Code Red (computer worm)
{{short description|Computer worm}}
{{Infobox computer virus
|fullname = .ida Code Red Worm
|image = Website defaced by Code Red worm.png
|caption = A website defaced by the worm
|common name = Code Red
|technical name = CRv and CRvII
|aliases =
|family =
|classification =
|type = Server Jamming Worm
|subtype =
|origin =
|author =
|ports used =
|OSes =
|filesize =
|language =
}}
'''Code Red''' was a [[computer worm]] observed on the [[Internet]] on July 15, 2001. It attacked computers running [[Internet Information Services|Microsoft's IIS web server]]. It was the first large-scale, [[Mixed threat attack|mixed-threat attack]] to successfully target enterprise networks.<ref name="TrendMicro">{{cite web |author=Trend Micro |title=Enterprise Prevention and Management of Mixed-Threat Attacks |url=http://www.biz.netvigator.com/chi/pdf/eps_whitepaper.pdf}}</ref>

The Code Red worm was first discovered and researched by eEye Digital Security employees [[Marc Maiffret]] and Ryan Permeh when it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because they were drinking [[Mountain Dew Code Red]] at the time of discovery.<ref>[https://web.archive.org/web/20110722192419/http://www.eeye.com/Resources/Security-Center/Research/Security-Advisories/AL20010717 ANALYSIS: .ida "Code Red" Worm (archived copy from July 22, 2011)], eEye advisory, eEye Digital Security, July 17, 2001</ref>

Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On that day, the number of infected hosts reached 359,000.<ref name="caida">{{cite web |last1=Moore |first1=David |last2=Shannon |first2=Colleen |title=The Spread of the Code-Red Worm (CRv2) |url=http://www.caida.org/research/security/code-red/coderedv2_analysis.xml |work=[[CAIDA]] Analysis |year=c. 2001 |access-date=October 3, 2006}}</ref> The worm spread worldwide, becoming particularly prevalent in North America, Europe, and Asia (including China and India).<ref>{{cite web |title=Discoveries – Video – The Spread of the Code Red Worm |url=https://www.nsf.gov/discoveries/disc_videos.jsp?org=NSF&cntn_id=100075&media_id=51501 |website=[[National Science Foundation]]}}</ref>

==Concept==
===Exploited vulnerability===
The worm exploited a vulnerability in software distributed with IIS, described in Microsoft Security Bulletin MS01-033 (CVE-2001-0500),<ref>[https://web.archive.org/web/20060831221910/http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx MS01-033 "Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise"], Microsoft Corporation, June 18, 2001</ref> for which a patch had become available a month earlier. The worm spread itself using a common type of vulnerability known as a [[buffer overflow]]: it sent a long string of the repeated letter 'N' to overflow a buffer, which allowed it to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to block it, and was invited to the [[White House]] for his discovery.<ref>{{cite web|url=http://news.cnet.com/2009-1001-270471.html|title=Virulent worm calls into doubt our ability to protect the Net|last=Lemos|first=Rob|work=Tracking Code Red|publisher=CNET News|url-status=live|archive-url=https://web.archive.org/web/20110617101100/http://news.cnet.com/2009-1001-270471.html|archive-date=June 17, 2011|access-date=March 14, 2011}}</ref>

===Worm payload===
The payload of the worm included:
* [[Website defacement|Defacing]] the affected web site to display: HELLO! Welcome to <nowiki>http://www.worm.com</nowiki> ! Hacked By Chinese!
* Other activities based on the day of the month:<ref>{{cite web |title=CERT Advisory CA-2001-19: 'Code Red' Worm Exploiting Buffer Overflow In IIS Indexing Service DLL |url=http://www.cert.org/advisories/CA-2001-19.html |work=CERT/CC |date=July 17, 2001 |access-date=June 29, 2010}}</ref>
** Days 1–19: Trying to spread itself by looking for more IIS servers on the Internet.
** Days 20–27: Launching [[denial of service]] attacks on several fixed [[IP address]]es. The IP address of the [[White House]] web server was among these.<ref name="caida" />
** Days 28–end of month: Sleeping; no active attacks.

When scanning for vulnerable machines, the worm did not test whether the server running on a remote machine was running a vulnerable version of IIS, or even whether it was running IIS at all. [[Apache HTTP Server|Apache]] access logs from this time frequently had entries such as this:
{{pre|1=GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0}}
The worm's payload is the string following the last 'N'. Because of the buffer overflow, a vulnerable host interpreted this string as machine instructions, propagating the worm.

==Similar worms==
{{main|Code Red II}}
On August 4, 2001, [[Code Red II (computer worm)|Code Red II]] appeared. Although it used the same injection vector, it had a completely different [[Computer virus|payload]]. It [[pseudo-random]]ly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used a pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.
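The Apache log entry quoted above, together with the 'X' filler used by Code Red II, gives a defender a concrete request shape to hunt for. The following is an added example, not part of the article or of any cited analysis: it parses common-log-format lines, matches `GET /default.ida?` followed by a long run of one filler byte and `%uXXXX` escapes, and labels the hit by filler character. The sample log lines, the 100-byte filler threshold and the variant labels are constructed assumptions; only the `%u` tail is taken from the entry quoted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Apache common log format: ip ident user [timestamp] "request" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
# Probe shape from the article's log entry: GET /default.ida? then a long run of one
# filler byte ('N' for Code Red, 'X' for Code Red II), then %uXXXX escapes.
IDA_RE = re.compile(
    r'^GET /default\.ida\?(?P<filler>N+|X+)(?P<escapes>(?:%u[0-9a-fA-F]{4})*)[^ ]* HTTP/1\.[01]$'
)
MIN_FILLER = 100  # assumption: real probes carried far more; short runs are treated as noise


@dataclass
class Detection:
    ip: str
    timestamp: str
    variant: str
    filler_len: int
    escape_count: int


def scan_access_log(log_text: str) -> List[Detection]:
    """Return one Detection per log line that matches the Code Red family probe shape."""
    hits: List[Detection] = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not common log format; skip rather than guess
        r = IDA_RE.match(m.group("req"))
        if not r or len(r.group("filler")) < MIN_FILLER:
            continue
        filler = r.group("filler")
        variant = "Code Red (CRv1/CRv2)" if filler[0] == "N" else "Code Red II"
        hits.append(Detection(m.group("ip"), m.group("ts"), variant,
                              len(filler), r.group("escapes").count("%u")))
    return hits


# Constructed sample log (RFC 5737 documentation addresses). The %u tail is the one
# quoted in the article; the filler runs are generated, not copied from real traffic.
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [19/Jul/2001:13:03:52 -0700] "GET /default.ida?{"N" * 224}{PAYLOAD} HTTP/1.0" 404 287',
    f'192.0.2.11 - - [04/Aug/2001:09:12:01 -0700] "GET /default.ida?{"X" * 224}{PAYLOAD} HTTP/1.0" 404 287',
    '198.51.100.7 - - [19/Jul/2001:13:04:10 -0700] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [19/Jul/2001:13:05:00 -0700] "GET /default.ida?NNNN HTTP/1.0" 404 287',
])

if __name__ == "__main__":
    for d in scan_access_log(SAMPLE_LOG):
        print(f"{d.ip} {d.timestamp} {d.variant}: filler={d.filler_len} escapes={d.escape_count}")
```

The fourth sample line shows why the filler threshold exists: a short `default.ida` request is flagged as nothing, so ordinary 404 noise does not pollute the alert stream.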
eEye believed that the worm originated in [[Makati]], [[Philippines]], the same origin as the [[ILOVEYOU|VBS/Loveletter]] (aka "ILOVEYOU") worm.

==See also==
*[[Nimda|Nimda worm]]
*[[Timeline of computer viruses and worms]]

==References==
{{reflist}}

==External links==
*[https://web.archive.org/web/20191213105201/http://www.unixwiz.net/techtips/CodeRedII.html Code Red II analysis], Steve Friedl's Unixwiz.net, last update 22 August 2001
*[https://web.archive.org/web/20191022035851/http://www.caida.org/research/security/code-red/ CAIDA Analysis of Code-Red], [[Cooperative Association for Internet Data Analysis]] (CAIDA) at the [[San Diego Supercomputer Center]] (SDSC), updated November 2008
*[https://web.archive.org/web/20160414125114/http://www.caida.org/research/security/code-red/newframes-small-log.mov Animation showing the spread of the Code Red worm on 19 July 2001], by Jeff Brown, [[UCSD]], and David Moore, [[CAIDA]] at [[San Diego Supercomputer Center|SDSC]]

{{Hacking in the 2000s}}

{{DEFAULTSORT:Code Red (Computer Worm)}}
[[Category:Hacking in the 2000s]]
[[Category:2001 in computing]]
[[Category:July 2001]]
[[Category:Windows malware]]
[[Category:Exploit-based worms]]
[[Category:Cybercrime in India]]