Code Red (computer worm)

from Wikipedia, the free encyclopedia

Code Red is a family of computer worms that began spreading on the Internet on July 12, 2001. The first infected computers were reported to eEye Digital Security on July 13, where Marc Maiffret and Ryan Permeh carried out the first analysis. The worm was named with reference to the defacement message and after the drink Mountain Dew Code Red, which the two analysts were drinking during the investigation.

Most infections were caused by the second version of Code Red, which infected over 359,000 computers on its first day. Code Red II, a new worm circulating from the beginning of August, was more dangerous because it installed a backdoor. Together, all variants infected an estimated 760,000 computers.

Malicious functions

In addition to its propagation routine, Code Red contained two actual malicious functions. Which of them was active was determined by the day of the month; from the 28th to the end of the month the worm took no action.

Code Red II had only one malicious function apart from its propagation routine, and its activity did not depend on the date.

Propagation

During the first 19 days of each month, Code Red tried to spread by opening connections to the standard HTTP port of random IP addresses and attempting to exploit a buffer overflow in the Index Server component of Microsoft's Internet Information Server.

This attack was parallelized across 100 sub-processes. Due to a bug, more than the intended 100 processes were occasionally started on an infected server. Together with the network load of the propagation attempts, this led to resource exhaustion.

Systems other than IIS were also hit by the propagation attempts, although Code Red could not infect them. Some systems (e.g. the Cisco 600 series) stopped working because of errors. Microsoft had released a patch for the vulnerability three weeks before the worm was discovered, and fixes for the affected Cisco products also existed before the outbreak.

Code Red II exploited the same vulnerability to propagate.

Defacement

If the attacked system's locale was that of the USA, the hundredth process changed its behaviour: it modified the IIS installation so that it displayed the text “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!”. After ten hours the defacement was reversed.

Denial of Service

After the propagation phase and a possible defacement, the second malicious function was activated between the 20th and 27th of each month: a DDoS attack against a fixed IP address, originally that of the White House's website.

Apart from this explicit DDoS attack, the propagation routine itself also caused outages.

Backdoor

Code Red II installed a backdoor but dispensed with defacement and DDoS. Because it generated target IP addresses differently, the side effects of its propagation increased.

Distribution history

The first version of Code Red (more precisely Net-Worm.Win32.CodeRed.a or CODERED.A) spread only slowly because its random number generator was initialized with a static seed, so every infected host attacked the same sequence of IP addresses. Only the second version (CODERED.B) used truly random IP addresses and attacked over 359,000 computers within about 14 hours on July 19. Both versions could be removed by restarting the computer.
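As an added illustration (not part of the Wikipedia article), the following toy simulation models why a static seed cripples a scanning worm: every newly infected host replays the same target sequence from the beginning, so the set of distinct addresses probed grows no faster than a single host's, whereas independently seeded hosts cover the address space at an exponential rate. The address space, vulnerability share and probe rate are constructed values, not Code Red's.

```python
import random

# Constructed toy parameters (not Code Red's real values): a small integer
# address space stands in for IPv4, and a fixed share of it is "vulnerable".
SPACE = 5000
VULNERABLE_SHARE = 0.10
PROBES_PER_ROUND = 40
FIXED_SEED = 12345  # stand-in for the static seed used by CODERED.A


def simulate(rounds, static_seed, master_seed=1):
    """Run a toy scanning-worm epidemic; return (infected_per_round, n_vulnerable).

    static_seed=True : each newly infected host starts the same RNG sequence
                       from the beginning (CODERED.A behaviour).
    static_seed=False: each host gets its own seed (CODERED.B behaviour).
    """
    world = random.Random(master_seed)  # fixed seed keeps the run reproducible
    vulnerable = {a for a in range(SPACE) if world.random() < VULNERABLE_SHARE}

    def new_rng():
        return random.Random(FIXED_SEED if static_seed else world.getrandbits(64))

    # infected host -> its own target generator
    hosts = {min(vulnerable): new_rng()}
    history = []
    for _ in range(rounds):
        newly = set()
        for rng in hosts.values():
            for _ in range(PROBES_PER_ROUND):
                target = rng.randrange(SPACE)
                if target in vulnerable and target not in hosts:
                    newly.add(target)
        for victim in newly:  # infect after the round so all hosts probe once
            hosts[victim] = new_rng()
        history.append(len(hosts))
    return history, len(vulnerable)


if __name__ == "__main__":
    static_hist, n_vuln = simulate(30, static_seed=True)
    random_hist, _ = simulate(30, static_seed=False)
    print(f"vulnerable hosts: {n_vuln}")
    print(f"static seed after 30 rounds: {static_hist[-1]} infected")
    print(f"fresh seeds after 30 rounds: {random_hist[-1]} infected")
```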

Code Red II (also CODERED.C) is counted in this family because it referenced the name and exploited the same vulnerability. However, it had been rewritten, and some security experts suspect a different author. In particular, it had a more sophisticated algorithm for selecting target IP addresses, and its backdoor was not only held in main memory but was executed again after a user logged in. The worm deactivated itself after October 1, but further variants appeared until 2003. The backdoor remained installed.

Damage caused

The attack on the White House website originally intended by Code Red came to nothing because the system administrators changed the service's IP address in time. Nevertheless, the outages and the clean-up caused damage.

According to an estimate by Computer Economics, the Code Red worms had caused damage of at least 2.6 billion US dollars by the end of August 2001, of which 1.1 billion was attributable to clean-up and 1.5 billion to lost revenue.
