Attack of Code Red Virus


A computer virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be “infected”. Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user’s screen, spamming their contacts, or logging their keystrokes.

CodeRed is a worm-type computer virus that caused possibly billions of dollars of damage in the summer of 2001. It contains the text string “Hacked by Chinese!”, which is displayed on web pages that the worm defaces. It is also one of the few worms able to run entirely in memory, leaving no files on the hard drive or any other permanent storage (although some variants do). It attacked computers running Microsoft’s IIS web server. The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. They named it “Code Red” because Code Red Mountain Dew was what they were drinking at the time.

Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000. The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft Security Bulletin MS01-033, for which a patch had been available a month earlier. The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated letter ‘N’ to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to block it, and was invited to the White House for his discovery.

Code Red infected between 1 and 2 million computers and resulted in an estimated $2.75 billion in clean-up costs and lost productivity. This is out of a possible 6 million, as that is the number of IIS servers in existence at the time. It was the most costly malware of 2001. It was deemed by the FBI to be so dangerous that it could bring down the entire Internet due to the increased traffic from the scans.

Consider its behaviour. Code Red arrives at a server as a GET /default.ida request on TCP port 80. The request contains code that exploits a known buffer overflow vulnerability in the indexing software in Microsoft’s Internet Information Server (IIS), allowing the worm to run code from within the IIS server. The worm runs entirely in memory and cannot be found on the disk. It is about 3,569 bytes long. Using the CreateThread API, the worm tries to create 100 threads or copies of itself, but due to a bug in its code it may actually create many more. Infected computers are likely to have high CPU loads because of this. Each of the threads checks for the file C:\Notworm. If this file exists, the worm does not run and the thread goes into an infinite sleep state. It is uncertain what the exact significance of the Notworm file is. There is some speculation that this file may have existed only on one or more of the creator’s computers in order to prevent the worm from infecting them.

If the date is between the 20th and 28th of the month, the worm will send junk data to port 80 of 198.137.240.91, which was then the IP address of whitehouse.gov (it was changed because of the worm). After the 28th, it goes into an infinite sleep mode and cannot be awakened unless deliberately executed. The 100th thread of the worm checks the language of the local page of the server. If the language is US English, it will change the page.

This defacement hook lasts for 10 hours and is then removed. However, re-infection or other threads can rehook the function. The worm attempts to connect to TCP port 80 on a randomly chosen host, assuming that a web server will be found. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit the buffer overflow in the Indexing Service. The original CodeRed worm stopped propagating on 2001.07.28, going into “Infinite Sleep Mode”. It is believed that the worm will not “awaken” and will not spread again, unless deliberately executed.
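The two observable traits described above, a GET /default.ida request carrying a long run of the letter ‘N’, are enough to flag Code Red probes in web server logs. The following detector is an added example, not code from the original post or from eEye; it assumes W3C-style IIS log lines (date, time, client IP, method, URI stem, URI query, status) and treats a run of at least 100 consecutive ‘N’s as the signature, a conservative threshold chosen here since the worm’s actual run is longer. The sample log lines are constructed and the exploit payload itself is not reproduced.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumption: a run of at least this many consecutive 'N's in the query of a
# /default.ida request is treated as a Code Red probe (the worm's real run is
# longer, so this threshold is conservative rather than exact).
MIN_N_RUN = 100

# W3C-style IIS log line: date time client-ip method uri-stem uri-query status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
N_RUN_RE = re.compile(r"N{%d,}" % MIN_N_RUN)


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    n_run_length: int


def is_code_red_request(method: str, uri_stem: str, uri_query: str) -> int:
    """Return the longest 'N' run if the request matches the Code Red pattern, else 0."""
    if method.upper() != "GET" or uri_stem.lower() != "/default.ida":
        return 0
    runs = [len(m.group(0)) for m in N_RUN_RE.finditer(uri_query)]
    return max(runs) if runs else 0


def scan_log(lines: List[str]) -> List[Hit]:
    """Scan log lines and return one Hit per request that matches the signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the scan
        date, time, ip, method, stem, query, _status = m.groups()
        run = is_code_red_request(method, stem, query)
        if run:
            hits.append(Hit(f"{date} {time}", ip, run))
    return hits


# Constructed sample lines: one benign request, one probe with a 224-character
# run of 'N' and a harmless placeholder tail, one ordinary /default.ida hit.
SAMPLE_LOG = [
    "2001-07-19 10:12:03 10.0.0.5 GET /index.html - 200",
    "2001-07-19 10:12:07 10.0.0.9 GET /default.ida " + "N" * 224 + "=placeholder 404",
    "2001-07-19 10:12:09 10.0.0.7 GET /default.ida foo=bar 404",
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} Code Red probe (N run = {hit.n_run_length})")
```

The same check can be applied to a live request in an IIS filter or a reverse proxy; a legitimate /default.ida request with a short query is left alone.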
