News Archive

CAIDA Network Researchers Track the Worldwide Spread of the "Code Red" Worm

Published 07/25/2001


Someone turned a worm loose on the Internet late last week, and in less than a day it infected hundreds of thousands of Web servers around the world. Using sophisticated new "backscatter analysis" techniques developed to detect denial-of-service attacks, researchers at the Cooperative Association for Internet Data Analysis ( CAIDA) of the San Diego Supercomputer Center ( SDSC) tracked the progress of the infestation.

"More than 359,000 computers were infected with a version of the Code Red worm in less than 14 hours," said David Moore, SDSC senior network researcher and a principal investigator at CAIDA. "At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute."

The Code Red worm infects Web servers by exploiting a security flaw in the Microsoft Internet Information Services (IIS) software package; only systems that run Microsoft software are infected. On July 12, less than a month after the IIS vulnerability was made known to the computer security community, the Code Red worm was detected "in the wild" by Marc Maiffret and Ryan Permeh of eEye Digital Security. A new, "improved" variant surfaced on July 19.

Once it infects a host, the Code Red worm tries to spread the infection by sending a copy of itself to 99 random IP addresses. Then it waits. On the 20th day of the month, each copy of the worm tries to bombard the White House Web site with messages in an attempt to overload its Web server. Fortunately, the White House webmaster was alerted to the problem and changed the numeric IP address of the Web server, which foiled the second phase of the attack.

"We analyzed data from a 24-hour period, beginning midnight UTC July 19, during the critical phase of the infection process," Moore said. "By examining the incoming message traffic to normally unused sections of the Internet we were able to track the spread of the infection as the worm tried to transplant itself to machines at randomly generated addresses on the Net."

Moore's study collected data from two sources. CAIDA had monitors on portions of the UCSD campus network, and Vern Paxson at Lawrence Berkeley Laboratory provided data from monitors on two networks at LBL. In addition to Paxson, Pat Wilson, Brian Kantor, and Stefan Savage of UC San Diego, Ken Keys, kc claffy, and Colleen Shannon of CAIDA, and Jeff Brown of UC San Diego and NLANR all contributed data, analyses, or advice to the tracking effort.

The worm was programmed to switch from an "infection phase" to an "attack phase" at midnight UTC on July 20. A sudden decrease in infection activity at that time appears to be due to this switch.

"The statistics of the infected hosts are interesting," Moore said. "43 percent of all infected hosts were in the United States, with 11 percent in Korea, 5 percent in China, and 4 percent in Taiwan. The .NET Top Level Domain (TLD) accounted for 19 percent of all compromised machines, followed by .COM with 14 percent and .EDU with 2 percent." The CAIDA study also observed 136 (0.04 percent) of .MIL and 213 (0.11 percent) .GOV hosts infected by the worm.

Moore noted that roughly 10 percent of the top domain names of infected hosts are domain names of Internet Service Providers to home and small business systems. "Machines operated by home users or small businesses are as integral to the health of the global Internet as the big systems, and they are much less likely to be maintained by a professional system administrator who can react quickly to a security threat. As is the case with biologically active pathogens, vulnerable hosts can and do put everyone at risk, regardless of the significance of their role in the population."

A QuickTime animation of the geographic infestation of the worm is available at In this animation, the infestation circles indicate the number of infected hosts and their geographic locations; circles in the centers of countries indicate hosts within country domains for which a more specific geographic location cannot be determined.

"This could have been a lot worse," said Pat Wilson, Network Security Manager for UC San Diego. "The Code Red worm was exquisitely coded for maximum annoyance but minimum damage. It doesn't alter the files on a computer's disk drive, and it resides only in memory. You can stop the active worm by rebooting, but of course that's not going to protect you from getting infected again - only applying the patch will do that."

"Whoever wrote this thing wanted to scare people," said Tom Perrine, Manager of Security Technologies at SDSC. "Imagine the chaos if it had erased the disks or randomly corrupted the files of several hundred thousand Web servers."

"A key component of CAIDA's mission is to provide tools, methodologies, and analyses that promote a robust and scalable Internet," Moore said. "One of the ways we do that is by looking for trouble spots, and denial-of-service attacks and other remote exploits are definitely trouble."

CAIDA is a program of the San Diego Supercomputer Center, an organized research unit of UC San Diego. CAIDA creates tools and technologies for Internet measurement, message traffic analysis, and network topology visualization for use by network engineers and researchers. CAIDA also sponsors education and outreach efforts such as the Internet Engineering Curriculum Repository. Support for the Code Red tracking study was provided by the Next Generation Internet program (NGI contract N66001-98-2-8922) and Network Modeling and Simulation program (NMS grant No. N66001-01-1-8909) of DARPA's Information Technology Office, by the Advanced Networking Infrastructure and Research Division of the NSF's Directorate for Computer and Information Science and Engineering (NSF grant NCR-9711092), and by CAIDA member organizations.

For more information:

David Moore, CAIDA, 858-534-5160,
kc claffy, CAIDA, 858-534-8333,