Ronald Dick, director of the National Infrastructure Protection Center, didn't mince words Monday when discussing the fast-spreading Code Red worm: "The mass traffic associated with this worm's propagation could degrade the functioning of the Internet."
Dick says research shows Code Red has the capability to infect half a million servers in a single day. The Code Red worm surfaced July 12, and within days it had infected more than 350,000 servers. It attempted, and failed, to launch a distributed denial-of-service attack against the White House Web site. The original worm exploits a vulnerability in Microsoft's Internet Information Services software, which ships with Windows NT and 2000. Microsoft desktop operating systems are not susceptible. It's estimated that Microsoft has shipped more than 6 million copies of IIS.
Security experts warn that variants of the Code Red worm could start appearing, and they may spread more effectively than the versions that struck last week. Code Red is set to start propagating once again at 8 p.m. Eastern time Tuesday.
"I feel like a broken record; [NIPC] must feel like a broken record," says Pete Lindstrom, security analyst with Hurwitz Group. "Hopefully, people will be listening. We will see if it makes a dent." Lindstrom sees a cycle of vulnerabilities being found, patches being published, and people failing to use those patches. "It'll happen tomorrow, and in another month and a month after that. Sometimes people will patch their systems, sometimes they won't. We will see what happens tomorrow night."
While the overall health of the Internet depends on how many companies properly patch their servers, protection for servers running IIS is fairly straightforward. The patch is available at Microsoft TechNet.