At 8 p.m. EDT this evening, a malicious worm is expected to awaken in computer systems around the world and wreak havoc on the Internet.
It sounds like something out of a bad science-fiction novel, but it's the truth. A malicious worm, a piece of computer code already embedded in hundreds of thousands of computers, is expected to launch an attack that was originally aimed at whitehouse.gov, the White House's Web site. The origin of the computer virus is unknown. (For more on the virus, read Jim Seymour's article.)
A worm is a virus that infects a computer via a network, like the Internet, and propagates itself by copying its own code and sending it out to other computers connected to that network. This particular worm, known as Code Red, is unique due to its lengthy incubation period -- it replicates itself through networks, undetected, from the first to the 19th of the month. Then on the 20th, it launches a denial-of-service attack on a specific targeted Web site. In effect, the virus sends so many requests and so much data to the site that it overloads its servers, and users can't access it.
As a result of certain coding within the clocks of computers, analysts fear that the worm may awaken tonight, rather than on the first of the month, and start a new round of infections.
In today's Daily Interview, TheStreet.com speaks with Vincent Weafer, senior director of the Anti-Virus Research Center at Symantec, an Internet security company. Weafer explains what exactly a "malicious worm" is, how it works and how it affects the companies that it targets. Weafer also elaborates on how you can protect your own computer and company from a possible attack, and tells us what the Code Red worm may bring tonight.
TSC: Let's start with the basics: How do denial-of-service viruses affect Web sites, and what actually goes on when a site is attacked?
Weafer: There's two impacts of an exploit like this. Code Red is a worm, which, once it infects a machine, goes looking for other vulnerable machines to infect. During that period, you've got lots of data occurring on the Internet while it's out there searching for these other vulnerable machines. So the side effects may be a slowdown of the network, or possible overloading of some of the infrastructure, such as routers, if too many scans are occurring at once. Now, Code Red has a "direct payload," which is a denial-of-service attack against a specific IP address; that IP address used to belong to whitehouse.gov, but the site has since been moved. During the period when the payload is active, all the infected machines send large amounts of junk data toward this address. Had that address been active at that time, the Internet would have been very overloaded with all this junk data being targeted against the particular address.
TSC: Once a virus such as Code Red attacks a company's Web site, what does it take to defeat the attack, in terms of technology, time and financial expense?
Weafer: In this case, it's very, very simple. And Microsoft has already created a security patch for their Internet Information Servers that are vulnerable to this. So all the administrator has to do is go to the Microsoft Web site and download that patch, reboot their systems and then they're not vulnerable to this attack again.
TSC: Does the patch have to be implemented before the system is attacked as a preventative measure, or can it be used once the site is attacked as a remedy?
Weafer: It should be used before the system is attacked, but even if the system is currently being attacked, the patch can still be deployed.
TSC: What about companies such as eBay and Yahoo! that were hit by denial-of-service attacks in February of 2000? Are they vulnerable to the Code Red worm?
Weafer: In this case, most of those companies are only vulnerable if they've got Internet Information Servers themselves, and, of course, if there would be infections disrupting their systems. However, most of the large corporations have already taken pains to protect their systems, so it's very unlikely that the high-profile names or governments or large enterprises would be that impacted. Right now, we're really looking at medium enterprises, small offices and home users who've got small Web sites where they've got this deployed, and where they may not understand the importance of security patches. These are the most likely source of these attacks and denials of service. They're the ones that we're really trying to reach out to right now to say "make sure you understand if you've got a vulnerable system and deploy the security patch."
TSC: So most of the large companies have either planned for this in advance and have anti-viral software, or, should they be attacked, it won't really affect their bottom line, right?
Weafer: Yes, and really the impact for the large companies is just making sure that their systems are not vulnerable for this worm to spread amongst their own systems. Based on what happened in July, most of them have learned and are updating their systems. It's really reaching out to the other people to say "make sure you patch your systems." Though in terms of pure denial of service, there was only one targeted address, which was changed so that it's invalid. Really, we're not comparing this to the distributed denial-of-service attacks that hit eBay and Amazon last year. In effect, this, unless it is modified, will not continue.
TSC: Did either eBay or Amazon, or any other company hit by a similar virus, lose significant revenue as a result of that attack?
Weafer: I don't have that data. I think, for many companies, the main concern is their reputation, is making sure that they can prepare for these things. And of course, the denial of service is just about whether they can deal with large volumes of data coming in at one time. And most companies, especially security-conscious companies, have ways of dealing with that, with routers and filters. But, of course, it's about how can you deal with a flood, very, very quickly.
TSC: What are the implications of the Code Red virus to Microsoft and Cisco, the two companies that have products that are vulnerable to the malicious code?
Weafer: Microsoft has taken a very active role in this, in warning people about updating their security patches. It's just another example of complex software having vulnerabilities that are discovered and then exploited by hackers. Microsoft has been very vocal in making sure that people understand the vulnerability and know how to protect against it. Their own infrastructure and systems have already been patched, so they're very secure. Cisco, too. With their router, they're just making sure that should there be a flood of scanning on the Internet, or junk data being sent around, that their routers and systems can deal with that volume of data, and they don't have any negative side effects.
TSC: Do the writers of viral code target specific systems like Microsoft's Windows NT and Cisco's routers?
Weafer: Potentially, they will. And certainly this is a targeted attack against Microsoft's systems, not Microsoft itself, but its systems, which in this case is the Internet Information Server.
TSC: Are there large expenses to combating viruses?
Weafer: Yes, there certainly can be. You need to make sure you have people trained and in place, that you've got the right tools -- firewalls, gateways, anti-virus software -- and that's a lot of things put in place to make sure you're secure. I think the main lesson is trying to understand what are your digital assets that you're trying to protect and how important they are to you, because the same way in the physical world you may get a bigger, stronger safe based on whether you're a bank or just keeping some of your personal documents, it's the exact same thing with computer security. You base the amount of security on the value of those assets that you're protecting.
TSC: What can we expect from the Code Red worm tonight?
Weafer: I think we'll definitely see a spread of infections; I don't think the Internet will be severely impacted, but we will see a noticeable increase in traffic, as many of the new infections and some of the existing ones wake up from hibernation. But really, it's all about lots of port scans occurring and making sure we get the word out to people to tell them to protect their systems by employing the patch and rebooting their system.
TSC: So no major damage?
Weafer: I don't believe so. An increase in data and maybe some servers being overloaded, but I don't think it's going to be catastrophic.