turned the Code Red worm loose on the Internet in July, and in
less than a day it infected hundreds of thousands of Web servers
around the world. Using sophisticated techniques developed to
detect denial-of-service attacks, researchers at SDSC's Cooperative
Association for Internet Data Analysis (CAIDA) tracked the progress
of the infestation. More than 359,000 computers were infected
with a version of the Code Red worm in less than 14 hours. At
the peak of the infection frenzy, more than 2,000 new hosts were
infected each minute. The attack of this worm was relatively harmless,
but the outbreak of the more virulent Code Red II worm in August
put tens of thousands of computers at risk.
The First Infection
graph shows the rapid spread of the Code Red infestation.
The worm was programmed to switch from an "infection
phase" to an "attack phase" at midnight GMT
on July 20. The abrupt leveling off of the infection appears
to be due to this switch.
Some computer viruses,
worms, and denial-of-service attacks amount to irritations. However,
others can assault the infrastructure of modern society, destroying
data and degrading the efficiency of networked computing and communications.
"A key component of CAIDA's mission is to provide tools,
methodologies, and analyses that promote a robust and scalable
Internet," said David Moore, SDSC senior network researcher
and a principal investigator at CAIDA. "One way we do that
is by looking for trouble spots, and denial-of-service attacks
and other remote exploits are definitely trouble."
The World Sees Red
quantitative illustration shows the early (yellow), middle
(orange), and late (red) stages in the spread of the Code
Red worm on July 19. Copyright UC Regents, Jeff Brown for
The Code Red worm infects
computers by exploiting a security flaw in Microsoft Corporation's
Internet Information Services (IIS) and Personal Web Server (PWS)
software. Only systems that run Microsoft Windows NT, Windows
2000, or Windows XP are vulnerable. Once the Code Red worm infects
a host, it tries to reproduce by sending copies of itself to randomly
generated Internet addresses. On the 20th day of the month, each
copy of the worm abruptly shifts tactics. The worm stops reproducing
and begins to bombard the White House website with messages in
an attempt to overload its Web server. (The White House webmaster
foiled this denial-of-service attack by changing the numeric IP
address of the Web server.)
The Second Outbreak
data point indicates the number of infected systems detected
in a 10-minute measurement interval. The infestation appears
to be declining, with interesting fluctuations that correlate
with the business day in Europe, North America, and East
Asia. Times are in GMT; 00:00 GMT = 17:00 PDT of the previous
"The Code Red
worm was exquisitely designed for maximum annoyance, but minimum
damage," said Pat Wilson, Network Security Manager for UCSD.
"It doesn't alter the files on a computer's disk
drive, and it resides only in memory. You can stop the active
worm by rebooting, but of course that's not going to protect
you from getting infected again; only applying the patch will
Earlier this year,
Moore and his colleagues used a technique they had developed called
"backscatter analysis" to detect and track denial-of-service
attacks. In these attacks, each victim receives packets carrying a forged
source address and tries to send an appropriate response to that faked IP address;
because the attacker's source addresses are selected at random,
the victims' responses are scattered across the Internet,
an effect called backscatter.
the message traffic directed at normally unused sections of the
Internet, we were able to track the Code Red infection,"
said Moore. On July 19, CAIDA's monitors detected an unusual
burst of activity: not a denial-of-service attack, but thousands
of copies of the worm trying to infect other computers. "We
analyzed data from a 24-hour period, beginning midnight GMT July
19," said Moore (Figure 1). "When the worm tried to
transplant itself into machines at randomly generated IP addresses,
some of them were in the sections we were monitoring."
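The tracking technique Moore describes, as an added illustration that is not CAIDA's own code: packets arriving at an otherwise unused address block cannot be legitimate, so an unsolicited TCP SYN to port 80 marks its source as a host probing for IIS, while a SYN-ACK or RST marks its source as the victim of a spoofed-source flood (backscatter). Counting unique scanning sources per 10-minute interval gives the kind of infected-host curve shown in the article's graphs. The monitored prefix and the log records are constructed; epoch 995500800 is 00:00 GMT on July 19, 2001.

```python
import ipaddress
from collections import defaultdict

# Hypothetical monitored prefix: an unused block that should receive no
# legitimate traffic, so everything that arrives is scan or backscatter.
TELESCOPE = ipaddress.ip_network("203.0.113.0/24")

# Constructed sample records: "epoch_seconds src_ip dst_ip dst_port tcp_flags".
SAMPLE_LOG = """\
995500800 198.51.100.7 203.0.113.9 80 S
995500830 198.51.100.7 203.0.113.200 80 S
995500900 192.0.2.44 203.0.113.15 80 S
995501400 192.0.2.44 203.0.113.16 80 S
995501500 198.51.100.99 203.0.113.3 80 SA
995501520 198.51.100.99 203.0.113.77 80 R
995501700 192.0.2.10 203.0.113.8 80 S
995502000 192.0.2.44 203.0.113.9 80 S
995502100 10.0.0.5 10.0.0.6 80 S
"""

BUCKET = 600  # seconds; the 10-minute measurement interval used in the article


def classify(rec):
    """Return 'scan', 'backscatter', or None for one telescope record."""
    _ts, _src, dst, port, flags = rec.split()
    if ipaddress.ip_address(dst) not in TELESCOPE or port != "80":
        return None  # not addressed to the unused block, or not web traffic
    if flags == "S":
        return "scan"  # unsolicited SYN: an infected host trying to spread
    if flags in ("SA", "R", "RA"):
        return "backscatter"  # reply to a forged SYN: a flood victim answering
    return None


def infected_per_interval(log):
    """Unique scanning sources per interval (keyed by interval start) and
    the set of backscatter sources, i.e. likely denial-of-service victims."""
    buckets = defaultdict(set)
    victims = set()
    for line in log.splitlines():
        kind = classify(line)
        ts, src = line.split()[:2]
        if kind == "scan":
            buckets[int(ts) // BUCKET * BUCKET].add(src)
        elif kind == "backscatter":
            victims.add(src)
    return {start: len(srcs) for start, srcs in sorted(buckets.items())}, victims
```

Real telescope data would also need de-duplication of hosts whose dynamic IP address changes between intervals, which is the effect Moore mentions later when comparing 4 million addresses to the much smaller number active at once.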
Cycles of Desktop Infection
infected computers in various time zones seem to be turned
on and off according to local business hours, implying that
they are not Web servers, which operate continuously.
collected data from two sources: the UCSD network and, with
the help of Vern Paxson of Lawrence Berkeley National Laboratory,
(Paxson provided Internet data from monitors on two Lawrence Berkeley
networks.) In addition, Pat Wilson, Brian Kantor, and Stefan Savage
of UCSD, and K. Claffy, Ken Keys, Ryan Koga, and Colleen Shannon,
all of CAIDA, and Jeff Brown of SDSC's National Laboratory
for Applied Networking Research, contributed data, analyses, and
advice in the tracking effort.
of all infected hosts were in the United States, 11 percent were
in Korea, 5 percent in China, and 4 percent in Taiwan (Figure
2). The .NET Top Level Domain accounted for 19 percent of all
compromised machines, followed by .COM with 14 percent, and .EDU
with 2 percent. The CAIDA study also observed 0.04 percent of
.MIL and 0.11 percent of .GOV hosts infected by the worm. Moore
noted that at least 10 percent of the infected hosts were in the
domains of Internet Service Providers of home and small business
systems. "Machines operated by home users or small businesses
are much less likely to be maintained by a professional system
administrator, who would react quickly to a security threat,"
he said. "But PCs are as integral to the health of the global
Internet as the big systems."
The IIS vulnerability
was a serious security hole, exploitable by other worm programs
with more sinister intentions.
In the last week of
July, officials representing both Microsoft and the FBI's
National Infrastructure Protection Center pleaded with computer
operators to install a free software patch to fix the crucial
defect in Microsoft's IIS. Microsoft and the FBI feared that
the worm would begin a second round of infection at the beginning
The fear was warranted.
The worm had been programmed to be infectious for the first 20
days of July, to attack www.whitehouse.gov for the rest of the
month, and then to deactivate itself (apparently an act of relative
kindness by the worm's unknown author). During the afternoon
of Tuesday, July 31, CAIDA researchers set up their network monitors
to track the possible appearance of an August outbreak. Active,
infectious copies of the worm had survived on computers whose system
clocks were set incorrectly, which is why the infection could spread anew in August.
As expected, the worm stirred at 00:00 GMT on August 1 in Europe
and Asia, while it was still July 31 in California.
"In the second
round of infection, we saw the worm infect 85,000 systems in only
four hours," Moore said. "Only a day after the outbreak,
it had infected more than 142,000 hosts. In the course of two
weeks, we observed infection attempts from machines at more than
4 million unique IP addresses, but only a few percent of that
total were active at any one time. Dynamic reassignment of IP
addresses as people log off and on may account for this."
The worm had a smaller
pool of potential victims to attack because many system administrators
had patched their software. Roughly 40 percent of the total number
of systems that were infected in the first attack were hit again.
A graph of the infection
in the second outbreak (Figure 3) reveals two interesting
trends. The number of infected systems seems to have slowly decreased,
possibly as system administrators belatedly began patching their
software. But unexpectedly, the number of systems infected varies
on a periodic basis.
strongly correlate to the business work day," said CAIDA
researcher Colleen Shannon. "People in various time zones
come to work in the morning and turn on their computers, which
then become infected. At the end of the workday, they shut down
their machines for the night (Figure 4). The fluctuations indicate
that, contrary to most of the publicity, the worm is infecting
a significant number of desktop systems in addition to dedicated
Web servers, which typically run all the time. Tens of thousands
of computer users may be unaware that Microsoft's IIS software
is running on their systems, activated by accident or by another
program without their knowledge."
Several days into the
August outbreak, a new worm appeared, calling itself "Code
Red II" (the name is embedded in the worm's programming).
The new software takes advantage of the same vulnerability that
allowed the first worm to propagate. The new predator spreads
more efficiently because it uses a nonrandom algorithm to generate
IP addresses when it targets other machines for infection. It
prefers machines with nearby IP addresses, machines that may be
on the same local network.
Code Red II modifies
disk files, making its eradication much more difficult to accomplish.
"Computer operators should disinfect afflicted machines by
erasing their disks and re-installing the operating system and
other files from backups," Moore said.
When the Code Red II
worm infects a computer, it installs several files, including
a "back door." This entry point enables a hacker to
remotely log into and control any infected computer and install
additional malicious software. Among many other opportunities
for mayhem, this capability puts credit card information at risk
in Web servers that support electronic commerce.
Code Red worm was more of a warning shot than a malicious exploit,"
Moore said. "It did little permanent damage, but its method
of attack involved a potentially devastating security hole. Yet
more than 100,000 systems remained unpatched after a week of intense
publicity. Regardless of whether this is due to ignorance or apathy,
it is very troubling. Now Code Red II is loose. It isn't
firing warning shots; it's hunting, and we're its