Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server. It was the first large-scale, mixed-threat attack to successfully target enterprise networks.
The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh when it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because they were drinking Mountain Dew Code Red at the time of discovery.
Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On that day, the number of infected hosts reached 359,000.
The worm spread worldwide, becoming particularly prevalent in North America, Europe, and Asia (including China and India).
Concept
Exploited vulnerability
The worm showed a vulnerability in software distributed with IIS, described in Microsoft Security Bulletin MS01-033 (CVE-2001-0500), for which a patch had become available a month earlier.
The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated letter 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine with the worm. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.
Worm payload
The payload of the worm included:
* Defacing the affected web site to display:
HELLO! Welcome to http://www.worm.com ! Hacked By Chinese!
* Other activities based on the day of the month:
** Days 1-19: Trying to spread itself by looking for more IIS servers on the Internet.
** Days 20-27: Launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among these.
** Days 28-end of month: Sleeps, no active attacks.
When scanning for vulnerable machines, the worm did not test whether the server running on a remote machine was running a vulnerable version of IIS, or even whether it was running IIS at all.
Apache access logs from this time frequently had entries such as these:
The worm's payload is the string following the last 'N'. Due to a buffer overflow, a vulnerable host interpreted this string as computer instructions, propagating the worm.
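As an added illustration (not code from the original article), the following script scans Apache combined-format access-log lines for the worm's request signature: a request for the IIS Indexing Service ISAPI extensions (.ida/.idq, the component patched in MS01-033) whose query string carries a long run of 'N' (Code Red) or 'X' (the Code Red II variant described below). The sample log lines and the 32-character run threshold are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" format: client ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red padded the overflow with repeated 'N'; Code Red II used repeated 'X'.
# The 32-character minimum run is an assumption for this example, not a figure from the article.
FILLER_RE = re.compile(r'(N{32,}|X{32,})')

def classify_request(target: str) -> Optional[str]:
    """Return 'N' or 'X' when the request target matches the worm's probe shape, else None."""
    path, _, query = target.partition('?')
    # The MS01-033 overflow was reachable through the .ida/.idq ISAPI extensions only.
    if not path.lower().endswith(('.ida', '.idq')):
        return None
    m = FILLER_RE.search(query)
    return m.group(0)[0] if m else None

def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line; collect the client, timestamp and variant of matching requests."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it instead of crashing the scan
        variant = classify_request(m.group('target'))
        if variant:
            hits.append({'client': m.group('client'), 'time': m.group('time'),
                         'variant': 'Code Red' if variant == 'N' else 'Code Red II'})
    return hits

# Constructed sample log (not captured traffic); the worm's real payload after the filler is omitted.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Jul/2001:10:12:31 -0400] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [19/Jul/2001:10:13:02 -0400] "GET /default.ida?' + 'N' * 40 + ' HTTP/1.0" 404 271 "-" "-"',
    '10.0.0.7 - - [19/Jul/2001:10:13:40 -0400] "GET /robots.txt HTTP/1.0" 200 68 "-" "-"',
    '10.0.0.11 - - [05/Aug/2001:02:41:17 -0400] "GET /default.ida?' + 'X' * 40 + ' HTTP/1.0" 404 271 "-" "-"',
])

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['client']:<12} {hit['variant']}")
```

Because the worm never checked what server it was talking to, a non-IIS host such as Apache records these probes as ordinary 404s, which is why the scan keys on the request shape rather than the status code.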
Similar worms
On August 4, 2001, Code Red II appeared. Although it used the same injection vector, it had a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.
eEye believed that the worm originated in Makati, Philippines, the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm.
See also
* Nimda worm
* Timeline of computer viruses and worms
External links
* Code Red II analysis, Steve Friedl's Unixwiz.net, last update 22 August 2001
* CAIDA Analysis of Code-Red, Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC), updated November 2008
* Animation showing the spread of the Code Red worm on 19 July 2001, by Jeff Brown (UCSD) and David Moore (CAIDA at SDSC)