Computer Worm: FBI Had Advance Warning

The Code Red computer worm is finally slowing down, after infecting thousands of computers. The security company that first discovered the computer virus says the swift-moving worm might have been stopped much sooner if not for the FBI's caution about publicizing security threats.

The worm hit more than 700,000 computers in July and August 2001, depositing a virus that was then automatically sent on to the user's mailing list. It also attacked government internet sites, such as the White House website. The volume of forwarded messages engendered by the worm slowed down all internet traffic.

Details have been revealed about an earlier Code Red-like worm that hit the internet back in February 2001, raising questions about the FBI's handling of computer virus outbreaks. A worm similar to Code Red appeared in February, March, and May 2001 on systems belonging to Sandia National Laboratories, a Department of Energy research lab based in Livermore, California and Albuquerque, New Mexico. The earlier worm propagated in a manner similar to Code Red, and also targeted the White House Web site.

"When we saw Code Red come around five months later, we realized it was different in the sense that it was going after IIS 5 servers and using a different overflow, but Code Red was obviously written by the same person as it was attacking the exact same addresses as the .htr worm attacked," says Jim Toole, a network security administrator at Sandia.

Toole and Sandia colleague Jim Hutchins say the .htr worm they spotted in February failed to propagate successfully. It disappeared, but returned in March. They notified the FBI and the Department of Energy's Computer Incident Advisory Capability (CIAC), and gave them complete logs of the worm's activity as well as a copy of the malicious code.

"Each time it happened we gave a heads-up to CIAC and the FBI," Toole says. "We never heard anything back. We just make the reports; what they do with the info after that is up to them."

Toole says the worm hit the same IP addresses at Sandia in all three of its attacks. Sandia's computer system, however, is set up to trick this type of code into thinking it is propagating on the network, when it is actually safely contained and cannot infect other machines. "But at the same time, the 'network' allows the worm to expose itself by letting it do what it's supposed to do," says Toole.

Toole and Hutchins captured the "exploit," or malicious code, that the worm carried and released it on a test machine to see what would happen.

"As soon as we ran the exploit it started doing all of these Web requests to a very specific address: ww1.whitehouse.gov. Then it stopped after a while. Then it started doing more Web requests to random IP addresses that it was trying to reinfect," Toole says. Two servers handle requests to the White House Web site: ww1.whitehouse.gov and ww2.whitehouse.gov.

Toole says the March attack came from the same five machines running Microsoft IIS 4.0 servers that attacked them in February. It was trying to exploit an old vulnerability, announced by Microsoft back in June 1999. Microsoft released a patch for the vulnerability in July 1999.

When Code Red struck in July 2001, the Sandia system was among the first to be attacked. "We saw it hitting our systems again on Thursday morning [July 12], before anyone else was noticing it," Toole says. By Friday morning, e-mail security lists were full of discussions about the strange activity that network administrators were seeing on their systems.

"By then, we had already seen the worm about four times and we knew which five IP addresses it was going to go after first," Toole says. "By Sunday morning we were seeing 3200 attacks an hour from machines trying to run the exploit on our box. That's a lot of attacks."
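As an added illustration, not code from the article or from Sandia, the following script shows how a defender would spot the two things Toole describes in web server logs: repeated requests for the old IIS `.htr` handler from a handful of sources, and a per-source request rate that spikes within an hour. The log format, the IP addresses, the rate threshold and the long-URI heuristic for overflow attempts are all constructed assumptions.

```python
import re
from collections import Counter

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
LONG_URI = 240        # assumption: overflow attempts carry abnormally long request URIs
RATE_THRESHOLD = 3    # per-source suspicious requests per hour that raise an alert (sample-sized)

# Constructed sample lines (date time client-ip method uri status); not real Sandia traffic.
SAMPLE_LOG = [
    "2001-07-12 06:01:10 198.51.100.7 GET /default.htr 404",
    "2001-07-12 06:01:11 198.51.100.7 GET /scripts/x.htr 404",
    "2001-07-12 06:01:12 203.0.113.9 GET /index.html 200",
    "2001-07-12 06:02:03 198.51.100.7 GET /scripts/probe?" + "A" * 300 + " 500",
    "2001-07-12 06:05:44 203.0.113.9 GET /images/logo.gif 200",
    "2001-07-12 07:10:00 198.51.100.8 GET /a.HTR 404",
]

def classify(uri):
    """Return a label for a request that looks like a worm probe, else None."""
    path = uri.split("?", 1)[0]
    if path.lower().endswith(".htr"):
        return "htr-probe"             # the 1999 IIS 4.0 .htr issue the article refers to
    if len(uri) > LONG_URI:
        return "long-uri-overflow"     # heuristic only, not a signature for any one worm
    return None

def analyze(lines, rate_threshold=RATE_THRESHOLD):
    """Tag suspicious requests, count them per source per hour, and flag noisy sources."""
    hits = []
    per_hour = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                   # skip malformed lines instead of aborting the run
        date, time, ip, _method, uri, _status = m.groups()
        label = classify(uri)
        if label:
            hits.append((ip, label))
            per_hour[(ip, f"{date} {time[:2]}")] += 1
    noisy = sorted({ip for (ip, _), n in per_hour.items() if n >= rate_threshold})
    return {"hits": hits, "per_hour": dict(per_hour), "noisy_sources": noisy}

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, label in result["hits"]:
        print(f"{ip:15} {label}")
    print("sources over threshold:", result["noisy_sources"])
```

On the constructed sample, 198.51.100.7 is flagged for three suspicious requests within the 06:00 hour, while the single `.htr` request from 198.51.100.8 is logged but stays below the threshold.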

He first assumed that it was the same author and the same code, adapted for a different vulnerability. Why would the worm's creator switch target systems? "Simple. A new vulnerability came out," Toole says. "The number of IIS 4 servers out there is a lot less than the number of IIS 5 servers. So when the IIS 5 vulnerability was announced, it made sense for the author to adapt his worm for that. People assumed it was a new exploit and it was not."

Of the earlier worm, he says, "It looked like someone was testing out a framework for spreading the worm." If the FBI had issued a warning to the public instead of covering it up because the virus was attacking security systems and the White House, a lot of grief might have been prevented for PC users all over the world.
