Saturday, November 19, 2005

Code Red

Long after the Morris worm wreaked havoc across the Internet, a devastating worm with symptoms similar to Morris appeared, infecting systems running Microsoft’s IIS (Internet Information Server) software.
Code Red began attacking Internet hosts in July 2001 by exploiting the Index Server (.IDA) buffer overflow vulnerability in IIS-based servers. Through this vulnerability, Code Red spreads its code from server to server, defaces web pages on the sites those servers host, and uses the compromised servers in a DoS (denial of service) routine against a White House Web site.
Executing only in system memory, Code Red checks the system clock, and if the current date falls before the 20th of the month, the worm opens 100 copies of itself on the infected system and begins scanning for and attacking other systems. Although each instance of the worm scans for and attacks seemingly random systems, the worm’s code makes every instance work through the same list of servers, so propagation is relatively slow. If the date (as read by the system clock) falls between the 20th and 27th of the month, Code Red slams the IP (Internet Protocol) address associated with the White House’s site with connection attempts in an effort to disable the web site.
Because of its somewhat slow propagation, Code Red did not cause serious damage, although it did deface some web pages with a “Welcome to! Hacked by Chinese!” message. But shortly after Code Red appeared in the wild, a more dangerous variant, dubbed Code Red version 2, began infecting computers with incredible speed. Code Red version 2 uses an alternate method to choose its victims: instead of every instance attacking the same list of servers, each infected computer scans a completely different random list. According to CAIDA (the Cooperative Association for Internet Data Analysis), this single alteration resulted in the infection of more than 359,000 computers in 14 hours.
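To show why that one change matters so much, here is an added toy simulation (not code from the original post) that compares instances which all walk one shared target list against instances that each draw their own random list. Hosts are integers 0..N-1, all are assumed vulnerable, and the fixed seed value is a constructed stand-in for whatever constant the real worm used.

```python
import random

# Constructed constant: stands in for the fixed seed every Code Red v1
# instance used, which made all instances walk the same target sequence.
SHARED_SEED = 0xC0DE


def simulate(n_hosts, scans_per_tick, ticks, shared=True, seed=1):
    """Return the number of infected hosts after each tick.

    Every infected host becomes an 'instance' with its own target generator.
    shared=True : all instances are seeded identically (Code Red v1 style), so a
                  newly infected host re-scans addresses patient zero already hit.
    shared=False: every instance gets an independent seed (Code Red v2 style).
    """
    master = random.Random(seed)  # only used to hand out per-instance seeds

    def new_instance():
        return random.Random(SHARED_SEED if shared else master.getrandbits(32))

    infected = {0: new_instance()}  # patient zero is host 0
    history = []
    for _tick in range(ticks):
        # Snapshot so that hosts infected this tick start scanning next tick.
        for host in list(infected):
            gen = infected[host]
            for _scan in range(scans_per_tick):
                target = gen.randrange(n_hosts)
                if target not in infected:
                    infected[target] = new_instance()
        history.append(len(infected))
    return history


def compare(n_hosts=5000, scans_per_tick=5, ticks=20):
    """Run both scanning strategies with identical parameters."""
    v1 = simulate(n_hosts, scans_per_tick, ticks, shared=True)
    v2 = simulate(n_hosts, scans_per_tick, ticks, shared=False)
    return v1, v2


if __name__ == "__main__":
    v1, v2 = compare()
    for t, (a, b) in enumerate(zip(v1, v2), 1):
        print(f"tick {t:2d}: shared list {a:5d}   independent lists {b:5d}")
```

With a shared list only the oldest instance ever reaches new addresses, so infections grow by at most `scans_per_tick` per tick; with independent lists every instance contributes, and the whole population falls within a handful of ticks.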
Weeks later, a new worm bearing the Code Red name appeared, carrying even more potential for damage and downtime. Although it is unrelated to the original Code Red worm, the new worm carried the string “CodeRedII” in its code, so experts began calling it just that: Code Red II. Where the original Code Red scans 100 systems at a time, Code Red II scans between 300 and 600 sites with each infection and deposits a backdoor Trojan horse application onto infected systems.
Code Red II doesn’t deface web pages, nor does it launch a DoS attack on a predetermined site. However, the backdoor Trojan horse application it plants on victimized computers can give attackers complete remote access, so they can use those machines for DoS attacks or similar strikes against other computers. The Trojan horse carries out a number of instructions, including disabling WFP (Windows File Protection), the mechanism that prevents certain system files from being replaced.
To make matters worse, users cannot completely remove Code Red II simply by rebooting the computer, as they can with Code Red and Code Red version 2. Instead, it is necessary to remove the worm manually and then install a patch to prevent re-infection.
