Date: 01/01/2001
Code Red (computer worm)Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft’s IIS web server.
The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh, the Code Red worm exploited a vulnerability discovered by Riley Hassell. They named it “Code Red” because Code Red Mountain Dew was what they were drinking at the time.
Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.
Concept
Exploited vulnerability
The worm showed a vulnerability in the growing software distributed with IIS, described in Microsoft Security Bulletin MS01-033, for which a patch had been available a month earlier.
The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated letter ‘N’ to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine with the worm. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.
Code Red II
Code Red II is a computer worm similar to the Code Red worm. Released two weeks after Code Red on August 4, 2001, although similar in behavior to the original, analysis showed it to be a new worm instead of a variant. Different from the first the second has no attacking function, but a backdoor to allow attacks. The worm was designed to exploit a security hole in the indexing software included as part of Microsoft’s Internet Information Server (IIS) web server software.
A typical signature of the Code Red II worm would appear in a web server log as:
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
When the original worm tried to infect other computers at random, Code Red II tried to infect machines on the same subnet as the infected machine.
Microsoft had already released a security patch for IIS that fixed the security hole on June 18, 2001, however not everyone had patched their servers, including Microsoft themselves.
Nimda
Nimda is a file infecting computer worm. It quickly spread, surpassing the economic damage caused by previous outbreaks such as Code Red. Nimda utilized several types of propagation techniques and this caused it to become the Internet’s most widespread virus/worm within 22 minutes.
The worm was released on September 18, 2001. Due to the release date, exactly one week after the attacks on the World Trade Center and Pentagon, some media quickly began speculating a link between the virus and Al Qaeda, though this theory ended up proving unfounded.
Nimda affected both user workstations (clients) running Windows 95, 98, NT, 2000 or XP and servers running Windows NT and 2000.
The worm’s name origin comes from the reversed spelling of “admin”.
F-Secure found the text “Concept Virus(CV) V.5, Copyright(C)2001 R.P.China” in the Nimda code, suggesting its country of origin.
Methods of infection
Nimda was so effective partially because it—unlike other infamous malware like the Morris worm or Code Red—uses five different infection vectors:
Open network shares
Browsing of compromised web sites
exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS server.)
Back doors left behind by the “Code Red II” and “sadmind/IIS” worms.