Despite the hype, the widely publicised Code Red worm may not have caused a significant slowdown of the internet. However, several European software vendors confirmed on Friday that it did flood technical support phone lines at antivirus companies.
Virus swamps helpdesks not internet after hype
Many internet users who were not in fact targeted by Code Red were scared by the alert sent out last Sunday by a number of US government and private organisations, the vendors said.
This is a little rich coming from the companies that did so much to make sure the media knew about Code Red. PC Advisor received numerous press releases on the subject, but refused to publish stories about the worm precisely because so many companies have a vested interest in scaring the public.
The alert, headlined 'A Very Real and Present Threat to the Internet: July 31 Deadline For Action', predicted Code Red would cause sporadic but widespread outages of the internet.
"Our tech support line received many calls from home users who are not affected but heard about Code Red and were very scared, hollow scares," said Dennis Zenkin, spokesman for Moscow-based antivirus vendor Kaspersky Labs.
"We have been getting thousands and thousands of phone calls. It is a real shame, that imaginative alert from the FBI. The title reads like a John Grisham novel," seconded Graham Cluley, senior technical consultant at UK-based Sophos.
Helpdesk agents at F-Secure, a Finland-based antivirus vendor, also received a much higher than normal number of calls, said Mikko Hypponen, manager of antivirus research.
"Lots of people called and said they had disconnected their computer from the internet and wanted to know when it would be safe to hook it back up. Many of these people were typical consumers running Windows 98. The only thing they could notice from Code Red is a slowdown of the internet," he said.
A website administrator at a relatively large Finnish company, who was called in to work at three in the morning to protect his servers, also called Hypponen for advice.
"The chief executive officer had seen something on CNN about Code Red and called the webmaster. His systems were all Linux-based, so he really had nothing to worry about," said Hypponen.
Code Red is a self-propagating worm that exploits a flaw in IIS (Internet Information Server), a part of Microsoft's Windows 2000 and Windows NT server software. It scans the internet for vulnerable systems and infects these systems by installing itself. A patch for the flaw has been available since mid-June.
All three European vendors blame the panic on the unprecedented joint alert and the often-incomplete media attention it received. The alert was issued by, among others, the FBI's National Infrastructure Protection Center, the CERT (Computer Emergency Response Team) Coordination Center, the SANS Institute and Microsoft.
"I am very sceptical about warnings that predict internet meltdowns. They have done more harm than good. They needed to make clear that this didn't affect home users. I think that many people that downloaded the patch are home users," said Sophos' Cluley.
"This issue is difficult to solve," commented Hypponen, who said he approves of the way the alert was issued, but said he would have picked a different headline. "People that don't have any understanding of the topic will freak out, no matter how detailed your announcement is."
The vendors are afraid that, because the internet did not get swamped by rogue packets of data, the alert will reflect negatively on the antivirus community.
"The average person on the street will forget that the announcement came from the FBI and Microsoft and see this as another example of the antivirus industry warning for something that turns out to be a non-event," said Cluley.
Hypponen agreed, but said it is clear that the antivirus industry wasn't involved in issuing the alert about the virus.
"Typically it is the antivirus industry that is blamed for touting a virus to get more sales. The alert had an accurate view, although it was very Tom Clancy-like."