More Malicious Code: Code Red
Code Red appeared in the middle of 2001, to devastating effect. On July 29,
the U.S. Federal Bureau of Investigation proclaimed in a news release that "on July 19, the
Code Red worm infected more than 250,000 systems in just nine hours. . . . This
spread has the potential to disrupt business and personal use of the Internet
for applications such as e-commerce, e-mail and entertainment" [BER01]. Indeed, "the Code Red worm struck
faster than any other worm in Internet history," according to a research
director for a security software and services vendor. The first attack occurred
on July 12; overall, 750,000 servers were affected, including 400,000 just in
the period from August 1 to 10 [HUL01].
Thus, of the 6 million web servers running code subject to infection by Code
Red, about one in eight were infected. Michael Erbschloe, vice president of
Computer Economics, Inc., estimates that Code Red's damage will exceed $2
billion [ERB01].
Code Red was more than a
worm; it included several kinds of malicious code, and it mutated from one
version to another. Let us take a closer look at how Code Red worked.
What It Did
There are several versions of
Code Red, malicious software that propagates itself on web servers running
Microsoft's Internet Information Server (IIS) software. Code Red takes two
steps: infection and propagation. To infect a server, the worm exploits a
buffer overflow in idq.dll, the IIS Indexing Service extension. The overflow
leaves the worm's code resident in the server's memory; the worm itself is
never written to disk, which is why a reboot removes it. Then, to propagate,
Code Red connects to port 80 on other IP addresses and sends the same overlong
request to see whether each host is a vulnerable IIS web server.
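One practical consequence of the infection mechanism is that every attempt leaves a distinctive line in the IIS log. The script below is an added example, not code from the original text or from any published Code Red analysis. It runs two detections over a handful of constructed IIS-style log lines: an overlong or %u-encoded query to a file ending in .ida or .idq (IIS routes both extensions to idq.dll, where the overflow lives), and a request for root.exe in a script directory, which is someone using the backdoor that the later variant planted (described under "How It Worked" below). The log field layout, the 200-byte threshold, the client addresses and the sample lines are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed IIS W3C-style log lines (fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). They are illustrative, not captured
# data; the run of N's stands in for the padding of the overflow request and
# its length is not the worm's exact payload size.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:03:11 203.0.113.7 GET /default.htm - 200
2001-07-19 10:03:40 198.51.100.23 GET /default.ida {pad}%u9090%u6858%ucbd3%u7801 200
2001-07-19 10:04:02 203.0.113.9 GET /search.idq CiRestriction=report 200
2001-07-19 10:05:55 192.0.2.44 GET /scripts/root.exe /c+dir 200
2001-07-19 10:06:10 203.0.113.7 GET /images/logo.gif - 200
""".format(pad="N" * 240)

# IIS hands both extensions to idq.dll, the module the overflow lives in.
IDQ_EXTENSIONS = (".ida", ".idq")
# Assumption: no legitimate Indexing Service query is anywhere near this long.
OVERFLOW_QUERY_LEN = 200
# Web-reachable script directories into which the worm copied cmd.exe.
BACKDOOR_DIRS = ("/scripts/", "/msadc/")


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str


def classify(stem: str, query: str):
    """Return a reason string if the request matches a Code Red signature."""
    s = stem.lower()
    if s.endswith(IDQ_EXTENSIONS):
        # Overlong query, or %u-encoded (Unicode-escaped) bytes, to idq.dll:
        # the overflow attempt, whatever padding character the variant used.
        if len(query) >= OVERFLOW_QUERY_LEN or "%u" in query.lower():
            return "idq.dll buffer overflow attempt"
    if s.endswith("/root.exe") and any(d in s for d in BACKDOOR_DIRS):
        return "backdoor (cmd.exe copied as root.exe) invoked over HTTP"
    return None


def scan_log(text: str) -> list:
    """Walk the log and collect every line that matches a signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed line; a real tool would log it and move on
        _date, _time, client, _method, stem, query, _status = fields
        reason = classify(stem, query)
        if reason:
            hits.append(Hit(n, client, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client}: {hit.reason}")
```

Note that the status code is deliberately ignored: a 200 on the overflow request says nothing about whether the exploit succeeded, since the crash or the hijacked thread happens after IIS has already accepted the request. The "%u" test catches the exploit even when the padding character changes between variants; the length test catches padding with any character at all.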
What Effect It Had
The first version of Code Red
was easy to spot because it defaced web sites with the following text:
HELLO!
Welcome to
http://www.worm.com !
Hacked by Chinese!
The rest of the original Code
Red's activities were determined by the date. From day 1 to 19 of the month,
the worm spawned 99 threads that scanned for other vulnerable computers. Because
the worm's random-number generator was seeded with a fixed value, every infected
host generated, and probed, the same sequence of IP addresses, so adding more
infected hosts did little to widen the scan. Then, on days 20 to 27, the worm
launched a distributed denial-of-service attack at the U.S. White House web site,
www.whitehouse.gov. A denial-of-service attack floods the site with large numbers
of messages in an attempt to slow down or stop the site, which is overwhelmed and
cannot handle the traffic. Finally, from day 28 to the end of the month, the worm
did nothing.
However, there were several
variants. The second variant was discovered near the end of July 2001. It did
not deface the web site, but its propagation was randomized and optimized to
infect servers more quickly. A third variant, discovered in early August,
seemed to be a substantial rewrite of the second. This version injected a
Trojan horse into the target and modified the system so that a remote
attacker could execute any command on the server. The worm also checked the
year and month so that it would automatically stop propagating in October 2002.
Finally, the worm rebooted the server after 24 or 48 hours, wiping itself from
memory but leaving the Trojan horse in place.
How It Worked
The Code Red worm looked for
vulnerable computers running Microsoft IIS software. Exploiting the
unchecked buffer overflow, the worm crashed Windows NT-based servers but executed
code on Windows 2000 systems. The later versions of the worm created a trapdoor
on an infected server; the system was then open to attack by other programs or
malicious users. To create the trapdoor, Code Red copied %windir%\cmd.exe to
four locations:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
Both the scripts and the MSADC directories are mapped as web-accessible,
executable virtual directories in a default IIS installation, so anyone who
could reach the server over HTTP could run the renamed command interpreter,
with arguments of their choosing, through an ordinary web request.
Code Red also included its
own copy of the file explorer.exe, placing it in the root of the c: and d:
drives, where Windows's search for the shell found it before the genuine copy
in the system directory. This Trojan horse first ran the original, untainted
version of explorer.exe, but it modified the system registry to disable Windows
file protection and to map directories, including the root of each drive, as
IIS virtual directories with read, write, and execute permission. As a result,
the web server exposed a virtual path into the file system that could be
followed even when the Trojan explorer.exe was not running. The Trojan horse
continued to run in the background, resetting the registry every 10 minutes;
thus, even if a system administrator noticed the changes and undid them, the
malicious code applied them again.
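Because the worm's own code lives only in memory, the files it drops are what an investigator can actually look for after the reboot. The script below is an added example, not code from the original text or from any incident-response tool: it audits a drive root for the four root.exe copies listed above and for an explorer.exe sitting in the drive root, and hashes each root.exe against the genuine cmd.exe so that a byte-identical copy can be called out explicitly. It builds a scratch directory standing in for a drive, with stand-in bytes rather than real binaries, so it runs on any system; the directory names are the ones the text lists, and the "winnt" system directory and the file contents are assumptions. The registry changes the text describes are not covered here.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

# Locations, relative to a drive root, that the text lists for the cmd.exe
# copy, plus the explorer.exe the worm dropped in the drive root.
ROOT_EXE_PATHS = (
    Path("inetpub/scripts/root.exe"),
    Path("progra~1/common~1/system/MSADC/root.exe"),
)
ROGUE_EXPLORER = Path("explorer.exe")


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_drive(drive_root: Path, genuine_cmd: Path) -> list[str]:
    """Report Code Red II backdoor artifacts under one drive root.

    A root.exe that hashes identically to the genuine cmd.exe is the
    strongest signal; a root.exe that differs still deserves a look.
    """
    findings: list[str] = []
    cmd_hash = sha256(genuine_cmd)
    for rel in ROOT_EXE_PATHS:
        candidate = drive_root / rel
        if candidate.is_file():
            verdict = ("byte-identical to cmd.exe" if sha256(candidate) == cmd_hash
                       else "differs from cmd.exe")
            findings.append(f"{candidate}: root.exe present ({verdict})")
    rogue = drive_root / ROGUE_EXPLORER
    if rogue.is_file():
        findings.append(f"{rogue}: explorer.exe in drive root, found before the genuine copy")
    return findings


def build_demo(scratch: Path, planted: bool) -> tuple[Path, Path]:
    """Constructed scratch 'drive': a stand-in %windir%\\cmd.exe and, if planted,
    the worm's copies and rogue explorer.exe. Contents are not real binaries."""
    windir = scratch / "winnt"  # assumption: NT-style system directory name
    windir.mkdir()
    genuine_cmd = windir / "cmd.exe"
    genuine_cmd.write_bytes(b"MZ stand-in for the real cmd.exe")
    drive = scratch / "c"
    drive.mkdir()
    if planted:
        for rel in ROOT_EXE_PATHS:
            (drive / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(genuine_cmd, drive / rel)  # what the worm did
        (drive / ROGUE_EXPLORER).write_bytes(b"MZ stand-in for the trojan explorer.exe")
    return drive, genuine_cmd


def run_demo(planted: bool = True) -> list[str]:
    """Build the scratch drive, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as td:
        drive, genuine_cmd = build_demo(Path(td), planted)
        return audit_drive(drive, genuine_cmd)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real host the same audit would be run against each drive root with the actual %windir%\cmd.exe as the reference, and a hit on either root.exe should be read together with the web log, since the log shows whether the backdoor was ever used and by whom.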
To propagate, the worm
created 300 or 600 threads (depending on the variant) and tried for 24 or 48
hours to spread to other machines. After that, the system was forcibly
rebooted, flushing the worm in memory but leaving the backdoor and Trojan horse
in place.
To find a target to infect,
the worm's threads worked in parallel. Although the early version of Code Red
directed its denial-of-service traffic at www.whitehouse.gov, later
versions chose scanning targets at random, weighted toward addresses that shared
the infected host's own network prefix, on the reasoning that nearby addresses
are likely to belong to the same organization and run the same software. To
speed its performance, the worm used nonblocking sockets so that a slow
connection to one address would not stall the other threads as they scanned.
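The two scanning strategies described on this page, the fixed-seed scan of the original worm and the prefix-weighted scan of the later variant, can be compared directly. The simulation below is an added example, not code from the original text or from the worm: it models the original worm's target generation with a constant seed (the seed value is an assumption), the second variant's with a per-host seed, and the third variant's locality scheme using the proportions reported in published analyses of Code Red II, which the page itself does not state: one eighth of targets anywhere, one half inside the host's own /8, three eighths inside its own /16. It then measures how many distinct addresses a population of infected hosts actually probes, and how the locality scheme distributes targets around the host's own address.

```python
import random
from ipaddress import IPv4Address


def random_ipv4(rng: random.Random) -> IPv4Address:
    return IPv4Address(rng.getrandbits(32))


def fixed_seed_targets(n: int, seed: int = 0x1234) -> list:
    """Original Code Red: the generator is seeded with a constant (the value
    here is an assumption), so every infected host produces this same list."""
    rng = random.Random(seed)
    return [random_ipv4(rng) for _ in range(n)]


def per_host_targets(n: int, host_seed: int) -> list:
    """Second variant: each host seeds its generator from something unique to it."""
    rng = random.Random(host_seed)
    return [random_ipv4(rng) for _ in range(n)]


def local_target(own: IPv4Address, rng: random.Random) -> IPv4Address:
    """Code Red II selection as reported in published analyses (not on this
    page): probability 1/8 any address, 1/2 an address in the host's own /8,
    3/8 an address in the host's own /16."""
    base = int(own)
    r = rng.random()
    if r < 1 / 8:
        return IPv4Address(rng.getrandbits(32))
    if r < 5 / 8:
        return IPv4Address((base & 0xFF000000) | rng.getrandbits(24))
    return IPv4Address((base & 0xFFFF0000) | rng.getrandbits(16))


def distinct_coverage(hosts: int, per_host: int, fixed: bool) -> int:
    """How many distinct addresses a population of infected hosts probes in all."""
    seen = set()
    for h in range(hosts):
        targets = fixed_seed_targets(per_host) if fixed else per_host_targets(per_host, h + 1)
        seen.update(targets)
    return len(seen)


def locality_stats(own_ip: str, n: int, seed: int = 1):
    """Fraction of Code Red II targets that land in the host's /16, and the
    fraction that land in its /8 but outside its /16."""
    own = IPv4Address(own_ip)
    rng = random.Random(seed)
    same16 = same8 = 0
    for _ in range(n):
        t = int(local_target(own, rng))
        if t >> 16 == int(own) >> 16:
            same16 += 1
        elif t >> 24 == int(own) >> 24:
            same8 += 1
    return same16 / n, same8 / n


if __name__ == "__main__":
    print("fixed seed, 10 hosts x 1000 probes:", distinct_coverage(10, 1000, fixed=True))
    print("per-host seed, 10 hosts x 1000 probes:", distinct_coverage(10, 1000, fixed=False))
    print("Code Red II locality (same /16, same /8 only):", locality_stats("192.0.2.10", 20000))
```

With the fixed seed, ten hosts probe no more addresses than one host does, which is why the July 13 version spread slowly; reseeding per host multiplies coverage by roughly the number of infected hosts. The locality scheme trades breadth for the higher hit rate inside a network that already has one vulnerable IIS server, which also explains why a single infected machine tended to be followed by many more in the same address range.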
What Was Learned
As of this writing, more than
6 million servers use Microsoft's IIS software. The Code Red variant that left
an unauthenticated, remotely reachable command shell on every infected server
made Code Red a virulent and dangerous piece of malicious code. Microsoft had
published a patch for the overflow, which would have prevented infection by Code
Red, before the worm appeared, but many administrators neglected to apply it.
(See Sidebar 3-6.)
Some security analysts
suggested that Code Red might be "a beta test for information
warfare," meaning that its powerful combination of attacks could be a
prelude to a large-scale, intentional effort targeted at particular countries
or groups [HUL01a]. For this reason,
users and developers should pay closer attention to the security of
their systems. Forno [FOR01] warns that
security threats such as Code Red stem from our general willingness to buy and
install code that does not meet minimal quality standards and from our
reluctance to devote resources to the large and continuing stream of patches
and corrections that flows from the vendors. As we see in Chapter 11, this problem is coupled with a lack
of legal standing for users who experience seriously faulty code.