Wikipedia

Code Red (computer worm)

Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server. It was the first large-scale, mixed-threat attack to successfully target enterprise networks.[1]

Image caption: .ida "Code Red" Worm, a website defaced by the worm
Common name: Code Red
Technical name: CRv and CRvII
Type: Server Jamming Worm

The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh when it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because they were drinking the Mountain Dew flavor of the same name at the time of discovery.[2]

Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On that day, the number of infected hosts reached 359,000.[3]

The worm spread worldwide, becoming particularly prevalent in North America, Europe and Asia (including China and India).[4]

Concept

Exploited vulnerability

The worm exploited a vulnerability in the Index Server ISAPI extension distributed with IIS, described in Microsoft Security Bulletin MS01-033 ("Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise"),[5] for which a patch had become available a month earlier.

The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by sending a long string of the repeated letter 'N' to overflow a buffer, which allowed the worm to execute arbitrary code on the target and infect it. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.[6]

Worm payload

The payload of the worm included:

  • Defacing the affected web site to display:
    HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
  • Other activities based on the day of the month:[7]
    • Days 1–19: Trying to spread itself by looking for more IIS servers on the Internet.
    • Days 20–27: Launching denial-of-service attacks on several fixed IP addresses. The IP address of the White House web server was among these.[3]
    • Days 28–end of month: Sleeping; no active attacks.

When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all. Apache access logs from this time frequently had entries such as these:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

The worm's payload is the string following the last 'N'. Due to a buffer overflow, a vulnerable host interpreted this string as computer instructions, propagating the worm.

Similar worms

Main article: Code Red II

On August 4, 2001, Code Red II appeared. Although it used the same injection vector, it had a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.
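Because the worm probed any web server without checking for IIS, the access logs of unaffected Apache hosts recorded its requests, as the log entry above shows. The following detector, an added example that is not part of the Wikipedia article, parses Apache access-log lines and flags the .ida overflow pattern, distinguishing the 'N' filler of Code Red from the 'X' filler of Code Red II; the log lines, the documentation-range IPs, the abbreviated %u payload and the 100-character run threshold are all constructed for the example.

```python
import re
# Apache common/combined log prefix: client IP, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Code Red-family probe: GET /default.ida? plus a long run of one filler character
# (N for the original worm, X for Code Red II), then %uXXXX-encoded words.
# The minimum run of 100 is a constructed threshold, not a value taken from the worm.
PROBE_RE = re.compile(
    r'^GET /default\.ida\?(?P<filler>N{100,}|X{100,})(?P<payload>(?:%u[0-9a-fA-F]{4})+)'
)
VARIANT_BY_FILLER = {"N": "Code Red", "X": "Code Red II"}

def classify_request(request):
    """Describe the probe if the request line is a Code Red-style .ida overflow, else None."""
    m = PROBE_RE.match(request)
    if m is None:
        return None
    filler = m.group("filler")
    words = m.group("payload").split("%u")[1:]  # one 4-hex-digit unit per %u
    return {"variant": VARIANT_BY_FILLER[filler[0]],
            "filler_len": len(filler), "payload_words": len(words)}

def scan_log(lines):
    """Parse Apache access-log lines; return one record per Code Red probe seen."""
    hits = []
    for line in lines:
        lm = LOG_RE.match(line)
        if lm is None:
            continue  # not a well-formed access-log line
        probe = classify_request(lm.group("req"))
        if probe is not None:
            hits.append({"ip": lm.group("ip"), "status": int(lm.group("status")), **probe})
    return hits

def sources_by_variant(hits):
    """Count distinct scanning hosts per variant (for triage or a block list)."""
    seen = {}
    for h in hits:
        seen.setdefault(h["variant"], set()).add(h["ip"])
    return {variant: len(ips) for variant, ips in seen.items()}

# Constructed sample lines: documentation-range IPs and an abbreviated %u payload.
_PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00=a"
_LINE = '{ip} - - [{ts}] "GET /default.ida?{fill}' + _PAYLOAD + ' HTTP/1.0" 404 295'
SAMPLE_LOG = [
    _LINE.format(ip="203.0.113.5", ts="19/Jul/2001:10:02:11 +0000", fill="N" * 224),
    '203.0.113.9 - - [19/Jul/2001:10:05:40 +0000] "GET /index.html HTTP/1.0" 200 1043',
    _LINE.format(ip="198.51.100.7", ts="04/Aug/2001:03:14:07 +0000", fill="X" * 224),
    _LINE.format(ip="203.0.113.5", ts="19/Jul/2001:10:02:12 +0000", fill="N" * 224),
]
```

On a real server the same probe shows up with a 404 status on Apache and a 200 on an unpatched IIS host, so the status field is worth keeping in the record.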

eEye believed that the worm originated in Makati, Philippines, the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm.

See also

  • Nimda worm
  • Timeline of computer viruses and worms

References

  1. ^ Trend Micro. "Enterprise Prevention and Management of Mixed-Threat Attacks" (PDF).
  2. ^ "ANALYSIS: .ida 'Code Red' Worm" (archived copy from July 22, 2011), eEye advisory, eEye Digital Security, July 17, 2001.
  3. ^ a b Moore, David; Shannon, Colleen (c. 2001). "The Spread of the Code-Red Worm (CRv2)". CAIDA Analysis. Retrieved October 3, 2006.
  4. ^ "Discoveries – Video – The Spread of the Code Red Worm". National Science Foundation.
  5. ^ "Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise". Microsoft Corporation. June 18, 2001.
  6. ^ Lemos, Rob. "Virulent worm calls into doubt our ability to protect the Net". Tracking Code Red. CNET News. Archived from the original on June 17, 2011. Retrieved March 14, 2011.
  7. ^ "CERT Advisory CA-2001-19: 'Code Red' Worm Exploiting Buffer Overflow In IIS Indexing Service DLL". CERT/CC. July 17, 2001. Retrieved June 29, 2010.

External links

  • Code Red II analysis, Steve Friedl's Unixwiz.net, last update 22 August 2001
  • CAIDA Analysis of Code Red, Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC), updated November 2008
  • Animation showing the spread of the Code Red worm on 19 July 2001, by Jeff Brown (UCSD) and David Moore (CAIDA at SDSC)
