Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Jul 23, 2001 (Vol. 6, #54 - Issue #289)
Urgent Alert! Code Red Worm
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • Urgent Alert! Code Red Worm
  2. TECH BRIEFING
    • Code Red Worm - How does it look? What do I do?
  3. PRODUCT OF THE WEEK
    • Incident Response - You've been hacked. What now?
  SPONSOR: SecureIIS
SecureIIS protects Microsoft IIS Web servers from known and unknown
attacks. It wraps around IIS and works within it, verifying and
analyzing incoming and outgoing Web server data for any possible
security breaches. SecureIIS combines the best features of Intrusion
Detection Systems and Conventional Network Firewalls all into one,
with very low overhead. Cost? Just $495. This would have stopped
the Code Red Worm from compromising your servers! Download here:
Visit SecureIIS for more information.
  EDITORS CORNER

Urgent Alert! Code Red Worm

Hi All,

This is a Security Special Flash that takes the space of the Monday issue. We're sending this early and I hope you are getting this on time, but if you don't, here are some hints to protect yourself and/or fix this nasty little critter.

In the last issue (#288), which you just got, the Tech Briefing described a new malicious worm. It replicated like a firestorm, and the estimates are that now hundreds of thousands of IIS webservers are compromised. I even have a picture of a Microsoft Windows Update server that was hit by this one. You can see it here; this is how it looks, and check the URL: that's a real one!

http://www.w2knews.com/rd/rd.cfm?id=072301-MScoderedhack

In short, what is it? www.incidents.org describes it as follows, but the numbers in this piece of copy are already old:

"The CODE RED worm is a malicious piece of software that replicates and propagates to unpatched Microsoft IIS webservers running on Windows NT or 2000. Once the worm has infected a machine it begins scanning random IP addresses looking for other IIS servers to infect. The worm is currently estimated to have infected at least 50,000 servers and is spreading fast. The scanning traffic generated by the worm is now causing denial of service effects on many networks. An analysis of the worm's programs indicates that all infected machines will begin waging a flooding attack against www.whitehouse.gov sometime tomorrow (July 20th). The effect of this many machines operating in concert in a DDoS attack could possibly be devastating to the Internet infrastructure".

The White House System Admins were warned by Marc Maiffret and changed their IPs, so that attack was foiled, but this thing will re-infect your servers, so here is my urgent suggestion:

GET YOUR IIS WEBSERVERS PATCHED - NOW!

Warm regards,

Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: NEED TO MIGRATE YOUR DATA?
Moving from NT to W2K? Consolidating Servers? Implementing a new
Storage Architecture like a SAN? Sunbelt Software Services can help
you get the job done. Our experienced System Engineers can come to your
site, and migrate all your data to your new platform in a SECURE way.
Check out this page, and then get in touch with Julie, our Services
Coordinator for a quote. Want to see her million dollar smile? Click:
Visit NEED TO MIGRATE YOUR DATA? for more information.
  TECH BRIEFING

Code Red Worm - How does it look? What do I do?

Here is the short technical backgrounder by a few of the developers at eEye, a security software developer that has a few products Sunbelt carries (SecureIIS and Retina). Credit: Ryan Permeh and Marc Maiffret.


Explanation

As stated earlier, the .ida "Code Red" worm is spreading throughout IIS Web servers on the Internet via the .ida buffer-overflow attack that was published last month.

The following are the steps that the worm takes once it has infected a vulnerable Web server:

  1. Setup initial worm environment on infected system.
  2. Setup 100 threads of the worm.
  3. Use the first 99 threads to spread the worm (infect other Web servers).
    • The worm spreads itself by creating a sequence of random IP addresses. However, the worm's list of IP addresses to attack is not altogether random. In fact, there seems to be a static seed (a beginning IP address that is always the same) that the worm uses when generating new IP addresses. Therefore every computer infected by this worm is going to go through the same list of "random" IP addresses.
      Because of this feature, the worm will end up re-infecting the same systems multiple times, and traffic will cross back and forth between hosts, ultimately creating a denial-of-service type effect. The denial-of-service will be due to the amount of data being transferred between all of the IP addresses in the sequence of random IP addresses.
      The worm could have done truly random IP generation, and that would have allowed it to infect many more systems much faster. We are not sure why this was not done, but a friend of ours did pose an interesting idea: if the person who wrote this worm owned an IP address that was one of the first hundred or thousand to be scanned, then they could set up a "sniffer", and any time an IP address tried to connect to port 80 on their server they would get confirmation that the IP address that connected to them was infected with the worm.
      With this knowledge, they would be able to create a list of the majority of systems that were infected by this worm.
  4. The 100th thread checks to see if it is running on an English (US) Windows NT/2000 system.
    • If the infected system is found to be an English (US) system, the worm will proceed to deface the infected system's website. The local Web server's Web page will be changed to a message that says: "Welcome to http://www.worm.com!, Hacked By Chinese!". This hacked Web page message will stay "live" on the Web server for 10 hours and then disappear. The message will not appear again unless the system is re-infected by another computer.
    • If the system is not an English (US) Windows NT/2000 system, the 100th worm thread is also used to infect other systems.
  5. Each worm thread checks for c:\notworm.
    • If the file c:\notworm is found, the worm goes dormant.
    • If the file is not found, each thread will continue to attempt to infect more systems.
  6. Each worm thread checks the infected computer's system time.
    • If the date is past the 20th of the month (GMT), the thread will stop searching for systems to infect and will instead attack www.whitehouse.gov. The attack consists of the infected system sending 100k bytes of data (1 byte at a time + 40 bytes of overhead for the actual TCP/IP packet) to port 80 of www.whitehouse.gov.
      This flood of data (410 megabytes of data every 4 and a half hours per instance of the worm) would potentially amount to a denial-of-service attack against www.whitehouse.gov.
    • If the date is between the 1st and the 19th of the month, this worm thread will not attack www.whitehouse.gov and will continue to try to find and infect new Web servers.
We have calculated that the worm can attempt to infect roughly half a million IP addresses a day. This is a rough estimate generated by testing on a very slow network.

At the time of writing this document (July 19th, 3:00pm), we have had reports from administrators that have been probed by over 196 thousand unique hosts. This leads us to believe that this worm has infected at least 196 thousand computers.

During testing we noticed that sometimes the worm does not execute "normally" and will continue to spawn new threads until the infected machine crashes and has to be rebooted, effectively killing itself. We have not been able to isolate the cause of this behavior.


I have been infected by this worm, what can I do?
The first thing you must do is go to the Microsoft security site, as referenced below, and install the .ida patch as soon as possible. The worm will remain in memory until you reboot your server so make sure to reboot after installing the .ida patch.

I think I am infected, how can I tell?
An infected system will show an increase in load (processor/network). It will also show a number of external connections (or attempts) to port 80 from random IP addresses. You can see this by doing a "netstat -an" from an MS-DOS prompt. Either way, do not take any chances; if your system is missing the .ida patch, install it and reboot.
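As an added example (not from the eEye briefing or from Sunbelt), this Python checker applies the two symptoms described above to constructed sample data: the outbound port-80 connections an infected server shows in "netstat -an", and the inbound requests to the .ida handler with an oversized query string that infected hosts send when probing others. The log field layout, the addresses and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed "netstat -an" output from a Windows NT/2000 web server (not a
# real capture): its own port-80 listener plus outbound attempts to port 80.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:80        0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      10.23.4.5:80           SYN_SENT
  TCP    192.168.1.10:1042      172.19.8.200:80        SYN_SENT
  TCP    192.168.1.10:1043      10.77.1.9:80           ESTABLISHED
  TCP    192.168.1.10:1044      10.23.4.5:80           SYN_SENT
  TCP    192.168.1.10:1045      192.168.1.20:139       ESTABLISHED
"""

# Constructed IIS log lines (assumed layout: date time client-ip method uri
# query status): two normal requests and one .ida probe with a long query.
IIS_LOG_SAMPLE = """\
2001-07-19 15:00:01 10.23.4.5 GET /default.htm - 200
2001-07-19 15:00:02 10.23.4.5 GET /images/logo.gif - 200
2001-07-19 15:00:03 172.19.8.200 GET /default.ida {} 200
""".format("N" * 224)

NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")

def outbound_port80_peers(netstat_text):
    """Map remote IP -> number of sockets this host has opened to its port 80.
    A web server rarely makes outbound web connections, so a list of distinct
    unrelated peers here is the infection sign the briefing says netstat shows."""
    peers = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and m.group(4) == "80" and m.group(5) != "LISTENING":
            peers[m.group(3)] += 1
    return peers

def looks_infected(netstat_text, min_peers=3):
    """Heuristic: at least min_peers distinct port-80 peers (threshold assumed)."""
    return len(outbound_port80_peers(netstat_text)) >= min_peers

def ida_probes(log_text, min_query_len=100):
    """Return (client_ip, query_length) for requests to a .ida resource with a
    long query string; these are the inbound probes coming from infected hosts."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[4].lower().endswith(".ida") \
                and len(fields[5]) >= min_query_len:
            hits.append((fields[2], len(fields[5])))
    return hits
```

Run it against a real "netstat -an" capture and your IIS log directory to get the peer list and the probing client addresses; either result on an unpatched server means patch and reboot as the briefing says.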

Microsoft's bulletin on the ida vulnerability is here:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

And if you want to protect your IIS boxes against all these kinds of attacks in one fell swoop, I suggest you check out this tool from the new "application firewall" category. It's called SecureIIS and costs just $500 per server. This Code Red worm is a good example you can use to justify a small insurance policy like this. Here's the eval:
http://www.w2knews.com/rd/rd.cfm?id=072301-SecureIIS

  PRODUCT OF THE WEEK

Incident Response - You've been hacked. What now?

This is one of the first books available that explains what to do after you've been hacked. Written by FBI insiders, this book reveals the computer forensics process and offers authoritative solutions designed to counteract and conquer hacker attacks. You will learn strategies for recovering from computer crime incidents and how to respond to security breaches and hacker attacks the right way, with help from this insightful and practical guide. You'll get details on the entire computer forensic process and learn the importance of following specific procedures immediately after a computer crime incident occurs. It covers investigation on various platforms, including UNIX, Windows NT, Windows 2000, and application servers.

http://www.w2knews.com/rd/rd.cfm?id=072301BOW-IncidentResponse