Code Red et al
go to Elijah Laboratories Inc Home Page

Code Red, Saphire, Blaster, et al

Code Red -- What is it, and what are the consequences?

R. J. Brown, Elijah Laboratories Inc.

The Code Red and Code Red II worms, and variants, have been attacking Microsoft based servers all over the internet. Code Red was described in June, and was responsible for a failed attack on the White House (Presidential palace of the United States) in July. It re-surfaced in August, but activity started to die down by August 3rd; however, another worm, the Code Red II worm, based on the same exploit, but with an entirely different payload, surfaced on Saturday, August 4th. A less malicious but much faster propagating worm, Slammer/Saphire, appeared in January of 2003. W32.blaster appeared on Monday, August 11, 2003.

The Code Red worm attack Microsoft IIS servers versions 4.0 and 5.0 on NT and OS/2000 hosts. On NT hosts, it crashes the webserver, but leaves the OS up. On OS/2000 hosts, it succesfully infiltrates and gains total control of the machine. It plants a back door permitting future intrusions, and then starts to propagate itself to other vulnerable servers.

During this propagation process, much internet packet traffic is generated, mostly on the class A and B subnets of the compromised host, but also on the internet at large. This high volume of traffic has been responsible for slowdowns in various regions of the internet from time to time.

It must be remembered that every IP address on the internet is theoretically equally likely to receive a probe from the worm. This is because of the algorithm used to generate the target addresses by the worm propagation process. This means that for every probe received by one machine, that there were over 4 billion other probes that were not addressed to that machine! This is a truley amazing amount of traffic.

The real danger of Code Red II is the huge number of compromised machines that will be left with a back door wide open. We can certainly expect some distributed denial of service (DDoS) attacks to some high profile targets in the near future. I wouldn't be too suprised if entire countries were cut off from the rest of the internet, or large corporations forced to resort to doing business without computer networks at all. The economic cost of this would be staggering. Furthermore, a threat to the financial stability, or even the national security, of many modern nations could possibly also result.

Here are some sites to visit for more detailed information:

    Graph of W32.blaster infection packets attacking the network of Elijah Laboratories Inc., along with some discussion.
    Analysis of the Saphire/Slammer (code blue) worm of Friday, January 24, 2003, which qualified as a "Warhol worm".
    One good place to go for up to the minute information on the incidence of incidents.
    A briefing on the Code Red and Code Red II internet worms.
    The CERT Incident Note on Code Red II.
    The official Microsoft Security Bulletin announcing the vulnerability before either Code Red worm struck.
    A good chronology of events around the Codes Red viruses.
    A seminal paper outlining how it would be possible to propagate a worm across the entire internet in 15 minutes to an hour.
    A follow up paper showing how to improve the speed of such a worm to 30 seconds.
    The book that first used the term "worm" (actually, "tapeworm") for a self-propagating malicious computer program.

  • go to Elijah Laboratories Inc Home Page
    Robert J. Brown
    Last modified: Fri Mar 7 11:41:08 CST 2003