Code Red (computer worm)

Code Red is a family of computer worms that spread across the Internet from 12 July 2001. The first infected computers were reported on 13 July by eEye Digital Security, where Marc Maiffret and Ryan Permeh carried out the first analysis. The worm was named after its defacement message and after the soft drink Mountain Dew Code Red, which the two analysts were drinking during the investigation.

Most infections were caused by the second version of Code Red, which infected over 359,000 computers on its first day. More dangerous still was the new worm Code Red II, which appeared at the beginning of August and installed a backdoor. All variants together are estimated to have infected 760,000 computers.

Malicious functions

Besides its propagation routine, Code Red carried two actual payloads. Which of them was active was determined by the day of the month; from the 28th to the end of the month the worm did nothing at all.

Code Red II carried only one payload besides its propagation routine, and its activity did not depend on the date.

Propagation

During the first 19 days of each month Code Red tried to spread by opening connections to the default HTTP port (TCP port 80) of random IP addresses and exploiting a buffer overflow in the Indexing Service component (the ISAPI extension idq.dll) of Microsoft's Internet Information Server (IIS).

The scanning was parallelized across 100 threads. Because of a bug, an affected server occasionally ended up running more than the intended 100 threads. Together with the network load generated by the scanning attempts, this led to resource exhaustion on infected hosts and on the networks around them.

Systems other than IIS were also hit by the probes, although this did not lead to a Code Red infection. Some devices (for example Cisco 600 series DSL routers) malfunctioned because of bugs in their handling of the request. Microsoft had published a patch for the vulnerability (security bulletin MS01-033) about three weeks before the worm was discovered, and fixes for the affected Cisco products also existed before the outbreak; every infected host was therefore one that had not been patched.

Code Red II exploited the same vulnerability to spread.

Defacement

If the infected system's locale was US English, the hundredth thread changed its behaviour: it modified the running IIS in memory (no file on disk was altered) so that the server returned the page "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!" instead of its normal content. After ten hours the defacement was reversed.

Denial of Service

Once propagation and any defacement were over, the second payload became active between the 20th and 27th of each month: a DDoS attack against a fixed IP address, originally that of the White House website (www.whitehouse.gov).

Apart from this explicit DDoS attack, the propagation routine itself also caused outages through the load it generated.

Backdoor

The newer worm Code Red II installed a backdoor but omitted both the defacement and the DDoS. The side effects of its propagation were, however, amplified by its changed way of generating target IP addresses, which concentrated its probes on the infected host's own network.
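Both the exploit request described under Propagation and the use of the Code Red II backdoor leave characteristic entries in the web server's log. The following Python script is an added example, not code from this article or from any of the original worm analyses: it parses IIS W3C extended log records (honouring the #Fields: directive), flags the exploit request (a GET for /default.ida whose query is a long run of "N" for Code Red v1/v2 or "X" for Code Red II, followed by %u-encoded shellcode), and flags later use of the Code Red II backdoor through root.exe or the /c and /d virtual directories. The log excerpt is constructed, with source addresses from the documentation ranges; the request strings follow the publicly documented signatures, and a plain request for /default.ida without the payload is included to show that it is not reported.

```python
"""Spot Code Red exploit probes and Code Red II backdoor use in IIS W3C logs.

Added example, not code from the article.  SAMPLE_LOG is constructed; the
request signatures are the publicly documented ones.
"""
import re
from collections import Counter

# Exploit request: /default.ida?<224 x 'N' or 'X'>%u9090%u6858... .  We only
# require a run of at least 100 identical filler characters followed by a
# %u-encoded sequence, so truncated log lines still match.
PROBE_RE = re.compile(r"^([NX])\1{99,}%u")
VARIANT_BY_FILLER = {"N": "Code Red v1/v2", "X": "Code Red II"}

# Code Red II backdoor: cmd.exe copied as root.exe into /scripts and /msadc,
# plus the /c and /d virtual directories that expose drives C: and D:.
ROOT_EXE_RE = re.compile(r"/root\.exe$", re.IGNORECASE)
DRIVE_SHARE_RE = re.compile(r"^/[cd]/.*cmd\.exe$", re.IGNORECASE)

# Constructed sample in IIS 5 W3C extended format (documentation-range IPs).
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
           "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
           "%u0078%u0000%u00=a")
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2001-07-19 10:00:00",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:00:01 192.0.2.10 GET /default.ida " + "N" * 224 + PAYLOAD + " 200",
    "2001-07-19 10:00:03 192.0.2.10 GET /default.ida " + "N" * 224 + PAYLOAD + " 200",
    "2001-07-19 10:00:05 203.0.113.5 GET /index.html - 200",
    "2001-08-04 12:13:14 198.51.100.7 GET /default.ida " + "X" * 224 + PAYLOAD + " 200",
    "2001-08-04 12:15:00 198.51.100.7 GET /scripts/root.exe /c+dir 200",
    "2001-08-04 12:16:00 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 200",
    "2001-08-04 12:17:00 203.0.113.5 GET /default.ida - 404",
]


def parse_w3c(lines):
    """Yield one dict per record, using the column names from '#Fields:'."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log record before #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(rec):
    """Return (kind, detail) for a suspicious record, or None."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "")
    if stem.lower().endswith("/default.ida"):
        m = PROBE_RE.match(query)
        if m:
            return "probe", VARIANT_BY_FILLER[m.group(1)]
    if ROOT_EXE_RE.search(stem):
        return "backdoor", "root.exe (cmd.exe copy in /scripts or /msadc)"
    if DRIVE_SHARE_RE.match(stem):
        return "backdoor", "cmd.exe via /c or /d virtual directory"
    return None


def scan(lines):
    """Run classify() over every record and collect the findings."""
    findings = []
    for rec in parse_w3c(lines):
        hit = classify(rec)
        if hit:
            findings.append({"time": rec["date"] + " " + rec["time"],
                             "src": rec["c-ip"], "kind": hit[0], "detail": hit[1]})
    return findings


def summarize(findings):
    """Count (source, kind) pairs; repeated probes from one address mark a scanning host."""
    return Counter((f["src"], f["kind"]) for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['src']:15} {f['kind']:8} {f['detail']}")
    print(summarize(found))
```

A host that appears as a probe source is itself infected and should be isolated and patched before it is rebooted, since a reboot alone only removes the in-memory worm; a host that appears as the target of root.exe or /c requests with status 200 has the Code Red II backdoor installed and needs the files and virtual directories removed as well.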

History of the outbreak

The first version of Code Red (more precisely Net-Worm.Win32.CodeRed.a or CODERED.A) spread only slowly, because its random number generator was initialized with a static seed, so every infected host scanned the same sequence of IP addresses and kept hitting machines that were already infected. Only the second version (CODERED.B) used genuinely random IP addresses; on 19 July it infected over 359,000 computers within about 14 hours. Both versions ran purely in memory and could be removed by rebooting the computer, although an unpatched host remained vulnerable and could be reinfected immediately.

Code Red II (also CodeRed.C) is counted as part of this family because it referenced the name in its code and exploited the same vulnerability. It had, however, been rewritten, and some security experts suspected a different author. In particular, it used a more sophisticated algorithm for selecting target IP addresses, biased toward the infected host's own network, and its backdoor was not only held in memory but persisted on disk and was re-executed after every user login. The backdoor consisted of copies of cmd.exe placed as root.exe in the IIS /scripts and /msadc directories and a trojaned explorer.exe in the root of drives C: and D:, which exposed those drives through the virtual directories /c and /d. The worm stopped propagating after 1 October 2001, but further variants appeared until 2003.
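The differences in target selection just described are what set the three variants' spreading speed apart, and they can be made visible with a small model. The following Python code is an added example, not the worms' own code: it uses Python's random module in place of the worms' generators, documentation-range addresses as infected hosts, an arbitrary constant (FIXED_SEED) standing in for the v1 static seed, and for Code Red II the target mix reported in the public eEye and CAIDA analyses (1/8 fully random, 1/2 within the host's own /8, 3/8 within its own /16), which this article does not itself state. It shows that two v1 instances scan an identical list, that two v2 instances hardly overlap, and that a Code Red II instance concentrates most of its probes on its own network, which is why its scanning hit local infrastructure so much harder.

```python
"""Model of Code Red v1, v2 and Code Red II target-address selection.

Added example, not the worms' code.  Python's Mersenne Twister stands in for
the worms' generators; FIXED_SEED is an arbitrary constant; the Code Red II
probabilities follow the published eEye/CAIDA analyses.
"""
import ipaddress
import random

FIXED_SEED = 0x12345678  # assumption: any constant; v1 used the same seed everywhere


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def crv1_targets(count, seed=FIXED_SEED):
    """Code Red v1: every instance seeds its generator with the same constant,
    so every infected host produces the same target list."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def crv2_targets(count, host_seed):
    """Code Red v2: the seed differs per instance (modelled here as a value
    derived from the host), so target lists are independent."""
    rng = random.Random(host_seed)
    return [rng.getrandbits(32) for _ in range(count)]


def crii_targets(count, local_ip, seed):
    """Code Red II: 1/8 random, 1/2 same /8, 3/8 same /16 as the infected host
    (published analysis values).  Loopback, multicast/reserved and the host's
    own address are skipped."""
    rng = random.Random(seed)
    local = ip_to_int(local_ip)
    targets = []
    while len(targets) < count:
        choice = rng.random()
        bits = rng.getrandbits(32)
        if choice < 1 / 8:
            t = bits
        elif choice < 1 / 8 + 1 / 2:
            t = (local & 0xFF000000) | (bits & 0x00FFFFFF)
        else:
            t = (local & 0xFFFF0000) | (bits & 0x0000FFFF)
        first_octet = t >> 24
        if first_octet == 127 or first_octet >= 224 or t == local:
            continue
        targets.append(t)
    return targets


def overlap(a, b):
    """Number of addresses two instances would both probe."""
    return len(set(a) & set(b))


def same_prefix_fraction(targets, local_ip, prefix_len):
    """Share of targets that fall inside the host's own /prefix_len network."""
    net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    return sum(ipaddress.IPv4Address(t) in net for t in targets) / len(targets)


def compare(count=2000, local_ip="198.51.100.23"):
    """Summarize how the three strategies behave for two infected hosts."""
    v1_a, v1_b = crv1_targets(count), crv1_targets(count)
    v2_a = crv2_targets(count, host_seed=ip_to_int("192.0.2.10"))
    v2_b = crv2_targets(count, host_seed=ip_to_int("203.0.113.5"))
    ii = crii_targets(count, local_ip, seed=ip_to_int(local_ip))
    return {
        "crv1_shared_targets": overlap(v1_a, v1_b),   # all of them
        "crv2_shared_targets": overlap(v2_a, v2_b),   # practically none
        "crii_same_slash16": same_prefix_fraction(ii, local_ip, 16),
        "crii_same_slash8": same_prefix_fraction(ii, local_ip, 8),
        "crii_first_targets": [int_to_ip(t) for t in ii[:5]],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:22} {value}")
```

Note that the share of Code Red II probes landing in the host's own /8 comes out slightly above 7/8, because addresses rejected from the fully random branch are redrawn; the real worm's exact filtering is not the point, the locality is.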

Damage Done

The originally intended attack on the White House website came to nothing, because the site's administrators changed its IP address in time. The worm nevertheless caused damage through the outages it triggered and through the cost of fighting it.

According to an estimate by Computer Economics, the Code Red worms had caused damage of at least 2.6 billion US dollars by the end of August 2001, of which 1.1 billion was spent on cleanup and 1.5 billion was lost productivity.
