Wednesday, 10 August 2011

Information on the Code Red Virus

The Code Red worm was first discovered and researched by eEye Digital Security employees, Marc Maiffret and Ryan Permeh. The worm was named the .ida "Code Red" worm because Code Red Mountain Dew was what they were drinking at the time, and because of the phrase "Hacked by Chinese!" with which the worm defaced websites.

Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.

Code Red has defaced many Web sites with the message "Hacked By Chinese," experts said. Despite the message, the origin of the virus is unknown.

The ultimate goal of the virus, known as a "worm," is to gather strength by infecting more computers and then have them all attack a numerical Internet address that represents the White House Web site. The assault, which was set to go off Thursday at 8 p.m. EDT, is a denial of service attack, designed to hamper or shut down a computer system by flooding it with huge amounts of data.


This is the original Code Red web worm (the A variant), first found in July 2001.


UPDATE ON 1ST OF AUGUST, 2001
By 15:00 GMT, 15 hours after widespread Code Red infections restarted, the situation is getting rapidly worse. The worm has gone worldwide again, infecting vulnerable web sites at an increasing rate. The number of infected servers almost doubles every hour, and has passed 20,000 infected machines.

In comparison, on 19th of July, Code Red infected around 300,000 servers, and was only stopped because the worm stopped infections by itself. This time around the worm won't stop spreading for another three weeks.

UPDATE ON 1ST OF AUGUST, 2001
By 12:00 GMT, 12 hours after the new spreading phase for the Code Red worm restarted, no visible effects of the worm could be seen. The worm did restart spreading, as feared, but the initial rate of infections was not very fast.

The worm might gain more ground later on, but it's likely that the number of reinfected web servers will be lower than in July, and the effects of the worm on the general public will be minimal.

Propagation
Code Red is a worm that exploits a security hole in Microsoft Internet Information Server (IIS) to spread. When it infects a server it starts to scan for other vulnerable servers and infects them. During a certain period of time the worm only spreads, then it initiates a Denial-of-Service (DoS) attack against www1.whitehouse.gov and finally suspends all the activities.



This repeats every month. The time zone in the above picture is GMT.

The worm can resume its infection phase at midnight on July 31st if there are infected servers on the Internet with incorrect date settings that cause them to already be scanning for vulnerable hosts, or if the worm is restarted manually by a malicious party.

The front page of an infected server might have been changed by the worm to the following:



On August 4, 2001 Code Red II appeared. Code Red II is a variant of the original Code Red worm. Although it uses the same injection vector it has a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.

eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm).

References:
http://www.f-secure.com
http://abcnews.go.com/
http://en.wikipedia.org

