Code Red Worm

In apparent confirmation of the theory that one of these machines was feeding intel back to the originator, a second variant (Crv2) was discovered in the wild late on July 19, 2001. This variant used a truly random sequence to create its target list, and does not deface the website. Approximately 300,000 servers are believed to have been compromised, based on the number of distinct IP addresses attacking various networks. The change to the original virus was a mere 13 bytes.

An additional weakness of the worm is that is lives entirely in memory on a server. Removing the virus is simply a matter of applying the patch (at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp), and rebooting the system. However, this would only clear the Code Red worm, and not clear out any other compromises. Since your machine has been advertising itself to the world as compromisable, it may have been attacked by a human, as well.

As it is (now) after the 20th of the month, the machines are in attack mode, attempting to connect to the former White House web server IP address. Due to a small bug in the code, after attacking (until the 28th), the worm will go into sleep mode until the first. However, the sleep mode will cause the server to freeze until rebooted, thus preventing the machine from returning to attack mode on the 1st.

On August 1, the worm reawoke, despite the valiant efforts to stamp it out. Within three hours, somewhere between 100,000 and 300,000 hosts were reinfected^*. Since then, the number of infected machines appears to be holding at steady state.

Analysis of the Worm: http://www.eeye.com/html/Research/Advisories/AL20010717.html

• The origin of the name is both for the alleged Chinese origin, and the Mountain Dew beverage. Eeye named it, and credit both reasons in their analysis. A reporter (CNN, I believe) turned this into a "rumor."
• Before the 20th of the month, the threads are in infect mode. After the 20th they are in attack mode.

^* Errors in reporting have roots in a number of problems:

• Some data collectors (principally folks with Class A nets) are categorizing all port 80 traffic to Code Red, especially if the target machine did not exist. Thus, people scanning for web servers are being counted as infected machines.
• Some machines appear to be on dynamic addresses, because they are on home networks. When they reconnect, are given a new IP address, and get reinfected, they count as a new address.

Code Red II

The Code Red worm works by exploiting the .ida overflow bug (which had been patched for weeks before the discovery of the worm) in order to overwrite the worm's code into one of IIS's DLLs. Once there, it spawns 100 threads:

Threads 1 - 99:

If time is before 20:00 UTC, attempt to infect random¹ other IPs.

If time is greater than 20:00 UTC, flood whitehouse.gov².

Thread 100:

If server is set to the enUS codepage (US English), alter some DLL so that it will load a page from within's the worm's memory rather than http://localhost/index.* (see Stavr0's writeup in Code Red).

Else act like threads 1 through 99.

1: Although the list of IPs appears random, the worm has a hardcoded seed for its random number generator. It has been speculated that the worm's author chose a seed that would have eir IP high on the list so ey could get a list of infected servers.

2: The DDoS attack was directed at a hardcoded IP previously used by whitehouse.gov, therefore in order to avoid the attack the administrators changed the IP of their server.

Some interesting features of this worm:

• It contains a lysine deficiency (type: Anti-Lysine) in that it will shut down if a particular file exists on the hard drive.
• It can infect a system more than once, creating yet another 100 threads.
• It has been seen on some of Microsoft's Windows Update servers, which means that Microsoft isn't applying its own security patches on one of the most important sites on the Net (crackers could get everyone updating Windows to download malicious code).

Also:

• There are two rumours³ why it's named "Code Red":
  • Mention of China in the defacement
  • The people who discovered it were drinking Mountain Dew Code Red at the time
• Slashdot is running a contest to guess the NYT and WSJ's headlines concerning the worm.

3: See cordelia's write-up, below.

Source: discussions on Slashdot and the security bulletin Stavr0 mentioned.

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090
%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00
%u531b%u53ff%u0078%u0000%u00=a

HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

Source: http://www.cert.org/advisories/CA-2001-19.html

The following is my letter to M. Forno in response:

M. Forno --

Thank you for your excellent article on the implications of the world's responses to Code Red. Microsoft has for too long gotten away with releasing seriously flawed software, and passing the costs of insecurity off to the consumer.

However, I must take issue with the idea that holding Microsoft legally liable for security holes is the best way to prevent future damage. Every software distributor -- from Microsoft to Red Hat to Cisco to OpenBSD -- has released software with holes. The precedent of holding software authors up for civil or even criminal (negligence) penalties would cast a chilling effect on all programmers, even those who are more careful.

Furthermore, Microsoft software is the focus of attacks not just because it contains more holes, but because it is so very popular. Take the example of viruses on desktop systems: For years, Macintosh users have poked fun at Windows for its susceptibility to viruses. In fact, Mac OS systems are just as susceptible -- it's just that there are fewer Macs in the world than Windows PCs, so virus authors do not bother writing viruses for them.

To put it bluntly: It's true that Microsoft code sucks, and that it sucks more than most of its competitors' code. It's also true, though, that when one platform takes on the role of monoculture (or monopoly) it will come under much greater examination by the black hats. Yes, Microsoft has used the "we're so popular that everyone wants to crack our systems" line to misdirect attention away from its systems' inherent poor security. However, no major OS today -- of the many better designed than Windows -- would make a secure monoculture.

IT folks are legendary for taking personal preferences -- favored operating systems, languages, even text editors -- as matters of religious writ. Large installations commonly "standardize" on single platforms such as Windows for "ease of maintenance", i.e. the convenience or preferences of the IT department. Yet when a worm comes to town, it is diversity -- or, in management-speak, "market fragmentation" and "incompatibility" -- which could save the day.

That, it seems to me, is the true lesson of Code Red.