
Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server and was the first large-scale mixed threat attack to successfully target enterprise networks. The worm was first discovered and analysed by eEye Digital Security employees Marc Maiffret and Ryan Permeh when it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because Mountain Dew Code Red was what they were drinking at the time. Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001, when the number of infected hosts reached 359,000. It spread worldwide but was particularly prevalent in North America, Europe and Asia (including China and India).


Concept


Exploited vulnerability

The worm exploited a vulnerability in the Index Server ISAPI extension (idq.dll) distributed with IIS, described in Microsoft Security Bulletin MS01-033, for which a patch had been available a month earlier. The vulnerability was a buffer overflow: the worm sent an HTTP request whose query string was a long run of the repeated letter 'N', overrunning a fixed-size buffer so that the bytes following the filler were executed as arbitrary code and infected the machine with the worm. The extension was installed and mapped by default, so servers that never used the indexing service were still exposed; the remedies were to apply the patch or to remove the .ida and .idq script mappings. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.


Worm payload

The payload of the worm included:

* Defacing the affected web site to display: HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
* Other activities based on the day of the month:
** Days 1-19: trying to spread itself by looking for more IIS servers on the Internet.
** Days 20-27: launching denial of service attacks on several fixed IP addresses, among them the IP address of the White House web server.
** Days 28 to end of month: sleeping, with no active attacks.

When scanning for vulnerable machines, the worm did not test whether the server on a remote machine was running a vulnerable version of IIS, or even whether it was running IIS at all. Apache access logs from this time therefore frequently recorded the worm's request: a GET for a .ida resource whose query string is a long run of 'N' characters. The worm's payload is the string following the last 'N'; on a vulnerable host the buffer overflow caused this string to be interpreted as machine instructions, propagating the worm.
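The request shape described above can be recognised in any web server's access log, not only on IIS, because the worm probed every address it picked. The following Python is an added example, not code from the page or from eEye or CAIDA: it parses Apache-style log lines, flags requests to the .ida/.idq ISAPI extension whose query string starts with a long run of 'N' (Code Red) or 'X' (Code Red II), extracts the bytes after the last filler character as the payload, and counts probes per source. The sample log lines, the filler length and the minimum run length are constructed assumptions for the example.

```python
import re
from collections import Counter

# Apache common/combined log prefix: client, ident, user, [timestamp],
# "method target protocol", status, size. Extra combined fields are ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request shape described in the article: a request to the Index Server
# ISAPI extension (.ida or .idq) whose query string opens with a long run of
# one repeated filler byte, 'N' for Code Red and 'X' for Code Red II.
# MIN_RUN is an assumption chosen so that ordinary queries do not match.
MIN_RUN = 32
SIG_RE = re.compile(
    r'\.id[aq]\?(?P<run>N{%d,}|X{%d,})(?P<payload>.*)$' % (MIN_RUN, MIN_RUN)
)
VARIANT_BY_FILLER = {'N': 'Code Red', 'X': 'Code Red II'}


def classify_request(target):
    """Return (variant, filler_run_length, payload) or None for a URL path.

    The payload is everything after the last filler byte, which is the part
    a vulnerable idq.dll would have executed after the overflow.
    """
    m = SIG_RE.search(target)
    if m is None:
        return None
    run = m.group('run')
    return VARIANT_BY_FILLER[run[0]], len(run), m.group('payload')


def scan_log(text):
    """Return one record per log line that carries a Code Red style request.

    Works on any web server's log: the worm never checked for IIS, so Apache
    hosts recorded the probes too (typically as 404s).
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        found = classify_request(m.group('target'))
        if found is None:
            continue
        variant, run_len, payload = found
        hits.append({
            'src': m.group('src'),
            'ts': m.group('ts'),
            'variant': variant,
            'run_length': run_len,
            'payload': payload,
            'status': int(m.group('status')),
        })
    return hits


def probes_per_source(hits):
    """Count probes per (variant, source address); infected hosts scan repeatedly."""
    return Counter((h['variant'], h['src']) for h in hits)


# Constructed sample lines (not taken from the page). The encoded payload tail
# is shortened and illustrative; the real worm's %u-encoded shellcode was longer.
FILLER_LEN = 224  # assumed filler length for the sample; well above MIN_RUN
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [19/Jul/2001:10:22:31 -0700] "GET /default.ida?'
    + 'N' * FILLER_LEN + '%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 276',
    '192.0.2.5 - - [19/Jul/2001:10:22:40 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [19/Jul/2001:10:23:02 -0700] "GET /default.ida?'
    + 'N' * FILLER_LEN + '%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 276',
    '192.0.2.5 - - [19/Jul/2001:10:25:11 -0700] "GET /search.idq?NNNN HTTP/1.0" 404 210',
    '198.51.100.9 - - [04/Aug/2001:08:01:12 -0700] "GET /default.ida?'
    + 'X' * FILLER_LEN + '%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 276',
])

if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG):
        print(h['ts'], h['src'], h['variant'], 'run=%d' % h['run_length'],
              'payload=%s...' % h['payload'][:12])
    print(probes_per_source(scan_log(SAMPLE_LOG)))
```

The short `/search.idq?NNNN` line is deliberately left unflagged: matching on the long filler run rather than on the `.ida` extension alone keeps ordinary requests to the indexing service out of the alert stream, while still catching both filler bytes the two worms used.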


Similar worms

On August 4, 2001, Code Red II appeared. Although it used the same injection vector, it had a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machine according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used a run of repeated 'X' characters instead of 'N' characters to overflow the buffer. eEye believed that the worm originated in Makati, Philippines, the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm.
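The locality-biased target selection is what let Code Red II saturate a network from the inside once a single host was infected. The following Python is an added example, not the worm's code or anything from the article: it models a scanner that picks its next target from its own /8, its own /16 or the whole IPv4 space according to fixed weights, and measures the resulting locality over many draws. The specific weights are an assumption (the proportions reported in contemporary analyses of Code Red II); the article only states that the distribution favoured the worm's own subnet.

```python
import ipaddress
import random

# Locality weights assumed for this example: probability that the next scan
# target shares the infected host's /8, shares its /16, or is drawn from the
# whole IPv4 space. These are the proportions reported in contemporary
# analyses of Code Red II; the article itself gives no numbers.
P_SAME_8 = 0.5
P_SAME_16 = 0.375
P_ANYWHERE = 0.125


def choose_target(own_ip, rng, weights=(P_SAME_8, P_SAME_16, P_ANYWHERE)):
    """Pick one scan target around own_ip with the locality bias above.

    Returns a dotted-quad string. Skips the host's own address and the 0/8 and
    127/8 ranges, which no scanner would want to hit (an assumption of this
    example, not a detail from the article).
    """
    p8, p16, _ = weights
    own = int(ipaddress.IPv4Address(own_ip))
    while True:
        r = rng.random()
        if r < p8:
            cand = (own & 0xFF000000) | rng.getrandbits(24)   # same /8
        elif r < p8 + p16:
            cand = (own & 0xFFFF0000) | rng.getrandbits(16)   # same /16
        else:
            cand = rng.getrandbits(32)                        # anywhere
        if cand == own or (cand >> 24) in (0, 127):
            continue
        return str(ipaddress.IPv4Address(cand))


def locality_profile(own_ip, n, seed=1):
    """Draw n targets and return the fraction inside own /8 and own /16."""
    rng = random.Random(seed)
    net8 = ipaddress.IPv4Network(f"{own_ip}/8", strict=False)
    net16 = ipaddress.IPv4Network(f"{own_ip}/16", strict=False)
    in8 = in16 = 0
    for _ in range(n):
        t = ipaddress.IPv4Address(choose_target(own_ip, rng))
        in8 += t in net8
        in16 += t in net16
    return in8 / n, in16 / n


if __name__ == '__main__':
    f8, f16 = locality_profile('203.0.113.7', 20000)
    print(f"same /8: {f8:.3f}  same /16: {f16:.3f}")
```

With these weights roughly seven of every eight probes land in the infected host's own /8, so a single compromised server inside a large allocation generates far more scan traffic against its neighbours than a uniformly random scanner would, which is why the worm was so visible on enterprise and ISP networks.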


See also

* Nimda worm
* Timeline of computer viruses and worms




External links

* Code Red II analysis, Steve Friedl's Unixwiz.net, last update 22 August 2001
* CAIDA Analysis of Code-Red, Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC), updated November 2008
* Animation showing the spread of the Code Red worm on 19 July 2001, by Jeff Brown, UCSD, and David Moore, CAIDA at SDSC