Code Red (computer worm)

From Free net encyclopedia

The Code Red worm was a computer worm released on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server. The most in-depth research on the worm was performed by the programmers at eEye Digital Security. They also gave the worm its name, a reference to a variety of Mountain Dew soft drink and the phrase "Hacked By Chinese!" (see Red Scare) with which the worm defaced websites.

The worm exploited a vulnerability in the indexing software distributed with IIS, described in MS01-033, for which a patch had been available a month earlier.

The payload of the worm included:

  • It defaced the affected web site to display:
    HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
    (The last sentence became a stock phrase to indicate an online defeat)
  • It tried to spread itself by looking for more IIS servers on the Internet.
  • It waited 20-27 days after it was installed to launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.

The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine.

When scanning for vulnerable machines, the worm did not check whether the web server on a remote machine was a vulnerable version of IIS, or even whether it was IIS at all. Apache access logs from this time frequently had entries such as these:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
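Because the probe is identical for every target, it is easy to pick out of a web server's access log. The script below is an added example written for this article (not code from the article or from eEye); it parses Apache combined-format log lines (an assumed log format), flags requests for /default.ida whose query string is a long run of 'N' (Code Red) or 'X' (Code Red II) followed by %u escapes, and counts probes per source address. The log lines are constructed samples, and the minimum filler length is an assumed heuristic.

```python
"""Flag Code Red / Code Red II probes in Apache access log lines.

Added example for the Code Red article. The log lines are constructed
samples; the log format and the MIN_FILL threshold are assumptions.
"""
import re
from collections import Counter

# Apache "combined" log format (assumed); only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The probe shape the article describes: /default.ida?, a long run of one
# filler character ('N' for Code Red, 'X' for Code Red II), then %uXXXX escapes.
PROBE_RE = re.compile(
    r'^/default\.ida\?(?P<fill>N+|X+)(?P<enc>(?:%u[0-9a-fA-F]{4})+)'
)

# Minimum filler length before a request counts as a probe. Assumed heuristic
# so that an ordinary short request for default.ida is not flagged.
MIN_FILL = 100

# The %u-encoded tail copied from the log excerpt in the article.
SHELLCODE_ESCAPES = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
    "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)


def _log_line(ip, target, status):
    """Build one constructed Apache combined-format log line."""
    return (f'{ip} - - [19/Jul/2001:10:12:44 +0000] "GET {target} HTTP/1.0" '
            f'{status} 298 "-" "-"')


# Constructed sample log: ordinary traffic, two Code Red probes from one host,
# one Code Red II probe, a short default.ida request, and a malformed line.
SAMPLE_LOG = [
    _log_line("192.0.2.10", "/index.html", 200),
    _log_line("198.51.100.7", "/default.ida?" + "N" * 224 + SHELLCODE_ESCAPES, 404),
    _log_line("198.51.100.7", "/default.ida?" + "N" * 224 + SHELLCODE_ESCAPES, 404),
    _log_line("203.0.113.42", "/default.ida?" + "X" * 224 + SHELLCODE_ESCAPES, 404),
    _log_line("192.0.2.10", "/default.ida?NNN%u9090", 404),
    "this line is not in Apache log format",
]


def classify_request(target):
    """Return 'Code Red', 'Code Red II', or None for one request target."""
    m = PROBE_RE.match(target)
    if m is None or len(m.group("fill")) < MIN_FILL:
        return None
    return "Code Red" if m.group("fill")[0] == "N" else "Code Red II"


def scan_log(lines):
    """Scan log lines; return hits, per-source counts and unparsed-line count."""
    report = {"hits": [], "by_source": Counter(), "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            report["unparsed"] += 1
            continue
        label = classify_request(m.group("target"))
        if label is None:
            continue
        report["hits"].append((m.group("ip"), label, m.group("time")))
        report["by_source"][(m.group("ip"), label)] += 1
    return report


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for (ip, label), n in sorted(result["by_source"].items()):
        print(f"{ip:16} {label:12} {n} probe(s)")
    print(f"{result['unparsed']} line(s) could not be parsed")
```

On a real log the source addresses identify infected hosts that are still scanning, which is the useful output for a defender: the probe itself is harmless to Apache (it answers 404), but each source is a machine that needs the MS01-033 patch.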

On August 4, 2001 Code Red II appeared. Code Red II is not a variant of the original Code Red worm. Although it uses the same injection vector, it has a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machine according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used a pattern of repeated 'X' characters instead of 'N' characters to overflow the buffer.

eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter worm).
