Network Researchers Track the Worldwide Spread of the "Code Red" Worm
Date: 2001-07-27
Contact: KC Claffy
Phone: 858-534-8333
Email: kc@sdsc.edu
Someone turned a worm loose on the Internet late last week, and in less
than a day it infected hundreds of thousands of Web servers around the
world. Using sophisticated new "backscatter analysis" techniques
developed to detect denial-of-service attacks, researchers at the
Cooperative Association for Internet Data Analysis (CAIDA) of the San
Diego Supercomputer Center (SDSC) tracked the progress of the
infestation.

"More than 359,000 computers were infected with a version of the Code
Red worm in less than 14 hours," said David Moore, SDSC senior network
researcher and a principal investigator at CAIDA. "At the peak of the
infection frenzy, more than 2,000 new hosts were infected each minute."

The Code Red worm infects Web servers by exploiting a security flaw in
the Microsoft Internet Information Services (IIS) software package; only
systems that run Microsoft software are infected. On July 12, less than
a month after the IIS vulnerability was made known to the computer
security community, the Code Red worm was detected "in the wild" by Marc
Maiffret and Ryan Permeh of eEye Digital Security. A new, "improved"
variant surfaced on July 19.

Once it infects a host, the Code Red worm tries to spread the infection
by sending a copy of itself to 99 random IP addresses. Then it waits. On
the 20th day of the month, each copy of the worm tries to bombard the
White House Web site with messages in an attempt to overload its Web
server. Fortunately, the White House webmaster was alerted to the
problem and changed the numeric IP address of the Web server, which
foiled the second phase of the attack.

"We analyzed data from a 24-hour period, beginning midnight UTC July 19,
during the critical phase of the infection process," Moore said. "By
examining the incoming message traffic to normally unused sections of
the Internet we were able to track the spread of the infection as the
worm tried to transplant itself to machines at randomly generated
addresses on the Net."

Moore's study collected data from two sources. CAIDA had monitors on
portions of the UCSD campus network, and Vern Paxson at Lawrence
Berkeley Laboratory provided data from monitors on two networks at LBL.
In addition to Paxson, Pat Wilson, Brian Kantor, and Stefan Savage of UC
San Diego, Ken Keys, kc claffy, and Colleen Shannon of CAIDA, and Jeff
Brown of UC San Diego and NLANR all contributed data, analyses, or
advice to the tracking effort.

The worm was programmed to switch from an "infection phase" to an
"attack phase" at midnight UTC on July 20. A sudden decrease in
infection activity at that time appears to be due to this switch.

"The statistics of the infected hosts are interesting," Moore said. "43
percent of all infected hosts were in the United States, with 11 percent
in Korea, 5 percent in China, and 4 percent in Taiwan. The .NET Top
Level Domain (TLD) accounted for 19 percent of all compromised machines,
followed by .COM with 14 percent and .EDU with 2 percent." The CAIDA
study also observed 136 infected .MIL hosts (0.04 percent of the total)
and 213 infected .GOV hosts (0.11 percent).

Moore noted that roughly 10 percent of the top domain names of infected
hosts are domain names of Internet Service Providers to home and small
business systems. "Machines operated by home users or small businesses
are as integral to the health of the global Internet as the big systems,
and they are much less likely to be maintained by a professional system
administrator who can react quickly to a security threat. As is the case
with biologically active pathogens, vulnerable hosts can and do put
everyone at risk, regardless of the significance of their role in the
population."

A QuickTime animation of the geographic infestation of the worm is
available at
http://www.caida.org/analysis/security/code-red/newframes-small-log.mov.
In this animation, the infestation circles indicate the number of
infected hosts and their geographic locations; circles in the centers of
countries indicate hosts within country domains for which a more
specific geographic location cannot be determined.

"This could have been a lot worse," said Pat Wilson, Network Security
Manager for UC San Diego. "The Code Red worm was exquisitely coded for
maximum annoyance but minimum damage. It doesn't alter the files on a
computer's disk drive, and it resides only in memory. You can stop the
active worm by rebooting, but of course that's not going to protect you
from getting infected again -- only applying the patch will do that."

"Whoever wrote this thing wanted to scare people," said Tom Perrine,
Manager of Security Technologies at SDSC. "Imagine the chaos if it had
erased the disks or randomly corrupted the files of several hundred
thousand Web servers."

"A key component of CAIDA's mission is to provide tools, methodologies,
and analyses that promote a robust and scalable Internet," Moore said.
"One of the ways we do that is by looking for trouble spots, and
denial-of-service attacks and other remote exploits are definitely
trouble."

CAIDA is a program of the San Diego Supercomputer Center, an organized
research unit of UC San Diego. CAIDA creates tools and technologies for
Internet measurement, message traffic analysis, and network topology
visualization for use by network engineers and researchers. CAIDA also
sponsors education and outreach efforts such as the Internet Engineering
Curriculum Repository. Support for the Code Red tracking study was
provided by the Next Generation Internet program (NGI contract
N66001-98-2-8922) and Network Modeling and Simulation program (NMS grant
No. N66001-01-1-8909) of DARPA's Information Technology Office, by the
Advanced Networking Infrastructure and Research Division of the NSF's
Directorate for Computer and Information Science and Engineering (NSF
grant NCR-9711092), and by CAIDA member organizations.