The Code Red worm/virus was first discovered in the wild on July 13, 2001. It contained an apparent bug, in that the targeting list was created from the same static random seed, which caused it to begin its targeting by hitting the same sequence of machines.
In apparent confirmation of the theory that one of these machines was feeding intel back to the originator, a second variant (CRv2) was discovered in the wild late on July 19, 2001. This variant used a truly random sequence to create its target list, and does not deface the website. Approximately 300,000 servers are believed to have been compromised, based on the number of distinct IP addresses attacking various networks. The change to the original virus was a mere 13 bytes.
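As an added illustration of the static-seed bug described above (this is not code from the original writeup or from any published analysis of the worm), the following simulation models a population of instances that each build a target list from a seeded generator. The seed constant, the population sizes and the per-host entropy source are constructed placeholders; the point is what an observer of the traffic would see under each scheme.

```python
import random

# Added model of the CRv1 "static seed" bug: every instance seeds its
# target generator with the same constant, so every copy replays one list.
STATIC_SEED = 0x1234  # constructed placeholder, not the worm's actual value


def random_ipv4(rng):
    """Draw one dotted-quad address from the given generator."""
    v = rng.getrandbits(32)
    return ".".join(str((v >> s) & 0xFF) for s in (24, 16, 8, 0))


def target_sequence(seed, n):
    """The first n addresses an instance seeded with `seed` tries, in order."""
    rng = random.Random(seed)
    return [random_ipv4(rng) for _ in range(n)]


def simulate_population(instances, per_instance, static_seed=None):
    """Model `instances` infected hosts each probing `per_instance` addresses.

    static_seed=None models CRv2 (independent seed per instance); a fixed
    value models CRv1. Returns (distinct addresses probed, most probes any
    single address received), which is what traffic observers could see.
    """
    seed_source = random.Random(2001)  # constructed: stands in for per-host entropy
    hits = {}
    for _ in range(instances):
        seed = static_seed if static_seed is not None else seed_source.getrandbits(32)
        for ip in target_sequence(seed, per_instance):
            hits[ip] = hits.get(ip, 0) + 1
    return len(hits), max(hits.values())


if __name__ == "__main__":
    crv1 = simulate_population(200, 100, static_seed=STATIC_SEED)
    crv2 = simulate_population(200, 100)
    print("CRv1 static seed : %d distinct targets, hottest target hit %d times" % crv1)
    print("CRv2 random seed : %d distinct targets, hottest target hit %d times" % crv2)
```

Under the static seed, 200 instances probing 100 addresses each reach only those same 100 addresses, every one of them 200 times, which is why the first victims saw the same machines hit in the same order and why a 13-byte change to the seeding made the second variant spread so much more widely.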
An additional weakness of the worm is that it lives entirely in memory on a server. Removing the virus is simply a matter of applying the patch (at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp), and rebooting the system. However, this would only clear the Code Red worm, and not clear out any other compromises. Since your machine has been advertising itself to the world as compromisable, it may have been attacked by a human, as well.
As it is (now) after the 20th of the month, the machines are in attack mode, attempting to connect to the former White House web server IP address. Due to a small bug in the code, after attacking (until the 28th), the worm will go into sleep mode until the first. However, the sleep mode will cause the server to freeze until rebooted, thus preventing the machine from returning to attack mode on the 1st.
On August 1, the worm reawoke, despite the valiant efforts to stamp it out. Within three hours, somewhere between 100,000 and 300,000 hosts were reinfected*. Since then, the number of infected machines appears to be holding at steady state.
Analysis of the Worm:
Corrections to below nodes
- The origin of the name is both for the alleged Chinese origin, and the Mountain Dew beverage. Eeye named it, and credits both reasons in their analysis. A reporter (CNN, I believe) turned this into a "rumor."
- Before the 20th of the month, the threads are in infect mode. After the 20th they are in attack mode.
* Errors in reporting have roots in a number of problems:
- Some data collectors (principally folks with Class A nets) are categorizing all port 80 traffic to Code Red, especially if the target machine did not exist. Thus, people scanning for web servers are being counted as infected machines.
- Some machines appear to be on dynamic addresses, because they are on home networks. When they reconnect, they are given a new IP address, and if they get reinfected, they count as a new address.
On August 5, 2001, Code Red II was added into the mix. CRII is a man-made variant of CRv2 that allows anyone to connect to port 80 on an infected machine and get a shell prompt. This will allow legions of script kiddies to use the 100,000 remaining Code Red hosts as a legion of zombies.