[LINK] Code Red floods helpdesks, not Internet

From: Bernard Robertson-Dunn (brd@austarmetro.com.au)
Date: Mon Aug 06 2001 - 14:05:41 EST


Code Red floods helpdesks, not Internet
By Joris Evers
6 August, 2001 8:52
Amsterdam
http://computerworld.idg.com.au/idg2.nsf/All/4B6FC7E9F31B15864A256A9D00462491!OpenDocument&n=Sections&c=Open+Systems

The widely publicized Code Red worm may not have caused a significant
slowdown of the Internet, but it did flood technical support phone lines at
antivirus companies, several European antivirus software vendors said
Friday.

Many Internet users who were in fact immune to Code Red were scared by the
alert that was sent out Sunday by a number of U.S. government and private
organizations, the vendors said. The alert -- headlined "A Very Real and
Present Threat to the Internet: July 31 Deadline For Action" -- predicted
Code Red would cause sporadic but widespread outages of the Internet.

"Our tech support line received many calls from home users who are not
affected but heard about Code Red and were very scared, hollow scares,"
said Dennis Zenkin, spokesman for Moscow-based antivirus vendor Kaspersky
Lab Ltd.

"We have been getting thousands and thousands of phone calls. It is a real
shame, that imaginative alert from the FBI (the U.S. Federal Bureau of
Investigation). The title reads like a John Grisham novel," seconded Graham
Cluley, senior technical consultant at Abingdon, England-based Sophos PLC.

Helpdesk agents at F-Secure Corp., an Espoo, Finland-based antivirus
vendor, also received a much higher than normal number of calls, said Mikko
Hypponen, manager of antivirus research.

"Lots of people called and said they had disconnected their computer from
the Internet and wanted to know when it would be safe to hook it back up.
Many of these people were typical consumers running Windows 98. The only
thing they could notice from Code Red is a slowdown of the Internet," he
said.

A Web site administrator at a relatively large Finnish company, who was
called in to work at 3 A.M. to protect his servers, also called Hypponen
for advice.

"The chief executive officer had seen something on CNN about Code Red and
called the Web master. His systems were all Linux-based, so he really had
nothing to worry about," said Hypponen.

Code Red is a self-propagating worm that exploits a flaw in Internet
Information Server (IIS), a part of Microsoft Corp.'s Windows 2000 and
Windows NT server software. It scans the Internet for vulnerable systems
and infects these systems by installing itself. A patch for the flaw has
been available since mid-June.

All three European vendors blame the panic on the unprecedented joint alert
and the often incomplete media attention it received. The alert was issued
by, among others, the FBI's National Infrastructure Protection Center, the
Computer Emergency Response Team (CERT Coordination Center), the SANS
Institute and Microsoft Corp.

"I am very skeptical about warnings that predict Internet meltdowns. They
have done more harm than good. They needed to make clear that this didn't
affect home users. I think that many people that downloaded the patch are
home users," said Sophos' Cluley.

"This issue is difficult to solve," commented Hypponen, who said he
approves of the way the alert was issued, but said he would have picked a
different headline. "People that don't have any understanding of the topic
will freak out, no matter how detailed your announcement is."

The vendors are afraid that, because the Internet did not go down, the
alert will negatively reflect on the antivirus community.

"The average person on the street will forget that the announcement came
from the FBI and Microsoft and see this as another example of the antivirus
industry warning for something that turns out to be a nonevent," said
Cluley.

Hypponen agreed, but said it is clear that the antivirus industry wasn't
involved in the alerting for the virus.

"Typically it is the antivirus industry that is blamed for touting a virus
to get more sales. The alert had an accurate view, although it was very Tom
Clancy-like."

-- 
You can observe a lot by just watching
-- Yogi Berra

Regards brd

Bernard Robertson-Dunn Canberra Australia brd@dynamite.com.au brd@austarmetro.com.au


