Viruses: The Code Red Worm

By: Richard Lowe

Years from now, we will all look back on the summer of 2001 as one of the strangest summers in the history of the internet. We will surely laugh at the frantic gyrations of system administrators and security professionals because of a worm called "Code Red". We system administrators will most certainly chuckle as we fondly reminisce on the late evenings spent patching server after server at the urging of our security professionals. And hey, that blue screen or two that resulted was so much fun to research, and the reinstalls that we had to do the next day will certainly be the topic of campfire conversations for years to come! Not!

During late July and early August, Microsoft, CERT (Computer Emergency Response Team) and the FBI issued emergency bulletins urging all system administrators to patch their web servers immediately. The press was alerted and asked to help spread the word that the internet itself was in extreme danger. Every security and antivirus company on the planet was busy sending out notices to everyone they could find that the problem had to be fixed immediately, or dire consequences would result.

The predictions were that internet speed would be reduced to a crawl for days while billions (trillions?) of meaningless packets were thrown at the White House web site in an attempt to knock it off the air.

What was the cause of this three-ring circus?

It's very simple really. The same old story. Microsoft had a bug in their web server code. Well, saying they had a bug dramatically understates the magnitude of the problem.

To put it into perspective, let's say you hired a contractor to build a new bank (you are the bank manager). Naturally, your bank is outfitted with state of the art technology (so says the brochure), including a shiny, well-publicized security system. The project was expensive, but you're happy because, hey, it's the new, improved, extra special XP bank. Besides, the contractor is the biggest one on the planet and, frankly, you paid them an exorbitant rate to ensure that you got the best there was.

After your bank is robbed, you find out that the contractor had "accidentally" left an eight foot hole in the right wall. This isn't just a small hole, it's a huge, gaping crevice leading directly to the vault. It's in plain view to everyone, except, seemingly, the contractor. When you confront the contractor to ask them how they could do such a stupid thing, they politely tell you, after a three hour wait on hold and a $295 charge on your credit card, that it's really your fault because you didn't follow the instructions in their special security bulletin two months ago. Didn't you send a couple of your employees to the BSE (Bank Systems Engineer) classes to learn that they need to purchase the extra-special, super spectacular BankNet knowledgebase CDs?

Okay, all kidding and sarcasm aside, there is a bug in the Indexing service (the component that creates searchable indexes) in the Microsoft Internet Information Server (the program which displays web pages on a web server) which is supplied with Windows NT and Windows 2000. This bug allows anyone who can send a special string of characters to a web server to "take control" and, basically, cause the web server to do anything that the attacker desires.

The bug is something commonly known as a "buffer overflow", which simply means you can send more characters to the web server than it is capable of receiving. When a program receives characters it writes them to memory in a place called a buffer. If a poorly written program receives more characters than it is designed to handle, the extra characters spill past the end of the buffer into whatever memory sits next to it and, under the right conditions, end up being executed with the program's privileges.

To put it very simply, it was discovered that you could cause the Indexing Service to "overflow its buffers" and execute selected code as a privileged user. This allows a special hacker program (which is reported to have required all of a half hour to write) to gain control of a server.

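
The bug class the article describes, shown as a vulnerable request handler beside its hardened form. This is an added example, not code from the article or from IIS itself; the 64-byte buffer, the function names and the inputs are assumptions.

```c
#include <string.h>

/* Added example, not code from the article or from IIS. It models the bug
 * class the article describes: a request handler copying the query string
 * into a fixed-size buffer without checking how much it was sent. */
#define QUERY_MAX 64                   /* assumed buffer size */

/* Vulnerable form: strcpy stops only at the terminating NUL, so a query of
 * QUERY_MAX or more bytes runs past 'buf' and overwrites whatever sits next
 * to it on the stack, which is how attacker-chosen bytes end up executed. */
int handle_query_vulnerable(const char *query)
{
    char buf[QUERY_MAX];
    strcpy(buf, query);                /* no bounds check: the defect */
    return (int)strlen(buf);           /* stand-in for "index the query" */
}

/* Hardened form: measure first, reject what does not fit, copy with an
 * explicit bound. The buffer can no longer be overrun regardless of input. */
int handle_query_safe(const char *query)
{
    char buf[QUERY_MAX];
    size_t len = strlen(query);
    if (len >= QUERY_MAX)              /* keep room for the terminator */
        return -1;                     /* rejected: would overflow */
    memcpy(buf, query, len + 1);
    return (int)len;
}

/* Constructed oversize input: 255 bytes of padding, far beyond QUERY_MAX.
 * Only the hardened handler is given it; the vulnerable one would corrupt
 * the stack (undefined behaviour), which is exactly the worm's entry point. */
int demo_oversize(void)
{
    char oversize[256];
    memset(oversize, 'N', sizeof oversize - 1);
    oversize[sizeof oversize - 1] = '\0';
    return handle_query_safe(oversize);
}

/* Constructed normal input: a short, ordinary search query. */
int demo_normal(void)
{
    return handle_query_safe("q=annual+report");
}
```

Building the vulnerable handler with stack protection (for example gcc's -fstack-protector) turns the overrun into an abort instead of execution, which is a mitigation; the length check is the fix.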

You have to understand that buffer overflows are nothing new to the world of computing. In fact, I am sure that the first programmer is also the first person to experience this condition. This is well known to competent quality control departments, programmers, designers and, of course, hackers.

To put it bluntly, buffer overflows should not occur in any program written by any programmer who has passed "programming 102". In addition, any quality assurance person who has taken "quality control 101" should be able to check for and spot the problem from a mile away. All right already, so what is the infamous Code Red worm?

Code Red is a clever little program which takes advantage of this gaping hole in the Index Server. What the program does is search for systems with the flaw. It's easy to find those systems and Code Red is very good at its job. So good, in fact, that in early August 2001 it is estimated that it infected over 300,000 machines!

Once the worm finds a machine, it executes the buffer overflow condition and causes itself to be installed on the machine. Remember the Wrath of Khan movie where the beetle with the big pincers crawled into Chekov's ear? It's something like that.
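A defender's check that would surface the oversize request the worm sends to a web server, added here as an example rather than taken from the article; the log layout, the two limits and the sample line are constructed assumptions.

```c
#include <string.h>
/* Added example, not from the article: a defender-side check over IIS-style
 * access log lines that flags the kind of oversize query string the article
 * describes. Constructed log format: date time client-ip method uri-stem
 * uri-query status, space separated. Both limits are assumptions. */
#define QUERY_LEN_LIMIT  200   /* genuine search queries are short */
#define REPEAT_RUN_LIMIT 100   /* long runs of one byte are padding */
/* Locate the uri-query field (6th token); NULL if the line is malformed. */
static const char *query_field(const char *line, size_t *len)
{
    const char *p = line;
    for (int field = 0; field < 5; field++) {
        if ((p = strchr(p, ' ')) == NULL) return NULL;
        p++;
    }
    const char *end = strchr(p, ' ');
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* Length of the longest run of one repeated byte in s[0..n). */
static size_t longest_run(const char *s, size_t n)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (i > 0 && s[i] == s[i - 1]) ? run + 1 : 1;
        if (run > best) best = run;
    }
    return best;
}

/* 1 = flag for review, 0 = looks normal, -1 = line could not be parsed. */
int flag_oversize_request(const char *line)
{
    size_t len;
    const char *q = query_field(line, &len);
    if (q == NULL) return -1;
    return (len > QUERY_LEN_LIMIT || longest_run(q, len) > REPEAT_RUN_LIMIT);
}

/* Constructed sample: a request whose query is 300 copies of one byte. */
int demo_padded_line(void)
{
    char line[512] = "2001-07-19 10:00:01 192.0.2.10 GET /search.dll ";
    size_t n = strlen(line);
    memset(line + n, 'N', 300);
    strcpy(line + n + 300, " 200");
    return flag_oversize_request(line);
}
```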

Once the bug got into his brain, oh sorry ... once the worm has installed itself it does a number of different things depending upon the day of the month. Some days near the beginning of a month it will search for new systems to infect. Towards the middle the worms will all launch an attack against the White House web site. At the end of the month, all of these malicious little programs will sleep, waiting for the next month.

Interestingly, the Code Red worm has a couple of small flaws. First, its attack is directed at a single IP address. Thus, during the first waves of attacks in July the White House "dodged the bullet" by simply changing their address.

Second, the worm only installs itself in memory. This means it's simply a matter of rebooting the server to rid it of the pesky infection. Of course, if you don't install the patch (a fix to repair the problem, conceptually like the piece of rubber used to patch a hole in a tire), it's just a matter of time until your system gets infected again.

Naturally, a new worm called "Code Red II" has been reported in the wild, and almost certainly does not include these flaws. Hopefully system administrators will comply and install their patches so their systems will not be assimilated into the Code Red and Code Red II attacks.