UQ computer security experts warn of the reactivation of Internet worm

The Australian Computer Emergency Response Team (AusCERT) at The University of Queensland has warned Australian companies and individuals to be prepared for a further round of propagation of an Internet worm known as Code Red.

AusCERT is a subscription-based organisation with members distributed throughout Australia and New Zealand in the government, commercial and education sectors.

UQ's Director of Information Technology Services and AusCERT Nick Tate said several Internet security firms around the world had recently released information on Code Red.

"This worm is believed to have infected thousands of sites overseas, and some sites within Australia and New Zealand," he said.

AusCERT co-founder and General Manager Rob McMillan said there were believed to be at least two variants of Code Red that each followed a date-triggered pattern of:

- propagation mode, from the 1st to the 19th of the month;
- denial-of-service attack mode, from the 20th to the 27th of the month, to be launched against a specific IP address embedded in the code; and
- sleep mode, from the 27th day of the month onwards, where the worm remains in memory but inactive.

"Some sites have reported significant increases in network bandwidth usage during the worm's propagation and denial of service phases," he said.

"The Code Red worm may again activate in its propagation mode on August 1, 2001. It is therefore possible that some organisations will notice a significant increase in network bandwidth usage on this day, possibly causing service disruption.

"It is possible that the worm could continue following this cycle monthly until each vulnerable machine is patched. As vulnerable machines are patched, the impact of the worm will diminish with each cycle.

"The worm propagates via a vulnerability in the Microsoft Internet Information Server (IIS). Microsoft recently released a patch for this vulnerability, and organisations are strongly urged to consider installing these patches in accordance with their policies and procedures."

Mr McMillan said the number of Internet security incidents was growing rapidly. Some 8197 computer security incidents were reported to AusCERT last year representing a four-fold increase on the number reported in 1999. AusCERT had also received an increasing number of reports of web-page defacement throughout Australia and New Zealand, he said.

The group began operations in 1993, and acts as a co-ordinating centre, advisory capability, centre of expertise, and a portal to its contacts throughout the world.

"We provide a single, trusted point of contact in Australia and New Zealand for the Internet computer community to deal with computer security incidents and their prevention," he said.

"Our members have been fully briefed on Code Red and other security concerns."

AusCERT is an operational arm of The University of Queensland. It is funded primarily through membership fees, with some additional income from value-added services such as research, training and education. It has a strong focus in the Asia-Pacific region.

The group won the Government-service delivery category at the Asia/Pacific (Queensland) IT awards in December 2000. Previous honours include winning the SANS 1998 Technology Leadership Award.

For more information, email: auscert@auscert.org.au or visit the AusCERT website: http://www.auscert.org.au

Media: For further information, contact Jan King at UQ Communications at 07 3365 1120.