- Code Red (computer worm)
Code Red Type Server Jamming Worm
The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. The worm was named the .ida "Code Red" worm because Code Red Mountain Dew was what they were drinking at the time, and because of the phrase "Hacked by Chinese!" with which the worm defaced websites.
Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.
How it worked
The worm exploited a vulnerability in the indexing software distributed with IIS, described in MS01-033, for which a patch had been available a month earlier.
The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for such. 
The payload of the worm included:
- defacing the affected web site to display:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
- Other activities based on day of the month:
When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it were running IIS at all. Apache access logs from this time frequently had entries such as these:
- GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
- %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
The worm's payload is the string following the last 'N'. A vulnerable host interprets this string as computer instructions.
On August 4, 2001 Code Red II appeared. Code Red II is a variant of the original Code Red worm. Although it uses the same injection vector it has a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.
- Notable computer viruses and worms
- Nimda Worm
- ^ ANALYSIS: .ida "Code Red" Worm, Section Technical Details, Introduction
- ^ a b Moore, David; Colleen Shannon (2001?). "The Spread of the Code-Red Worm (CRv2)". CAIDA Analysis. http://www.caida.org/research/security/code-red/coderedv2_analysis.xml. Retrieved 2006-10-03.
- ^ Lemos, Rob. "Virulent worm calls into doubt our ability to protect the Net". Tracking Code Red. CNET News. http://news.cnet.com/2009-1001-270471.html. Retrieved 14 March 2011.
- ^ "CERT Advisory CA-2001-19". CERT/CC. 2001. http://www.cert.org/advisories/CA-2001-19.html. Retrieved 2010-06-29.
- defacing the affected web site to display:
Wikimedia Foundation. 2010.
Look at other dictionaries:
Code Red — can refer to: Music Code Red (band), a 1990s British boyband Code Red (DJ Jazzy Jeff the Fresh Prince album) (1993), by American hip hop duo DJ Jazzy Jeff the Fresh Prince Code Red (Russian band), Russian dance band located in Bonn, debuting in… … Wikipedia
Code Red II — Type Server Jamming Worm Code Red II is a computer worm similar to the Code Red worm. Released two weeks after Code Red on August 4, 2001, although similar in behavior to the original, analysis showed it to be a new worm instead of a variant. The … Wikipedia
Code Red II (computer worm) — Code Red II is a computer worm similar to the Code Red worm. Released two weeks after Code Red on August 4 2001, although similar in behavior to the original, analysis showed it to be a new worm instead of a variant. The worm was designed to… … Wikipedia
Code Red (Computerwurm) — Code Red ist eine Familie von Computerwürmern, die sich ab dem 12. Juli 2001 im Internet verbreitete. Die ersten befallenen Rechner wurden am 13. Juli an eEye Digital Security gemeldet, wo Marc Maiffret und Ryan Permeh die erste Analyse… … Deutsch Wikipedia
SQL slammer (computer worm) — The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000… … Wikipedia
Melissa (computer worm) — The Melissa worm, also known as Mailissa , Simpsons , Kwyjibo , or Kwejeebo , is a mass mailing macro virus, hence leading some to classify it as a computer worm.HistoryFirst found on March 26, 1999, Melissa shut down Internet mail systems that… … Wikipedia
Nimda (computer worm) — Nimda is a computer worm, isolated in September 2001. It is also a file infector. It quickly spread, eclipsing the economic damage caused by past outbreaks such as Code Red. Multiple propagation vectors allowed Nimda to become the Internet’s most … Wikipedia
Voyager (computer worm) — The Voyager worm is a computer worm that was posted on the Internet on October 31, 2005, and is designed to target Oracle databases. Known variants * First, non malicious, example October 31, 2005 * Second example December 29, 2005 which attempts … Wikipedia
Timeline of computer viruses and worms — Contents 1 1960–1969 1.1 1966 2 1970–1979 2.1 1 … Wikipedia
Timeline of notable computer viruses and worms — This is a timeline of noteworthy computer viruses and worms.1970 1979Early 1970s* Creeper virus was detected on ARPANET infecting the Tenex operating system. Creeper gained access independently through a modem and copied itself to the remote… … Wikipedia