Bugs, viruses & worms plague IT world
Bernhard Warner

CODE Red computer worm threatened to hobble the Internet on Tuesday, forcing companies and government to fortify against an attack at midnight GMT. The worm is the latest in a series of disruptive so-called bugs and viruses to infest the IT world in recent years. Following are some earlier pests.

Sircam — Emerged in July, 2001. Still active, though its impact is on the wane, Sircam is an e-mail worm that has spread to computer users in 50 countries.

The worm, also named W32.Sircam, arrives as an e-mail attachment and can delete files from the infected computer's hard drive. Experts describe it as a self-propagating worm written in English and Spanish-language versions. It sends copies of itself, disguised as a random file from the infected computer's hard drive, to all names addresses in the infected computer's address book.

Anna Kournikova — Developed by a 20-year-old Dutch man, the Kournikova worm spread in February to hundreds of thousands of computers via e-mail. The hoax e-mail carried an attachment that was identified as a picture of the Russian tennis star. Once opened, it spread around the world, slowing down e-mail systems and shutting down some servers. The worm's author, Jan Dewit from Dutch town of Sneek, was arrested after turning himself in on February 13 to local authorities.

The Love Bug —First detected in Asia on May 4, 2000, the most destructive computer worm of all was predicted at the time to have done billions of dollars in damage. Carrying the phrase "I love you" in the subject line of an e-mail, unwitting victims, including those at the Pentagon and the Central Intelligence Agency in Washington D.C., and the British parliament, opened the email and systematically spread the corrupted message to every address in their in-box. It forced network administrators to shut down e-mail systems. The Love Bug was traced to a 27-year-old Filipino, Reonel Ramones. The case was later dropped by Philippine authorities. Melissa. The queen of email viruses first appeared in April, 1999, spreading via infected computer users' Microsoft Outlook email address books. Once opened, it could destroy files in a user's hard drive.David Smith, a New Jersey man suspected of creating the "Melissa" virus appeared in court to be charged with violating New Jersey computer laws. The virus disrupted and crashed some e-mail and computer networks at thousands of companies and government agencies around the globe by overloading their systems.

NIC the government agency that hosts government Web sites reported no immediate effect from the dreaded "Code Red" Internet worm that was expected to strike Web servers on Wednesday.

"This was a known problem and so we had already taken the necessary precautions and installed the software patch," B.K. Gairola, deputy director-general of National Informatics Centre (NIC) told Reuters by telephone.

NIC connects Indian states through its nationwide satellite-based computer network and maintains more than 500 government Web sites.

The worm, a benign sort of software virus that affects computers running certain types of Windows operating systems, has struck twice before, hitting hundreds of thousands of computers.

But millions of computer users have been better prepared this time, thanks to a free software patch that catches the worm before it turns.

"We have done our best. There are no incidents to report so far but we are keeping our fingers crossed," Gairola said.

The U.S. government, which appeared to be the target of previous manifestations of the virus, said it had not been affected but said it could be days before any damage was noticed.

Code Red bombards Web sites with a crippling amount of traffic, making them inaccessible to legitimate users.

It stealthily gains entry to Web servers when users call up a page and attacks computers running Microsoft's Windows NT and Windows 2000 operating systems. Windows '95, '98 and Microsoft Me users are generally not vulnerable.

"Wherever we have a combination of such systems, we had applied patches," a spokesman for Satyam Infoway, told Reuters.

"We have not been affected so far," he added.

The original version also defaced sites hosted by infected computers and some affected sites showed the message "Hacked by Chinese!" afterwards — although the Chinese government said the worm probably didn't originate there.

IT had already cost an estimated $1.2 billion in damage to networks, a research organization said on July 30.

The cost of clean-up, monitoring and checking systems for the self-propagating worm, which has infected about 360,000 servers, is $740 million, said Michael Erbschloe, vice president of research at Computer Economics, an independent research organization in Carlsbad, Calif.

The loss of productivity associated with the worm, which launched its first attack on July 19, is estimated at $450 million, said Erbschloe.

"Information technology people are not cheap," he said. "A lot of companies have outsourced this and they have to pay sometimes $300 an hour to have people come in and look at their servers."

An estimated six million servers are still at risk, he said.

Microsoft Corp. has reported more than one million downloads of its patch to plug the hole in its Internet Information Server. The worm affects computers running Windows NT and Windows 2000 operating systems, but not those running Windows 95, 98 or ME.

The economic cost of Code Red will not be fully tallied until the worm finishes its cycle, experts said. The worm, which has several known variants, was first recognized in mid-July and is programmed to infect other computers the first 20 days of the month and then lie dormant indefinitely.

However, infected computers with incorrect internal time and date settings are likely to keep it going into August, experts said. Erbschloe had estimated the economic impact from last year's Love Bug virus to be $8.7 billion and the economic damage from the Melissa virus in 1999 to be about $1 billion.

While some people have questioned his figures, Erbschloe said that Lloyds of London put the estimate for Love Bug at $15 billion.

"In my opinion, $8.7 billion is not ludicrous," he said. "Some companies reported seven million Love Bug messages and 10 days to clean up."

Network Associates Inc. on Tuesday reported that it has scanned more than 20,000 systems and detected more than 1,230 machines that remain vulnerable to Code Red.

"WELCOME to www.worm.com ! Hacked by Chinese!" This has been a common visual on more than 3,25,000 Computers running IIS as their Web server software. Cause — a new worm. Welcome to the world of the Code-Red — a worm spreading like wild fire across the globe. And it all happened in about 24 hours.

eEye, a computer security firm had discovered a vulnerability on June 18, which could be maliciously used to perform some functions on computers running IIS Web servers, a part of Microsoft NT operating system. They called it the .ida vulnerability. Details available at www.eeye.com/html/Research/Advisories/AD20010618.html. Microsoft responded promptly and released a patch for the same.

In less than a month, on July 13, the same company received packet logs and information from two network administrators who were experiencing a large amount of attacks targeting the .ida vulnerability. As per the company, they were able to deduce that someone had released a worm for the .ida vulnerability. Within the connection logs, they could see connection attempts from over 5,000 IIS 5 Web servers target various other IIS 5 Web servers and propagating the worm to them. The attacked servers were made to attack further IIS5 servers thus starting a chained propagation. A major attack was visible on July 19 when the payload of the worm was about to be triggered the next day.

The worm is designed to perform three basic functions:

a) Propagate itself

b) Deface the Web page on the victim and

c) Start a distributed denial of service attack on http//www.whitehouse.org, the official White House Web site.

The ultimate target of the worm was to bring the White House Web site down by making countless connections to the site. This is possible as the worm is coded in such a way that it checks the system date from the computer and if it’s greater than 20, it connects to www.whitehouse.org. This will be done from all systems infected by the worm (roughly 3,25,000 systems at the time of writing of this text, which might grow exponentially in time to come). It is now believed that there are two variants of the worm. The new one was released within a last few hours and it propagated fast enough to be visible within a few hours of being released.

Any Web server running Microsoft Internet Information Server version 4 or 5 and the patch for .ida vulnerability not installed, is vulnerable. There were also reports that systems with the patch installed are also experiencing problems. Initially, it was reported that the worm infected only IIS servers that had Index Server running. This was later modified as whether or not the service was running; the files are there on the system. As per Netcraft (www.netcraft.com), there are about 6 million IIS servers connected to the primary network. Some of the routers are also vulnerable to the attack and may stop responding thus causing service outages.

A sensible sysadm will always have logging enabled. So in the logs, one can notice high amounts of network traffic load and/or many outgoing connections. These connections will be mostly to the port 80 (http or Web service) of the target IP address. Using the netstat –an command at the DOS prompt, one can check if any such connections exist or using some utility that shows you the current network status.

The worm at one stage also checks for the existence of C:\ notworm file. If this file exists, you surely are infected. If it’s not, you maybe. If this file exists, the worm is designed to stay silent and does not propagate. However, it still will start the DoS attack when the payload trigger it.