Striking on July 19, the so-called Code Red worm infected more than 360,000
computers throughout the world in less than 14 hours. The rapid rate at which the
worm spread, without human intervention, vividly demonstrated how such a rogue
computer program can interfere with the Internet.
The Code Red worm failed in achieving its goal: overwhelming the White House Web
site by attacking it with simultaneous messages from all the infected computers.
Nonetheless, it caused considerable disruption for everyone with vulnerable
systems. It could have been much worse.
With a more efficient infection strategy, a malicious programmer could build a
worm that attacks all vulnerable machines worldwide in about 15 minutes, says
computer science graduate student Nicholas C. Weaver of the University of
California, Berkeley. Such a worm “could cause maximum damage before people could
respond,” he contends.
Weaver posted a paper describing his hypothetical “Warhol worm” at
http://www.cs.berkeley.edu/~nweaver/warhol.html. Weaver’s name for the worm echoes artist
Andy Warhol’s comment that “in the future everyone will be world famous for 15
The Code Red worm started out on a single computer. It scanned the Internet,
trying randomly chosen numerical addresses to identify computers using Microsoft’s
Internet Information Server (IIS) software. Whenever it found such a computer, it
exploited an IIS flaw to take control of its target. It then transferred a copy of
itself to the new host. Symptoms of infected systems ranged from sluggish
performance to crashes.
Several factors affect how rapidly a worm spreads: how efficiently it discovers
new targets, how many targets are available, and how fast it infects each target.
In most cases, Weaver says, the key factor is the rate at which a worm scans a
The Code Red worm probed indiscriminately, encountering computers not vulnerable
to the worm and those already running it. That slowed the rate of infection,
Weaver says. Moreover, although the worm spread exponentially during the early
stages, it took several hours to infect its first 10,000 hosts.
The author of a Warhol worm could overcome such obstacles by compiling a list of
potentially vulnerable computers with good network connections before releasing
the worm, Weaver says. When released, such a worm would then make its initial
inroads at locations conducive to its proliferation. After it infects a computer,
a Warhol worm would then split the remainder of the initial victim list with the
newly installed worm.
In computer simulations, Weaver found that a Warhol worm–starting with a list of
10,000 potentially vulnerable computers, making 100 scans per second, and
requiring 1 second to infect a computer–could spread to 1 million computers in
considerably less than 15 minutes, even as little as 8 minutes.
“A worst-case Warhol worm is truly frightening, capable of doing billions of
dollars in real damage and disruption,” Weaver contends. So far, Code Red and
other worms have been comparatively slow, he notes.
David Moore of the Cooperative Association for Internet Data Analysis (CAIDA) at
the University of California, San Diego has analyzed how the Code Red worm spread.
The worm had complete control of every machine it took over, Moore says. It could
have been programmed to corrupt data or cause other irreparable damage.
Earlier this month, another worm, which called itself Code Red II but was actually
a completely different program, exploited the same IIS vulnerability in those
computers that hadn’t already been protected against the first Code Red worm. It
spread itself more efficiently than the earlier worm and was harder to track,
Moore says. Code Red II also installed a surreptitious entry point into each
infected system, enabling a malicious programmer to log in remotely and operate