Information Security News
mailing list archives
Code Red: Is This the Apocalypse?
From: InfoSec News <isn () c4i org>
Date: Tue, 31 Jul 2001 02:33:25 -0500 (CDT)
By Michelle Delio
6:09 a.m. July 30, 2001 PDT
If you do nothing else today, make sure you patch your computer system
against the Code Red worm.
Code Red, which reportedly has infected about 300,000 computers this
month, may begin to wreak more havoc on the Internet when the
time-conscious worm begins propagating again on Wednesday at midnight
Greenwich Mean Time (July 31 at 7:00 p.m. EDT).
Then again, Code Red might just deface some Web pages, cause a lot of
extra work for systems administrators and slow the Internet down a
tad, just like it did through the month.
Microsoft, the FBI's National Infrastructure Protection Center, the
CERT Coordination Center, SANS Institute and several other groups
issued a joint alert Sunday evening, warning that the Code Red worm is
a "very real" threat to the Internet, and setting July 31 as the
deadline to protect systems against the worm.
"If there's even one infected computer out there it will start
infecting other computers again," Steve Trilling, director of research
at Symantec's antivirus center, said in a press release.
But Rob Rosenberger, webmaster of a site devoted to debunking myths
about computer viruses, believes that mass e-mail warnings about the
worm are more likely to gum up the works than the worm itself.
"I'll make a simple prediction. E-mail servers will clog up on Monday
and Tuesday with warnings about this 'horrifying' worm," Rosenberger
said in his article about the worm.
Rosenberger is happily planning to study the hysteria that he believes
will be spawned by worm alerts this week. Overwrought alert or not,
the patch that prevents against infection by Code Red should be
applied by anyone who runs Windows NT or Windows 2000 and Microsoft's
Internet Information Server (IIS) Web server software on their system.
The worm's effects during its first run of infections were not as
debilitating as some security experts predicted they would be. But
machines should be patched anyway. The vulnerability that the worm
takes advantage of also leaves systems open to attack by malicious
hackers, allowing them to remotely control an infected system.
Applying the patch is an easy download, can't hurt systems, and helps
fight the spread of the worm.
Even if your computer is not used as a server, IIS is installed
automatically by many applications.
Those who are unsure if they are running IIS can launch Task Manager
by pressing the Control-Alt-Delete keys at the same time. Click on
Task Manager in the dialog box, and select the Processes tab.
Look for Inetinfo.exe in the image name column. If Inetinfo.exe
appears, you are running IIS and need to install the necessary
patches. If not, you are not running IIS and don't need to patch your
To rid your machine of the worm, simply reboot your computer. To
protect your system from new symptoms or re-infection, install
Microsoft's Code Red vulnerability patch for Windows NT or Windows
Step-by-step instructions for applying the patch and purging systems
of the worm have been posted by Digital Island Net.
Since around July 13, several variants of the Code Red worm have been
wiggling their way across the Internet, attacking servers and slowing
Security company eEye Digital Security discovered the flaw in IIS that
Code Red exploits on June 18, and warned that an exploit would soon be
created to take advantage of the vulnerability. EEye also provided the
first complete analysis of the worm after it was released on the
Internet on or around July 13th.
The worm was named in honor of a super-caffeinated soft drink, Code
Red Mountain Dew, which the eEye crew drank during an all-night work
session as they struggled to understand what the worm was capable of
At least two new versions of the worm are also loose on the Net, and
appear to be spreading more quickly than the original version of Code
Red, said Marc Maiffret, chief hacking officer at eEye.
After infecting a system, the worm scans the Internet, identifies
other vulnerable systems, and then infects these systems by
automatically installing itself through Port 80. Each newly installed
worm then joins all the others in their search for more systems to
CERT'S new advisory on the Code Red worm states that tens of thousands
of systems are already infected or vulnerable to re-infection.
Because the worm propagates so quickly, CERT experts believe it is
likely that nearly all vulnerable systems will be compromised by Aug.
2, during the anticipated next run of infections.
Infected machines have the potential to disrupt business and personal
use of the Internet by slowing servers' ability to process
information, and perhaps bringing some systems to a complete halt.
The first version of the worm was coded so that each infected machine
would eventually return to and attack the machine that originally
infected it. EEye suspects this may allow the coder to track the
Using this feature of the worm, security experts at eEye were able to
accurately track the initial spread of the worm. Every machine that
was infected would eventually "call home," which allowed compromised
systems to be logged and tracked. New versions of Code Red do not
contain that coding error.
The worm is coded to be time sensitive; its activity occurs based on
the date (day of the month) of an infected system's clock.
The worm is in "propagation mode" from the first through the 19th of
the month. During that time, an infected computer attempts to send the
worm out to other randomly chosen IP addresses using one of the
computer's communication ports (TCP Port 80).
The worm goes into "flood mode" from the 20th through 27th of the
month, launching a denial-of-service attack against a specific IP
address that is embedded in the worm's program code. With current
versions of the worm, the attack is launched against the White House's
Last month the White House dodged the attack without going offline by
redirecting all Internet traffic to an IP address that the worm was
not programmed to recognize, and blocking all requests to the address
that the worm was coded to attack.
Clearing the worm from systems can be time-consuming. Last week, the
Pentagon temporarily shut down public access to all of its websites to
purge and patch its networks, an action that some security experts
felt was a bit of overkill.
The worm enters "termination" or "hibernation mode" after the 27th day
of the month, remaining in infected systems but otherwise staying
inactive until the first day of each month.
The first version of the worm, if it infects a Web server, also
defaces the contents of a website with the words "Hello! Welcome to
http://www.worm.com! Hacked by Chinese!"
The defaced page will stay in place for 10 hours, and then revert to
normal. New variants do not deface websites hosted by infected
computers, but are more apt to crash servers since they infect
computers multiple times, eEye's Maiffret said.
Microsoft's "windowsupdate.microsoft.com" site displayed that message
for a few hours on June 20, an obvious sign that the company did not
update all of its own servers with its own security patches.
Steve Lipner, head of Microsoft's security response center, said the
company is looking for new ways to distribute its security patches
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
- Code Red: Is This the Apocalypse? InfoSec News (Jul 31)