Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server. It was the first large-scale, mixed threat attack to successfully target enterprise networks.
The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh when it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because Mountain Dew Code Red was what they were drinking at the time.
Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On that day, the number of infected hosts reached 359,000.
It spread worldwide but was particularly prevalent in North America, Europe and Asia (including China and India).
Concept
Exploited vulnerability
The worm exploited a vulnerability in the indexing software distributed with IIS (the Index Server ISAPI extension), described in Microsoft Security Bulletin MS01-033, for which a patch had been available a month earlier.
The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by sending a request padded with a long string of the repeated letter 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.
Worm payload
The payload of the worm included:
* Defacing the affected web site to display: HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
* Other activities based on day of the month:
** Days 1–19: Trying to spread itself by looking for more IIS servers on the Internet.
** Days 20–27: Launching denial-of-service attacks on several fixed IP addresses. The IP address of the White House web server was among those.
** Days 28 to end of month: Sleeping; no active attacks.
When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all.
Apache access logs from this time frequently recorded the worm's requests, even though Apache was not vulnerable and the probes failed there. In such an entry, the worm's payload is the string following the last 'N'. Due to the buffer overflow, a vulnerable host interpreted this string as machine instructions, propagating the worm.
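The following is an added example, not code from the original page or from any analysis it cites, showing how the request pattern described above can be picked out of Apache access logs. The log lines are constructed for the example; the `%u`-encoded tail is an abbreviated stand-in for the worm's shellcode, and the `/default.ida` path and the 100-repeat threshold are assumptions of this example. The detector classifies a hit by its filler byte ('N' for Code Red, 'X' for Code Red II) and extracts the payload as the text after the last filler character:

```python
import re
from typing import Dict, List

# Constructed sample Apache access-log lines (combined format) for this example:
# a Code Red probe (long run of 'N'), a Code Red II probe (long run of 'X'),
# and one ordinary request. The %u-encoded tail stands in for the worm's
# shellcode and is abbreviated, not a complete capture.
N_RUN = "N" * 224
X_RUN = "X" * 224
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
           "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [19/Jul/2001:13:02:11 -0700] "GET /default.ida?{N_RUN}{PAYLOAD} HTTP/1.0" 404 288 "-" "-"',
    f'10.0.0.9 - - [04/Aug/2001:09:41:03 -0700] "GET /default.ida?{X_RUN}{PAYLOAD} HTTP/1.0" 404 288 "-" "-"',
    '192.0.2.7 - - [19/Jul/2001:13:03:40 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
])

# Common/combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# The worm's request is padded with a long run of one filler byte: 'N' for
# Code Red, 'X' for Code Red II. Real URLs essentially never contain 100+
# repeats of the same letter, so this threshold (an assumption) keeps false
# positives low.
FILLER_RE = re.compile(r"([NX])\1{99,}")
VARIANTS = {"N": "Code Red", "X": "Code Red II"}


def detect_code_red(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line that carries a Code Red style probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        run = FILLER_RE.search(uri)
        if not run:
            continue
        filler = run.group(1)
        hits.append({
            "src": m.group("ip"),
            "time": m.group("ts"),
            "variant": VARIANTS[filler],
            # A non-IIS server answers the probe with 404 and is unaffected;
            # the status is kept so that noise can be separated from hits on IIS.
            "status": m.group("status"),
            # The shellcode is whatever follows the last filler character.
            "payload": uri[uri.rfind(filler) + 1:],
        })
    return hits


if __name__ == "__main__":
    for h in detect_code_red(SAMPLE_LOG):
        print(h["time"], h["src"], h["variant"], h["status"], h["payload"][:24] + "...")
```

Keying the match on the filler run rather than on the exact payload bytes is deliberate: the same check catches both the 'N' and the 'X' variant, and the payload is returned separately so it can be compared against known samples.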
Similar worms
On August 4, 2001, Code Red II appeared. Although it used the same injection vector, it had a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.
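The subnet-biased target selection described above, as an added example that is neither the worm's code nor from the original page: a simulation of a scanner that keeps the infected host's /16 half the time, its /8 three eighths of the time, and otherwise picks a fully random address. The page gives no numbers for the distribution; the 1/2, 3/8, 1/8 split, the infected-host address and the skipping of self and loopback are assumptions of this example.

```python
import random
from collections import Counter
from typing import Dict, List

# Probability split for the worm's target choice. The page says only that
# Code Red II favoured its own subnet; the 1/2, 3/8, 1/8 split below is the
# one given in contemporary analyses and is an assumption of this example.
P_SAME_SLASH16 = 0.5    # keep the infected host's first two octets
P_SAME_SLASH8 = 0.375   # keep only the first octet
# remaining 1/8: a fully random IPv4 address

INFECTED_HOST = "192.0.2.10"   # constructed address for the infected machine


def next_target(self_ip: str, rng: random.Random) -> str:
    """Pick one scan target the way a subnet-biased worm would."""
    a, b, _, _ = (int(x) for x in self_ip.split("."))
    r = rng.random()
    if r < P_SAME_SLASH16:
        octets = (a, b, rng.randrange(256), rng.randrange(256))
    elif r < P_SAME_SLASH16 + P_SAME_SLASH8:
        octets = (a, rng.randrange(256), rng.randrange(256), rng.randrange(256))
    else:
        octets = tuple(rng.randrange(256) for _ in range(4))
    return ".".join(str(o) for o in octets)


def scan_targets(self_ip: str, n: int, seed: int = 1) -> List[str]:
    """Generate n targets; skipping self and loopback is a simplification."""
    rng = random.Random(seed)
    out: List[str] = []
    while len(out) < n:
        t = next_target(self_ip, rng)
        if t == self_ip or t.startswith("127."):
            continue
        out.append(t)
    return out


def locality_profile(self_ip: str, targets: List[str]) -> Dict[str, float]:
    """Fraction of targets sharing the host's /16, only its /8, or neither."""
    a, b, _, _ = self_ip.split(".")
    counts: Counter = Counter()
    for t in targets:
        ta, tb, _, _ = t.split(".")
        if ta == a and tb == b:
            counts["same_/16"] += 1
        elif ta == a:
            counts["same_/8"] += 1
        else:
            counts["elsewhere"] += 1
    n = len(targets)
    return {k: counts[k] / n for k in ("same_/16", "same_/8", "elsewhere")}


if __name__ == "__main__":
    profile = locality_profile(INFECTED_HOST, scan_targets(INFECTED_HOST, 20000))
    for k, v in profile.items():
        print(f"{k:>9}: {v:.3f}")
```

Running the profile shows roughly half of all probes landing inside the infected host's own /16. That is why a single infected machine inside an enterprise network saturates neighbouring hosts far faster than uniform random scanning would, and why monitoring internal segments, not only the perimeter, mattered for this worm.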
eEye believed that the worm originated in Makati, Philippines, the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm.
See also
* Nimda Worm
* Timeline of computer viruses and worms
External links
* Code Red II analysis, Steve Friedl's Unixwiz.net, last update 22 August 2001
* CAIDA Analysis of Code-Red, Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC), updated November 2008
* Animation showing the spread of the Code Red worm on 19 July 2001 by Jeff Brown, UCSD, and David Moore, CAIDA at SDSC
Hacking in the 2000s
2001 in computing
Windows malware
Exploit-based worms
Cybercrime in India