Although security organizations are warning users that the Code Red worm might retrigger on July 31, the warnings remain suspect. As Surgeon General of TruSecure and NTBugtraq mailing list editor Russ Cooper points out, testing of the Code Red worm indicates otherwise.
Cooper posted a message to the NTBugtraq mailing list on Sunday, July 29, to retract a statement he'd given to the media that said the worm would propagate itself again at the end of July. According to Cooper, further analysis of the Code Red worm code reveals that the worm does perform a date check to determine the day of the month. However, the worm limits the date-checking routine to days numbered 1 through 28. Because this limited date range excludes days numbered 29 through 31, Cooper said, "When [the worm] goes dormant after the [July] 27, it does not come back."
In addition, Cooper reminded users that the analysis applies only to the original Code Red worm and might not apply to variants of the code. Nonetheless, several entities, including SANS Institute Online (SANS), Internet Security Systems (ISS) and Computer Associates (CA), warn that the worm might retrigger. Over the weekend, SANS sent an email stating, "Code Red is likely to start spreading again on July 31, 2001, 8:00 PM EDT and has mutated so that it may be even more dangerous."
ISS sent an alert stating, "On servers that are still infected, the worm is in a pre-programmed 'sleep' mode. There are concerns that these infected servers will awake from this sleep mode and begin propagating again on August 1, 2001. While these reports are largely inaccurate, there is a definite threat that the Code Red worm, or a variant of the worm, will be launched and begin spreading on or after August 1st."
According to CA, every version of the Code Red worm to date has three phases of operation, each selected by the day of the month. From days 1 through 19 of the month, the worm attempts to infect IIS-based Web servers by targeting randomly chosen IP addresses. From days 20 through 27, the worm launches a Denial of Service (DoS) attack using packet flooding against a specific IP address embedded in the code, which turns out to be a now-inactive IP address for the US government's White House Web server. On day 28 of the month, the worm becomes dormant but remains in the system's memory.
eEye Digital Security released information one week ago stating that it had become aware of at least one other Code Red variant, which the company has dubbed Code Red v2 (CDv2). According to eEye, the CDv2 worm operates in the same fashion as the original Code Red worm, except that CDv2 doesn't deface Web pages or contact any hosts other than those it tries to infect, which makes CDv2 much harder to detect.