Code Red: Microsoft and US government got it wrong

Keynote not impressed by Gates' vital statistics...

By Joey Gardiner, 31 July 2001 17:44

Data from web performance monitoring firm Keynote has thrown doubt on US claims the Code Red worm halted traffic when it struck web-servers last week.

In a joint conference held by Microsoft, US Federal Government Agencies and IT industry bodies, it was stated that web performance fell by 40 per cent when the worm - which targets a flaw in Microsoft's Internet Information Server (IIS) - hit its peak on 19 and 20 July.

However, Keynote said its data shows web performance only fell by a maximum of 15 per cent. Additionally it blamed much of this poor performance on a train crash in Baltimore that damaged the fibre-optic lines running alongside the track.

Bill Jones, senior director of public services at Keynote, said: "On 19 and 20 July there was a minor slowdown, some of which we attribute to the train wreck which cut cables and some of which was a result of increased traffic because of the virus reports."

The news contributes to a growing feeling that the Code Red problem has been over-hyped.

The worm works by searching for vulnerabilities in servers and propagating itself rapidly between them. This web traffic can force a denial of service attack when all the messages start to point themselves to a certain IP address at a given time. In the meantime the authorities claim other internet traffic is massively slowed because of the huge amounts of data being transmitted. Upwards of 300,000 computers are thought to have been affected.

However, a repeat performance can be avoided quite easily if users download a patch for the flaw in Microsoft's IIS.

Raimund Genes, European VP at security vendor Trend Micro, said: "This has been absolutely over-hyped. Yes there may be some slight slow-down in web performance, but it will be nothing like what has been predicted."

Eric Chien, chief researcher at rival security vendor Symantec, agreed, urging people to remember no new servers will be infected that were not hit last time, because the worm had already sought out all machines running vulnerable software. He said: "You have to think that, with all the publicity, many people would have patched the hole in their servers, so we won't see 300,000 servers affected this time."

The worm has lain dormant since 24 July, and is due to re-emerge at 01:00 (BST) on the morning of 1 August.
