Code Red: Are You Ready For The Next Attack?

The first wave of the Code Red worm infected more than 350,000 servers on the Internet last month and cost more than $1 billion for companies around the world to clean up the mess. The second wave of Code Red infected more than 250,000 servers last week, with the cleanup costs still to be calculated. Security experts are wondering what's next.

Many were surprised the worm didn't do more damage. Both versions are designed to deface some Web sites and launch a distributed denial-of-service attack on the White House Web site, which easily dodged the first attack by changing its Internet address. "It's peculiar to me that this worm seemed so well-written on one hand, yet had such an ineffectual payload," says Frank Prince, a security analyst with Forrester Research. More dangerous versions of the worm may be on their way, he says.

Also concerned is Chris Rouland, director of Internet Security Systems Inc.'s research arm, X-Force. He says the two versions of Code Red may be a "beta test for information warfare," and IT managers need to prepare for more damaging versions. "If new variants target more critical parts of the infrastructure, we'll be seeing a lot more trouble," he says.

Code Red is just the latest in what are a growing number of viruses and worms that attack servers and Web sites. The worm exploits a vulnerability in the 6 million Windows servers that run Microsoft's Internet Information Services software and uses those servers to launch an attack. Many security experts warned that Code Red could create so much traffic that the Internet could slow down. The threat was taken so seriously that the FBI's National Infrastructure Protection Center called an unprecedented press conference to warn businesses to download and install a free software patch to cure infected servers and eliminate the vulnerability.

The second version of the worm is poised to attempt another attack Aug. 20 on whitehouse.gov, but few expect it to have much impact. "The White House and Internet service providers have all prepared themselves for that attack," says Pete Lindstrom, a security analyst with Hurwitz Group, "and nothing of significance should happen."