Al-Ahram Weekly Online
6 - 12 September 2001
Issue No.550
Published in Cairo by AL-AHRAM established in 1875 Current issue | Previous issue | Site map

Red devil

Code Red, a "worm", will strike again in a new form this month. Soha Abdelaty asks if Egypt's computer users need worry

1 August 2001: Hysteria overwhelms the cyber-world. 'Code Red'' a "worm" named after an infamous US Marine disciplinary procedure, attacks the Internet. It is the most vicious and destructive glitch since the millennium bug, say the front pages. "Beware of Red Code" cried the daily Ahrar newspaper on 1 August, "it penetrated the US government, attacked the White House and forced the Pentagon to shut down its computers," it continued. It also reported that the US spent $1 billion fighting the dangerous worm. And that 250 million computers were infected in the US alone.

Others, such as the London- based Hayat newspaper were even more sensational: "the virus, Red Code, that woke on the night of 1 August, like the vampires in Dracula."

1 September, 2001: It has been a month since Red Code "woke," and Egyptians are no longer interested. Relax, nothing happened, laid-back IT experts say.

So, another unjustified worm/ virus/bug scare? Or do Egyptian computer users still have something to fear? And do we even know if Egyptian Internet users were harmed or not?

Computer users worldwide first became aware of the threat when the original version of the worm struck on 16 July. But only when 300, 000 computers worldwide were affected did experts realise the danger. The reaction time of some of our own Internet Service Providers (ISPs), in Egypt, was unforgivably slow. The "largest ISP in the country," LinkDOTNet, chose to notify its customers of the danger, and offer protection, a full two weeks after the worm had struck.

In the category of "diseases" that infect computers, Red Code is a 'worm'; a program that can replicate itself, either from one disk drive to another, or through other transporting mechanisms, like e-mail. It often arrives at its new host in the form of a joke program, or software of some sort. The worm can affect a computer in various ways: clogging e-mail servers, deleting or modifying files, and even releasing confidential information.

Code Red makes use of another beast in the IT menagerie: a bug. A bug is a programming error in a software program, such as web browser security problems. Code Red exploits Microsoft bugs to wreak its havoc. It takes advantage of a bug in the Indexing Services used by Microsoft Internet Information Server (IIS) 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. "This vulnerability allows a remote intruder to run an arbitrary code on the victim machine," explains Medhat Youssef head of the Technical Unit of RITSEC, the Regional Information Technology and Software Engineering Centre, an affiliate of a cabinet think-tank.

The Red Code worm's life-cycle has three stages. During the first, which ran from 1 August, until 19 August, the worm scanned the Internet, searching for specific security holes in IIS systems. The worm then moved on to its second phase, which lasted until 27 August. Then it exploited the affected systems to send attack traffic to the White House web server. But this phase was ineffective because the worm sent traffic to an Internet Protocol (IP) address no longer in use. Now in its final phase, the worm lies dormant.

Additionally, Code Red is designed to vandalise web pages, leaving its trace by the phrase, "Hacked by Chinese."

But Code Red was not yet done. It struck again, this time in a new variant that became known as Code Red II. It was discovered on 4 August and its effects were even more baleful than version one's. As well as being a worm, Code Red II is also a Trojan Horse. Unlike a worm, a Trojan Horse does not replicate itself, but otherwise inflicts similar damage. The Trojan Horse, unable to spawn a copy of itself, relies on users inadvertently e-mailing it to other users. Once again, however, it is received as a joke or a software program. Code Red II, as well as worming through systems, deposits a Trojan Horse in the form of a file that switches off file system protection, and publishes your C: and D: drives as web pages.

Code Red II does not vandalise web pages. Nor is it "date- sensitive" like its predecessor. But it is far more powerful because it gouges a dangerous hole in the server, allowing hackers access to those systems. Furthermore, while "it is clear that the harm of Code Red II is in the same category as Code Red I, it is more capable of spreading itself," says Youssef.

While some have learnt from their previous mistakes, patching vulnerable systems, other systems remain open to the new worm, and could be affected when the worm begins scanning for them this month. The problem lies in administrators' slow response time. Some have failed to patch their systems soon enough to protect themselves from the second round of worm attack. Even more egregiously, some software is still released with security holes.

Egypt is certainly not immune to Code Red, whether in its original format or the more recent form, especially as the IT market in Egypt grows. "It [Code Red] is overwhelming the network, so all users will feel its effect, [either] as a matter of slow Internet [or] as defaced web pages," Youssef explains. Nevertheless, it remains unclear how many users in Egypt have been infected.

Trying to chart Code Red's progress in Egypt is fiendish, simply because there is no authority capable of performing such a task effectively. Even the Central Agency for Mobilisation and Statistics (CAPMAS) has not thus far reported any damages from the worm, although there is no doubt that the worm reached Egypt at some point or other, argues Youssef.

But other analysts disagree, arguing that Egypt might be immune to Code Red II because so few users actually have Windows NT or 2000, relying mostly on Windows 95 and 98. Nasser Fouad, secretary-general of the Egyptian Software Alliance told Al-Ahram Weekly, "None of my clients has complained [of contracting the worm]; neither the banks nor the exchange bureaus."

Such analysts feel Egypt is safe: for now. It is unlikely that there will be a Code Red III. And if there is, by that time existing flaws in the system should have been fixed. "The threat is low due to the procedures taken to fix the problems allowing the worm to spread," says Youssef.

Virus lingo

Bug

A programming error in a software programme which can have unwanted side effects, such as Web browser security problems, or the threat of Y2K software problems.

Category: Trojan horse

A programme that neither replicates nor copies itself, but damages or compromises the security of the computer. It is usually e-mailed to you, although it does not e-mail itself. It may masquerade as a joke programme or software of some sort.

Category: Worm

A programme that makes copies of itself, for example, from one disk drive to another, or by copying itself using e-mail or some other transport mechanism. It may do damage and compromise the security of the computer. Like a Trojan horse, it may arrive in the guise of a joke programme or software.

Causes system instability

This payload might cause the computer to crash or to behave in an unexpected fashion.

Compromises security settings

This payload might attempt to gain access to passwords or other system-level security settings. It might also search for openings in the Internet processing components of the computer to install a programme that could be controlled remotely by someone over the Internet.

Degrades performance

This payload slows computer operations. This might involve allocating available memory, creating files that consume disk space, or causing programmes to load or execute more slowly.

Deletes files

This payload deletes various files on the hard disk. The number and type of files that might be deleted varies depending on the virus.

Modifies files

This payload changes the contents of files on the computer and might corrupt files.

Payload

This is the malicious activity that the virus performs. Not all viruses have payloads, but there are some that perform destructive actions.

Releases confidential information

This payload attempts to gain access to important data stored on the computer, such as credit card information.

Source: Symantic, the international Internet security technology company.

EmailIt!Recommend this page

© Copyright Al-Ahram Weekly. All rights reserved

Send a letter to the Editor
Issue 550 Front Page
Egypt | Region | WCAR | Economy | IT | Opinion | Culture | Features
Travel | Living | Sports | Profile | People | Time Out | Chronicles | Cartoons


Search for words and exact phrases (as quotes strings),
Use boolean operators (AND, OR, NEAR, AND NOT) for advanced queries
ARCHIVES
Letter from the Editor
Editorial Board
Subscription
Advertise! 		WEEKLY ONLINE: www.ahram.org.eg/weekly
Updated every Saturday at 11.00 GMT, 2pm local time
weeklyweb@ahram.org.eg 		AL-AHRAM
Al-Ahram Organisation