
Cost of 'Code Red' rising

(CNN) -- The "Code Red" worms are spreading more slowly over the Web, but estimates of the damage caused by the malicious programs are rising by the day, making them among the most costly security threats ever to hit the Internet, experts said Wednesday.

The economic cost of both worms has risen to nearly $2 billion, up from an estimated $1.2 billion as of a week earlier, according to Computer Economics, a Carlsbad, California, research company that keeps a tally of the projected damage caused by computer viruses.

"I would agree that this is going to end up being the most expensive incident across the board, with regard to the number of organizations that are having to foot the bill to clean it up," said Michael Erbschloe, vice president of research at the company.

Categorizing the "Love Bug" as a virus, Erbschloe called the Code Red worms the "biggest worm incidents in the history of the Internet."


The latest version of Code Red, which leaves computers open to hijacking, has caused sporadic outages and slowdowns on the Internet, anti-virus experts say.

The worm, known as "Code Red II," could easily permit hackers to take control of hundreds of thousands of infected machines, according to Net security analysts.

The malicious code, which first scans computers on the nearby networks in search of new victims, has caused major headaches for some businesses with many connected machines.

"The network disruption is significant enough to warrant heightened awareness," cautioned the SANS Institute on Tuesday. The institute is a computer security think tank working with the FBI and other authorities to monitor assaults on the Internet.

Since its debut Saturday, Code Red II has managed to infiltrate internal networks of Internet service providers and other major companies. The proliferating worm can flood nearby machines with enough traffic to force Web sites offline, Net authorities said.

Collateral damage not taken lightly

"It's something we call collateral damage, but I don't mean that lightly," said Alan Paller, director of research for the SANS Institute. "This thing creates traffic inside a subnet, creates traffic in addition to what comes in from the outside."

"An awful lot of traffic is being sent, clogging the bandwidth. The worm has this magnifying effect" during attacks on internal networks, said Russ Cooper, owner and moderator of NTBugtraq, an electronic mailing list that discusses Windows security bugs.

In Virginia, one regional ISP affiliated with Cox Interactive Media suffered service outages on Monday and Tuesday. Callers trying a customer service phone number were greeted with a taped recording saying service would be restored Wednesday.

Code Red II is a possible culprit for that and other sporadic outages, computer security experts said. Cox Interactive representatives did not return numerous phone calls.

At AOL Time Warner Inc., which offers the RoadRunner cable modem service, spokesman Mike Luftman said there had been "minimal impact" and no service outages from Code Red. (AOL Time Warner is the parent company of

"There have been slight slowdowns, but those are geographically limited," said Luftman. "We've only identified about 1,000 customers whose computers have been infected."

ExciteAtHome Corp. spokeswoman Estela Mendoza said Code Red's impact on cable customers has been "minimal and not widespread," affecting less than 2 percent of its subscribers.

Hijacking epidemic in the making?

The rogue application, which disappears from computer memory after one or two days, secretly installs a backdoor on infected Web servers, making them vulnerable to hijacking.

"I think there are enough hackers in the world that will look for machines they can own. It's not difficult to find them. It is very easy to control a large number of machines," Cooper said.

The infection gives high-tech outlaws the ability to take control of tainted machines, steal any data they contain -- be it credit card numbers or sensitive passwords -- and even launch additional attacks on the Net, computer security experts said.

"This is going to cause the meltdown of the Internet, the vulnerability that this worm is exploiting," said Cooper.

Code Red II has infected an estimated 150,000 to 400,000 machines, according to anti-virus companies. The assault is reminiscent of the original Code Red, which launched attacks on the Internet in mid-July and the first week of August.

The two worms are composed of different code, but both take advantage of the same security flaw in Microsoft operating systems and software. The original Code Red worm affects computers running Internet Information Services (IIS) software and Windows NT 4.0 or Windows 2000 operating systems.

Home machines not at risk

Code Red II seems to infect only machines running IIS and Windows 2000. Servers using Windows NT crash when Code Red II attempts to infect, SANS said. Virtually no home computers are at risk of infection, as machines with Windows 95, 98 or Me are not vulnerable to either worm.

Some models of Cisco Systems Inc. digital subscriber line routers, Hewlett-Packard Co. print servers and 3Com Corp. LAN modems are susceptible to denial-of-service attacks when their Web interfaces get overloaded, even though that equipment is not specifically targeted by the Code Red worm, experts said.

"They're not getting infected, but they're still shutting down," said Elias Levy, chief technology officer of

Last week, users downloaded more than 1 million patches from Microsoft to ward off Code Red. The patch protects against Code Red II as well.

Those measures should help protect against the new worm, too. But computers infected with the later worm should be reformatted entirely, security experts advised. The reason is that a hacker might have stealthily entered an infected machine and done more hidden damage.

When the Code Red worm made its debut last month, it swept through more than 250,000 computers in nine hours, forced the White House to change its numerical IP Web address and prompted the Pentagon to briefly take its public Web sites off-line.

The origin of both worms remains a mystery, but Code Red II is designed to stop spreading on October 1.

-- Writer Richard Stenger, Sci-Tech Editor Daniel Sieberg and Reuters contributed to this report.
