|Date||July 13th, 2001|
|Platform||Microsoft IIS Server|
|Damage costs||$2.75 billion|
CodeRed is a worm that caused possible billions of dollars of damage in the summer of 2001. It contains the text string "Welcome to worm.com Hacked by Chinese!", which is displayed on web pages that the worm defaces. It is also one of the few worms able to run entirely in memory, leaving no files on the hard drive or any other permanent storage (although some variants do this).
CodeRed arrives at a server as a GET /default.ida request on TCP port 80. The request contains code that exploits a known buffer overflow vulnerability in the indexing software in Microsoft's Internet Information Server (IIS), allowing the worm to run code from within the IIS server (described by Microsoft here). The worm runs entirely in memory, and cannot be found on the disk. It is about 3,569 bytes long.
The signature of CodeRed will appear in access logs as:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090 %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f f%u0078%u0000%u00=a HTTP/1.0
Using the CreateThread API, the worm tries to create 100 threads or copies of itself, but due to a bug in its code it may actually create many more. Infected computers are likely to have high CPU loads because of this. Each of the threads checks for the file, C:\Notworm. If the file exists, the worm does not run and the thread goes into an infinite sleep state. It is uncertain what the exact significance of the Notworm file is. There is some speculation that this file may have only existed on one or more of the creator's computers in order to prevent it from infecting them.
If the date is between the 20th and 28th of any month, the worm sends junk data to port 80 on 184.108.40.206, then the IP address of whitehouse.gov (it was changed because of the worm). After the 28th, it goes into an infinite sleep mode and cannot be awakened unless deliberately executed.
The 100th thread of the worm will check the language of the local page of the server. If the language is US English, it will change the page to look like it is hacked by the Chinese.
If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to infect the source computer, the worm will not make HTTP requests to the IP addresses 127.*.*.* . If the default language of the computer is American English, further threads cause Web pages to appear defaced. First, the thread sleeps for two hours and then hooks a function that responds to the HTTP requests. Instead of returning the correct Web page, the worm returns its own HTML code.
"<html><head><meta http-equiv="Content-Type" content="text/html; charset=english"><title>HELLO!</title></head><bady>
<hr size=5/><fontcolor="red">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html> " This hook lasts for 10 hours and is then removed. However, re-infection or other threads can rehook the function.
The worm attempts to connect to TCP port 80 on a randomly chosen host assuming that a web server will be found. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit the buffer overflow in the Indexing Service.
The original CodeRed worm stopped propagating on 2001.07.28, going into "Infinite Sleep Mode". It is believed that the worm will not "awaken" and will not spread again unless deliberately executed.
This variant is very similar to the original with only two major differences. The signature of CodeRed.II replaces the multiple N's with X's. This variant also drops a trojan called VirtualRoot, which can give a hacker access and control to the server.
eEye believed that the worm originated in Makati City, Philippines, the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm.
CodeBlue uses the "Web Server Folder Traversal" Vulnerability (described by Microsoft here to infect new machines. This variant targets random IP addresses and sends an FTP to get a request to the target machine. The request causes the target machine to download the file HTTPEXT.dll to an IIS folder with privileges to execute certain commands on the server (scripts, msadc, iisadmin, _vti_bin, iissamples, iishelp, webpub). The worm on the infecting machine executes the .dll file with a URL request, causing the DLL to drop the file SVCHOST.exe into C:\ (the hard drive on most systems, not in any folders). This makes CodeBlue different from CodeRed, as it is written to the hard drive.
Note: There is a legitimate SVCHOST.exe file in the System folder, do not mistake it for CodeBlue, as it is an important system file. CodeBlue will be located at the root of C:\ (just the hard drive and not in any folders.)
The worm creates a HKEY_LOCAL_MACHINE registry key with a subdirectory "Domain Manager" and adds the value "c:\svchost.exe" so that the worm runs when the machine is started. SVCHOST.exe drops a VBS file, D.VBS, which removes the IIS service mappings .ida, .idq, and .printer.
If the time is between 10:00AM to 11:00AM, the worm starts a denial of service attack against http://www.nsfocus.com/, a Chinese security website.
CodeRed.B uses a remote-buffer overflow vulnerability in Internet Information Service (IIS) Web servers to give system-level privileges to an attacker. It does not deface Web sites and has an improved random IP address generator.
This worm contains a download command that accesses the Indexing Service (IDA) for the Internet Server API (ISAPI) with parameters greater than the allowed size and arrives in the packet data. The IIS (Internet Information Service) attempts to process the bulk of the data, which then causes a buffer overflow.
The data contains the preferred address used to replace the system instruction pointer during the overflow. It also contains an executable binary code known as the shellcode. The buffer overflow allows the execution of the shellcode with system-level privilege.
This worm searches for a KERNEL32.DLL file where the kernel image is located in an operating system. It then searches for a GetProcAddress API and other APIs or functions it needs for propagation. Aside from the kernel, it needs the following three libraries to function properly:
- INFOCOMM.DLL � IIS Common DLL
- W3SVC.DLL (IIS core engine) � Web Services
- WS2_32.DLL � Winsock V 2.0
When the binary code executes, it spawns 99 threads. These threads share the worm�s code, thus the worm makes several copies of itself. Each spawned copy of the worm checks for the file C:\NOTWORM. If this file exists, the worm becomes dormant. This is achieved by sleeping, or calling the Sleep() API, for 24.85 days and performing another sleep routine when it wakes up. If the file does not exist, it checks the system date for its payloads. It executes a DDoS attack on the system dates 20 through 28. If the current date is less than 20, the worm sends copies of itself to other computers. If the system date is greater than 28, the worm becomes dormant or inactive.
In the DDoS attack, the worm opens and connects to the IP address 220.127.116.11 (www1.whitehouse.gov), where it sends 96KB of random data. The worm thread sleeps for 1 second after each byte is sent. After all, data is sent, the worm sleeps for 4.66 hours and repeatedly checks the conditions for payload execution.
To execute the payload when the date is less than 20, the worm generates random IP addresses. This variant fixes a bug in variant A (CodeRed.A), which goes through the same list of arbitrarily generated IP addresses. Although the seed of the random number generator is still the same, the new polynomial formula that is used to generate the random IP addresses has fewer chances of repetition. Given the ability to select more random IP addresses, this variant infects more systems. It attempts to connect to this generated IP address and if successful, sends copies of itself to the address.
The worm prevents re-infection by filtering which IP addresses are processed. The worm will not process IP addresses in the form of 127*.*.* and 224.*.*.*. By not processing the first form, the worm avoids the loopback function.
After spawning itself, the worm (or the 100th thread of the worm) checks the default language ID of the system. If it is equal to 1033 or English, this worm does not change the local Web page of the server because it does not patch the import address of the TcpSockSend() API in the W3SCVC.DLL in memory. It functions like its other threads, which check for the payload conditions and infect other computers using randomly generated IP if the default language is not English.
CodeRed.III (also known as CodeRed.F) makes use of a remote-buffer overflow vulnerability in Microsoft's Internet Information Server (IIS) that can give system-level privileges to an attacker. It drops a backdoor program on an infected Web server, giving an attacker full access to this Web server, thereby compromising network security.
The only difference between this variant and CodeRed.II is the trigger date when it restarts the system. The second variant restarts the system if the year is greater than in 2002. CodeRed.III variant, on the other hand, executes the same routine if the year is greater than or equal to 34952.
This worm exploits several IIS vulnerabilities. According to Microsoft, the following systems are affected:
- Microsoft Index Server 2.0
- Indexing Service in Windows 2000
- Microsoft Internet Information Server 4.0
Any IIS 4.0 server that does URL redirection is affected by a vulnerability exploited by this worm, which can only be exploited if IIS is running. The code within IIS 4.0 that performs URL redirection does not properly handle a request's actual length. Such a request triggers an access violation, resulting in the failure of the service.
Default installations of Windows NT 4.0 and Windows 2000 Professional do not install the IIS package. As such, these platforms are typically non-vulnerable, unless configured to run IIS. However, default installations of Windows 2000 server and Windows XP Release Candidate 1 do install the IIS package, making them vulnerable.
Windows 2000 Service Pack 3 includes all patches for vulnerabilities exploited by this worm.
CodeRed infected between 1 and 2 million computers and resulted in an estimated $2.75 billion in clean-up costs and lost productivity. This is out of a possible 6 million, as that is the number of IIS servers in existence at the time. It was the most costly malware of 2001.
eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter worm). The defaced web pages strongly suggest that it might come from China.
The virus's name originated from the Code Red Mountain Dew drink.
The webpage reappears in the ResonateII virus.
The Indian media stated that CodeRed originated at the University of Foshon.
CodeRed was deemed by the FBI to be so dangerous that it could bring down the entire Internet due to the increased traffic from the scans.
The phrase "Hacked by Chinese", the payload of the original CodeRed, became a cliché to indicate an online defeat.
- Map of the Code Red virus (2001 Jul 19th)
Map of CodeRed
- CodeRed Windows Worm
Kaspersky Labs , Viruslist.com, Net-Worm.Win32.CodeRed.a
CERT, CERT® Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL 2001.07.19 - 2002.01.17
CIAC, L-117: The Code Red Worm 2001.07.19
Cliff Changchun Zou, Weibo Gong, Don Towsley. "Code Red Worm Propagation Modeling and Analysis". University of Massachusetts, 2002.
Science Daily, "System Halts Computer Viruses, Worms, Before End-user Stage". 2003.11.12
John W. Lockwood, James Moscola, Matthew Kulig, David Reddick, and Tim Brooks. Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware
Eric Chien. Symantec.com, CodeRed Worm.
Brian Cashell, William D. Jackson, Mark Jickling, Baird Webel, Government and Finance Division. CRS Report for Congress, Received through the CRS Web, "The Economic Impact of Cyber-Attacks". 2004.04.01
McAfee Antivirus. W32/CodeBlue.worm
Michelle Delio. Wired, "Code Blue Targets China Firm". 2001.09.07
-. -, The Hunt for the Worm Writers. 2001.08.09