Washington, DC., July 30, 2001 — Leading government and industry groups working to protect the Internet held a joint press conference today to address the threat of the “Code Red” Internet Worm and to warn the public to take necessary preventative measures to combat its further spread.
The groups warned that the Code Red Internet worm continues to pose a threat to users and is poised to strike again on July 31 st , at 8pm EDT when a stronger version weaves its way through systems across the globe. They said it is likely that this Distributed Denial of Service could impact businesses and home users as the Internet slows down dramatically. The Code Red worm takes advantage of a flaw discovered in June in Microsoft’s Internet Information Services software used on Internet servers. This flaw allows an attacker to gain full control of a server that has not been patched to correct the weakness. Most system administrators and users will not even know they have been compromised.
The groups collaborated on a joint technical alert, issued on Sunday July 29, to spread the word on the need to take preventative actions to protect against the worm, which the groups say has the potential to mutate into more damaging variations.
“The Internet has become indispensable to our national security and economic well being. Worms like “Code Red” pose a distinct threat to the Internet. The protection of the Internet requires a partnership with the government, private companies and the public as a whole,” said Ron Dick, Director of the National Infrastructure Protection Center. “Today’s press conference is evidence of this partnership in action.”
“This worm has the potential to affect all of our infrastructures, which is why the Partnership for Critical Infrastructure Security, a public-private collaborative effort, is here today,” said Ken Watson, Chairman of the Partnership for Critical Infrastructure Security. “I would like to commend the U.S. governments response to this threat, and call upon governments worldwide to encourage the establishment of information sharing mechanisms such as ISACs that can help prevent and respond to attacks on the Internet like the “Code Red” worm.”
Groups involved in today’s joint warning are:
Critical Infrastructure Assurance Office (CIAO)
Federal Computer Incidence Response Center (FedCIRC)
National Infrastructure Protection Center (NIPC)
Information Technology Association of America (ITAA)
CERT Coordination Center
Internet Security Systems (ISS)
Internet Security Alliance (ISA)
Information Technology Information Sharing and Analysis Center (IT-ISAC)
National Coordinating Center for Telecommunications (NCC)
The Partnership for Critical Infrastructure Security (PCIS) is a collaborative effort of industry and Government to address risks to the Nations critical infrastructures and assure the delivery of essential services over the nations critical infrastructures. The mission of the Partnership is to work with the federal government to promote the critical infrastructure security of the United States by focusing on cross-industry sector issues.
The National Infrastructure Protection Center (Center) evolved from the FBI’s Computer Investigations and Infrastructure Threat Assessment Center, and has been given a national, critical infrastructure protection mission per Presidential Decision Directive (PDD) 63. The Center was designed to bring under a single entity responsibility for coordinating the Government’s efforts to prevent and respond to attacks and illegal cyber activities directed towards our critical infrastructures. It operates under the investigative and national security authorities of the Attorney General. The mission of the Center is to detect, deter, warn of, respond to, and investigate malicious acts, both physical and cyber, that threaten or target the Nation’s critical infrastructure.
Government and Industry Groups Warn “Code Red” Internet Worm Ready for Serious Strike; Urge Preventative Measures
Question: Why is this important today?
Answer: Only through quick response to notify the public can risks to the Internet be minimized. The government and the private sector are here today to provide this warning. This is similar to when people are warned about travel abroad and threatening weather conditions. This is not the last of these threats and the partners assembled here today would like the public to be aware of the possibilities and precaution options available, and take whatever steps they deem necessary.
Question: When did it start and when did it become a concern?
Answer: This worm appeared two weeks ago and many steps have been taken to try to stop it. Unfortunately, the infestation continues, mutations of the worm have already begun to appear, and the worm is timed to begin hyper-growth late on July 31. The initial worm had a seven day incubation period; the new version may incubate in an even shorter period. This malicious code, a clear and present threat, needs to be stopped before it does real harm to electronic commerce and other uses of the Internet.
Question: How does this affect business and government?
Answer: It floods the Internet with probes looking for additional machines to infect. The flooding slows the Internet down. As it slows, transactions that depend on timeliness begin to fail. People take longer to get results, and more importantly, some sites just disappear from the Internet as the worms probes overwhelm networks or damage routers or both. Consumers will see the Internet slow down or they may lose connectivity if their ISP is overwhelmed with probes. From a technical perspective, it doesn’t matter who the target of the attack is. The real power of the worm is the amount of bandwidth generated by all the systems attacking at once. The attack is really against the Internet infrastructure, regardless of the actual targeted site.
Question: What types of machines are affected?
Answer: Machines running Windows 2000 or Windows NT 4.0 and the IIS web server software. IIS is not installed by default (or automatically) on Windows NT 4.0 (you have to install it from the option pack) nor on Windows 2000 Professional (the workstation). It is installed by default on Windows 2000 server packages.
Question: Can “Code Red” be turned off?
Answer: Yes, but it will require the concerted action of everyone who operates a Microsoft IIS Webserver to follow the procedures we have outlined and to do it expeditiously. There is no MASTER SWITCH to turn off the Code Red worm. History shows that such exploits are not single events but harbingers of trends. The only real solution is for users to fix the vulnerability.
Question: Why doesn’t industry do something about it?
Answer: Industry is doing a great deal, starting with Microsoft. The company identified the vulnerability, published an effective remedy, and worked closely with their partners in the public and private sector to spread the word. The industry representation on the stage today is testament to the high level of industry commitment to solving this problem.
Question: How quickly will Internet performance degrade?
Answer: Between July 12 and July 19, the Code Red worm infected more than 350,000 systems and, on the 19th, slowed Internet performance by 40%. Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT, and it has mutated. The newest version could scan and infect all vulnerable systems on the Internet even more quickly than the original, possibly in as little as two or three days. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems.
Question: Does this attack steal information or documents?
Answer: The known version of the “Code Red” worm does not “steal” information or documents from a system. It is possible that a variant of this worm could steal, modify or delete documents and information.