G-men hunt for Code Red's source

By William Jackson

GCN Staff

JULY 31—Federal law enforcement agencies are searching for the source of the Code Red worm that earlier this month infected hundreds of thousands of servers and targeted the White House Web site for a denial-of-service attack.

Ronald Dick, director of the FBI's National Infrastructure Protection Center, said both the FBI and the Secret Service are on the case, but tracking the worm back to its source is difficult. 'At this time we do not have any suspects, but the investigation is continuing,' Dick said yesterday at a news conference in Washington.

Government and industry security experts warned that the worm appears to be programmed to go into a propagation mode from the first through the 19th of each month beginning at midnight Greenwich Mean Time, or 8 p.m. EDT [see www.gcn.com/vol1_no1/daily-updates/4770-1.html].

Copies of the worm on infected machines scan the Internet for servers running unprotected versions of Microsoft Internet Information Server. The worm exploits a buffer overflow in the IIS Indexing Service DLL and installs a copy of itself, which begins scanning for new victims.

'We have indications that a tiny percentage of infected machines are scanning the Internet now' because of clock errors on host machines, Dick said. 'On Aug. 19 we expect the victim machines to launch denial-of-service attacks against a preset target.'

The target still will be the old IP address of the White House Web site, which has been changed [see www.gcn.com/vol1_no1/daily-updates/4690-1.html]. The greatest threat from the worm is degradation of service on the Internet caused by scanning during the propagation phase, rather than the attack itself.

Because the worm exists only in memory, rebooting a machine can clean an infected server. Vulnerable servers can be protected with a patch available from Microsoft Corp. on its Web site, at www.microsoft.com.
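The scanning behaviour described above leaves a recognisable trace on every server the worm probes: an oversized request aimed at the Indexing Service ISAPI extension (the .ida and .idq handler, idq.dll) in the IIS web log. The following triage script is an added example, not code from the GCN article or from any agency named in it. It parses IIS W3C-format log lines, flags requests to the indexing extension whose query string is far longer than any legitimate search, and records whether each hit fell inside the propagation window the article describes (the 1st through the 19th of the month, measured from midnight GMT), so that out-of-phase scanners, which the article attributes to clock errors on infected hosts, stand out. The sample log, the source addresses (RFC 5737 documentation ranges), the filler query and the length threshold are all constructed for this example; the W3C field layout and the fact that IIS writes W3C log timestamps in GMT are known IIS behaviour.

```python
"""Triage IIS W3C-format web logs for Code Red-style propagation scans.

Added example, not from the GCN article. Sample log lines, addresses, the
oversized-query filler and QUERY_LENGTH_THRESHOLD are constructed for
illustration; the field layout follows the W3C extended log format with a
'#Fields:' header, and timestamps are GMT as IIS writes them.
"""
from datetime import datetime, timezone
from typing import Dict, Iterator, List

# Extensions routed to the Indexing Service ISAPI extension (idq.dll), the
# component the article says the worm overflows.
INDEXING_EXTENSIONS = (".ida", ".idq")

# A legitimate Indexing Service query is short; a buffer-overflow attempt is
# not. The threshold is an assumption chosen for this example.
QUERY_LENGTH_THRESHOLD = 200

# Constructed sample log. The long 'N' runs stand in for an oversized query;
# the 19 July hit is inside the propagation window, the 31 July hit is not.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-19 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 00:00:07 192.0.2.10 GET /index.htm - 200
2001-07-19 00:01:12 198.51.100.23 GET /default.ida {filler} 200
2001-07-19 00:02:44 192.0.2.55 GET /search.idq CiRestriction=budget&CiScope=/ 200
2001-07-31 17:30:03 203.0.113.9 GET /default.ida {filler} 404
""".format(filler="N" * 224)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed or header not yet seen; skip rather than guess
        yield dict(zip(fields, values))


def in_propagation_window(ts: datetime) -> bool:
    """True if the timestamp falls on the 1st through 19th of the month in GMT,
    the propagation period the article describes."""
    return 1 <= ts.astimezone(timezone.utc).day <= 19


def looks_like_indexing_overflow(rec: Dict[str, str]) -> bool:
    """Request to the indexing ISAPI extension carrying an oversized query."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    if not stem.endswith(INDEXING_EXTENSIONS):
        return False
    return query != "-" and len(query) >= QUERY_LENGTH_THRESHOLD


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious request, with the scan-window flag."""
    findings: List[Dict[str, object]] = []
    for rec in parse_w3c(log_text):
        if not looks_like_indexing_overflow(rec):
            continue
        ts = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        findings.append({
            "when": ts.isoformat(),
            "source": rec["c-ip"],
            "status": rec["sc-status"],      # 200 on an unpatched IIS; 404 where .ida is unmapped
            "in_window": in_propagation_window(ts),
        })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        phase = "in window" if hit["in_window"] else "OUT OF PHASE (clock error?)"
        print(f"{hit['when']} {hit['source']} status={hit['status']} {phase}")
```

Run against a real log, the source addresses in the findings are the infected hosts doing the scanning (the machines that need the Microsoft patch and a reboot), and a hit with `in_window` false is a host whose clock is wrong and that will also fire outside the expected schedule.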

Although the Defense Department temporarily barred public access to its Web servers to ensure they were protected against the worm, government systems were not badly infected during the July 19 outbreak, said Sallie McDonald, assistant commissioner of the Federal Technology Service's Office of Information Assurance and Critical Infrastructure Protection [see www.gcn.com/vol1_no1/news/4708-1.html].
