Computer Protection Program at Berkeley Lab Security
Ernest Orlando Lawrence Berkeley National Laboratory

Code Red (and .BOMB) Worm


The Code Red worm is a self-reproducing program that spreads from one Internet Information Server (IIS) web server to another by exploiting well-known vulnerabilities in IIS. In late July 2001 it infected numerous IIS web servers here at LBNL. It did not cause any damage, but it spread rapidly throughout our network, causing slowdowns and disrupting operations. Code Red is even programmed to direct a denial-of-service attack at www.whitehouse.gov.

Systems that are Vulnerable

Any Windows NT or Windows 2000 system that runs IIS is potentially vulnerable to a Code Red attack. (It is also conceivable that a Windows 98 system running Index Server could be vulnerable, although almost no Windows 98 systems at LBNL run Index Server.) To check your Windows NT and Windows 2000 systems, open Start > Run and enter "cmd" in the Run dialog. Once the command prompt appears, enter "net start | more" (without the quotes, of course). If the IIS Admin Service is one of the services listed, your system is potentially vulnerable.

How Code Red Works

The "Code Red" worm attacks other IIS Web servers in the following manner:

1. It scans the victim host to see if TCP port 80 is active.

2. It sends a specially constructed HTTP GET request to the victim, attempting to exploit a buffer overflow problem in the Indexing Service.

3. If step 2 works, Code Red starts to run on the victim system. The developers of this program did, however, build in a feature that prevents Code Red from infecting an already infected system: the worm creates a file named c:\notworm on each infected system, and if Code Red finds this file, it aborts.

4. Code Red then starts scanning the network for other systems on which TCP port 80 is active.

5. After a delay, Code Red checks the language used on the web server. If English is the language, it then defaces all web pages on the victim host with the message

HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
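As an added example (not part of the original LBNL page), the following Python script shows how a defender could spot the request shape described in step 2 in IIS W3C-format logs: a GET for the Index Server ISAPI extension (.ida or .idq, the component patched by MS01-033) carrying an oversized or filler-stuffed query string. The log lines, the 200-byte threshold and the 64-repeat filler rule are constructed assumptions for illustration, not values from the page.

```python
import re
from typing import List, NamedTuple, Optional

# Requests to the Index Server ISAPI extension are the only ones of interest.
IDA_RE = re.compile(r"\.(ida|idq)$", re.IGNORECASE)
# Assumption: legitimate Index Server queries are short; the worm's overran a buffer.
MAX_SANE_QUERY = 200
# Assumption: 64+ repeats of one byte is filler, not a real search query.
LONG_RUN_RE = re.compile(r"(.)\1{63,}")

class Hit(NamedTuple):
    client: str
    stem: str
    query_len: int
    reason: str

def classify(line: str) -> Optional[Hit]:
    """Classify one W3C extended log line with fields:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    parts = line.split()
    if len(parts) < 7 or parts[3].upper() != "GET":
        return None
    client, stem, query = parts[2], parts[4], parts[5]
    if not IDA_RE.search(stem) or query == "-":
        return None
    if len(query) > MAX_SANE_QUERY:
        return Hit(client, stem, len(query), "oversized query to Index Server ISAPI")
    if LONG_RUN_RE.search(query):
        return Hit(client, stem, len(query), "repeated filler in Index Server query")
    return None

def scan(log_text: str) -> List[Hit]:
    """Return every suspicious request found in the log text."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]

# Constructed sample log: two requests imitate the worm's shape (hundreds of one
# repeated letter followed by %u-encoded bytes); the other two are benign.
SAMPLE_LOG = "\n".join([
    "2001-07-19 10:15:01 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 10:15:07 198.51.100.23 GET /default.ida " + "N" * 224 + "%u9090%u6858 200",
    "2001-08-04 03:22:41 203.0.113.5 GET /default.ida " + "X" * 224 + "%u9090%u6858 200",
    "2001-07-19 10:16:00 192.0.2.10 GET /search.idq CiRestriction=code+red 200",
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.stem} ({hit.query_len} bytes): {hit.reason}")
```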

Variants

There are already several variants of this worm, some of which do not work in exactly the manner described above. Some appear to work only between the 1st and 20th days of each month. Some had a built-in expiration date of July 28, and so are gone.

Code Red II. It was expected that other variants would start spreading on and after July 31, 2001. This has turned out to be the case. A new version of Code Red, Code Red II, has already infected several Windows systems at LBNL. It is similar to the original version of the Code Red worm, except that it installs a back door program on infected machines that enables remote hackers to control them. It also installs special mappings that this worm needs. Because of these changes to infected systems, cleaning up a system after Code Red II requires more than simply rebooting the infected server.

Microsoft has released a utility ("redfix") that not only removes Code Red II from the infected system's memory, but also deletes the back door program and the special mappings. It also can permanently disable IIS on the server if you choose to do this. Click here to download this tool.

What to do if Your IIS Web Server Becomes Infected

So far no versions of this worm damage systems, applications, data files, and so on. The worm resides entirely in the victim system's memory, so rebooting a victim system will eradicate the worm. If you need to shut down an infected system, be sure to use the normal shutdown function rather than powering it off. This will prevent damage to the system's hard drive. Be sure to patch your system right away (see below), or it will immediately become reinfected.

You also need to report what happened to your division's security liaison (see http://www.lbl.gov/itsd/security/people.htm).

Patch Your System to Prevent a Code Red Infection

Promptly patching your IIS web server is the best preventive measure. The LBNL CIO Office requires that every LBNL IIS web server have installed at least the five fixes or patches that correct the following vulnerabilities:

  1. A vulnerability in IIS' RDS (Remote Data Service) can allow unauthorized ODBC data access. This vulnerability requires a configuration change to eliminate it, rather than a patch. See Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-025).
  2. An IIS Unicode translation error can allow unauthorized remote command execution. This vulnerability requires a patch. See Microsoft Security Bulletin (MS00-078): Patch Available for 'Web Server Folder Traversal' Vulnerability.
  3. An IIS URL decoding error could allow remote execution of unauthorized programs. This vulnerability requires a patch. See Microsoft Security Bulletin MS01-026, 14 May 2001 Cumulative Patch for IIS.
  4. The showcode.asp sample file distributed with IIS and SiteServer could allow remote access to the IIS server's source code. This vulnerability requires a patch. See Microsoft Knowledge Base Article 232449 (Sample ASP Code May be Used to View Unsecured Server Files).
  5. A vulnerability in the Index Server's webhits.dll can be exploited to reveal the source of ASP files to unauthorized users. This vulnerability requires a patch. See Windows 2000, Critical Update, February 17, 2000.

Additionally, you need to configure your IIS web server's IP filter list (accessible via your system's Internet Service Manager; the exact path to this filter depends on which version of IIS your system is running) to block any connections from other LBNL IIS web servers. This serves as an additional safeguard to protect your IIS web server from other IIS web servers here at LBNL that may become infected with Code Red or other worms.

  • The patch that fixes the bug that Code Red exploits is available at Microsoft Security Bulletin MS01-033 (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise).

  • Given the threat that Code Red introduces and in case you have not seen this before, you may also want to know that NTBugTraq has released a hardening tool for IIS 4.0 to assist administrators in configuring IIS 4.0 more securely. The tool implements many of the recommendations in Microsoft's IIS 4.0 security checklist. Click here to download the tool.

  • Download the Microsoft's IIS 4.0 security checklist.

  • Microsoft also supplies the HFCheck tool, which allows IIS 5.0 Webmasters to ensure that their servers are up to date on all security patches. The tool can be run continuously or periodically against a local machine or a remote one, using either a database on the Microsoft Web site or a locally-hosted copy. When this tool discovers a patch that has not been installed, it can display a dialogue box or write a warning to the Event Log. Click here to download.

  • Be sure to keep up with the vulnerabilities in the IIS web server; new ones are constantly being found. New versions of Code Red that exploit new vulnerabilities are almost certain to surface.

  • Code Red II: Microsoft has released a utility that not only removes Code Red II from the infected system's memory, but also deletes the back door program and the special mappings. It also can permanently disable IIS on the server if you choose to do this. Click here to download this tool.
