Code Red (computer worm)

.ida Code Red Worm
Common name	Code Red
Technical name	CRv and CRvII
Type	Server Jamming Worm
Isolation	July 15, 2001

Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server.

The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh when it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because Code Red Mountain Dew was what they were drinking at the time.^[1]

Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.^[2]

Concept

Exploited vulnerability

The worm showed a vulnerability in the growing software distributed with IIS, described in Microsoft Security Bulletin MS01-033,^[3] for which a patch had been available a month earlier.

The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated letter 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine with the worm. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.^[4]

Worm payload

The payload of the worm included:

Defacing the affected web site to display:

ax

HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

Other activities based on day of the month:^[5]
- Days 1-19: Trying to spread itself by looking for more IIS servers on the Internet.
- Days 20–27: Launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.^[2]
- Days 28-end of month: Sleeps, no active attacks.

When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all. Apache access logs from this time frequently had entries such as these:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0

The worm's payload is the string following the last 'N'. Due to a buffer overflow, a vulnerable host interprets this string as computer instructions, propagating the worm.

Similar worms

On August 4, 2001, Code Red II appeared. Although it used the same injection vector, it had a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.

eEye believed that the worm originated in Makati City, Philippines, the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm.

References

↑ ANALYSIS: .ida "Code Red" Worm (Archived copy from 22 July 2011), Code Red advisory, eEye Digital Security, 17 July 2001
1 2 Moore, David; Colleen Shannon (c. 2001). "The Spread of the Code-Red Worm (CRv2)". CAIDA Analysis. Retrieved 2006-10-03.
↑ MS01-033 "Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise", Microsoft Corporation, 18 June 2001
↑ Lemos, Rob. "Virulent worm calls into doubt our ability to protect the Net". Tracking Code Red. CNET News. Retrieved 14 March 2011.
↑ "CERT Advisory CA-2001-19: 'Code Red' Worm Exploiting Buffer Overflow In IIS Indexing Service DLL". CERT/CC. 17 July 2001. Retrieved 2010-06-29.

External links

Code Red II analysis, Steve Friedl's Unixwiz.net, last update 22 August 2001
CAIDA Analysis of Code-Red, Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC), updated November 2008
Animation showing the spread of the Code Red worm on 19 July 2001, by Jeff Brown, UCSD, and David Moore, CAIDA at SDSC

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.

[1] ANALYSIS: .ida "Code Red" Worm (Archived copy from 22 July 2011), Code Red advisory, eEye Digital Security, 17 July 2001

[caida-2] 1 2 Moore, David; Colleen Shannon (c. 2001). "The Spread of the Code-Red Worm (CRv2)". CAIDA Analysis. Retrieved 2006-10-03.

[3] MS01-033 "Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise", Microsoft Corporation, 18 June 2001

[4] Lemos, Rob. "Virulent worm calls into doubt our ability to protect the Net". Tracking Code Red. CNET News. Retrieved 14 March 2011.

[5] "CERT Advisory CA-2001-19: 'Code Red' Worm Exploiting Buffer Overflow In IIS Indexing Service DLL". CERT/CC. 17 July 2001. Retrieved 2010-06-29.