Code Red Worm


An August 2001 SANS Whitepaper titled “What is Code Red Worm?” by security researcher Adrian Tham explores the infamous malware.

On June 18, 2001, eEye Digital Security reported the presence of a buffer overflow vulnerability in all versions of the Microsoft IIS server.

Microsoft released a patch for it within days.

On July 13, 2001, sysadmins everywhere woke up to the horror of the Code Red worm rapidly taking over their networks.

The following steps describe the worm's flow of execution:

1. The worm attempts to connect to TCP port 80 on a randomly selected host, assuming a web server will be found there.

Once connected, the attacking host sends an HTTP GET request to the victim.

That request exploits the buffer overflow vulnerability, causing the worm to be executed on the system. The worm is not written to disk but is injected and executed directly from memory.

The beginning of the worm's attack packet looks like the following:
GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb
d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u
8b00%u531b%u53ff%u0078%u0000%u00=a

2. Once executed, the worm checks for the file c:\notworm.

If the file exists, the thread goes into an infinite sleep.

If the c:\notworm file does not exist, new threads are then created.

Each thread may spawn another thread, so thread creation continues until 100 threads exist.

3. The next 99 threads attempt to exploit more systems by targeting random IP addresses if the date is before 20th of the month.

4. The 100th thread of the worm code defaces the web server’s homepage if the system’s default language is US English.

5. If the date is between the 20th and the 28th, the active threads instead attempt a Denial of Service attack on a particular IP address, 198.137.240.91 (at the time www.whitehouse.gov), by sending a large amount of junk data: 98,304 packets.

6. If the date is after the 28th, the worm's threads are directed into an infinite sleep.
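The request line quoted in step 1 is the worm's most visible network fingerprint: a GET for /default.ida, a long run of "N" padding, and the %u-encoded sequence beginning %u9090%u6858%ucbd3%u7801. The following detection routine, added here as an illustration and not taken from the whitepaper, flags such request lines in web server logs; the sample log lines and the padding threshold are constructed assumptions.

```python
import re

# Signature pieces taken from the attack packet quoted in step 1: a GET for
# /default.ida, a long run of 'N' padding, then the %uXXXX-encoded sequence
# that starts with %u9090%u6858%ucbd3%u7801.
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s*(?P<target>/\S*)")
PADDING_RE = re.compile(r"\?(N+)")
OVERFLOW_MARKER = "%u9090%u6858%ucbd3%u7801"
MIN_PADDING = 100  # assumed threshold; benign .ida queries never pad like this


def inspect_request(line: str) -> dict:
    """Classify one HTTP request line.

    Verdicts: "clean", "suspicious" (default.ida with heavy 'N' padding but
    no overflow marker, e.g. a truncated log entry) or "code-red" (all three
    signature pieces present).
    """
    m = REQUEST_LINE_RE.match(line)
    if not m:
        return {"verdict": "clean", "padding": 0, "marker": False}
    target = m.group("target")
    path = target.split("?", 1)[0].lower()
    pad = PADDING_RE.search(target)
    pad_len = len(pad.group(1)) if pad else 0
    has_marker = OVERFLOW_MARKER in target.lower()
    if path.endswith("/default.ida") and pad_len >= MIN_PADDING:
        verdict = "code-red" if has_marker else "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "padding": pad_len, "marker": has_marker}


def scan_log(lines):
    """Return (index, verdict) for every request line that is not clean."""
    hits = []
    for i, line in enumerate(lines):
        verdict = inspect_request(line)["verdict"]
        if verdict != "clean":
            hits.append((i, verdict))
    return hits


# Constructed sample request lines (not real log captures).
SAMPLE_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /default.ida?" + "N" * 224 + OVERFLOW_MARKER * 3
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0",
    "GET /default.ida?id=5 HTTP/1.1",               # benign .ida query
    "GET /default.ida?" + "N" * 150 + " HTTP/1.0",  # padding but marker cut off
]

if __name__ == "__main__":
    for idx, verdict in scan_log(SAMPLE_LOG):
        print(idx, verdict, SAMPLE_LOG[idx][:60])
```

The parser also accepts the page's spacing "GET/default.ida?...", since the whitespace between method and target is optional in the regex.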

Conclusion

1. Patch the systems: keep up to date with security updates.

2. Buffer overflows are dangerous and more common than one would assume.

3. Close unused network ports.

4. Worms can reside in memory for a long time in dormant mode without being detected.

Reference

Tham, A. (2001). What Is Code Red Worm? Retrieved from https://www.sans.org/reading-room/whitepapers/malicious/code-red-worm-45