Web worms: Code Red to Warhol

Science News, August 25, 2001 by I.P

Striking on July 19, the so-called Code Red worm infected more than 360,000 computers throughout the world in less than 14 hours. The rapid rate at which the worm spread, without human intervention, vividly demonstrated how such a rogue computer program can interfere with the Internet.

The Code Red worm failed to achieve its goal: overwhelming the White House Web site with simultaneous messages from all the infected computers. Nonetheless, it caused considerable disruption for everyone with vulnerable systems. It could have been much worse.

With a more efficient infection strategy, a malicious programmer could build a worm that attacks all vulnerable machines worldwide in about 15 minutes, says computer science graduate student Nicholas C. Weaver of the University of California, Berkeley. Such a worm "could cause maximum damage before people could respond," he contends.

Weaver posted a paper describing his hypothetical "Warhol worm" at www.cs.berkeley.edu/~nweaver/warhol.html. Weaver's name for the worm echoes artist Andy Warhol's comment that "in the future everyone will be world famous for 15 minutes."

The Code Red worm started out on a single computer. It scanned the Internet, trying randomly chosen numerical addresses to identify computers using Microsoft's Internet Information Server (IIS) software. Whenever it found such a computer, it exploited an IIS flaw to take control of its target. It then transferred a copy of itself to the new host. Symptoms of infected systems ranged from sluggish performance to crashes.

Several factors affect how rapidly a worm spreads: how efficiently it discovers new targets, how many targets are available, and how fast it infects each target. In most cases, Weaver says, the key factor is the rate at which a worm scans a network.

The Code Red worm probed indiscriminately, encountering computers not vulnerable to the worm and those already running it. That slowed the rate of infection, Weaver says. Moreover, although the worm spread exponentially during the early stages, it took several hours to infect its first 10,000 hosts.

The author of a Warhol worm could overcome such obstacles by compiling a list of potentially vulnerable computers with good network connections before releasing the worm, Weaver says. When released, such a worm would then make its initial inroads at locations conducive to its proliferation. After it infects a computer, a Warhol worm would then split the remainder of the initial victim list with the newly installed worm.

In computer simulations, Weaver found that a Warhol worm--starting with a list of 10,000 potentially vulnerable computers, making 100 scans per second, and requiring 1 second to infect a computer--could spread to 1 million computers in considerably less than 15 minutes, even as little as 8 minutes.
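The scan-rate argument above can be checked with a standard random-scanning epidemic model, which gives a defender a rough estimate of the response window. This is an added example, not Weaver's simulation or code from the article. It assumes uniform random scanning of the IPv4 address space, a vulnerable population of 1 million, and that every host on the initial list is already infected at time zero.

```python
import math

IPV4_SPACE = 2 ** 32      # addresses a uniform random scanner draws from
VULNERABLE = 1_000_000    # assumed vulnerable population (the article's 1 million)
SCANS_PER_SEC = 100       # per-host scan rate quoted in the article


def seconds_to_reach(target, seed, scans=SCANS_PER_SEC,
                     vulnerable=VULNERABLE, limit=24 * 3600):
    """Seconds until the expected infected count reaches `target`.

    One step is one second, which also stands in for the article's
    1-second infection time: a host hit in step t scans from step t+1.
    """
    infected = float(seed)
    for t in range(limit + 1):
        if infected >= target:
            return t
        # Probability that a given vulnerable host is probed this second.
        p_hit = 1.0 - math.exp(-infected * scans / IPV4_SPACE)
        infected += (vulnerable - infected) * p_hit
    return None  # target not reached within `limit` seconds


def response_windows():
    """Compare a single-seed outbreak with one that starts from 10,000 hosts."""
    goal = 0.99 * VULNERABLE  # "saturation" taken as 99% of vulnerable hosts
    return {
        "single_seed_total": seconds_to_reach(goal, seed=1),
        "single_seed_first_10k": seconds_to_reach(10_000, seed=1),
        "hitlist_10k_total": seconds_to_reach(goal, seed=10_000),
    }


if __name__ == "__main__":
    for name, secs in response_windows().items():
        print(f"{name:>22}: {secs / 60:5.1f} min")
```

In this model roughly half of the single-seed run is spent reaching the first 10,000 hosts, which is the slow early phase the article describes and the time a defender loses when an outbreak starts from a prepared list.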

"A worst-case Warhol worm is truly frightening, capable of doing billions of dollars in real damage and disruption," Weaver contends. So far, Code Red and other worms have been comparatively slow, he notes.

David Moore of the Cooperative Association for Internet Data Analysis (CAIDA) at the University of California, San Diego has analyzed how the Code Red worm spread. The worm had complete control of every machine it took over, Moore says. It could have been programmed to corrupt data or cause other irreparable damage.

Earlier this month, another worm, which called itself Code Red II but was actually a completely different program, exploited the same IIS vulnerability in those computers that hadn't already been protected against the first Code Red worm. It spread itself more efficiently than the earlier worm and was harder to track, Moore says. Code Red II also installed a surreptitious entry point into each infected system, enabling a malicious programmer to log in remotely and operate the computer.

COPYRIGHT 2001 Science Service, Inc.
COPYRIGHT 2008 Gale, Cengage Learning

Content provided in partnership with Thompson Gale