Code Red, Code Red II, and SirCam Attacks Highlight Need for Proactive Measures
GAO-01-1073T: Published: Aug 29, 2001. Publicly Released: Aug 29, 2001.
Organizations and individuals have recently had to contend with particularly vexing computer attacks. The most notable is Code Red, but potentially more damaging are Code Red II and SirCam. Together, these attacks have infected millions of computer users, shut down websites, slowed Internet service, and disrupted businesses and government operations. They have already caused billions of dollars of damage, and their full effects have yet to be completely assessed.
Code Red and Code Red II are both "worms," which are attacks that propagate themselves through networks without any user intervention or interaction. Both take advantage of a flaw in a component of versions 4.0 and 5.0 of Microsoft's Internet Information Services Web server software.
SirCam is a malicious computer virus that spreads primarily through E-mail. Once activated on an infected computer, the virus searches through a select folder and, acting as a "Trojan horse," mails user files to E-mail addresses in the user's address book. In addition to spreading, the virus can delete the contents of a victim's hard drive or fill the remaining free space on the hard drive, making it impossible to save files or print.
On July 19, 2001, the Code Red worm infected more than 250,000 systems in just nine hours, causing more than $2.4 billion in economic losses. SirCam is allegedly responsible for the leaking of secret documents from the Ukrainian government.
U.S. government agencies do not have effective information security programs to prevent and respond to these attacks. They often lack effective access controls to their computer resources and consequently cannot protect these assets against unauthorized modification, loss, and disclosure. However, several agencies have taken significant steps to redesign and strengthen their information security programs. Also, Congress recently enacted legislation to provide a comprehensive framework for establishing and ensuring the effectiveness of information security controls over information resources that support federal operations and assets.