XenonStack Recommends

Security Intelligence

What is CodeRed Virus? How to stop it?

Parveen Bhandari | 20 August 2022

CodeRed Worm

What is CodeRed Worm?

Marc Maiffret and Ryan Permeh of eEye Digital Security first found and analyzed the Code Red worm, which exploited a vulnerability reported by Riley Hassell. They called it "Code Red" while drinking Code Red Mountain Dew.

The worm was introduced on July 13th, 2001 and the biggest number of affected machines was discovered on July 19th, 2001. The total number of infected hosts reached 359,000 on this day.

In the summer of 2001, a worm known as CodeRed caused billions of dollars in damage. It includes the text string "Hacked by Chinese!" which appears on web pages defaced by the malware. It's also one of the few worms that can run totally in memory, with no data left on the hard disc or other permanent storage (although some variants do).

Propagation

Code Red is a worm that spreads by exploiting a vulnerability in Microsoft's Internet Information Server (IIS). When a server is infected, it begins scanning for other vulnerable servers and infecting them. The worm only spreads for a short time before launching a Denial-of-Service (DoS) attack against www1.whitehouse.gov and finally suspending all activities, and this happens once a month.

Suppose the infected servers on the Internet have wrong date settings and are already hunting for vulnerable hosts. The worm could resume its infection phase

Behavior of Code Red

Code Red's Behavior Code Red sends a GET /default.ida request via TCP port 80 to the server. The code is written to take advantage of a buffer overflow vulnerability in Microsoft's indexing software, Internet Information Server (IIS). As a result, the code will run within the IIS server. The worm virus runs entirely in memory and is not detectable on the hard drive. It's 3,569 bytes in size.

The payload of the worm includes the distorts of the infected website to display:

HELLO! http://www.worm.com/welcome.html Chinese hacked!

It tries to expand its infection between Day 1 and Day 19 by searching the Internet for other IIS servers.

From day 20 to day 27, it infects the system associated with specified IP addresses using Denial of Service Attacks.

From the 28th of the month onwards, there are no active attacks.

The worm did not check to determine if the server was running on a remote workstation and running a vulnerable version of IIS or even if it was running IIS at all when scanning for vulnerable machines. Access logs for Apache.\

CodeRed Variants

Following are the different variants that can have different affects on your system. 

Codered.II

Codered.II is similar to the original version, although it differs in two significant aspects. The signature of CodeRed II infects the host with a trojan called Virtual Root, which allows hackers to get access to and control the host server through a backdoor. It substitutes X's for multiples of N's.

Codeblue

Behaviour of Code RedCodeblue uses the "Web Server Folder Traversal" vulnerability to infect new machines. This new variation sends FTP requests to the victim systems and randomly targets IP addresses. The FTP get request causes the infected machine to download HTTPEXT.dll to an IIS folder, which allows the server to run specified commands. This guarantees that the.dll file is run with the URL.

Codegreen

Codegreen is an anti-worm that enters the target machine on its own.

Cyber Security Services
End-to-End Proactive Solutions for empowering Advanced Threat Protection and Intelligence with Real-Time Analytics, Cyber Security Services

Preventative Actions

Install the most recent security patch for Windows. (Microsoft provided a security patch update to defend susceptible systems from Code Red attacks.)

Implement an effective internet security suite that includes antivirus software to scan, detect, and remove unknown threats, a firewall that terminates suspicious outbound data traffic from the IIS webserver to stop the spread of malware and other types of attacks, and most importantly, containment technology – which quarantines suspicious threats and executes in an isolated environment to provide complete protection from threats like Code red. Because there is now a recognized signature for this, you should update your virus definitions.
Use the WFPF (Windows File Protection Features) and sfc.exe (System File Checker) programs.

Strong authentication techniques should be used to prevent unauthorized users from making changes to the system. End consumers who utilize an Internet Service Provider (ISP) for service, such as AOL, should contact their ISP and inquire if they are updating their servers and following the recommendations below.

When you are not using your computer, it is preferable to turn it off or, better yet, disconnect it if you have a cable modem connection—the less exposed to the virus, the less likely to become infected.

Conclusion

Code Red is a worm that should have served as a wake-up call to all system administrators and individual users. Systems management and patch updates should be prerequisites for any security policy and a requirement. However, either the word did not get out, or users/administrators ignored the warnings about the known vulnerabilities and their potential to cause catastrophic damage to systems and the network as a whole.

Code Red II was the "I told you so" version, as it inserted a backdoor into all unpatched computers. This worm served as a reminder to Intrusion Detection System vendors to be more flexible in their signature analysis and look ahead to new versions of known vulnerabilities.

Click here to explore more critical Viruses and their Remediations