Worm carries larger warning

FedCIRC

Federal computer security experts are using the Code Red computer worm to raise agency executives' awareness that a formal process is needed for fixing problems that make systems vulnerable to such attacks.

The worm is poised to spread anew starting at 8 p.m. EDT today, when it will begin to infect Web servers to use them in a denial-of-service attack on the White House Web site.

Microsoft Corp. has several software patches available on its Web site to fix the vulnerability that the worm exploits. The Federal Computer Incident Response Center (FedCIRC), the National Infrastructure Protection Center and many private-sector organizations also have issued alerts with details on the problem and how to fix it.

But while many of those organizations are focused on raising awareness of this specific worm, FedCIRC is using the opportunity to take awareness a step further.

"The intention is to send it not just to the techie people, but to let the senior management at the CIO level and higher know that this could be a significant problem...but also that this needs to be put on their plate because it's their responsibility," said Sallie McDonald, assistant commissioner of the General Services Administration's Office of Information Assurance and Critical Infrastructure Protection, which oversees FedCIRC.

FedCIRC regularly sends out technical alerts and information to federal systems administrators and information security officers, but rarely to agency chief information officers. But the center has been moving past that to provide more "English language" warnings for agency administrators, up to and including the deputy secretaries and agency heads, McDonald said.

FedCIRC is using its warnings to push an initiative that the CIO Council and the Office of Management and Budget endorsed last October after the ILOVEYOU virus hit government systems. In a memo to agency heads, the council and OMB encouraged agencies to set up a formal process to report to FedCIRC whether the latest software patches have been received by the correct agency officials and whether the patches are correctly put in place.

FedCIRC is developing a new system to help agencies receive and report on such patches. In August, the center plans to release a request for proposals for an automatic patch dissemination system, McDonald said. Using that system, agencies can set up a profile of the operating systems and applications on their networks, and then have only the patches for those configurations sent to them for installation.

The initial attack of the Code Red worm this month took advantage of a vulnerability in Microsoft's Windows NT or Windows 2000 and IIS 4.0 or 5.0. It is now set to start infecting Web servers again and will continue to look for other hosts until Aug. 19.

Once a system is infected, the worm will direct it to launch a distributed denial-of-service attack on the White House Web site's Internet Protocol address between Aug. 20 and Aug. 27.

The White House countered the July attack simply by changing its IP address by one digit.