'Code Red' Draws Unlikely Allies to the Web's Defense

Lots of readers are asking what this "Code Red" business is all about, in the wake of the consciousness-raising press conference Monday afternoon in Washington by the FBI, the White House, Microsoft -- would you call that an unlikely, not to say unholy, alliance?! -- and others.

Let me organize my response very briefly, as a list of points you need to know, so we can get back to trading.

• As an individual computer user, you and your computer are not at risk here. Code Red is aimed strictly at Web servers.

• Code Red is unrelated to the infuriating "SirCam" email virus that has been circulating for the past two weeks, flooding computer users' mailboxes with dangerous messages (which begin "I send this...").

• Code Red is a system-level worm, which attacks only servers running Microsoft Internet Information Server. IIS, the software used to set up a Web site, is a part of Windows NT 4.0 and Windows 2000.

• More than 350,000 servers, and perhaps as many as 500,000, were quickly "infected" with the worm when it first launched on July 19.

• For the first 19 days of each month, servers running IIS, in English, get their pages defaced by Code Red, which scrawls "Hacked by Chinese" across the pages.

• Beginning on the 20th of each month, Code Red turns its attention to the White House's Web servers, and begins trying to deface them. (The White House has long since changed its IP address, so the attempted defacing of its pages does not occur.)

• Even though the White House address has changed, the attacks will continue as long as any copies of Code Red are out there on servers, and as Code Red spreads, the vast traffic generated by it could effectively slow, conceivably (but not likely) leading to a massive slowdown of the entire Web.

• Ironically, a patch correcting the problem (by plugging a security hole in IIS discovered in June) has been available for a month and a half. Unfortunately, many inattentive system administrators never got the word and never installed the patch; it is their systems that are continuing the spread of Code Red.

The FBI's National Infrastructure Protection Center is working with Microsoft and others now to try to alert system administrators to the potential problems lurking within their servers ... because the worm starts propagating and defacing sites again on Wednesday. And even a few rogue (i.e., unpatched) servers running Code Red can cause serious continuing problems.

One of the strengths of the architrave of the Web is that it is designed to allow hundreds of thousands to millions of servers to function independently, in case of a nuclear attack or other disaster. As we're just now beginning to understand, that very strength is also key to the Web's greatest vulnerabilities.

Now we get to watch and wait. Sys admins, wake up!