Code: Blue denotes an emergency medical situation requiring immediate attention. A Code Blue is initiated when a patient is unresponsive, pulseless, or not breathing: i.e. the patient needs cardiopulmonary resuscitation (CPR). Once there is a Code Blue, a team of doctors and nurses, often a designated "code-team", will rush to the patient taking life-saving measures. The team uses a crash cart which contains important aids such as a defibrillator, intubation equipment, suction, oxygen, and an I.V. setup to stabilize the patient.

Not to be confused with a Code: Brown, which is ER-speak for when a patient doesn't make it to the bathroom or bedpan in time.

Disclaimer: I'm not a doctor or nurse. I've never participated in a Code Blue. Corrections, elaborations are welcome.

Code Blue is one term used for a hypothetical vaccine or antidote to the Code Red Worm, exploiting the backdoor created by Code Red II to immunize compromised systems. The idea for this antidote seems to have occurred seperately to several parties, and the name seems to have been independently invented at least twice. To the best of my knowledge, it has not yet been implemented.

Disclaimer: Because the use of this vaccine involves distributing a piece of infectious software which works by cracking into other people's computers, it cannot be considered a white-hat operation. It is at best gray-hat, meaning that while it may be ethically acceptable to many legitimate operators, it uses cracking techniques and is very likely illegal. I do not recommend that you write a program to these specifications.

The basic operation of a Code Blue program, when installed on a given Windows 2000 or Windows NT system is as follows. The initial installed host is termed the origin system.

  1. Kill any running Code Red or Code Red II processes on the origin system, and remove any backdoors installed by Code Red II.
  2. Hook into to the origin system's IIS Web server, in such a way that any incoming HTTP request for default.ida gets passed to the Code Blue program.
  3. When a request matching "default.ida?XXX..." -- that is, a Code Red II infection attempt -- comes in, record the IP address of the sender. Call it the target system. Because the target system is trying to send us Code Red II, we know that it is itself infected, and therefore harbors the root.exe backdoor.
  4. Using the root.exe backdoor, break into the target system and cause it to download two pieces of software from the origin system: the Microsoft security patch for the default.ida vulnerability, and the Code Blue program itself.
  5. Have the target system install the security patch, then run Code Blue. (It is now itself an origin system, and starts at step 1 above.)
  6. Wait for another default.ida?XXX... request, and repeat.

Code Blue, written to these specifications, would not be as infectious as Code Red II. To continue the biological analogy -- if Code Red worms are parasites on vulnerable Microsoft IIS installations, then Code Blue would be a predator of Code Red II. As such, I cannot expect that Code Blue would drive Code Red into extinction, although it might well make a significant dent in the population of infected systems.

Please note that I am not a Windows programmer, and I cannot provide any technical details as to how one might write a Code Blue program. I do not recommend that you (or anyone else) write one. I consider it an interesting mental exercise into software ecology, but I am not sure that I want to encourage an ecology based on the proliferation and exploitation of security holes.


Update, Sep. 4 2001: A German hacker calling himself Der HexXer has released a worm program called Code Green, which serves a similar purpose to Code Blue -- it fights Code Red II. Unlike Code Blue, Code Green is an active worm, meaning that it scans the Internet address space for vulnerable systems, rather than waiting for Code Red to attack.

Another recently-released program, CRclean by Markus Kern, appears to be quite close in its behavior to the Code Blue model. The announcement of CRclean, and a link to its source, is available at http://www.securityfocus.com/archive/82/211462.

Update, Sep. 10 2001: As if to confuse things more, Kaspersky Labs has just announced its discovery of a malicious worm going by the name "Code Blue". This worm also removes Code Red infections and immunizes the infected systems, but it also attempts to perpetrate a denial of service attack against a security-oriented Web site.

Log in or registerto write something here or to contact authors.