Code Red hits broadband providers

Worms attack servers and Windows platforms,
disrupting Internet service

Though most broadband operators took preventative measures, the Code Red worm and its mutations still managed to disrupt service for AT&T, Cox Communications, Excite@Home and Qwest Communications.

The worms, which affect users of Windows NT versions 4.0 and 5.0 as well as unpatched Microsoft Internet Information Servers, flood networks with e-mail traffic. In addition, some of Cisco Systems' equipment may be vulnerable to the worms.

According to the Systems Administration, Networking and Security Institute, cable and DSL providers are particularly at risk because of the Code Red II worm's “address resolution protocol flooding” DOS attack, which swamps networks with address requests.

Less than 2% of Excite@Home's 3.6 million subscribers were affected, though the Code Red II worm appears to have infected part of the Excite@Home network, a spokeswoman said.

“We've been able to keep the impact minimal because we made some significant upgrades to the network recently that enable us to handle increased traffic,” she said.

Less than 2% of Cox's @Home users have been affected by both strains of the worm, a Cox spokeswoman said. AT&T would not disclose information on numbers of customers affected by the worm and its mutations.

Qwest users began experiencing problems with the introduction of the Code Red II worm, a spokesman said. Some of Qwest's DSL customers using Cisco 675 and 678 modems were affected. Though the modems do not become infected, they become a target of network devices that are infected with the virus. Of the company's 360,000 DSL customers, the vast majority was not affected, a spokesman said.

Telecom companies and security experts agree on the steps to keep the Code Red worm at bay: Install the MS01-033 patch provided by Microsoft for its IIS servers; constantly monitor networks; educate customers and work with cable partners to inform them of their vulnerabilities; and encourage the use of firewall protection software.

Though Microsoft developed a fix for the worm weeks before it caused major damage, its mutations could cause more.

The first wave was deflected because users applied the patch that fixes the vulnerability in IIS servers, a Microsoft spokesman said. “All variants of the worm discovered thus far have attempted to exploit the same vulnerability; therefore, customers who applied the original patch are still protected,” he said.

Analysts and vendors agree that no platform is completely safe.

“Applications software does today and will tomorrow have bugs and vulnerabilities,” said Randy Sandone, president and CEO of Argus Systems Group. “The answer is to create a secure application environment where you can run these applications, even if they do have vulnerabilities.”

Users can also take several steps in making assets and transactions more secure, added Vincent Weafer, director of the Symantec AntiVirus Research Center. “But it's a bit like living in the city. You are going to be exposed to a lot of things around you from your neighborhood, so it's about trying to secure yourself as best as possible. And in this case, it was not that it was technically challenging or difficult to fix, but it's really about how to educate yourself to have the proper level of security for what you're doing.”