Welcome to fedrix.com on July 12 2009.
This is an internet experiment running to monitor browsing habbits of individuals through wikipedia contents.

Code Red (computer worm)

From Wikipedia, the free encyclopedia

  (Redirected from Code Red worm)
Jump to: navigation, search
Computer security portal

The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server. The CodeRed worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. They named the worm CodeRed because they were drinking Pepsi's Mountain Dew CodeRed over the weekend they analyzed it and because of the worms references to China. Specifically the worm code contained the phrase "Hacked By Chinese!" (see Red Scare) with which the worm defaced websites. Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.[1]

Contents

[edit] How it worked

[edit] Exploited vulnerability

The worm exploited a vulnerability in the indexing software distributed with IIS, described in MS01-033, for which a patch had been available a month earlier.

The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine.

[edit] Worm payload

The payload of the worm included:

  • defacing the affected web site to display:

    HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

    (The last sentence became a meme to indicate an online defeat)
  • trying to spread itself by looking for more IIS servers on the Internet.
  • waiting 20-27 days after it was installed to launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.[1]

When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it were running IIS at all. Apache access logs from this time frequently had entries such as these: [2]

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

[edit] Similar worms

Main article: Code Red II

On August 4, 2001 Code Red II appeared. Code Red II is a variant of the original Code Red worm. Although it uses the same injection vector it has a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.

eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm).

[edit] References

  1. ^ a b Moore, David; Colleen Shannon (2001?). "The Spread of the Code-Red Worm (CRv2)". CAIDA Analysis. http://www.caida.org/research/security/code-red/coderedv2_analysis.xml. Retrieved on 2006-10-03. 
  2. ^ The worm's payload is the string following the last 'N'. A vulnerable host interprets this string as computer instructions

[edit] See also

[edit] External links

Retrieved from "http://en.wikipedia.org/wiki/Code_Red_(computer_worm)"
Personal tools
Visit joltnews for the latest headlines
Visit bloit.com for company information
Geed Media does computer consulting on long island.
This page viewed times. See Logs