The Code Red Worm - PowerPoint PPT Presentation

Provided by: Brand3

Title: The Code Red Worm


1
The Code Red Worm
  • Chris Price
  • Brandon Walters
  • March 3, 2006

2
Outline
  • Microsoft Vulnerability
  • Background
  • Code Red Worm Disassembly
  • Statistics
  • Prevention

3
The Vulnerability
  • Microsoft IIS unchecked buffer (idq.dll)
  • Reported by eEye Digital Security Labs
  • June 18, 2001: MSB MS01-033

4
Who's at risk?
  • Microsoft IIS Server 4.0 and 5.0
  • Windows NT
  • Windows 2000
  • Windows XP Beta

5
Background
  • July 13, 2001: 2 sysadmins experience LARGE
    amount of web traffic (CAS)
  • Sysadmins send web logs to eEye Digital Security
  • eEye realizes it's a worm that exploits the
    month-old vulnerability

6
The Code Red Worm
  • Reverse engineered at eEye Digital Security
  • Worm is memory resident only
  • Worm doesn't destroy data

7
Naming Scheme
  • Code Red named by two eEye Digital Security
    Researchers
  • Hacked by Chinese!
  • Mountain Dew's Code Red
  • Guangdong, China

8
Worm Disassembly
  • 1. Create 100 threads
  • 2. Use 99 threads to spread worm
      • V1: pseudo-random IP addresses
      • V2: pseudo-random IP addresses
  • 3. 100th thread
      • If English (US) -> Hacked by Chinese!
      • Else spread worm

9
Worm Disassembly Continued
  • 4. If C:\notworm folder exists then halt
  • 5. If system date is past the 20th of the month
    then flood www.whitehouse.gov

10
Statistics
  • 500,000 IP addresses can be probed by the worm
    per day
  • July 19, 2001: sysadmins were being probed by
    196,000 unique hosts (infected machines)
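
Added example (not part of the original slides): one way a sysadmin could count unique probing hosts from IIS web logs, as in the statistic above, by flagging requests to the `.ida`/`.idq` extensions that IIS maps to idq.dll when they carry an overlong query string. The W3C field layout, the 200-character threshold and every log line below are assumptions constructed for illustration.

```python
from collections import Counter

ISAPI_EXTS = (".ida", ".idq")  # extensions IIS hands to idq.dll
MAX_QUERY = 200                # assumed threshold; tune for the site

# Constructed sample in IIS W3C extended log format (not real traffic;
# addresses come from documentation ranges, "N" runs stand in for padding).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 192.0.2.10 GET /index.html - 200",
    "2001-07-19 14:02:12 192.0.2.10 GET /search.idq CiRestriction=red 200",
    "2001-07-19 14:02:13 198.51.100.7 GET /default.ida " + "N" * 224 + " 200",
    "2001-07-19 14:02:15 203.0.113.45 GET /DEFAULT.IDA " + "N" * 224 + " 200",
    "2001-07-19 14:02:19 198.51.100.7 GET /default.ida " + "N" * 224 + " 200",
])


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def suspicious(req):
    """True for an idq.dll-mapped request with an overlong query string."""
    stem = req.get("cs-uri-stem", "").lower()
    query = req.get("cs-uri-query", "-")
    return stem.endswith(ISAPI_EXTS) and len(query) > MAX_QUERY


def probing_hosts(text):
    """Return a Counter of source IP -> number of suspicious requests."""
    return Counter(r["c-ip"] for r in parse_w3c(text) if suspicious(r))


if __name__ == "__main__":
    hits = probing_hosts(SAMPLE_LOG)
    print(f"{len(hits)} unique probing hosts")
    for ip, count in hits.most_common():
        print(ip, count)
```
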

14
Prevention
  • Windows updates
  • Anti-virus updates
  • Folder c:\notworm
  • Stay Informed