The Code Red worm/virus was first discovered in the wild on July 13, 2001. It contained an apparent bug, in that the targeting list was created from the same static random seed, which caused it to begin its targeting by hitting the same sequence of machines.

In apparent confirmation of the theory that one of these machines was feeding intel back to the originator, a second variant (Crv2) was discovered in the wild late on July 19, 2001. This variant used a truly random sequence to create its target list, and does not deface the website. Approximately 300,000 servers are believed to have been compromised, based on the number of distinct IP addresses attacking various networks. The change to the original virus was a mere 13 bytes.

An additional weakness of the worm is that it lives entirely in memory on a server. Removing the virus is simply a matter of applying the patch (at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp), and rebooting the system. However, this would only clear the Code Red worm, and not clear out any other compromises. Since your machine has been advertising itself to the world as compromisable, it may have been attacked by a human, as well.

As it is (now) after the 20th of the month, the machines are in attack mode, attempting to connect to the former White House web server IP address. Due to a small bug in the code, after attacking (until the 28th), the worm will go into sleep mode until the first. However, the sleep mode will cause the server to freeze until rebooted, thus preventing the machine from returning to attack mode on the 1st.

On August 1, the worm reawoke, despite the valiant efforts to stamp it out. Within three hours, somewhere between 100,000 and 300,000 hosts were reinfected*. Since then, the number of infected machines appears to be holding at steady state.

Analysis of the Worm: http://www.eeye.com/html/Research/Advisories/AL20010717.html


Corrections to below nodes
  • The origin of the name is both for the alleged Chinese origin, and the Mountain Dew beverage. Eeye named it, and credits both reasons in their analysis. A reporter (CNN, I believe) turned this into a "rumor."
  • Before the 20th of the month, the threads are in infect mode. After the 20th they are in attack mode.

* Errors in reporting have roots in a number of problems:

  • Some data collectors (principally folks with Class A nets) are categorizing all port 80 traffic to Code Red, especially if the target machine did not exist. Thus, people scanning for web servers are being counted as infected machines.
  • Some machines appear to be on dynamic addresses, because they are on home networks. When they reconnect, they are given a new IP address, and get reinfected, so they count as a new address.

Code Red II

On August 5, 2001, Code Red II was added into the mix. CRII is a manmade variant of CRv2 that allows anyone to connect to port 80 on an infected machine and get a shell prompt. This will allow legions of script kiddies to use the 100,000 remaining Code Red hosts as a legion of zombies.

The Code Red worm works by exploiting the .ida overflow bug (which had been patched for weeks before the discovery of the worm) in order to overwrite the worm's code into one of IIS's DLLs. Once there, it spawns 100 threads:

Threads 1 - 99:
If time is before 20:00 UTC, attempt to infect random¹ other IPs.
If time is greater than 20:00 UTC, flood whitehouse.gov².
Thread 100:
If server is set to the enUS codepage (US English), alter some DLL so that it will load a page from within the worm's memory rather than http://localhost/index.* (see Stavr0's writeup in Code Red).
Else act like threads 1 through 99.

1: Although the list of IPs appears random, the worm has a hardcoded seed for its random number generator. It has been speculated that the worm's author chose a seed that would have eir IP high on the list so ey could get a list of infected servers.

2: The DDoS attack was directed at a hardcoded IP previously used by whitehouse.gov, therefore in order to avoid the attack the administrators changed the IP of their server.


Some interesting features of this worm:

  • It contains a lysine deficiency (type: Anti-Lysine) in that it will shut down if a particular file exists on the hard drive.
  • It can infect a system more than once, creating yet another 100 threads.
  • It has been seen on some of Microsoft's Windows Update servers, which means that Microsoft isn't applying its own security patches on one of the most important sites on the Net (crackers could get everyone updating Windows to download malicious code).

Also:

  • There are two rumours³ why it's named "Code Red":
  • Slashdot is running a contest to guess the NYT and WSJ's headlines concerning the worm.

3: See cordelia's write-up, below.

Source: discussions on Slashdot and the security bulletin Stavr0 mentioned.

The latest worm to infect Microsoft IIS Web servers. Once infected, the victim server attempts to infect further hosts by sending the following HTTP command:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00
%u531b%u53ff%u0078%u0000%u00=a
Infected web servers show the following defacement:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

Source: http://www.cert.org/advisories/CA-2001-19.html
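A defender-side check for the propagation request quoted above, added here as an example (it is not code from the CERT advisory or from this writeup): it scans request records for the .ida overflow shape, a long run of N filler followed by %uXXXX-encoded bytes. The record format, the sample lines and the two thresholds are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed request records: "<client ip> <raw HTTP request line>".
# The first record reproduces the query from the advisory text above
# (filler shortened to 48 N's); the other two are benign traffic.
SAMPLE_REQUESTS = [
    "192.0.2.10 GET /default.ida?" + "N" * 48
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090"
    + "%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00"
    + "%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0",
    "198.51.100.7 GET /index.htm HTTP/1.0",
    "203.0.113.5 GET /default.ida?name=report HTTP/1.0",
]

# Signature pieces: a GET for the .ida ISAPI extension, a run of 'N'
# filler at the start of the query, and %uXXXX-encoded bytes after it.
IDA_REQUEST = re.compile(r"^\S+\s+GET\s+/default\.ida\?(?P<query>\S*)", re.IGNORECASE)
FILLER_RUN = re.compile(r"^(N+)")
UNICODE_ENCODED = re.compile(r"%u[0-9a-f]{4}", re.IGNORECASE)
MIN_FILLER = 32   # assumed thresholds, not values from the advisory
MIN_UNICODE = 4

@dataclass
class Hit:
    src_ip: str
    filler_len: int
    unicode_count: int

def classify(record: str) -> Optional[Hit]:
    """Return a Hit when the record has the Code Red .ida request shape."""
    m = IDA_REQUEST.match(record)
    if not m:
        return None                      # not a request for /default.ida
    query = m.group("query")
    filler = FILLER_RUN.match(query)
    filler_len = len(filler.group(1)) if filler else 0
    unicode_count = len(UNICODE_ENCODED.findall(query))
    if filler_len < MIN_FILLER or unicode_count < MIN_UNICODE:
        return None                      # ordinary .ida query, no overflow payload
    return Hit(record.split()[0], filler_len, unicode_count)

def scan(records) -> list:
    """Classify every record and keep only the hits."""
    return [h for h in (classify(r) for r in records) if h]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"{hit.src_ip}: .ida overflow request, filler={hit.filler_len}, %u-encoded={hit.unicode_count}")
```

The source address of each hit is what you would feed into a block list or an abuse notice; a single hit is enough, since the request is the infection attempt itself.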

The Code Red worm will also bring down internet connections of dsl customers who have a Cisco 67x (especially the 675) modem/router.

This happens because these routers have a web interface that allows you to view stats on the router. When code red launches an attack, the Ciscos get spammed with bad packets. The Cisco's natural response to this is to shut down the WAN interface (see: design flaw).

There are two ways to fix this. The first, also the easiest, is to simply power cycle the router. Unplug it for a few seconds, plug it back in, and you should be up for a while. The next time code red attacks however, it will just go back down. The second will actually prevent code red from shutting down the router.

Telnet or Terminal into the router. Enter your exec password, and at the "CBOS>" prompt type "enable" and press enter. When it asks for another password, just press enter. You should see "CBOS#".. type "set web disable", and press enter. Then type "write", press enter. Then type "reboot" and press enter. This will shut down the web interface and keep code red from taking down the router.

Update: There is another command you must enter or your connection will still go down periodically. At the CBOS# prompt, type "set web port 55555". Then type "write", then "reboot". That will take care of code red issues.
Another Update: The long-term solution to code red and its variants has arrived in the form of a new version of CBOS. Flashing your Cisco 67x with CBOS v2.4.3 should take care of all your Code Red/Code Red II/Nimda problems, you can even use the web interface!

What does the Code Red worm tell us about the state of information security in the world today? Richard Forno, in an essay recently published on SecurityFocus, holds that Code Red's success indicates that we have become far too tolerant of dodgy products from software vendors, particularly Microsoft. He suggests that only the force of legal liability -- possibly even charges of criminal negligence -- will compel software authors to produce secure products.

The following is my letter to M. Forno in response:


M. Forno --

Thank you for your excellent article on the implications of the world's responses to Code Red. Microsoft has for too long gotten away with releasing seriously flawed software, and passing the costs of insecurity off to the consumer.

However, I must take issue with the idea that holding Microsoft legally liable for security holes is the best way to prevent future damage. Every software distributor -- from Microsoft to Red Hat to Cisco to OpenBSD -- has released software with holes. The precedent of holding software authors up for civil or even criminal (negligence) penalties would cast a chilling effect on all programmers, even those who are more careful.

Furthermore, Microsoft software is the focus of attacks not just because it contains more holes, but because it is so very popular. Take the example of viruses on desktop systems: For years, Macintosh users have poked fun at Windows for its susceptibility to viruses. In fact, Mac OS systems are just as susceptible -- it's just that there are fewer Macs in the world than Windows PCs, so virus authors do not bother writing viruses for them.

To put it bluntly: It's true that Microsoft code sucks, and that it sucks more than most of its competitors' code. It's also true, though, that when one platform takes on the role of monoculture (or monopoly) it will come under much greater examination by the black hats. Yes, Microsoft has used the "we're so popular that everyone wants to crack our systems" line to misdirect attention away from its systems' inherent poor security. However, no major OS today -- of the many better designed than Windows -- would make a secure monoculture.

IT folks are legendary for taking personal preferences -- favored operating systems, languages, even text editors -- as matters of religious writ. Large installations commonly "standardize" on single platforms such as Windows for "ease of maintenance", i.e. the convenience or preferences of the IT department. Yet when a worm comes to town, it is diversity -- or, in management-speak, "market fragmentation" and "incompatibility" -- which could save the day.

That, it seems to me, is the true lesson of Code Red.
