CAIDA Analysis of Code-Red (original)
NOTE
This page describes the initial Code-Red worm (CRv1) on July 12, 2001. Be sure to see the follow-up analysis of the Spread of the Code-Red Worm (CRv2) with updated analysis and visualization.
Animations
The animations of the spread of Code-Red (CRv2) can be accessed at https://www.caida.org/archive/code-red/coderedv2_analysis#animations
About Code-Red
The first incarnation of the Code-Red worm (CRv1) began to infect hosts running unpatched versions of Microsoft's IIS webserver on July 12th, 2001. The first version of the worm uses a static seed for its random number generator. Then, around 10:00 UTC in the morning of July 19th, 2001, a random seed variant of the Code-Red worm (CRv2) appeared and spread. This second version shared almost all of its code with the first version, but spread much more rapidly. Finally, on August 4th, a new worm began to infect machines exploiting the same vulnerability in Microsoft's IIS webserver as the original Code-Red virus. Although the new worm shared almost no code with the two versions of the original worm, it contained in its source code the string "CodeRedII" and was thus named CodeRed II. The characteristics of each worm are explained in greater detail below.
The IIS .ida Vulnerability
Detailed information about the IIS .ida vulnerability can be found at eEye (http://www.eeye.com/html/Research/Advisories/AD20010618.html).
On June 18, 2001 eEye released information about a buffer-overflow vulnerability in Microsoft's IIS webservers. The remotely exploitable vulnerability was discovered by Riley Hassell. It allows system-level execution of code and thus presents a serious security risk. The buffer-overflow is exploitable because the ISAPI (Internet Server Application Program Interface) .ida (indexing service) filter fails to perform adequate bounds checking on its input buffers.
A security patch for this vulnerability is available from Microsoft at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp.
Code-Red version 1 (CRv1)
Detailed information about Code-Red version 1 can be found at eEye (http://www.eeye.com/html/Research/Advisories/AL20010717.html).
On July 12, 2001, a worm began to exploit the aforementioned buffer-overflow vulnerability in Microsoft's IIS webservers. Upon infecting a machine, the worm checks to see if the date (as kept by the system clock) is between the first and the nineteenth of the month. If so, the worm generates a random list of IP addresses and probes each machine on the list in an attempt to infect as many computers as possible. However, this first version of the worm uses a static seed in its random number generator and thus generates identical lists of IP addresses on each infected machine. The first version of the worm spread slowly, because each infected machine began to spread the worm by probing machines that were either infected or impregnable. The worm is programmed to stop infecting other machines on the 20th of every month. In its next attack phase, the worm launches a Denial-of-Service attack against www1.whitehouse.gov from the 20th-28th of each month.
On July 13th, Ryan Permeh and Marc Maiffret at eEye Digital Security received logs of attacks by the worm and worked through the night to disassemble and analyze the worm. They christened the worm "Code-Red" both because the highly caffeinated "Code Red" Mountain Dew fueled their efforts to understand the workings of the worm and because the worm defaces some web pages with the phrase "Hacked by Chinese". There is no evidence either supporting or refuting the involvement of Chinese hackers with the Code-Red worm.
The first version of the Code-Red worm caused very little damage. The worm did deface web pages on some machines with the phrase "Hacked by Chinese." Although the worm's attempts to spread itself consumed resources on infected machines and local area networks, it had little impact on global resources.
The Code-Red version 1 worm is memory resident, so an infected machine can be disinfected by simply rebooting it. However, once rebooted, the machine is still vulnerable to repeat infection. Any machines infected by Code-Red version 1 and subsequently rebooted were likely to be reinfected, because each newly infected machine probes the same list of IP addresses in the same order.
Code-Red version 2
Detailed information about Code-Red version 2 can be found at eEye (http://www.eeye.com/html/Research/Advisories/AL20010717.html) and Silicon Defense (link no longer available).
At approximately 10:00 UTC in the morning of July 19th, 2001 a random seed variant of the Code-Red worm (CRv2) began to infect hosts running unpatched versions of Microsoft's IIS webserver. The worm again spreads by probing random IP addresses and infecting all hosts vulnerable to the IIS exploit. Code-Red version 2 lacks the static seed found in the random number generator of Code-Red version 1. In contrast, Code-Red version 2 uses a random seed, so each infected computer tries to infect a different list of randomly generated IP addresses. This seemingly minor change had a major impact: more than 359,000 machines were infected with Code-Red version 2 in just fourteen hours.
Because Code-Red version 2 is identical to Code-Red version 1 in all respects except the seed for its random number generator, its only actual damage is the "Hacked by Chinese" message added to top level webpages on some hosts. However, Code-Red version 2 had a greater impact on global infrastructure due to the sheer volume of hosts infected and probes sent to infect new hosts. Code-Red version 2 also wreaked havoc on some additional devices with web interfaces, such as routers, switches, DSL modems, and printers. Although these devices were not infected with the worm, they either crashed or rebooted when an infected machine attempted to send them a copy of the worm.
Like Code-Red version 1, Code-Red version 2 can be removed from a computer simply by rebooting it. However, rebooting the machine does not prevent reinfection once the machine is online again. On July 19th, the probe rate to hosts was so high that many machines were infected as the patch for the .ida vulnerability was applied.
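The effect of the seed, as an added illustration rather than CAIDA's or the worm's code: a toy simulation over a constructed address space in which every infected host probes a fixed number of random ids per round, comparing one shared fixed-seed sequence (CRv1) with a fresh seed per host (CRv2). The host counts and probe rates are assumptions chosen for illustration, not measured values.

```python
import random


def simulate_spread(n_hosts, n_vulnerable, probes_per_round, rounds,
                    static_seed, rng_seed=1):
    """Toy model of worm spread over an address space of n_hosts ids.

    The scenario (which ids are vulnerable) is constructed from rng_seed.
    Every infected host probes probes_per_round random ids per round.
    static_seed=True: every infected host draws from one fixed sequence (CRv1).
    static_seed=False: every infected host gets its own seed (CRv2).
    Returns (infected count after each round, hosts that infected someone).
    """
    world = random.Random(rng_seed)  # builds the scenario only
    vulnerable = set(world.sample(range(n_hosts), n_vulnerable))
    patient_zero = min(vulnerable)

    def new_generator():
        # CRv1: fixed seed, so a freshly infected host restarts the very
        # sequence its infector has already walked.  CRv2: fresh seed.
        return random.Random(0 if static_seed else world.getrandbits(32))

    infected = {patient_zero}
    gens = {patient_zero: new_generator()}
    infectors = set()
    history = [len(infected)]
    for _ in range(rounds):
        newly = set()
        for host, gen in gens.items():
            for _ in range(probes_per_round):
                target = gen.randrange(n_hosts)
                if target in vulnerable and target not in infected \
                        and target not in newly:
                    newly.add(target)
                    infectors.add(host)
        for h in newly:  # infections take effect at the end of the round
            infected.add(h)
            gens[h] = new_generator()
        history.append(len(infected))
    return history, infectors


if __name__ == "__main__":
    for label, static in (("CRv1 (static seed)", True),
                          ("CRv2 (random seed)", False)):
        hist, infectors = simulate_spread(100_000, 2_000, 50, 20, static)
        print(f"{label}: {hist[-1]} infected after {len(hist) - 1} rounds; "
              f"{len(infectors)} host(s) ever found a new victim")
```

In the static-seed run only patient zero ever finds a new victim, because every later host replays targets its infector has already probed; in the random-seed run each infected host contributes new discoveries, so infections compound each round.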
CodeRedII
Detailed information about CodeRedII can be found at eEye (http://www.eeye.com/html/Research/Advisories/AL20010804.html) and http://aris.securityfocus.com/alerts/codered2/.
On August 4, 2001, an entirely new worm, CodeRedII began to exploit the buffer-overflow vulnerability in Microsoft's IIS webservers. Although the new worm is completely unrelated to the original Code-Red worm, the source code of the worm contained the string "CodeRedII" which became the name of the new worm.
Ryan Permeh and Marc Maiffret analyzed CodeRedII to determine its attack mechanism. When the worm infects a new host, it first determines whether the system has already been infected. If not, the worm initiates its propagation mechanism, sets up a "backdoor" into the infected machine, becomes dormant for a day, and then reboots the machine. Unlike Code-Red, CodeRedII is not memory resident, so rebooting an infected machine does not eliminate CodeRedII.
After rebooting the machine, the CodeRedII worm begins to spread. If the host infected with CodeRedII has Chinese (Taiwanese) or Chinese (PRC) as the system language, it uses 600 threads to probe other machines. All other machines use 300 threads. CodeRedII uses a more complex method of selecting hosts to probe than Code-Red. CodeRedII generates a random IP address and then applies a mask to produce the IP address to probe. The length of the mask determines the similarity between the IP address of the infected machine and the probed machine. 1/8th of the time, CodeRedII probes a completely random IP address. 1/2 of the time, CodeRedII probes a machine in the same /8 (so if the infected machine had the IP address 10.9.8.7, the IP address probed would start with 10.), while 3/8ths of the time, it probes a machine on the same /16 (so the IP address probed would start with 10.9.). Like Code-Red, CodeRedII avoids probing IP addresses in 224.0.0.0/8 (multicast) and 127.0.0.0/8 (loopback). The bias towards the local /16 and /8 networks means that an infected machine may be more likely to probe a susceptible machine, based on the supposition that machines on a single network are more likely to be running the same software as machines on unrelated IP addresses.
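The target-selection rule described above, as an added illustration (not CodeRedII's code or CAIDA's): a Monte Carlo estimate of what fraction of a single infected host's probes a passive monitor on a given /16 would see, depending on where the infected host sits. The monitored prefix 10.9.0.0/16 follows the text's 10.9.8.7 example; 10.200.1.1 and 192.0.2.1 are constructed addresses.

```python
import random
from ipaddress import IPv4Address, IPv4Network


def pick_probe_target(infected_ip, rng):
    """Choose one probe target following the rule described above:
    1/8 of the time a completely random address, 1/2 of the time an
    address in the infected host's own /8, 3/8 of the time one in its
    own /16.  Draws in 224.0.0.0/8 or 127.0.0.0/8 are discarded and redrawn."""
    src = int(infected_ip)
    while True:
        branch = rng.random()
        bits = rng.getrandbits(32)
        if branch < 1 / 8:
            target = bits                                      # anywhere
        elif branch < 5 / 8:
            target = (src & 0xFF000000) | (bits & 0x00FFFFFF)  # same /8
        else:
            target = (src & 0xFFFF0000) | (bits & 0x0000FFFF)  # same /16
        if (target >> 24) not in (127, 224):
            return IPv4Address(target)


def probe_share(infected_ip, monitored_net, n_probes, seed=1):
    """Monte Carlo estimate of the fraction of one infected host's probes
    that land inside monitored_net, i.e. how much of that host's probe
    load a passive monitor on the network would observe."""
    rng = random.Random(seed)
    net = IPv4Network(monitored_net)
    src = IPv4Address(infected_ip)
    hits = sum(pick_probe_target(src, rng) in net for _ in range(n_probes))
    return hits / n_probes


def never_hits_reserved(infected_ip, n_probes, seed=1):
    """True if none of n_probes generated targets fall in 127/8 or 224/8."""
    rng = random.Random(seed)
    src = IPv4Address(infected_ip)
    return all(int(pick_probe_target(src, rng)) >> 24 not in (127, 224)
               for _ in range(n_probes))


if __name__ == "__main__":
    # 10.9.8.7 is the address used in the text; the other two are constructed.
    for src in ("10.9.8.7", "10.200.1.1", "192.0.2.1"):
        share = probe_share(src, "10.9.0.0/16", 100_000)
        print(f"infected host {src:>11}: {share:.4%} of probes hit 10.9.0.0/16")
```

A host in the monitored /16 sends it roughly 3/8 of its probes, a host elsewhere in the same /8 about 1/512 of them, and a host in an unrelated /8 almost none, which is the locality bias the text describes.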
The CodeRedII worm is much more dangerous than Code-Red because CodeRedII installs a mechanism for remote, root-level access to the infected machine. Unlike Code-Red, CodeRedII neither defaces web pages on infected machines nor launches a Denial-of-Service attack. However, the backdoor installed on the machine allows any code to be executed, so the machines could be used as zombies for future attacks (DoS or otherwise).
A machine infected with CodeRedII must be patched to prevent reinfection and then the CodeRedII worm must be removed. A security patch for this vulnerability is available from Microsoft at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp. A tool that disinfects a computer infected with CodeRedII is also available: http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=9B7A1710-2B5C-4754-94D4-BC6A81A9A054.
CAIDA Analysis
CAIDA's ongoing analysis of the Code-Red worms includes a detailed analysis of the spread of Code-Red version 2 on July 19, 2001, a follow-up survey of the patch rate of machines infected on July 19th, and dynamic graphs (no longer available) showing the prevalence of Code-Red version 2 and CodeRedII worldwide.
The Spread of the Code-Red Worm (CRv2)
by David Moore and Colleen Shannon
July 24, 2001
An analysis of the spread of the Code-Red version 2 worm between midnight UTC July 19, 2001 and midnight UTC July 20, 2001.
On July 19, 2001 more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute. 43% of all infected hosts were in the United States, while 11% originated in Korea, followed by 5% in China and 4% in Taiwan. The .NET Top Level Domain (TLD) accounted for 19% of all compromised machines, followed by .COM with 14% and .EDU with 2%. We also observed 136 (0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm. An animation of the geographic expansion of the worm is available.
Animations
To help us visualize the initial spread of Code-Red version 2, Jeff Brown created an animation of the geographic spread of the worm in five minute intervals between midnight UTC on July 19, 2001 and midnight UTC on July 20, 2001.
The animations can be found at https://www.caida.org/archive/code-red/coderedv2_analysis#animations
Visualization
This Walrus visualization shows the number of hosts infected by the CodeRed worm in the IPv4 prefix 24.0.0.0/8, broken down by announced BGP prefix, on July 19, 2001.
Follow-up Survey
CAIDA performed a follow-up survey of IP addresses which were identified as having been infected with the Code-Red worm on July 19th, 2001. A random subset of the 359,000 IP addresses originally infected was examined each day to see whether those hosts were still vulnerable to the bug in IIS exploited by Code-Red. Results from this survey are available in our Code-Red: a case study on the spread and victims of an Internet worm paper.
USENIX WIP Slides
Slides on Code-Red version 2 presented at the 2001 Usenix Security Conference Work-In-Progress Session.
SIGCOMM/USENIX IMW Paper
Paper on the spread and victims of Code-Red and Nimda presented at the 2002 Sigcomm/Usenix Internet Measurement Workshop.
Acknowledgments
We would like to thank Pat Wilson and Brian Kantor of UCSD for data and discussion; Vern Paxson (LBL and ACIRI) for providing an additional view point of data; Jeff Brown (UCSD/CSE) for producing animations of worm spread; Bill Fenner (AT&T Research) for useful comments and fli2gif; and Stefan Savage (UCSD) and kc claffy (CAIDA) for suggestions. We would also like to thank Cisco for their generous support, without which these analyses would have been impossible. Support for this work was provided by DARPA ITO NGI and NMS programs, NSF ANIR, and CAIDA members.
Glossary
IP address space
the set of all possible IP addresses.
worm
a program that connects to other machines and replicates itself. Worms have the potential both to damage infected machines and to interfere with networks and services due to congestion caused by the spread of the worm.
packet header
the data at the beginning of each IP packet containing the source and destination IP addresses, as well as information about the type of data contained in the packet.
IP packet
The fundamental unit of data transmission across a network. A chunk of data and control information headed from a source host to a destination host.
passive monitoring
study of network behavior without generating or otherwise interfering with traffic on the network.
router
a machine designed to direct packets from their source host to their destination.
seed
a starting point for a random number generator. A static seed causes a random number generator to output the same sequence of numbers each time the generator is invoked, although the numbers themselves are random in that they have no predictable relationship to each other. A random seed uses an unpredictable starting point, so it generates a random sequence of random numbers, rather than a predictable series of random numbers.
Listed below are press coverage and online articles related to the CAIDA Analysis of Code-Red. Press coverage is listed by author and by publication. Because an author's article can be featured in any number of publications, read the articles by author for unique articles.
David Moore and Colleen Shannon analyze the spread of the Code-Red (CRv2) Worm. We would like to thank Pat Wilson, Brian Kantor, Vern Paxson, Jeff Brown, Ken Keys, Bill Fenner, Stefan Savage, kc claffy.