Code Red (computer worm)

Computer worm
title: "Code Red (computer worm)" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["hacking-in-the-2000s", "2001-in-computing", "july-2001", "windows-malware", "exploit-based-worms", "cybercrime-in-india"] description: "Computer worm" topic_path: "technology/computing" source: "https://en.wikipedia.org/wiki/Code_Red_(computer_worm)" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0
::summary Computer worm ::
::data[format=table title="infobox computer virus"]
| Field | Value |
|---|---|
| image | Website defaced by Code Red worm.png |
| caption | A website defaced by the worm |
| common_name | Code Red |
| technical_name | CRv and CRvII |
| type | Server Jamming Worm |
::
Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server. It was the first large-scale, mixed-threat attack to successfully target enterprise networks.
The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh when it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because they were drinking Mountain Dew Code Red at the time of discovery.
Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On that day, the number of infected hosts reached 359,000.
The worm spread worldwide, becoming particularly prevalent in North America, Europe, and Asia (including China and India).
Concept
Exploited vulnerability
The worm exploited a vulnerability in software distributed with IIS, described in Microsoft Security Bulletin MS01-033 (CVE-2001-0500), for which a patch had become available a month earlier.
The worm spread by exploiting a common class of vulnerability, a buffer overflow: a request containing a long run of the repeated letter 'N' overflowed a buffer, allowing the worm to execute arbitrary code on the host and install a copy of itself. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.
Worm payload
The payload of the worm included:
- Defacing the affected web site to display:
  HELLO! Welcome to http://www.worm.com ! Hacked By Chinese!
- Other activities based on the day of the month:
  - Days 1–19: Trying to spread itself by looking for more IIS servers on the Internet.
  - Days 20–27: Launching denial-of-service attacks on several fixed IP addresses. The IP address of the White House web server was among these.
  - Days 28–end of month: Sleeping; no active attacks.
When scanning for vulnerable machines, the worm did not test whether the server running on a remote machine was running a vulnerable version of IIS, or even whether it was running IIS at all. Apache access logs from this time frequently had entries such as these:
The worm's payload is the string following the last 'N'. Due to a buffer overflow, a vulnerable host interpreted this string as computer instructions, propagating the worm.
Similar worms
Main article: Code Red II
On August 4, 2001, Code Red II appeared. Although it used the same injection vector, it had a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.
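As an added example (not code from the article or from any of the researchers it cites), the following detector scans Apache access-log lines for the probe pattern described above: a request to the Index Server ISAPI extension (.ida) whose query string is padded with a long run of 'N' (Code Red) or 'X' (Code Red II). The sample log lines, the /default.ida path, the placeholder payload bytes and the 100-byte run threshold are constructed assumptions.

```python
import re
from typing import Optional

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Both variants hit the .ida ISAPI extension and pad the query string with one
# repeated filler byte before the payload: 'N' for Code Red, 'X' for Code Red II.
FILLER = {"N": "Code Red", "X": "Code Red II"}
MIN_RUN = 100  # assumption: real probes carried several hundred filler bytes

def classify(target: str) -> Optional[str]:
    """Return the worm family if the request target looks like a Code Red probe, else None."""
    path, _, query = target.partition("?")
    if not path.lower().endswith(".ida"):
        return None
    m = re.match(r"([NX])\1*", query)          # leading run of a single filler byte
    if m is None or len(m.group(0)) < MIN_RUN:
        return None
    return FILLER[m.group(1)]

def scan_log(lines):
    """Yield (client host, family, HTTP status) for every line matching a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                             # not Common Log Format; skip
        family = classify(m.group("target"))
        if family:
            hits.append((m.group("host"), family, m.group("status")))
    return hits

# Constructed sample lines (RFC 5737 test addresses; payload bytes replaced by a placeholder).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2001:14:02:11 -0400] "GET /default.ida?' + "N" * 224 + '%u1234%u5678 HTTP/1.0" 404 276',
    '198.51.100.9 - - [05/Aug/2001:08:11:40 -0400] "GET /default.ida?' + "X" * 224 + '%u1234%u5678 HTTP/1.0" 404 276',
    '192.0.2.33 - - [19/Jul/2001:14:03:02 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.34 - - [19/Jul/2001:14:03:05 -0400] "GET /search.ida?NNNN HTTP/1.0" 404 276',  # run too short
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because the worm never checked what server it was talking to, a non-IIS host sees the same probe lines, so the detector is as useful on Apache logs as on IIS ones.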
eEye believed that the worm originated in Makati, Philippines, the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm.
References
- Trend Micro. "Enterprise Prevention and Management of Mixed-Threat Attacks".
- eEye Digital Security (July 17, 2001). "ANALYSIS: .ida 'Code Red' Worm". Advisory AL20010717. Archived copy (July 22, 2011): https://web.archive.org/web/20110722192419/http://www.eeye.com/Resources/Security-Center/Research/Security-Advisories/AL20010717
- CAIDA (c. 2001). "The Spread of the Code-Red Worm (CRv2)". CAIDA Analysis.
- "Discoveries – Video – The Spread of the Code Red Worm".
- Microsoft Corporation (June 18, 2001). "Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise". Archived copy (August 31, 2006): https://web.archive.org/web/20060831221910/http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx
- Lemos, Rob. "Virulent worm calls into doubt our ability to protect the Net". CNET News.
- CERT/CC (July 17, 2001). "CERT Advisory CA-2001-19: 'Code Red' Worm Exploiting Buffer Overflow In IIS Indexing Service DLL".
::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::