Web worms: Code Red to Warhol

Striking on July 19, the so-called Code Red worm infected more than 360,000 computers throughout the world in less than 14 hours. The rapid rate at which the worm spread, without human intervention, vividly demonstrated how such a rogue computer program can interfere with the Internet.

The Code Red worm failed in achieving its goal: overwhelming the White House Web site by attacking it with simultaneous messages from all the infected computers. Nonetheless, it caused considerable disruption for everyone with vulnerable systems. It could have been much worse.

With a more efficient infection strategy, a malicious programmer could build a worm that attacks all vulnerable machines worldwide in about 15 minutes, says computer science graduate student Nicholas C. Weaver of the University of California, Berkeley. Such a worm “could cause maximum damage before people could respond,” he contends.

Weaver posted a paper describing his hypothetical “Warhol worm” at http://www.cs.berkeley.edu/~nweaver/warhol.html. Weaver’s name for the worm echoes artist Andy Warhol’s comment that “in the future everyone will be world famous for 15 minutes.”

The Code Red worm started out on a single computer. It scanned the Internet, trying randomly chosen numerical addresses to identify computers using Microsoft’s Internet Information Server (IIS) software. Whenever it found such a computer, it exploited an IIS flaw to take control of its target. It then transferred a copy of itself to the new host. Symptoms of infected systems ranged from sluggish performance to crashes.

Several factors affect how rapidly a worm spreads: how efficiently it discovers new targets, how many targets are available, and how fast it infects each target. In most cases, Weaver says, the key factor is the rate at which a worm scans a network.

The Code Red worm probed indiscriminately, encountering computers not vulnerable to the worm and those already running it. That slowed the rate of infection, Weaver says. Moreover, although the worm spread exponentially during the early stages, it took several hours to infect its first 10,000 hosts.

The author of a Warhol worm could overcome such obstacles by compiling a list of potentially vulnerable computers with good network connections before releasing the worm, Weaver says. When released, such a worm would then make its initial inroads at locations conducive to its proliferation. After it infects a computer, a Warhol worm would then split the remainder of the initial victim list with the newly installed worm.

In computer simulations, Weaver found that a Warhol worm–starting with a list of 10,000 potentially vulnerable computers, making 100 scans per second, and requiring 1 second to infect a computer–could spread to 1 million computers in considerably less than 15 minutes, even as little as 8 minutes.
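The spread dynamics described above, as an added illustration that is not code from the article or Weaver's own simulator: a simple susceptible/infected model in which each active copy probes random IPv4 addresses, run with the parameters the article quotes (a hit list of 10,000, 100 scans per second, 1 second per infection, 1 million vulnerable hosts) and, for contrast, with a single seed host at two scan rates to show why scan rate dominates the time a defender has to respond. The minute counts it produces are this model's, not Weaver's.

```python
import math

# Added illustration, not Weaver's simulator: a simple susceptible/infected
# model of a random-scanning worm over the 2^32 IPv4 addresses.
ADDRESS_SPACE = 2 ** 32


def simulate(vulnerable, initial, scan_rate, infect_delay=1,
             target_fraction=0.99, max_seconds=24 * 3600):
    """Seconds until target_fraction of the vulnerable hosts are infected.
    Each active copy probes scan_rate random addresses per second; probes that
    hit invulnerable or already-infected hosts are wasted, so a copy expects
    scan_rate * (vulnerable - infected) / ADDRESS_SPACE new victims per second.
    A victim starts scanning infect_delay seconds after it is hit.
    Returns None if the target is not reached within max_seconds.
    """
    infected = float(initial)            # hosts compromised so far
    active = float(initial)              # hosts already scanning
    pending = [0.0] * infect_delay       # victims still being infected
    for t in range(1, max_seconds + 1):
        susceptible = vulnerable - infected
        new = min(active * scan_rate * susceptible / ADDRESS_SPACE, susceptible)
        infected += new
        pending.append(new)
        active += pending.pop(0)         # hosts hit infect_delay s ago go live
        if infected >= target_fraction * vulnerable:
            return t
    return None


def hitlist_seconds(list_size, infect_delay=1):
    """Seconds to work through a pre-compiled victim list when each new copy
    takes half of its parent's remaining list: the infected count doubles
    every infect_delay seconds, so ceil(log2(list_size)) rounds suffice."""
    return math.ceil(math.log2(list_size)) * infect_delay


def warhol_total_seconds(vulnerable=1_000_000, hit_list=10_000,
                         scan_rate=100, infect_delay=1):
    """Hit-list phase, then random scanning by every host on the list, with
    the parameters the article quotes (the numbers are this model's)."""
    return hitlist_seconds(hit_list, infect_delay) + simulate(
        vulnerable, hit_list, scan_rate, infect_delay)


if __name__ == "__main__":
    print("Warhol, 99% of 1M hosts:", warhol_total_seconds(), "s")
    print("one seed, 100 scans/s, 360k hosts:", simulate(360_000, 1, 100), "s")
    print("one seed,  10 scans/s, 360k hosts:", simulate(360_000, 1, 10), "s")
```

The model ignores address-space structure, bandwidth limits and failed connections, so it is a lower bound on spread time rather than a prediction; its value is the order of magnitude, minutes rather than hours, against which human-speed incident response has to be measured.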

“A worst-case Warhol worm is truly frightening, capable of doing billions of dollars in real damage and disruption,” Weaver contends. So far, Code Red and other worms have been comparatively slow, he notes.

David Moore of the Cooperative Association for Internet Data Analysis (CAIDA) at the University of California, San Diego has analyzed how the Code Red worm spread. The worm had complete control of every machine it took over, Moore says. It could have been programmed to corrupt data or cause other irreparable damage.

Earlier this month, another worm, which called itself Code Red II but was actually a completely different program, exploited the same IIS vulnerability in those computers that hadn’t already been protected against the first Code Red worm. It spread itself more efficiently than the earlier worm and was harder to track, Moore says. Code Red II also installed a surreptitious entry point into each infected system, enabling a malicious programmer to log in remotely and operate the computer.