Code Red Worm

Code Red is a ComputerWorm?, discovered in July 2001. It only infects Windows machines running MicrosoftIis? Web servers. It exploits a BufferOverflow, which was by no means new when the worm started to spread. However, still many Web servers were infected. Code Red starts a distributed server attack against an IP of the US American WhiteHouse?. However, this threat was easily neutralized by assigning a new IP to the Web address.


What is this and why do people keep telling me that I need to protect my Linux, BSD, and sunos and dunix boxes from it?

You can't protect your own box. You can only hope that other people stop their boxes from attacking yours.

Actually, you can protect your own box... just pull out the network plug. Some might see the solution as worse than the disease, though.

Alternatively, you can sacrifice a single box as firewall to prevent packets destined for port 80 from ever reaching your other boxes. This assumes you're not running a Web server of your own, of course. A more complex firewall/proxy setup could allow you to run an externally accessible Web server on a protected box; have the firewall/proxy accept the port 80 connection, read enough of it to see if it's a Code Red style probe, and only pass requests through if they're not. (Unfortunately, some ISPs doing this sort of proxying have had troubles with their proxy servers dying under the load, because they were accepting connections even for machines that didn't exist.)

There is something on http://www.linux.org.uk/diary/codered.shtml on what to do if you are running GnuLinux and an ApacheHttpd Server.


People who are running an IIS server under Windows NT or 2000 should be concerned about being infected and inadvertantly adding to the problem. A patch from Microsoft is available.


From BruceSchneier's CryptoGram?:

My network is regularly probed by Code Red-infected computers, trying to infect me. I can easily generate a list of those computers and their IP addresses. This is a list of computers vulnerable to the particular IIS exploit that Code Red uses. If I wanted to, I could attack every computer on that list and install whatever Trojan or back door I wanted. I don't have to scan the network; vulnerable computers are continuously coming to me and identifying themselves. How many hackers are piggybacking on Code Red in this manner?

Hmmm... theoretically, couldn't you also disinfect these computers by attacking them with a vaccine?

That is a little bit illegal, isn't it?

Is it? I'm not sure. You're not damaging the computers. In fact, you'd be fixing them. If I'm given root access (which is basically what's happening), then as long as I play nice I'm not really doing anything illegal, am I?

Whether or not it is or isn't technically legal, this is not the kind of thing I'd care to try explaining to Secret Service agents when they sequester all my gear and then lose it in their evidence room.

Thank god I live in Canada! ;-)

Wouldn't this just be an example of a GoodVirus?. Disinfecting their computers sounds more like community service than illegal...


Further links:

BruceSchneier's CryptoGram? about the Code Red worm: http://www.counterpane.com/crypto-gram-0108.html#1

CERT Coordination Center explanation of the Code Red worm: http://www.cert.org/archive/html/coderedannounce.html

Windows NT version 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

Windows 2000 Professional, Server and Advanced Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Some eye opening graphs about the spread of this worm just in this month are at http://digitalisland.com/codered -- I predict this worm will be heckling the Internet for several months. -- ChrisGarrod

A teergrube for CodeRed: http://www.hackbusters.net/CodeRedneck.tgz (http://www.faqs.org/docs/jargon/T/teergrube.html)

Strangely, there is also a new cherry-flavored variety of MountainDew being test-marketed in a few places, including where I live. It is called CodeRed. -- EdwardKiser

Nothing strange about that. The people who first identified the Code Red Worm named it that because that's what they were drinking at the time they found it. The originator(s) of the worm have not been found and didn't seem to supply it with a name.


See also DefaultDotIda?

EditText of this page (last edited November 13, 2014) or FindPage with title or text search