FYI: Red Code

Bruce Tober tbt at star-dot-star.co.uk
Mon, 30 Jul 2001 18:42:32 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Contacts:       Tinabeth Burton, 703-284-5305, tburton@itaa.org - PCIS & ITAA
                Keith Nahigian, 703-622-4494, keithnahigian@yahoo.com - CIAO
                Deborah Weierman, 202-324-8055, dweierman@fbi.gov - NIPC

Code Red Worm: Frequently Asked Questions:

Question: Why is this important today?
Answer: Only through quick response to notify the public can risks to the
Internet be minimised. The government and the private sector are here today
to provide this warning. This is similar to when people are warned about
travel abroad and threatening weather conditions. This is not the last of
these threats and the partners assembled here today would like the public to
be aware of the possibilities and precaution options available, and take
whatever steps they deem necessary.

Question: When did it start and when did it become a concern?
Answer: This worm appeared two weeks ago and many steps have been taken to
try to stop it. Unfortunately, the infestation continues, mutations of the
worm have already begun to appear, and the worm is timed to begin
hyper-growth late on July 31. The initial worm had a seven-day incubation
period; the new version may incubate in an even shorter period. This
malicious code, a clear and present threat, needs to be stopped before it
does real harm to electronic commerce and other uses of the Internet.

Question: How does this affect business and government?
Answer: It floods the Internet with probes looking for additional machines
to infect. The flooding slows the Internet down. As it slows, transactions
that depend on timeliness begin to fail. People take longer to get results,
and more importantly, some sites just disappear from the Internet as the
worm's probes overwhelm networks or damage routers or both. Consumers will
see the Internet slow down or they may lose connectivity if their ISP is
overwhelmed with probes. From a technical perspective, it doesn't matter who
the target of the attack is. The real power of the worm is the amount of
bandwidth generated by all the systems attacking at once. The attack is
really against the Internet infrastructure, regardless of the actual
targeted site.

Question: What types of machines are affected?
Answer: Machines running Windows 2000 or Windows NT 4.0 and the IIS web
server software. IIS is not installed by default (or automatically) on
Windows NT 4.0 (you have to install it from the option pack) nor on Windows
2000 Professional (the workstation). It is installed by default on Windows
2000 server packages.

Question: Can "Code Red" be turned off?
Answer: Yes, but it will require the concerted action of everyone who
operates a Microsoft IIS Web server to follow the procedures we have
outlined and to do it expeditiously. There is no MASTER SWITCH to turn off
the Code Red worm. History shows that such exploits are not single events
but harbingers of trends. The only real solution is for users to fix the
vulnerability.

Question: Why doesn't industry do something about it?
Answer: Industry is doing a great deal, starting with Microsoft. The company
identified the vulnerability, published an effective remedy, and worked
closely with its partners in the public and private sector to spread the
word. The industry representation on the stage today is testament to the
high level of industry commitment to solving this problem.

Question: How quickly will Internet performance degrade?
Answer: Between July 12 and July 19, the Code Red worm infected more than
350,000 systems and, on the 19th, slowed Internet performance by 40%. Code
Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT, and
it has mutated. The newest version could scan and infect all vulnerable
systems on the Internet even more quickly than the original, possibly in as
little as two or three days. The worm scans the Internet, identifies
vulnerable systems, and infects these systems by installing itself. Each
newly installed worm joins all the others causing the rate of scanning to
grow rapidly. This uncontrolled growth in scanning directly decreases the
speed of the Internet and can cause sporadic but widespread outages among
all types of systems.
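The answer above describes why a random-scanning worm's probe traffic grows rapidly rather than linearly: every newly infected host adds its own scanning to the total. As an added illustration (not part of the original press release or of this forwarded message), the Python model below simulates that dynamic with a simple susceptible/infected model. The population size of 350,000 is taken from the figure quoted above; the per-host scan rates, the starting point of a single infected host, and the one-minute time step are assumptions chosen for illustration, not measurements of the real worm.

```python
# Added example, not from the original post: a minimal deterministic model of
# random-scanning worm growth. It shows why the aggregate scan rate climbs
# rapidly (logistic growth) and why a faster-scanning variant saturates the
# vulnerable population in a fraction of the time.
# All parameter values below are assumptions for illustration only.

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner picks from (assumption: uniform)


def simulate(vulnerable, initial, scans_per_host_per_min, minutes, step_min=1.0):
    """Return a list of (minute, infected) samples from an SI-style model.

    Each infected host sends `scans_per_host_per_min` probes to random
    addresses; a probe that lands on a still-vulnerable host infects it.
    The total probe rate is proportional to the number of infected hosts,
    so the infected count follows a logistic (S-shaped) curve.
    """
    infected = float(initial)
    history = [(0.0, infected)]
    t = 0.0
    while t < minutes:
        susceptible = vulnerable - infected
        # Expected new infections this step: total probes sent in the step,
        # times the fraction of the address space that is still vulnerable.
        probes = infected * scans_per_host_per_min * step_min
        new = probes * susceptible / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new)  # never exceed the population
        t += step_min
        history.append((t, infected))
    return history


def time_to_fraction(history, vulnerable, fraction):
    """First sampled minute at which infections reach fraction * vulnerable, or None."""
    target = fraction * vulnerable
    for t, infected in history:
        if infected >= target:
            return t
    return None


def total_scan_rate(infected, scans_per_host_per_min):
    """Aggregate probes per minute hitting the Internet from `infected` hosts."""
    return infected * scans_per_host_per_min


if __name__ == "__main__":
    population = 350_000          # from the figure quoted in the FAQ
    for label, rate in (("original (assumed 200 probes/min/host)", 200.0),
                        ("faster variant (assumed 600 probes/min/host)", 600.0)):
        hist = simulate(population, 1, rate, minutes=3000)
        t90 = time_to_fraction(hist, population, 0.9)
        print(f"{label}: 90% of hosts infected after {t90:.0f} minutes; "
              f"aggregate scan rate then {total_scan_rate(0.9 * population, rate):,.0f} probes/min")
```

The point the model makes is the one in the answer: tripling each host's scan rate does not merely triple the traffic, it compresses the whole infection curve by roughly that factor, because the aggregate rate is the product of per-host rate and the (growing) infected count. On the defender's side, the same model says the useful lever is shrinking the vulnerable population, i.e. patching IIS hosts before the next growth phase, since the growth term scales with the number of hosts still susceptible.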
Question: Does this attack steal information or documents?
Answer: The known version of the "Code Red" worm does not "steal"
information or documents from a system. It is possible that a variant of
this worm could steal, modify or delete documents and information.
- -- 
| Bruce Tober, <tbt@star-dot-star.co.uk>,           Freelance Journalist,             |
|               My Website <http://www.star-dot-star.co.uk/>                                |
| Birmingham, UK, EU +44-780-374-8255 (Mobile) +44-1562-638-704 (Landline) |

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBO2WciMcIpTh0zLu1EQKJqACgjDjpZVX2/dMmGBQ5TIaBnf47vZ4AoI59
HKtJdhOAt6g0PtC9Md/Or0k5
=JsU+
-----END PGP SIGNATURE-----