G-men hunt for Code Red's source

G-men hunt for Code Red's source

By William Jackson

GCN Staff

JULY 31—Federal law enforcement agencies are searching for the source of the Code Red worm that earlier this month infected hundreds of thousands of servers and targeted the White House Web site for a denial-of-service attack.

Ronald Dick, director of the FBI's National Infrastructure Protection Center, said both the FBI and the Secret Service are on the case, but tracking the worm back to its source is difficult. 'At this time we do not have any suspects, but the investigation is continuing,' Dick said yesterday at a news conference in Washington.

Government and industry security experts warned that the worm appears to be programmed to go into a propagation mode from the first through the 19th of each month beginning at midnight Greenwich Mean Time, or 8 p.m. EDT [see www.gcn.com/vol1_no1/daily-updates/4770-1.html].

Copies of the worm on infected machines scan the Internet for servers running unprotected versions of Microsoft Internet Information Server. The worm exploits a buffer overflow in the IIS Indexing Service DLL and installs a copy of itself, which begins scanning for new victims.

'We have indications that a tiny percentage of infected machines are scanning the Internet now' because of clock errors on host machines, Dick said. 'On Aug. 19 we expect the victim machines to launch denial-of-service attacks against a preset target.'

The target still will be the old IP address of the White House Web site, which has been changed [see www.gcn.com/vol1_no1/daily-updates/4690-1.html]. The greatest threat from the worm is degradation of service on the Internet caused by scanning during the propagation phase, rather than the attack itself.

Because the worm exists only in memory, rebooting a machine can clean an infected server. Vulnerable servers can be protected with a patch available from Microsoft Corp. on its Web site, at www.microsoft.com.

Although the Defense Department temporarily barred public access to its Web servers to ensure they were protected against the worm, government systems were not badly infected during the July 19 outbreak, said Sallie McDonald, assistant commissioner of the Federal Technology Service's Office of Information Assurance and Critical Infrastructure Protection [see www.gcn.com/vol1_no1/news/4708-1.html].


  • business meeting (Monkey Business Images/Shutterstock.com)

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (Shutterstock.com)

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected