Code: Blue denotes an emergency medical situation requiring immediate attention. A Code Blue is initiated when a patient is unresponsive, pulseless, or not breathing: i.e. the patient needs cardiopulmonary resuscitation (CPR). Once there is a Code Blue, a team of doctors and nurses, often a designated "code-team", will rush to the patient taking life-saving measures. The team uses a crash cart which contains important aids such as a defibrillator, intubation equipment, suction, oxygen, and an I.V. setup to stabilize the patient.

Not to be confused with a Code: Brown, which is ER-speak for when a patient doesn't make it to the bathroom or bedpan in time.

Disclaimer: I'm not a doctor or nurse. I've never participated in a Code Blue. Corrections, elaborations are welcome.

Code Blue is one term used for a hypothetical vaccine or antidote to the Code Red Worm, exploiting the backdoor created by Code Red II to immunize compromised systems. The idea for this antidote seems to have occurred seperately to several parties, and the name seems to have been independently invented at least twice. To the best of my knowledge, it has not yet been implemented.

Disclaimer: Because the use of this vaccine involves distributing a piece of infectious software which works by cracking into other people's computers, it cannot be considered a white-hat operation. It is at best gray-hat, meaning that while it may be ethically acceptable to many legitimate operators, it uses cracking techniques and is very likely illegal. I do not recommend that you write a program to these specifications.

The basic operation of a Code Blue program, when installed on a given Windows 2000 or Windows NT system is as follows. The initial installed host is termed the origin system.

  1. Kill any running Code Red or Code Red II processes on the origin system, and remove any backdoors installed by Code Red II.
  2. Hook into to the origin system's IIS Web server, in such a way that any incoming HTTP request for default.ida gets passed to the Code Blue program.
  3. When a request matching "default.ida?XXX..." -- that is, a Code Red II infection attempt -- comes in, record the IP address of the sender. Call it the target system. Because the target system is trying to send us Code Red II, we know that it is itself infected, and therefore harbors the root.exe backdoor.
  4. Using the root.exe backdoor, break into the target system and cause it to download two pieces of software from the origin system: the Microsoft security patch for the default.ida vulnerability, and the Code Blue program itself.
  5. Have the target system install the security patch, then run Code Blue. (It is now itself an origin system, and starts at step 1 above.)
  6. Wait for another default.ida?XXX... request, and repeat.

Code Blue, written to these specifications, would not be as infectious as Code Red II. To continue the biological analogy -- if Code Red worms are parasites on vulnerable Microsoft IIS installations, then Code Blue would be a predator of Code Red II. As such, I cannot expect that Code Blue would drive Code Red into extinction, although it might well make a significant dent in the population of infected systems.

Please note that I am not a Windows programmer, and I cannot provide any technical details as to how one might write a Code Blue program. I do not recommend that you (or anyone else) write one. I consider it an interesting mental exercise into software ecology, but I am not sure that I want to encourage an ecology based on the proliferation and exploitation of security holes.


Update, Sep. 4 2001: A German hacker calling himself Der HexXer has released a worm program called Code Green, which serves a similar purpose to Code Blue -- it fights Code Red II. Unlike Code Blue, Code Green is an active worm, meaning that it scans the Internet address space for vulnerable systems, rather than waiting for Code Red to attack.

Another recently-released program, CRclean by Markus Kern, appears to be quite close in its behavior to the Code Blue model. The announcement of CRclean, and a link to its source, is available at http://www.securityfocus.com/archive/82/211462.

Update, Sep. 10 2001: As if to confuse things more, Kaspersky Labs has just announced its discovery of a malicious worm going by the name "Code Blue". This worm also removes Code Red infections and immunizes the infected systems, but it also attempts to perpetrate a denial of service attack against a security-oriented Web site.

Code blue means that the patient is either dead or in ventricular fibrillation, which means they will be dead soon if you don't do something right away. This qualifies as a time pressure situation.

The code team swarms the room, with a code cart. A physician will "run" the code, though any nurse will start it.

Jobs include:

1. CPR. This rotates. To do effective CPR, the patient must be on a firm surface, so that may mean rolling them up on their side and sliding a board underneath.

2. Running the code. One doctor will be in charge, but anyone can speak up if they know something or notice something.

3. Attaching stuff. If the patient is not already hooked up to a heart monitor, this means attaching ECG stickers, getting an iv placed (wide bore) and getting the person ready to intubate, if they are not already intubated. "In the field", which means outside the hospital, the first job is getting the clothes out of the way, which means cutting through them fast with bandage scissors. This can be one or two or three nurses or medical students or EMTs or whatever.

4. Recorder. They write down what is happening and all the times.

The medical school joke is "in an emergency, first check your own pulse". The first thing to remember is that the patient is dead. You need to be respectful but you cannot actually make them worse. Though some people might argue that coming back and having stroke like or traumatic brain injury like symptoms is worse.

So, the patient is either dead or nearly dead. You have about 8 minutes. If the person is over 80, CPR is breaking ribs or else it is not effective. Hospitals have taken to doing practice codes in a video taped room, and then analyzing what is happening. How efficiently is the code run? They can then break it down and go over everything that was done.

The longest code I ever attended was at the VA in Portland, Oregon. The gentleman had had a heart transplant. We were instructed to keep going, even though we were beyond 20 minutes. The code was not "called", that is, ended, until the transplant surgeon arrived. It was well over half an hour. He "called" the code immediately when he arrived. The room had gotten quiet at least ten minutes before that because we all knew that it was now futile, though CPR was continued.

I renew Basic CPR and ACLS: Advanced Cardiac Life Support, every two years to stay certified. Back when I was working for the county hospital, they would give me the infant fake case because I was doing obstetrics. In the ACLS class, the patient usually gets a pulse back. In reality if you want to survive a code blue, it's best to die on television. The survival rate on medical shows is way higher than the reality. Your next best choice is either in an ER or else in a Las Vegas Casino, where the security people are used to attaching AEDs.

Log in or register to write something here or to contact authors.