NOTE
The page previously found at
http://www.caida.org/analysis/security/code-red/ has been moved to
http://www.caida.org/research/security/code-red/coderedv2_analysis.xml
Animations
The animations previously found at
http://www.caida.org/analysis/security/code-red/#animations can be accessed
at http://www.caida.org/research/security/code-red/coderedv2_analysis.xml#animations
Outline:
About Code-Red
The IIS .ida Vulnerability
Code-Red v1 (CRv1)
Code-Red v2 (CRv2)
CodeRedII (CRII)
CAIDA Analysis
The Spread of the Code-Red Worm (CRv2)
Animations
Visualization
Dynamic Graphs
Follow-up Survey
USENIX WIPS Slides
SIGCOMM/USENIX IMW Paper
Acknowledgments
Glossary
About Code-Red
The first incarnation of the Code-Red worm (CRv1) began to infect hosts running unpatched versions of Microsoft's IIS webserver on July 12th, 2001. This first version of the worm uses a static seed for its random number generator. Then, around 10:00 UTC on the morning of July 19th, 2001, a random-seed variant of the Code-Red worm (CRv2) appeared and spread. This second version shared almost all of its code with the first version, but spread much more rapidly. Finally, on August 4th, a new worm began to infect machines by exploiting the same vulnerability in Microsoft's IIS webserver as the original Code-Red worm. Although the new worm shared almost no code with the two versions of the original worm, its code contained the string "CodeRedII", and it was thus named CodeRed II. The characteristics of each worm are explained in greater detail below.
The IIS .ida Vulnerability
Detailed information about the IIS .ida vulnerability can be found at eEye (http://www.eeye.com/html/Research/Advisories/AD20010618.html).
On June 18, 2001, eEye released information about a buffer-overflow vulnerability in Microsoft's IIS webservers. The remotely exploitable vulnerability was discovered by Riley Hassell. It allows execution of arbitrary code at system level and thus presents a serious security risk. The buffer overflow is exploitable because the ISAPI (Internet Server Application Programming Interface) .ida (Indexing Service) filter fails to perform adequate bounds checking on its input buffers.
A security patch for this vulnerability is available from Microsoft at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp.
Code-Red v1 (CRv1)
Detailed information about Code-Red version 1 can be found at eEye (http://www.eeye.com/html/Research/Advisories/AL20010717.html).
On July 12, 2001, a worm began to exploit the aforementioned buffer-overflow vulnerability in Microsoft's IIS webservers. Upon infecting a machine, the worm checks whether the date (as kept by the system clock) is between the first and the nineteenth of the month. If so, the worm generates a random list of IP addresses and probes each machine on the list in an attempt to infect as many computers as possible. However, this first version of the worm uses a static seed in its random number generator and thus generates an identical list of IP addresses on every infected machine. The first version of the worm spread slowly, because each newly infected machine started by probing the same addresses in the same order, and those machines were either already infected or not vulnerable. The worm is programmed to stop infecting other machines on the 20th of every month. In its next attack phase, the worm launches a Denial-of-Service attack against www1.whitehouse.gov from the 20th to the 28th of each month.
On July 13th, Ryan Permeh and Marc Maiffret at eEye Digital Security
received logs of attacks by the worm and worked through the night
to disassemble and analyze the worm. They christened the worm
"Code-Red" both because the highly caffeinated "Code Red" Mountain
Dew fueled their efforts to understand the workings of the worm
and because the worm defaces some web pages with the phrase "Hacked
by Chinese". There is no evidence either supporting or refuting the
involvement of Chinese hackers with the Code-Red worm.
The first version of the Code-Red worm caused very little damage. The worm
did deface web pages on some machines with the phrase "Hacked by
Chinese." Although the worm's attempts to spread itself consumed resources
on infected machines and local area networks, it had little
impact on global resources.
The Code-Red version 1 worm is memory resident, so an infected machine can be disinfected simply by rebooting it. However, once rebooted, the machine is still vulnerable to repeat infection. Any machine infected by Code-Red version 1 and subsequently rebooted was likely to be reinfected, because each newly infected machine probes the same list of IP addresses in the same order.
Code-Red v2 (CRv2)
Detailed information about Code-Red version 2 can be found at eEye (http://www.eeye.com/html/Research/Advisories/AL20010717.html) and Silicon Defense (http://www.silicondefense.com/cr/).
At approximately 10:00 UTC on the morning of July 19th, 2001, a random-seed variant of the Code-Red worm (CRv2) began to infect hosts running unpatched versions of Microsoft's IIS webserver. The worm again spreads by probing random IP addresses and infecting every host vulnerable to the IIS exploit. Code-Red version 2 lacks the static seed found in the random number generator of Code-Red version 1; instead it uses a random seed, so each infected computer tries to infect a different list of randomly generated IP addresses. This seemingly minor change had a major impact: more than 359,000 machines were infected with Code-Red version 2 in just fourteen hours.
Because Code-Red version 2 is identical to Code-Red version 1 in
all respects except the seed for its random number generator, its
only actual damage is the "Hacked by Chinese" message added to top level webpages on some
hosts. However, Code-Red version 2 had a greater impact on global
infrastructure due to the sheer volume of hosts infected and probes
sent to infect new hosts. Code-Red version 2 also wreaked havoc
on some additional devices with web interfaces, such as routers,
switches, DSL modems, and printers. Although these devices were
not infected with the worm, they either crashed or rebooted when
an infected machine attempted to send them a copy of the worm.
Like Code-Red version 1, Code-Red version 2 can be removed from a computer
simply by rebooting it. However, rebooting the machine does not
prevent reinfection once the machine is online again. On July 19th, the
probe rate to hosts was so high that many machines were infected as the
patch for the .ida vulnerability was applied.
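The difference between CRv1's static seed and CRv2's random seed is easiest to see in a small simulation. The following Python is an added illustration written for this page; it is neither CAIDA's analysis code nor worm code. The address-space size, the number of vulnerable hosts, the probes per tick and the seed values are arbitrary assumptions, and an infected host is modelled only as a source of random target addresses. The one structural fact it encodes is the one described above: with a static seed every newly infected host replays the same target list from the beginning, so the set of addresses ever probed is just the prefix already covered by the first victim, and the infection count can never exceed one plus the number of probes that host has sent.

```python
import random


def simulate_spread(num_hosts, num_vulnerable, probes_per_tick, ticks,
                    static_seed=None, rng_seed=1):
    """Toy model of worm spread over a flat address space of num_hosts.

    Each infected host draws probes_per_tick target addresses per tick from its
    own pseudo-random generator.  With static_seed set, every infected host
    seeds its generator with that same value (CRv1 behaviour), so all hosts
    replay one target list from the start.  With static_seed=None each host
    receives a fresh seed (CRv2 behaviour).  Returns the number of infected
    hosts after each tick.  All parameters are illustrative assumptions, not
    measured Code-Red values.
    """
    master = random.Random(rng_seed)           # fixed so the run is repeatable
    vulnerable = set(master.sample(range(num_hosts), num_vulnerable))
    patient_zero = min(vulnerable)

    def new_generator():
        seed = static_seed if static_seed is not None else master.getrandbits(32)
        return random.Random(seed)

    infected = {patient_zero: new_generator()}  # host -> its probe generator
    history = [len(infected)]
    for _ in range(ticks):
        newly = set()
        for host in sorted(infected):           # sorted: deterministic order
            gen = infected[host]
            for _ in range(probes_per_tick):
                target = gen.randrange(num_hosts)
                # A probe only matters if it reaches a vulnerable, uninfected host.
                if target in vulnerable and target not in infected:
                    newly.add(target)
        for host in sorted(newly):
            infected[host] = new_generator()   # CRv1: same seed; CRv2: fresh seed
        history.append(len(infected))
    return history


def probe_list(seed, length, num_hosts):
    """Target list any host derives from a seed: equal seeds give equal lists."""
    gen = random.Random(seed)
    return [gen.randrange(num_hosts) for _ in range(length)]


if __name__ == "__main__":
    crv1 = simulate_spread(5000, 500, 5, 40, static_seed=0x1234)
    crv2 = simulate_spread(5000, 500, 5, 40)
    print("static seed (CRv1-like):", crv1[-1], "of 500 vulnerable hosts infected")
    print("random seed (CRv2-like):", crv2[-1], "of 500 vulnerable hosts infected")
```

With the static seed the count grows no faster than a single scanner could manage, whatever the number of infected hosts; with per-host seeds the probes from different hosts cover different addresses and the count grows roughly geometrically until the vulnerable population is exhausted. The same model also explains the reinfection noted above: a rebooted CRv1 victim sits at a fixed position in every other victim's identical list, so it is probed again as soon as any fresh infection replays that list.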
CodeRedII (CRII)
Detailed information about CodeRedII can be found at eEye (http://www.eeye.com/html/Research/Advisories/AL20010804.html) and at http://aris.securityfocus.com/alerts/codered2/.
On August 4, 2001, an entirely new worm, CodeRedII, began to exploit the buffer-overflow vulnerability in Microsoft's IIS webservers. Although the new worm is essentially unrelated to the original Code-Red worm, its code contained the string "CodeRedII", which became the name of the new worm.
Ryan Permeh and Marc Maiffret analyzed CodeRedII to determine its attack mechanism. When the worm infects a new host, it first determines whether the system has already been infected. If not, the worm initiates its propagation mechanism, sets up a "backdoor" into the infected machine, becomes dormant for a day, and then reboots the machine. Unlike Code-Red, CodeRedII is not merely memory resident, so rebooting an infected machine does not eliminate CodeRedII.
After rebooting the machine, the CodeRedII worm begins to spread. If the host infected
with CodeRedII has Chinese (Taiwanese) or Chinese (PRC) as the
system language, it uses 600 threads to probe other machines. All
other machines use 300 threads. CodeRedII uses a more complex
method of selecting hosts to probe than Code-Red. CodeRedII
generates a random IP address and then applies a mask to produce
the IP address to probe. The length of the mask determines
the similarity between the IP address of the infected machine and
the probed machine. 1/8th of the time, CodeRedII probes a completely
random IP address. 1/2 of the time, CodeRedII probes a machine in
the same /8 (so if the infected machine had the IP address 10.9.8.7,
the IP address probed would start with 10.), while 3/8ths of the
time, it probes a machine on the same /16 (so the IP address probed
would start with 10.9.). Like Code-Red, CodeRedII avoids probing
IP addresses in 224.0.0.0/8 (multicast) and 127.0.0.0/8 (loopback).
The bias towards the local /16 and /8 networks means that an infected
machine may be more likely to probe a susceptible machine, based
on the supposition that machines on a single network are more likely
to be running the same software as machines on unrelated IP addresses.
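The masked target selection described above can be written out directly. The following Python is an added example modelling the behaviour this page describes (1/8 fully random, 1/2 within the infected host's /8, 3/8 within its /16, never 224.0.0.0/8 or 127.0.0.0/8); it is not CodeRedII's own code, and the way a rejected address is handled (redraw) and the refusal to probe the host's own address are assumptions of the model, not facts stated on this page. The sampling helper exists only so the proportions can be checked on a repeatable run.

```python
import ipaddress
import random
from collections import Counter

# Address ranges the text says CodeRedII (like Code-Red) never probes.
SKIPPED_NETS = (ipaddress.ip_network("224.0.0.0/8"),   # multicast
               ipaddress.ip_network("127.0.0.0/8"))   # loopback


def is_probeable(ip):
    """True unless ip falls in a range the worm is described as skipping."""
    addr = ipaddress.IPv4Address(ip)
    return not any(addr in net for net in SKIPPED_NETS)


def crii_next_target(own_ip, rng):
    """Pick one probe target with the CodeRedII locality bias.

    The high-order bits selected by the mask come from the infected host's own
    address, the remaining bits from a random 32-bit draw.  Multicast and
    loopback targets, and the host's own address, are rejected and redrawn
    (an assumption of this model).
    """
    own = int(ipaddress.IPv4Address(own_ip))
    if not is_probeable(own_ip):
        raise ValueError("host address lies in a range that is never probed")
    while True:
        draw = rng.getrandbits(32)
        bucket = rng.randrange(8)           # eight equally likely outcomes
        if bucket < 1:                       # 1/8: keep nothing -> fully random
            keep = 0x00000000
        elif bucket < 5:                     # 4/8 = 1/2: keep first octet -> same /8
            keep = 0xFF000000
        else:                                # 3/8: keep first two octets -> same /16
            keep = 0xFFFF0000
        target = (own & keep) | (draw & ~keep & 0xFFFFFFFF)
        candidate = str(ipaddress.IPv4Address(target))
        if target == own or not is_probeable(candidate):
            continue
        return candidate


def sample_targets(own_ip, n, seed=1):
    """n targets from one generator; seeded only so the example is repeatable."""
    rng = random.Random(seed)
    return [crii_next_target(own_ip, rng) for _ in range(n)]


def locality_breakdown(own_ip, n, seed=1):
    """Classify n targets by how much leading prefix they share with own_ip."""
    own = int(ipaddress.IPv4Address(own_ip))
    counts = Counter()
    for t in sample_targets(own_ip, n, seed):
        tgt = int(ipaddress.IPv4Address(t))
        if tgt >> 16 == own >> 16:
            counts["same /16"] += 1
        elif tgt >> 24 == own >> 24:
            counts["same /8"] += 1
        else:
            counts["elsewhere"] += 1
    return counts


if __name__ == "__main__":
    for label, count in sorted(locality_breakdown("10.9.8.7", 8000).items()):
        print(f"{label:10s} {count:5d}")
```

Over a large sample the three classes settle at roughly 3/8, 1/2 and 1/8 of the targets; the small excess in the "same /16" class comes from the 1/256 of same-/8 draws that happen to land in the host's own /16, which is why the bias cannot be recovered exactly from observed targets alone.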
The CodeRedII worm is much more dangerous than Code-Red because CodeRedII installs a mechanism for remote, system-level access to the infected machine. Unlike Code-Red, CodeRedII neither defaces web pages on infected machines nor launches a Denial-of-Service attack. However, the backdoor installed on the machine allows arbitrary code to be executed, so the machines could be used as zombies for future attacks (DoS or otherwise).
A machine infected with CodeRedII must be patched to prevent reinfection
and then the CodeRedII worm must be removed.
A security patch for this vulnerability is available from Microsoft at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp.
A tool that disinfects a computer infected with CodeRedII is also
available: http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=9B7A1710-2B5C-4754-94D4-BC6A81A9A054.
CAIDA Analysis
CAIDA's ongoing analysis of the Code-Red worms includes a detailed analysis of the spread of Code-Red version 2 on July 19, 2001, a follow-up survey of the patch rate of machines infected on July 19th, and dynamic graphs showing the prevalence of Code-Red version 2 and CodeRedII worldwide.
The Spread of the Code-Red Worm (CRv2)
by David Moore and Colleen Shannon
July 24, 2001
An analysis of the spread of the Code-Red version 2 worm between midnight UTC July 19, 2001 and midnight UTC July 20, 2001.
On July 19, 2001 more than 359,000 computers were infected with the
Code-Red (CRv2) worm in less than 14 hours.
At the peak of the infection frenzy, more than 2,000 new hosts were
infected each minute. 43% of all infected hosts were in the United States,
while 11% originated in Korea followed by 5% in China and 4% in Taiwan.
The .NET Top Level Domain (TLD) accounted for 19% of all compromised
machines, followed by .COM with 14% and .EDU with 2%. We also observed 136
(0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm. An
animation of the geographic expansion of the
worm is available.
Animations
To help us visualize the initial spread of Code-Red version 2, Jeff Brown created an animation of the geographic spread of the worm in five-minute intervals between midnight UTC on July 19, 2001 and midnight UTC on July 20, 2001.
For the animation, infected hosts were mapped to latitude and
longitude values using ipmapper,
and aggregated by the number at each unique location. The radius
of each circle is sized relative to the infected hosts mapped to the center
of the circle using the formula 1+ln(total-infected-hosts). When smaller
circles are
obscured
by larger circles, their totals are not combined with the larger
circle; the smaller data points are hidden from view. Although we
attempted to identify the geographic location of each host as
accurately as possible, in many cases the granularity of the location
was limited to the country of origin. We plot these hosts at the
center of their respective countries. The rapidly expanding central regions of most countries are therefore an artifact of the localization method.
The animation is available in
three formats: flipbook/flic (207kB), QuickTime (200k, QTv3 or newer), or
as an animated gif (4.1 MB)
Animations created by Jeff Brown (UCSD CSE department),
based on analysis by David Moore (CAIDA at SDSC).
Copyright UC Regents 2001.
Flipbook animation of geographic spread
of Code-Red worm (Preferred format 207k .fli)
Note: The recommended way to view the flipbook format is to
use xanim
on a Unix platform, or QuickTime Player 5 on Macintosh and Windows boxes.
Use
the "open URL" feature of a QuickTime player and paste in the URL.
Quicktime animation of growth by
geographic breakdown (200K .mov {requires QuickTime v3 or newer} )
Animated gif of geographic spread of
Code-Red worm (4.1 MB .gif)
Note: The animated gif does not display correctly in all
browsers.
Visualization
This Walrus visualization shows the number of hosts infected by the Code-Red worm in the IPv4 prefix 24.0.0.0/8, broken down by announced BGP prefix, on July 19, 2001.
Dynamic Graphs
These graphs show the spread of the Code-Red version 2 and CodeRedII worms beginning August 1, 2001. The number of hosts actively probing to infect new hosts in each ten-minute window is shown on a linear scale in the top graph and on a logarithmic scale in the bottom graph. Note that Code-Red version 2 and CodeRedII cannot be distinguished from one another on these graphs. Attempts to independently analyze Code-Red version 2 and CodeRedII are underway.
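The quantity plotted in these graphs, distinct sources seen probing in each ten-minute window, can be computed from a list of observed probes. The following Python is an added example, not CAIDA's own tooling; the record format (one ISO-8601 UTC timestamp and one source address per line) and the sample records are constructed for illustration using documentation address ranges, and stand in for what a passive monitor might log for unsolicited connection attempts to TCP port 80.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 600   # ten-minute bins, as in the graphs described above

# Constructed sample records: "<timestamp> <source IP>".  Addresses come from
# documentation ranges; nothing here is real monitoring data.
SAMPLE_PROBES = """\
2001-08-01T00:00:05Z 192.0.2.10
2001-08-01T00:03:41Z 198.51.100.7
2001-08-01T00:03:42Z 192.0.2.10
2001-08-01T00:09:59Z 203.0.113.99
2001-08-01T00:10:00Z 192.0.2.10
2001-08-01T00:14:30Z 198.51.100.7
2001-08-01T00:21:07Z 203.0.113.5
malformed record that must be skipped
2001-08-01T00:29:59Z 203.0.113.5
"""


def parse_probe(line):
    """Return (unix_seconds, source_ip), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return int(ts.replace(tzinfo=timezone.utc).timestamp()), parts[1]


def active_sources_per_window(text, window=WINDOW_SECONDS):
    """Count distinct probing sources per window of `window` seconds.

    A source that probes several times within one window is counted once
    there; a source active across several windows is counted in each, which is
    what "hosts actively probing in each window" means.  Malformed lines are
    skipped rather than aborting the whole run.  Returns a chronologically
    sorted list of (window_start_iso, distinct_sources).
    """
    sources = defaultdict(set)
    for line in text.splitlines():
        rec = parse_probe(line)
        if rec is None:
            continue
        ts, src = rec
        sources[ts - ts % window].add(src)     # floor to the window boundary
    return [
        (datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), len(s))
        for start, s in sorted(sources.items())
    ]


if __name__ == "__main__":
    for start, count in active_sources_per_window(SAMPLE_PROBES):
        print(start, count)
```

Because one source is counted once per window no matter how many probes it sends, the series tracks the number of active infected hosts rather than the probe volume, which is the distinction the graphs rely on; a source that stops probing (patched, rebooted CRv2, or past the 19th of the month) simply drops out of later windows.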
Follow-up Survey
CAIDA performed a follow-up survey of IP addresses that were identified as having been infected with the Code-Red worm on July 19th, 2001. A random subset of the 359,000 IP addresses originally infected was examined each day to see whether they were still vulnerable to the IIS bug exploited by Code-Red. Results from this survey are available in our paper, Code-Red: a case study on the spread and victims of an Internet worm.
USENIX WIPS Slides
Slides on Code-Red version 2 presented at the 2001 USENIX Security Conference Work-In-Progress Session.
SIGCOMM/USENIX IMW Paper
Paper on the spread and victims of Code-Red and Nimda presented at the 2002 SIGCOMM/USENIX Internet Measurement Workshop.
Acknowledgments
We would like to thank Pat Wilson and Brian Kantor of UCSD for data and discussion; Vern Paxson (LBL and ACIRI) for providing an additional viewpoint of data; Jeff Brown (UCSD/CSE) for producing animations of worm spread; Bill Fenner (AT&T Research) for useful comments and fli2gif; and Stefan Savage (UCSD) and kc claffy (CAIDA) for suggestions.
We would also like to thank Cisco for their generous support, without which these analyses would have been impossible.
Support for this work was provided by DARPA ITO NGI and NMS programs, NSF ANIR, and CAIDA members.
Glossary
IP address space - the set of all possible IP addresses.
worm - a program that connects to other machines and replicates itself. Worms have the potential both to damage infected machines and to interfere with networks and services through the congestion caused by their spread.
packet header - the data at the beginning of each IP packet containing the source and destination IP addresses, as well as information about the type of data contained in the packet.
IP packet - the fundamental unit of data transmission across a network: a chunk of data and control information headed from a source host to a destination host.
passive monitoring - study of network behavior without generating or otherwise interfering with traffic on the network.
router - a machine designed to direct packets from their source host to their destination.
seed - a starting point for a pseudo-random number generator. A static seed causes the generator to output the same sequence of numbers each time it is invoked, although the numbers within the sequence still have no predictable relationship to each other. A random seed uses an unpredictable starting point, so the generator produces a different sequence each time rather than the same predictable series.