Code Red for security

A virulent worm infects 350,000 servers, calling into doubt our ability to protect the Net.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
14 min read

Virulent worm calls into doubt our ability to protect the Net

By Rob Lemos
Special to CNET News.com
July 27, 2001, 4:00 a.m. PT

For one moment last week, the Internet stood still.

At midnight Thursday, July 19 GMT, more than 350,000 servers infected with the so-called Code Red worm stopped hammering the Internet with scans searching for vulnerable computers. Instead, the servers targeted an Internet address used as the hub for the White House's public Web site with a denial-of-service attack of such proportions that some feared parts of the Internet would shut down, unable to cope with the unprecedented flood of data.

"If this goes along what it's looking like, parts of the Net will go down," predicted Marc Maiffret, chief hacking officer at network-protection company eEye Digital Security. A month earlier, the Aliso Viejo, Calif., company discovered the flaw exploited by the worm in Microsoft's Web servers and was the first to decode the malicious program.

In the end, a design flaw in the worm's programming stymied the attack, but the potential threat of hundreds of thousands of servers flooding the wires with garbage data has resurrected concerns about security among those who consider themselves the guardians of the Internet.

The Internet was lucky this time, as this particular Code Red program squandered its advantage and left itself vulnerable to security measures. That will not always be the case, said Vern Paxson, staff computer scientist at the Lawrence Berkeley National Laboratory, who analyzed Code Red's quick spread.

"This could have been so much worse," he said.

Worms have become the tool of choice among malicious vandals on the Internet, but the Code Red strain has proven particularly fast and effective in commandeering a significant portion of the Internet. Unlike other worms that hide in e-mail attachments, such as LoveLetter and SirCam, Code Red does not require fooling an unwitting recipient into opening a document.

Paxson said a better author could have clogged the entire Net with garbage data or hit critical parts of the global network with a more effective denial-of-service attack--things that the inevitable variants of this version could still do.

"We are in for bumpy times," he said. "I don't see any way out of that."

Like many new worms, Code Red took full advantage of its element of surprise.

On Thursday, July 12, things were going smoothly at the Black Hat Security Briefings in Las Vegas, where several hundred consultants in the computer-security industry hobnobbed with one another. The day before, one researcher had predicted that worms would continue to threaten the Internet. Most considered it an obvious conclusion.

Unknown to the attendees, however, that day a program had started infecting computers running Microsoft's Internet Information Server. The servers had a security hole that had been discovered the month before, leaving them open to attack if not repaired with Microsoft's specific software patch.

The security hole, known officially as the Index Server ISAPI vulnerability, allowed

Click here to Play

DOJ cracks down on cybercrime
John Ashcroft, U.S. attorney general
an attacker--whether a network intruder or a worm--to take control of a server by specially formatting a Web page request.

Each hole in the vast number of vulnerable IIS servers on the Web represented a chink in the armor of the Internet that allowed the worm to spread.

That Thursday, the intrusion-detection system at publishing company Chemical Abstract Services recorded three illegal Web access attempts from a single Internet address. The original attacker's address apparently belongs to a server at the University of Foshan in China, though Ken Eichman, senior security engineer for CAS, stressed that an online vandal could have infected the server from practically anywhere.

Eichman didn't notice the scans until the next day, July 13, when 611 attacks from 27 sources appeared in the company's logs. "It wasn't really intense, and it really didn't bother me," he said.

By the end of the day, however, the scans started getting worse. At one point, Eichman thought that hostile hackers were targeting his company's network. On Saturday, when the number of servers attacking his system jumped from 27 the day before to more than 1,000, he knew it was no minor mischief.

"By Saturday night, it was getting more intense," Eichman said. "By Sunday morning, I got up and hoped it would be gone, but it wasn't."

That Sunday, Eichman sent his findings to a security mailing list hosted by intrusion-detection project DShield.org. He described the attacks affecting servers that used the most common service on the Internet: the Web. He expected help; what he got in return was derision and sarcasm.

"You never heard about Web browsers?" wrote one person on the list. "Please Worm has Net seeing Red get real. (That's) a Web browser, not an attack," another offered.

But Eichman was a frequent contributor to DShield, which used his logs to correlate disparate incidents on the Net in an effort to identify some sort of patterns. Because he seemed knowledgeable, he was taken seriously by Johannes Ullrich, editor of DShield and the chief technology officer of the Internet Storm Center for the System Administration Networking and Security Institute (SANS).

"The first suspicion was that there was something wrong with his firewall," Ullrich said. "But he was a longtime submitter, so we kept notifying the people" who were attacking CAS' network, he added.

On Monday, July 16, researchers got the first confirmation that Eichman was right. The immediate conclusion: It was a worm.

A worm is a program, most often malicious, that can spread from computer to computer without needing to infect files first.

One of the most infamous examples caused a password-collection program to become the Cornell Internet Worm, which spread to between 3,000 and 4,000 servers, or about 5 percent of the Internet, in November 1988. Created by then-graduate student Robert T. Morris, the worm exploited flaws in two well-known Internet services and attempted to masquerade as a legitimate user by trying passwords stolen from other systems.

Lured by the efficiency of self-propagating worms' ability to spread code widely, online vandals have begun using such worms to deface and hack servers. Starting with the Linux Ramen worm in January, a steady stream of such programs has leveraged widespread flaws in computer systems to spread across the Internet.

When Microsoft announced June 18 that a flaw had been found in the company's IIS Web server software--the software basis of nearly 6 million Web sites--it seemed only a matter of time before virus writers and vandals created a worm to attack it.

So for eEye's Maiffret, it came as no surprise when Internet hosting service Left Coast Systems reported the discovery of just such a worm a month later.

The British Columbia-based company discovered that one of its servers had been infected Friday, July 13, by a new worm exploiting the vulnerability. The company decided to directly contact eEye, the company that had found the flaw.

Maiffret immediately asked for a copy of the program to analyze, but his investigation was delayed by the weekend. The worm kept working overtime, though, infecting almost 3,600 hosts by Sunday night.

On Monday, several programmers at eEye began analyzing the code, working through the night on adrenalin fed by large amounts of "Code Red"-branded Mountain Dew, a highly caffeinated soft drink that has become a staple among the code warriors of Silicon Valley. The group dubbed the worm Code Red in honor of the drink and in wry political reference to the worm's habit of defacing Web sites with pages that read "Hacked by Chinese!"

By Tuesday morning, the bleary eEye crew had discovered how the worm worked.

Patchwork security special report A worm that already had infected a server would scan the Internet using 100 "threads," or sub-programs. When one of the threads located a vulnerable computer, the worm would infect it and begin the process all over again.

The company also discovered two important properties of the worm: Code Red defaces Web pages, and the part of the program used to generate a list of random addresses to attack had an error. Each instance of the worm, once it had infected a server, would not randomly attack the Internet but instead follow the same path as all its brethren.

Any computer attacked by the first Code Red worm would, in the end, be attacked by each of its offspring.

The error had an interesting side effect. The owner of any computer attacked by the worm could make a definitive list of compromised machines, because every infected server would eventually attack the computer. This allowed eEye and others to track the growth of the worm, though it could also allow a person with malicious intent to build a list of known vulnerable systems.

Throughout the day, eEye continued to decode the worm. By Tuesday evening, worm infections had topped 10,000.
Click to read next page


July 12: The first Net address from which attacks emanate is later determined to apparently be from Foshan University in China.

July 13: Senior security engineer Ken Eichman notices strange traffic coming in on a port normally used by Web servers.

July 14: Eichman reports the traffic to incident-handling community DShield.org and immediately gets sarcastic responses. "You never heard about Web browsers?" said one.

July 15: DShield.org's Johannes Ullrich gets confirmation that some computers are indeed infected by a worm.

July 16: eEye Digital Security obtains a copy of the worm and begins decoding.

July 17: After spending all night reverse-engineering the binary code and staying awake with "Code Red"-labeled Mountain Dew, eEye releases a partial analysis of the worm it dubbed Code Red. Growth of the worm slows.

July 18: eEye discovers that at 5 p.m. PDT July 19, the worm will direct infected servers to flood the White House Web site with data.

July 18: The virus spread reaches about 12,000.

July 19: Between 1 a.m. and 7 a.m. PDT, someone modifies the worm, fixing a problem with its random-number generator. The new worm spreads faster, leaping from 15,000 infections that morning to almost 350,000 infections by 5 p.m. PDT.

July 19: System administrators for the White House place their Web site on a different IP address: from to

July 19: At 5 p.m. PDT, servers infected by the worm direct their attacks at the original IP address used by Whitehouse.gov. However, the White House's preparations enable its site to dodge the worm. A design flaw causes the worm to send a much-reduced amount of data.

July 19: The worm continues its unsuccessful attack, but it stops infecting other machines, as designed. However, a few infected servers continue to scan the Net, apparently because the administrators had set the time wrong.

July 22: Eichman still detects some active Code Red worms, but their numbers continue to decline.

Source: CNET News.com research  

Year of the Worm

Microsoft reveals Web server hole

"Code Red" worm claims 12,000 servers

Code Red worm set to flood Internet

Web worm targets White House

Code Red stopped--for now

Microsoft career site hacked

Code Red worm set to return
The Industry Standard

Vigilantes strike back at worm

Hackers try to shut down White House Web site
Los Angeles Times

Editors: Mike Yamamoto, Lara Wright, Scott Martin
Design: Jeff Quan
Production: Mike Markovich


Virulent worm calls into doubt our ability to protect the Net


For eEye's Maiffret, the virulent spread of the worm drove home a point that the security community had been making for at least two decades: System software must be patched regularly. And when flaws are found in software as widely used as Microsoft's in Web servers, fixing the problem is even more critical.

"We were telling people how bad it was, and Microsoft was telling people how bad it was, but they still didn't install the patch," Maiffret said July 18.

Scott Culp, program manager for Microsoft's security response center, also put out a dire warning to customers: Patch now, or else.

"We are going back out to customers and telling them that if they didn't put the patch on before, this is all the reason they need to put the patch on now," he said.

However, many security researchers are questioning that common wisdom. If the spread of the Internet worm shows anything, it's that publicizing vulnerabilities and trying to persuade system administrators to plug the holes doesn't work, said LBNL's Paxson.

"I would not at all be surprised if 30 percent or 50 percent (of system administrators) have no clue," he said.

Even the most diligent administrators have trouble keeping abreast of security holes and patches. "Just watching a single site like LBNL--where part of the mission is cybersecurity--they take it seriously," Paxson said. "It's really so hard."

Yet, with new attacks that spread quickly, system administrators have taken on the mantle of responsibility--however reluctantly--not only for their systems, but also for what their systems do to the Internet.

The Code Red worm proved that individual, insecure systems can quickly become a global problem.

On Wednesday, July 18, after completely dissecting the worm, eEye's team discovered it had a new mission: The next day, at midnight GMT, every worm would stop attempting to infect other computers on the Net and instead level a denial-of-service attack at an IP address used by the White House Web site.

Still worse, each copy of the worm--which totaled almost 14,000 by Wednesday evening--would send 400MB of garbage data every 4.5 hours.

Many thought the massive influx of data could slow parts of the Internet to a crawl. Others thought the Web could handle the load.

Then, on Thursday morning, the worm soared from slow growth to an epidemic. To experts, it was obvious what had happened: Someone had created a variant of Code Red and fixed the random-number generator, enabling the worm to spread much faster.

Within three hours, the worm had topped 100,000 infections, and by the midnight GMT deadline--5 p.m. PDT--the worm had hit more than 359,000 computers, according to an analysis by David Moore, staff researcher at the Cooperative Association for Internet Data Analysis.

"Had the worm not been programmed to stop spreading at midnight, additional hosts would have been compromised," Moore said in the analysis.

Of those machines, almost 44 percent were in the United States, 11 percent in South Korea, 5 percent in China and the rest scattered around the globe. At its peak, around 9 a.m. PDT, the worm had infected more than 2,000 servers every minute.

The worm's growth slowed as midnight GMT approached, indicating it had saturated the Net, LBNL's Paxson said. Otherwise, every unpatched server would eventually have been infected.

"If you were vulnerable, you were nailed," he said.

While there are almost 6 million Web sites hosted on Microsoft's IIS software, according to Internet survey firm Netcraft, it's uncertain how many servers that equates to, because a single server can host several sites.

Although system administrators should take responsibility for the security of their systems, software makers need to start taking more responsibility for their software as a whole, according to the Computer Emergency Response Team (CERT) Coordination Center, the group responsible for passing information between corporate security managers.

System administrators should not have to deal with the unending task of patching the holes in such software, CERT Coordination Center manager Jeffrey Carpenter said in a statement.

"As we've seen with the 'Code Red' worm and other distributed attacks, even sites that do everything correctly can be severely impacted when new vulnerabilities are discovered," he said.

Microsoft and the IIS flaw were not mentioned by name, but the criticism was clearly aimed at the software giant and the 40 bugs the company has acknowledged in the first seven months of this year.

"The kinds of problems caused by Code Red will continue until vendors substantially reduce the number of vulnerabilities in their products in the first place," Carpenter said.

Microsoft agreed with CERT that software quality needs to improve, but stressed that perfection is an impossible goal.

"As long as software is built by human hands, there will always be software bugs, and some of those bugs will result in security vulnerabilities," said Microsoft's Culp.

Microsoft was not even immune to its own software's flaws. Several of the giant's own sites--including some servers related to the company's update and support Web site--fell prey to the worm.

Whether the White House Web site ran on Microsoft's IIS Web server didn't matter, however.

On Thursday at 5 p.m. PDT, servers infected with Code Red were scheduled to overwhelm the Whitehouse.gov site, and potentially parts of the Internet, with a flood of data, according to the analysis by eEye.

As reports came in that the worm's phenomenal growth had started affecting various companies' network performance, White House system administrators worked to defend against the attack.

In the end, a simple flaw in the makeup of the worm saved the White House from the deluge of data that could have taken it down for days.

By design, the worm would try to connect to the original address and unleash its deluge of data only if the server responded. Since the worm targeted the specific IP address for the White House's Web site-- for the site dodged the onslaught by apparently moving Year of the Wormthe site to a neighboring IP address,

By playing a shell game with the site's IP address, and junking any data sent to the original address, the White House's system administrators dodged the attack. White House spokesman Jimmy Orr acknowledged that the site's technicians took precautions but would not discuss the address switch.

The attack goes on, however. Though it was unsuccessful, the worm's programming will keep attempting to access the Whitehouse.gov site until Friday at 5 p.m. PDT, when the worm will go into hibernation until the end of the month, according to eEye.

Although the White House sidestepped the deluge of data, an old debate resurfaced, and eEye found itself under attack by critics of its "tell-all" policy regarding security holes.

The company says it didn't reveal the recipe of how to turn the security hole into a worm, but details in its original June 18 advisory were indirectly responsible for causing the rewrite of the Code Red worm, said Russ Cooper, self-proclaimed "Surgeon General for the Internet" and the editor of NTBugtraq mailing list for security service provider TruSecure.

"Their original analysis contained everything required to place code in an executable position within IIS, as well as necessary information about how to make that code properly execute," Cooper said in a post to the NTBugtraq mailing list.

eEye may not have given a blueprint to worm writers, but they certainly provided pointers on how to exploit the code. In a section of the June 18 advisory titled "The Exploit, as taught by Ryan 'Overflow Ninja' Permeh," the company outlined several issues that hamper programs that may seek to exploit the hole.

But Maiffret says such details are necessary to outline the danger the vulnerability could cause.

"You're damned if you do and damned if you don't," eEye's chief hacking officer said. "If you have a program that tells people there is a hole and a tool that leaves a file on their hard drive, it's the file that will convince them to patch their server."

CAS security guru Eichman agreed that responsible disclosure of information is a hard balance to maintain. "It's a fine line," he said. "It's tough to stay on that line without pissing someone off in one direction or another."

Though Microsoft questioned the necessity of the details of eEye's advisory, the software giant did praise the company for alerting it first and giving its developers a month to create a fix before going public.

Yet, like the problems for Internet security, the worm won't go away.

On Monday, July 31, at 5 p.m. PDT, the worm will awake and again attempt to infect servers. Worse, malicious programmers will likely be modifying the worm's code with an even more devastating payload.

Have system administrators, software makers and security professionals taken to heart the lesson of the Code Red attack? LBNL's Paxson fears that the lesson may not have been driven home.

"If it had attacked Whitehouse.gov successfully, that might have been more effective in the long run," he said, pointing out that the failure of the worm to shut down the site may actually hurt security because the resurgence could be worse.

"There is some sort of tension between an ugly public-security event that teaches and one that hurts people," he said. "This one probably wasn't visible enough to really change our mind-set, so really, we haven't learned anything."