Update: Code Red Infections SlowingUpdate: Code Red Infections Slowing

The spread of Code Red continues, say security experts. As of 1:30 p.m. EDT Wednesday, the worm managed to infect roughly 100,000 systems. However, SANS Institute, a security research house, says the hourly rate of infection appears to be declining. Experts hope this shows that a sizable portion of vulnerable systems had been patched by the Tuesday deadline.

Stuart Staniford, president of Silicon Defense, an intrusion-detection company, estimates that the hourly rate of infection is .75 hosts an hour, per infected machine. That means each infected server is infecting less than one other system per hour. The first wave of Code Red, which occurred last week, had an infection rate of 1.6 to 1.8 new systems per hour.

Michael Erbschloe, author of Information Warfare, How To Survive Cyber Attacks, and VP of research at Computer Economics, estimates that the first wave of Code Red cost companies worldwide $1.2 billion. Erbschloe says the cost of clean up was $740 million, and the cost associated with lost productivity reached $450 million. Erbschloe says he doesn't expect the second wave to be as costly.

According to the SANS Institute's incidents.org Web site, as of 9 p.m. EDT Tuesday, 157 systems had been infected; by 8 a.m. Wednesday, 8,007 had been infected. At 11 a.m., infected systems numbered more than 22,000.

"Those numbers are in line with what we are seeing," says Bill Pollak, spokesman for the CERT Coordination Center.

"During the first Code Red attack, I'd only noticed a few scans on our systems," says Owen Creger, IS security manager for accounting-software maker Creative Solutions Inc. Creger says that as of noon Tuesday, he had noticed more than 40 scans on his intrusion-detection system. "I think this time around, [Code Red's] improved IP address random-access generator is making it try to spread faster," he says.

Security experts Tuesday were hoping that companies would heed repeated warnings about the Code Red worm. Variants of the worm, which hit hundreds of thousands of Microsoft NT and Windows 2000 operating systems last week, began striking Tuesday at 8 p.m. EDT. The worm scans the Internet from infected servers, searching for servers that do not have Microsoft's fix in place. As more systems become infected, the worm's propagation will increase and potentially slow Internet traffic to a crawl.

According to Microsoft, as of late Monday, more than 1 million patches had been downloaded. Experts had hoped that the estimated 6 million potential targets would be patched in time.

According to Marc Maiffret, chief hacking officer at eEye Digital Security, hundreds of thousands of infections were discovered in the first wave, which only had six or seven days to propagate and infect new servers. Because the worm has a built-in cycle to spread for 19 days before it launches a denial-of-service attack, the next wave may be worse.

Eeye discovered the vulnerability in Microsoft's Internet Information Services software, which ships with Windows NT and 2000. "I think when the first comes around and the worm has 20 days to spread, we will see at least the same impact as the last one," says Maiffret. "Hopefully, IT administrators [will] prove me wrong and have been installing the patches--but a few hundred thousand systems is a lot of systems to patch."

Eeye has published a free tool that administrators can use to determine whether their servers are vulnerable to Code Red. The tool is available at http://www.eeye.com/html/Research/
Tools/codered.html.

Microsoft's patch is available at
http://www.microsoft.com/technet/treeview/
default.asp?url=/technet/itsolutions/security/
topics/codealrt.asp