May 06, 2002, 5:05 PM — When computer security historians look back at 2001, the emergence of the Nimda and Code Red worms will likely sit close to the top of their significant events lists. Both worms were heralded as threats that could have brought down large sections of the Internet, but when this didn't happen the security spotlight quickly moved elsewhere.
New data obtained from a study by Arbor Networks Inc. will likely refocus that spotlight, as it shows that both worms are alive and well and still infecting new victims daily. Though the data from Arbor's study is still preliminary, it shows a wide range of Code Red, Code Red 2 and Nimda infections, according to Dug Song, security architect at Arbor, which is based in Waltham, Massachusetts.
Arbor has been monitoring a large section of the Internet since September and in that time has seen machines associated with about 5 million unique IP (Internet Protocol) addresses become infected with one of the three worms, he said.
Though Nimda infections are fairly level, the rate of Code Red 2 infections is up in the last month, he said.
"There appears to be an ever-growing pool of Code Red 2-infected hosts (every month)," he said.
Why Code Red 2 is continuing to spread is still a mystery to Arbor, Song said.
"We don't know what's accounting for this," he said. "It's counterintuitive" since infected systems should be getting patched and removed from the Web, he said.
Arbor's study isn't the only data that points to a continued presence for the worms. The worms still hold places in the top 20 viruses detected worldwide in April by Kaspersky Labs Ltd., and antivirus vendor Trend Micro Inc. has had more than 1,500 reports of Nimda activity worldwide in the last 24 hours, according to a virus map on its Web site.
Nimda and Code Red both attack security vulnerabilities in Microsoft Corp.'s IIS (Internet Information Services) Web server product, though patches to fix the flaws have been available for nearly a year. Despite the long-standing presence of the patches and the major push to fix vulnerable systems near the time of the original outbreaks, both worms have been constantly active since their release, said Oliver Friedricks, director of engineering at SecurityFocus Inc., located in San Mateo, California.
SecurityFocus is "still seeing a pretty consistent level of both worms," Friedricks said, though there has been a small increase in activity in the last few months. This is likely due to "people ... putting new systems on the Internet and not patching them" and those systems getting infected, he said.