Code Red (known in Chinese by a name that translates as “Code Red”) is a network worm found on the Internet on July 15, 2001. It attacks computers running the Microsoft IIS web server.
The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. They named it “Code Red” because they were drinking Code Red Mountain Dew when they found the virus. Although the worm was released on July 13, the largest group of computers was infected on July 19, 2001. On that day, the number of infected hosts reached 35900 within 14 hours. At the peak of the infection, more than 2,000 new hosts were infected every second. Of these, 43% were in the United States and 11% in South Korea, followed by China with 5% and Taiwan with 4%.
The worm spreads through a common class of vulnerability, the “buffer overflow”. It overflows a buffer with a long string of the repeated letter “N”, which allows the worm to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to stop its spread, and because of this discovery he was invited to the White House.
Once a system is infected, the worm copies itself and starts scanning random IP addresses on TCP port 80, looking for other IIS servers to infect. At the same time, the infected machine’s home page is replaced. In addition, during a certain time frame it performs denial-of-service attacks against specified IP addresses.
How the first version of the Code Red worm operates:
“The worm attempts to connect to TCP port 80 of a randomly selected host, assuming that it will find a web server there. Once connected, the attacking host sends an HTTP GET request to the victim. The request exploits a buffer overflow vulnerability, causing the worm to be executed on the system. The worm is not written to disk; it is injected and executed directly from memory.
The worm's packet looks like this:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb
d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u
8b00%u531b%u53ff%u0078%u0000%u00=a
“Once executed, the worm checks for the file c:\notworm. If the file exists, the thread enters an infinite sleep. Otherwise, a new thread is created. Each thread may spawn another thread, resulting in the continual creation of up to 100 threads.
“If the date is before the 20th of the month, the next 99 threads will attempt to attack multiple systems at random IP addresses.
“If the default system language is English (United States), the 100th thread will replace the web server's pages with the worm's code. First, the thread sleeps for two hours, and then it hooks one of the functions that responds to HTTP requests. The hook then directs requests to the worm code. The web page change is not made by modifying files on the physical disk, but by code in memory. This state is maintained for 10 hours and is then removed.
“If the date is between the 20th and the 28th, the active threads attempt to cause a denial-of-service attack by sending large amounts of junk data, 98,304 packets, in particular to the www.whitehouse.gov IP address 188.8.131.52.
“If the date is from the 28th to the end of the month, the worm threads will be directed into an endless sleep.”
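As an added example (not part of the original article or of any vendor tool), the request shown above can be used as a detection signature over web server logs, with each hit labelled by the worm phase the quoted schedule gives for that date. The W3C-style field order, the minimum "N" run length of 32, the choice to count the 28th as the sleep phase, and all sample log lines are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import date

# Signature taken from the request shown above: /default.ida, a long run of
# "N" filler, then %uXXXX-encoded words. The minimum run of 32 is an assumption.
SIGNATURE = re.compile(r"^N{32,}(?:%u[0-9a-fA-F]{4})+", re.ASCII)

def phase(day):
    """Worm phase for a day of the month (28th counted as sleep: assumption)."""
    return "scanning" if day < 20 else "flood" if day < 28 else "sleep"

def parse(line):
    """Split one line: date time c-ip method uri-stem uri-query status."""
    parts = line.split()
    if len(parts) != 7 or parts[0].startswith("#"):
        return None  # header, comment, or a line in another layout
    keys = ("date", "time", "src", "method", "stem", "query", "status")
    return dict(zip(keys, parts))

def is_code_red(rec):
    """True when the request matches the Code Red GET signature."""
    return (rec["method"] == "GET"
            and rec["stem"].lower() == "/default.ida"
            and SIGNATURE.match(rec["query"]) is not None)

def scan(lines):
    """Return (hits per source IP, worm phase for each date with a hit)."""
    hits, phases = Counter(), {}
    for line in lines:
        rec = parse(line)
        if rec is None or not is_code_red(rec):
            continue
        hits[rec["src"]] += 1
        phases[rec["date"]] = phase(date.fromisoformat(rec["date"]).day)
    return hits, phases

# Constructed sample log lines (documentation IP ranges, shortened payload).
PAYLOAD = "N" * 40 + "%u9090%u6858%ucbd3%u7801" + "=a"
SAMPLE = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-07-19 14:02:11 192.0.2.10 GET /default.ida {PAYLOAD} 200",
    f"2001-07-19 14:02:12 192.0.2.10 GET /default.ida {PAYLOAD} 200",
    "2001-07-19 14:03:00 198.51.100.7 GET /default.ida NNNN 404",
    "2001-07-19 14:03:05 198.51.100.7 GET /index.htm - 200",
    f"2001-07-21 09:00:00 203.0.113.4 GET /default.ida {PAYLOAD} 200",
]
```

Calling `scan(SAMPLE)` counts matching requests per source address, which separates a host that is repeatedly probing from a single stray request to /default.ida.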
How do I delete Code Red?