Code Red (computer worm)
The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server.

The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. They named it the .ida "Code Red" worm because Code Red Mountain Dew was what they were drinking at the time, and because of the phrase "Hacked by Chinese!" with which the worm defaced websites.

Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.

Exploited vulnerability

The worm exploited an unchecked buffer in the Index Server ISAPI extension (idq.dll) distributed with IIS, described in Microsoft Security Bulletin MS01-033, for which a patch had been available since June 18, 2001, about a month earlier.

The worm spread itself using a common type of vulnerability known as a buffer overflow. It sent the .ida extension a request whose query string consisted of a long run of the repeated character 'N'; this overran a fixed-size stack buffer, allowing the worm to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House in recognition.

Worm payload

The payload of the worm included:
  • Defacing the affected web site to display:
    HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
    (The last sentence became an Internet meme indicating an online defeat.)
  • Other activities based on the day of the month:
    • Days 1–19: trying to spread itself by looking for more IIS servers on the Internet.
    • Days 20–27: launching denial-of-service attacks on several fixed IP addresses. The IP address of the White House web server was among those.
    • Days 28–end of month: sleeping, no active attacks.


When scanning for vulnerable machines, the worm did not test whether the server on a remote machine was a vulnerable version of IIS, or even whether it was running IIS at all. Apache access logs from this time frequently had entries such as these:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

The worm's payload is the string following the last 'N'. The %uXXXX sequences are the %u Unicode escapes accepted by IIS; once the .ida extension decodes them, a vulnerable host ends up treating the resulting bytes as machine instructions.
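The following is an added example, not code from the article or from eEye: a small log scanner that picks the request signature described above out of Apache access-log lines, tells the 'N' filler of Code Red from the 'X' filler of Code Red II, maps the request date onto the day-of-month behaviour listed earlier, and decodes the %u tail into bytes. The log lines are constructed (RFC 5737 addresses), the 224-character filler length is taken from the request quoted above, the 50-character detection threshold is an arbitrary choice, and decoding each %uXXXX unit as a little-endian 16-bit value is this example's assumption about how the bytes land in memory, chosen because it makes the repeated pair %ucbd3%u7801 read as the dword 0x7801cbd3.

```python
"""Flag Code Red / Code Red II probes in Apache access logs and decode the
%u-encoded payload that follows the filler characters.

Added example; the log lines below are constructed, not real captures.
"""
import re
from datetime import datetime

# The %u-encoded tail exactly as it appears in the request quoted in the
# article.  The trailing "%u00=a" is not a complete escape, so a decoder
# has to tolerate it rather than reject the whole request.
CODE_RED_TAIL = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
    "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)


def code_red_request(filler: str, count: int = 224) -> str:
    """Build the request URI: 'N' filler for Code Red, 'X' for Code Red II."""
    return "/default.ida?" + filler * count + CODE_RED_TAIL


# Constructed Apache common-log lines (client addresses from RFC 5737 ranges).
SAMPLE_LOG = [
    f'192.0.2.10 - - [19/Jul/2001:14:02:11 +0000] "GET {code_red_request("N")} HTTP/1.0" 404 289',
    '198.51.100.7 - - [19/Jul/2001:14:05:40 +0000] "GET /index.html HTTP/1.0" 200 1043',
    f'203.0.113.5 - - [05/Aug/2001:09:13:02 +0000] "GET {code_red_request("X")} HTTP/1.0" 404 289',
    '192.0.2.44 - - [25/Jul/2001:03:40:19 +0000] "GET /default.ida HTTP/1.0" 404 289',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
# Signature: the .ida ISAPI extension, a long run of one filler byte, then
# %u escapes.  The 50-character threshold is an arbitrary choice.
PROBE = re.compile(r'^/default\.ida\?(?P<filler>N{50,}|X{50,})(?P<tail>%u[0-9A-Fa-f]{4}.*)$')
U_ESCAPE = re.compile(r'%u([0-9A-Fa-f]{4})')


def decode_u_escapes(tail: str) -> bytes:
    """Turn IIS-style %uXXXX escapes into bytes.

    Assumption made by this example: each 16-bit unit is emitted little-endian.
    Anything that is not a complete escape is copied through as-is.
    """
    out = bytearray()
    i = 0
    while i < len(tail):
        m = U_ESCAPE.match(tail, i)
        if m:
            out += int(m.group(1), 16).to_bytes(2, "little")
            i = m.end()
        else:
            out.append(ord(tail[i]) & 0xFF)
            i += 1
    return bytes(out)


def worm_phase(day_of_month: int) -> str:
    """Day-of-month behaviour of the original worm as the article lists it."""
    if 1 <= day_of_month <= 19:
        return "spreading"
    if 20 <= day_of_month <= 27:
        return "ddos"
    return "sleeping"


def scan_log(lines):
    """Return one record per request matching the Code Red probe signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        p = PROBE.match(m.group("uri"))
        if not p:
            continue
        day = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").day
        payload = decode_u_escapes(p.group("tail"))
        hits.append({
            "ip": m.group("ip"),
            "variant": "Code Red" if p.group("filler")[0] == "N" else "Code Red II",
            "filler_len": len(p.group("filler")),
            "phase_on_that_day": worm_phase(day),
            "payload": payload,
            "nop_sled": payload.startswith(b"\x90\x90"),  # 0x90 is the x86 NOP opcode
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["variant"], h["filler_len"], h["phase_on_that_day"],
              h["payload"][:8].hex())
```

The bare "GET /default.ida" line is deliberately not flagged: the signature the article gives is the filler run plus the %u tail, and matching on the path alone would also catch ordinary probes for the extension. Under the little-endian assumption the decoded stream opens with two 0x90 bytes and contains the dword 0x7801cbd3 three times, one per repetition of the %ucbd3%u7801 pair.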

Similar worms

On August 4, 2001 Code Red II appeared. Although it uses the same injection vector as the original Code Red worm, it has a completely different payload, and analysis showed it to be a new worm rather than a variant. It pseudo-randomly chose targets on the same or different subnets as the infected machine according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used a run of repeated 'X' characters instead of 'N' characters to overflow the buffer.

eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm).

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.