were protected against the worm, government systems were not badly infected during the July 19 outbreak, said Sallie McDonald, assistant commissioner of the Federal Technology Service's Office of Information Assurance and Critical Infrastructure Protection [see www.gcn.com/vol1_no1/news/4708-1.html].


  • automated processes (Nikolay Klimenko/Shutterstock.com)

    How the Army’s DORA bot cuts manual work for contracting professionals

    Thanks to robotic process automation, the time it takes Army contracting professionals to determine whether prospective vendors should receive a contract has been cut from an hour to just five minutes.

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

Stay Connected