spyware blog
Daily updated articles and news about spyware… discover vital information to protect your computer


Viruses: The Code Red Worm

- Richard Lowe

Years from now, we will all look back on the summer of 2001 as one of the
strangest summers in the history of the internet. We will surely laugh at
the frantic gyrations of system administrators and security professionals
because of a worm called “Code Red”. We system administrators will most
certainly chuckle as we fondly reminisce on the late evenings spent patching
server after server at the urging of our security professionals. And hey,
that blue screen or two that resulted was so much fun to research, and the
reinstalls that we had to do the next day will certainly be the topic of
campfire conversations for years to come! Not!

During late July and early August, Microsoft, CERT (Computer Emergency
Response Team) and the FBI issued emergency bulletins urging all system
administrators to patch their web servers immediately. The press was alerted
and asked to help spread the word that the internet itself was in extreme
danger. Every security and antivirus company on the planet was busy sending
out notices to everyone they could find that the problem had to be fixed
immediately, or dire consequences would result.

The predictions were that internet speed would be reduced to a crawl for
days while billions (trillions?) of meaningless packets were thrown at the
Whitehouse web site in an attempt to knock it off the air.

What was the cause of this three-ring circus?

It’s very simple really. The same old story. Microsoft had a bug in their
web server code. Well, saying they had a bug dramatically understates the
magnitude of the problem.

To put it into perspective, let’s say you hired a contractor to build a new
bank (you are the bank manager). Naturally, your bank is outfitted with
state of the art technology (so says the brochure), including a shiny,
well-publicized security system. The project was expensive, but you’re happy
because, hey, it’s the new, improved, extra special XP bank. Besides, the
contractor is the biggest one on the planet and, frankly, you paid them an
exorbitant rate to ensure that you got the best there was.

After your bank is robbed, you find out that the contractor had
“accidentally” left an eight foot hole in the right wall. This isn’t just a
small hole, it’s a huge, gaping crevice leading directly to the vault. It’s
in plain view to everyone, except, seemingly, the contractor. When you
confront the contractor to ask them how they could do such a stupid thing,
they politely tell you, after a three hour wait on hold and a $295 charge on
your credit card, that it’s really your fault because you didn’t follow the
instructions in their special security bulletin two months ago. Didn’t you
send a couple of your employees to the BSE (Bank Systems Engineer) classes
to learn that they need to purchase the extra-special, super spectacular
BankNet knowledgebase CDs?

Okay, all kidding and sarcasm aside, there is a bug in the Indexing service
(the component that creates searchable indexes) in the Microsoft Internet
Information Server (the program which displays web pages on a web server)
which is supplied with Windows NT and Windows 2000. This bug allows
anyone who can send a special string of characters to a web server to “take
control” and, basically, cause the web server to do anything that the
attacker desires.

The bug is something commonly known as a “buffer overflow”, which simply
means you can send more characters to the web server than it is capable of
receiving. When a program receives characters it writes them to memory in a
place called a buffer. If a poorly written program receives more characters
than its buffer was designed to hold, the excess spills into the memory next
to the buffer. Under the right conditions those extra characters overwrite
data the program uses to decide what to do next, and the attacker's bytes end
up being executed with the program's privileges.

To put it very simply, it was discovered that you could cause the Indexing
Service to “overflow its buffers” and execute selected code as a privileged
user. This allows a special hacker program (which is reported to have
required all of a half hour to write) to gain control of a server.
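The distinction the article is drawing, a fixed-size buffer filled with no bound check beside the bounded version that refuses oversized input, as an added C example written for this page. It is not IIS, Index Server or Code Red code; the buffer size, function names and the sample request line are made up for illustration.

```c
/* Added example for this article: the same request-copy routine written
 * the unsafe way and the bounded way. Names and sizes are invented here,
 * not taken from any real server. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_REQUEST 64          /* constructed buffer size for the example */

/* Constructed sample request line, not captured traffic. */
static const char NORMAL_REQ[] = "GET /index.html HTTP/1.0";

/* The bug pattern the article describes: whatever arrives is copied into a
 * fixed buffer with no length check. Input longer than the buffer overwrites
 * whatever sits next to it on the stack (other variables, the saved return
 * address), which is the condition an attacker steers. Shown for reading
 * only; nothing in this example calls it. */
void copy_request_unsafe(const char *input)
{
    char buf[MAX_REQUEST];
    strcpy(buf, input);         /* no bound check: this is the overflow */
    printf("handled %zu bytes\n", strlen(buf));
}

/* Hardened form: look for the terminator within the space we actually have,
 * reject the request if it is not there, and only then copy.
 * Returns 0 on success, -1 when the request is rejected. */
int copy_request_safe(const char *input, char *out, size_t outlen)
{
    /* memchr stops at the first match and never looks past outlen bytes,
     * so an overlong or unterminated input cannot make us read too far. */
    const char *end = memchr(input, '\0', outlen);
    if (end == NULL)
        return -1;              /* does not fit, terminator included */
    size_t n = (size_t)(end - input);
    memcpy(out, input, n + 1);  /* copy the terminator as well */
    return 0;
}

/* Length check a front end or log scanner can apply to a whole request
 * line: how many bytes exceed the limit (0 when it fits). Abnormally long
 * request lines are the observable side of the attack described above. */
size_t excess_bytes(const char *request_line, size_t limit)
{
    size_t n = strlen(request_line);
    return n > limit ? n - limit : 0;
}

/* Builds a request line of `len` filler characters (capped at 255) and feeds
 * it to the safe copier so the boundary can be probed: 63 characters fit a
 * 64-byte buffer, 64 do not. Returns the copier's result. */
int probe_length(size_t len)
{
    static char filler[256];
    char out[MAX_REQUEST];
    if (len > sizeof(filler) - 1)
        len = sizeof(filler) - 1;
    memset(filler, 'A', len);
    filler[len] = '\0';
    return copy_request_safe(filler, out, sizeof out);
}

/* Returns 1 when the normal sample is accepted and copied intact. */
int sample_normal_accepted(void)
{
    char out[MAX_REQUEST];
    return copy_request_safe(NORMAL_REQ, out, sizeof out) == 0
        && strcmp(out, NORMAL_REQ) == 0;
}

int main(void)
{
    printf("normal request: %s\n", sample_normal_accepted() ? "accepted" : "rejected");
    printf("63 filler bytes: %s\n", probe_length(63) == 0 ? "accepted" : "rejected");
    printf("64 filler bytes: %s\n", probe_length(64) == 0 ? "accepted" : "rejected");
    printf("normal request is %zu bytes over a 10-byte limit\n",
           excess_bytes(NORMAL_REQ, 10));
    return 0;
}
```

The point of the bounded version is the order of operations: the size check happens before any byte is written, and the check uses the destination's size rather than trusting anything about the input. The `excess_bytes` helper is the defender's view of the same condition: a request line far longer than any legitimate client would send is worth logging and alerting on even before the server decides what to do with it.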

You have to understand that buffer overflows are nothing new to the world of
computing. In fact, I am sure that the first programmer is also the first
person to experience this condition. This is well known to competent quality
control departments, programmers, designers and, of course, hackers.

To put it bluntly, buffer overflows should not occur in any program written
by any programmer who has passed “programming 102”. In addition, any quality
assurance person who has taken “quality control 101” should be able to check
for and spot the problem from a mile away.

All right already, so what is the infamous Code Red worm?

Code Red is a clever little program which takes advantage of this gaping
hole in the Index Server. What the program does is search for systems with
the flaw. It’s easy to find those systems and Code Red is very good at its
job. So good, in fact, that in early August 2001 it is estimated that it
infected over 300,000 machines!

Once the worm finds a machine, it executes the buffer overflow condition and
causes itself to be installed on the machine. Remember the Wrath of Khan
movie where the beetle with the big pincers crawled into Chekov’s ear? It’s
something like that.

Once the bug got into his brain, oh sorry … once the worm has installed
itself it does a number of different things depending upon the day of the
month. Some days near the beginning of a month it will search for new
systems to infect. Towards the middle the worms will all launch an attack
against the Whitehouse web site. At the end of the month, all of these
malicious little programs will sleep, waiting for the next month.

Interestingly, the Code Red worm has a couple of small flaws. First, its
attack is directed at a single IP address. Thus, during the first waves of
attacks in July the Whitehouse “dodged the bullet” by simply changing their
address.

Second, the worm only installs itself in memory. This means it’s simply a
matter of rebooting the server to rid it of the pesky infection. Of course,
if you don’t install the patch (a fix to repair the problem, conceptually
like the piece of rubber used to patch a hole in a tire), it’s just a matter
of time until your system gets infected again.

Naturally, a new worm called “Code Red II” has been reported in the
wild, and almost certainly does not include these flaws. Hopefully system
administrators will comply and install their patches so their systems will
not be assimilated into the Code Red and Code Red II attacks.

About the Author

Richard Lowe Jr. is the webmaster of Internet Tips And Secrets at
http://www.internet-tips.net - Visit our website any time to read
over 1,000 complete FREE articles about how to improve your
internet profits, enjoyment and knowledge.
