TUCoPS :: Malware :: ciacl117.txt

CIAC L-117 Code Red Worm


                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                                ADVISORY NOTICE

                               The Code Red Worm

July 19, 2001 24:00 GMT                                           Number L-117
PROBLEM:       The Code Red worm is spreading on the Internet utilizing the 
               .ida (indexing service) vulnerability in the Microsoft Internet 
               Information Server IIS. After infection the worm attacks other 
               systems and does a denial of service attack on 
PLATFORM:      Web servers utilizing the IIS server on Windows NT and Windows 
               2000 with the index server or indexing service enabled. 
DAMAGE:        Infected machines will randomly attack other web servers and 
               perform a denial of service attack on www.whitehouse.gov. The 
               home page of infected machines will be defaced. 
SOLUTION:      Disable the indexing server or apply the patches as recommended 
               in Microsoft Security Bulletin MS01-033 or CIAC Bulletin L-098, 
               "Microsoft Index Server ISAPI Extension Buffer Overflow". 
               Reboot the system to eliminate the worm from memory. 
VULNERABILITY  The risk is HIGH. The worm is spreading rapidly around the 
ASSESSMENT:    Internet. 
[Update to L-120 on July 29, 2001 with additional tool information]
A tool has been released for the detection of the Code Red Worm.
You may download this tool from the following location:

The Code Red Worm

The Code Red Worm has been detected spreading to systems throughout the 
Internet. From the number of different hosts detected performing attacks, 
it is apparent that many thousands of systems worldwide are infected by 
this worm. A disassembly and analysis of this worm was performed by Marc 
Maiffret of eEye Digital Security and friends. This bulletin is based on 
that analysis. The complete analysis including an annotated disassembly
listing is available at 


Worm Operation

The worm exploits the Index Server (.ida) buffer overflow vulnerability 
reported in CIAC Bulletin L-098, Microsoft Index Server ISAPI Extension 
Buffer Overflow and Microsoft Security Bulletin MS01-033, Unchecked Buffer 
in Index Server ISAPI Extension Could Enable Web Server Compromise.  The 
buffer overflow allows the worm to execute code within the IIS server to 
spread itself, to deface the server's home page, and to run a denial of 
service attack on www.whitehouse.gov.

The worm arrives at the web server as a Get /default.ida request. That 
request exploits the .ida vulnerability and starts the worm code executing. 
The worm code executes only in memory and is not written to disk so no 
residue of the worm will be found by examining the disk. 

The worm first starts 100 worm threads in memory. That is, there are 100 
copies of the worm running at the same time. Next, it checks for the 
existence of c:\notworm. If that file exists, the worm goes dormant. This 
is apparently to prevent the worm from spreading on the developer's system. 
Next, the worm gets the current date from the system clock and if the date 
is before the 20th of the month the worm starts infecting new systems. 
If the date is between the 20th and 27th of the month the worm starts a 
denial of service attack on www.whitehouse.gov.  

The worm attacks other systems by randomly generating an IP address and 
then probing that address to see if it can connect to port 80. If it can, 
it sends a copy of the buffer overflow attack to that machine. The random 
IP address generator appears to always start with the same random seed 
so the list of machines attacked by the worm is identical for every copy 
of the worm. The result is that machines whose IP addresses are low on 
the list of random IP addresses will be probed over and over again by 
each thread of the worm in every infected machine, creating an effective 
denial of service attack. Also, vulnerable systems can be compromised 
multiple times, resulting in multiple copies of the worm running in them 
each with 100 separate threads. After each attack, the worm again checks 
the date and decides to either attack another machine or attack 

The denial of service attack on www.whitehouse.gov is performed by 
sending 98,304 (18,000h) packets to the www.whitehouse.gov server. 
After sending these packets, the worm goes to sleep for 4 1/2 hours 
and then does it again. All 100 threads of the worm code participate 
in the denial of service attacks which continue until the system is 
rebooted. Note that a system can sustain multiple infections so a single 
system may be responsible for many times the 100 * 98,304 packets every 
4 1/2 hours.

The 100th thread of the worm code defaces the web server's home page. It 
only does this if the operating system's code page is U.S. English. The 
100th thread first sleeps for 2 hours, apparently to let the attacking 
threads to spread the worm before it shows a visible presence by changing 
the home page. After 2 hours, the worm replaces a link in the executing 
code in memory that returns data to a web client. That link is then pointed 
to worm code that produces the web page below, which indicates that the web 
page was hacked by the Chinese.

<meta http-equiv="Content-Type" content="text/html; charset=english">
<bady><hr size=5><font color="red">
<p align="center">Welcome to http://www.worm.com !<br>
Hacked By Chinese!</font></hr>

The change remains in effect for ten hours and then the web server is 
returned to normal operation. Note that the change in the home page is not 
done by changing the home page disk files, but is done by hacking the code 
in memory that returns data to a user to return the html codes for the 
defaced web page instead. The result is that the defaced web page is returned 
to anyone who makes any request to the web server. 

Detecting the Worm

As the worm runs only in memory, you will not be able to find a file  or 
other tell-tale evidence on the disk that indicates the worms presence. 
If the worm is active in a server, the server will show a heavy load and 
will show a lot of external connections to port 80 on other machines. 
Execute the following command in a command window to see what external 
connections a system currently has open.

  netstat -a

If you are using an intrusion detection system, it should be able to detect 
the worm's attacks. The beginning of the worm's attack packet looks like the 


Removing the Worm and Patching a System

This worm is only in memory on a system and is not written to disk, so 
simply rebooting a system removes the worm and restores the system. 
However, due to the large number of infected systems and the fact that 
they attack the same list of IP addresses, the odds are that a system 
will be reinfected as soon as it reboots. To protect a system you have 
two options: 1) disable .ida processing or 2) patch the .ida processor. 
If you are not using the index server, you should disable .ida 
processing otherwise you must patch your system. After disabling .ida 
processing or patching a system, be sure to reboot the system to insure 
that the worm is removed from memory. 

See the following bulletins for information on disabling and patching 
systems for this vulnerability. 

  CIAC Bulletin L-098, Microsoft Index Server ISAPI Extension Buffer 
  Microsoft Security Bulletin MS01-033, Unchecked Buffer in Index 
    Server ISAPI Extension Could Enable Web Server Compromise 

Note: You can remotely test a server to see if .ida processing is 
enabled or not by making a request to the server for an ida file that 
does not exist. Type the following request in a web browser with your 
server replacing the one in the request.


if it returns the following text, .ida processing is enabled. 

  The IDQ file default.ida could not be found. 

On the other hand, if .ida processing has been disabled, the server 
will return a 404 file not found error. 

  HTTP Error 404
  404 Not Found

Realize that this does not tell you if you have the patched version 
of the .ida processor only if .ida processing is disabled or not.


CIAC wishes to thank Marc Maiffret of eEye Digital Security and his friends 
for the hours they spent disassembling and analyzing this worm which provided 
the information contained in this bulletin.

CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-108: Oracle 8i TNS Listener Vulnerability
L-110: HP Open View Event Correlation Services Vulnerability
L-111: FreeBSD Signal Handling Flaw
l-109: VPN-1/FireWall-1 RDP Communication Vulnerability
L-112: Cisco SN 5420 Storage Routers Vulnerabilities
L-113: Microsoft Outlook View Control Exposes Unsafe Functionality
L-115: Hewlett-Packard login Vulnerability
L-116: Lightweight Directory Access Protocol (LDAP) Vulnerabilities
L-118: Hewlett-Packard ftpd and ftp Vulnerability
L-119: Hewlett-Packard mkacct Program Vulnerability

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH