Code Red Worm
Years from now, we will all look back on the summer of 2001
as one of the strangest summers in the history of the
internet. We will surely laugh at the frantic gyrations of
system administrators and security professionals because
of a worm called "Code Red". We system administrators
will most certainly chuckle as we fondly reminisce on the late
evenings spent patching server after server at the urging of
our security professionals. And hey, that blue screen or two
that resulted was so much fun to research, and the reinstalls
that we had to do the next day will certainly be the topic of
campfire conversations for years to come! Not!
During late July and early August, Microsoft, CERT
(Computer Emergency Response Team) and the FBI issued
emergency bulletins urging all system administrators to patch
their web servers immediately. The press was alerted and asked
to help spread the word that the internet itself was in
extreme danger. Every security and antivirus company on the
planet was busy sending out notices to everyone they could
find that the problem had to be fixed immediately, or dire
consequences would result.
The predictions were that internet speed would be reduced
to a crawl for days while billions (trillions?) of meaningless
packets were thrown at the White House web site in an attempt to
knock it off the air.
What was the cause of this three-ring circus?
It's very simple really. The same old story. Microsoft had
a bug in their web server code. Well, saying they had a bug
dramatically understates the magnitude of the problem.
To put it into perspective, let's say you hired a
contractor to build a new bank (you are the bank manager).
Naturally, your bank is outfitted with state of the art
technology (so says the brochure), including a shiny,
well-publicized security system. The project was expensive,
but you're happy because, hey, it's the new, improved, extra
special XP bank. Besides, the contractor is the biggest one on
the planet and, frankly, you paid them an exorbitant rate to
ensure that you got the best there was.
After your bank is robbed, you find out that the contractor
had "accidentally" left an eight foot hole in the right wall.
This isn't just a small hole, it's a huge, gaping crevice
leading directly to the vault. It's in plain view to everyone,
except, seemingly, the contractor. When you confront the
contractor to ask them how they could do such a stupid thing,
they politely tell you, after a three hour wait on hold and a
$295 charge on your credit card, that it's really your fault
because you didn't follow the instructions in their special
security bulletin two months ago. Didn't you send a couple of
your employees to the BSE (Bank Systems Engineer) classes to
learn that they need to purchase the extra-special, super
spectacular BankNet knowledgebase CDs?
Okay, all kidding and sarcasm aside, there is a bug in the
Indexing service (the component that creates searchable
indexes) in the Microsoft Internet Information Server (the
program which displays web pages on a web server) which is
supplied with Windows NT and Windows 2000. This bug allows
anyone who can send a special string of characters to a
web server to "take control" and, basically, cause the web
server to do anything that the attacker desires.
The bug is something commonly known as a "buffer overflow",
which simply means you can send more characters to the web
server than it is capable of receiving. When a program
receives characters it writes them to memory in a place called
a buffer. If a poorly written program receives more characters
than it is designed to handle, the extra characters spill over
into the memory next to the buffer and, under special
conditions, end up being executed with the program's privileges.
To put it very simply, it was discovered that you could
cause the Indexing Service to "overflow its buffers" and
execute selected code as a privileged user. This allows a
special hacker program (which is reported to have required all
of a half hour to write) to gain control of a server.
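The pattern the two paragraphs above describe, written out as an added C illustration (this is not code from the article, from Microsoft or from the Indexing Service): a request handler that copies a query into a fixed-size buffer without checking its length, next to the bounded version a competent reviewer would insist on. The buffer size QUERY_CAP, the function names and the return codes are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; real servers use larger buffers,
 * but the failure mode is the same at any size. */
#define QUERY_CAP 64

enum { REQ_OK = 0, REQ_TOO_LONG = 1 };

/* Unsafe pattern: the query is copied without first asking whether it
 * fits.  A request longer than QUERY_CAP - 1 characters writes past the
 * end of `query` onto whatever the compiler placed after it, which is the
 * "overflow its buffers" condition the article describes.  Shown only for
 * contrast; it is never called with oversized input here. */
int handle_query_unsafe(const char *request)
{
    char query[QUERY_CAP];
    strcpy(query, request);            /* no length check at all */
    return REQ_OK;
}

/* Bounded version: measure first, refuse anything that does not fit
 * (leaving room for the terminating NUL), then copy exactly that much. */
int handle_query_safe(const char *request, size_t *stored_len)
{
    char query[QUERY_CAP];
    size_t len = strlen(request);

    if (len >= sizeof query)
        return REQ_TOO_LONG;           /* reject instead of overflowing */

    memcpy(query, request, len + 1);   /* bounded by the check above */
    if (stored_len)
        *stored_len = strlen(query);
    return REQ_OK;
}

/* The check a QA person would apply to any fixed-size buffer: would this
 * input, plus its terminator, exceed the buffer? */
int would_overflow(const char *request, size_t buffer_size)
{
    return strlen(request) >= buffer_size;
}

/* Build a constructed request of `len` characters and run it through the
 * safe handler, so boundary cases can be checked without real traffic. */
int probe_length(size_t len)
{
    char buf[512];
    if (len >= sizeof buf)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return handle_query_safe(buf, NULL);
}

int main(void)
{
    size_t n = 0;
    printf("11 chars: %d\n", handle_query_safe("default.htm", &n));
    printf("63 chars: %d\n", probe_length(63));   /* exactly fits */
    printf("64 chars: %d\n", probe_length(64));   /* one too many */
    printf("200 chars: %d (would_overflow=%d)\n",
           probe_length(200), would_overflow("", 0));
    return 0;
}
```

The only difference between the two handlers is the single comparison before the copy; that is the check the article says any graduate of "programming 102" should know to write, and it is also the kind of check a code reviewer or quality assurance pass can look for mechanically.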
You have to understand that buffer overflows are nothing
new to the world of computing. In fact, I am sure that the
first programmer is also the first person to experience this
condition. This is well known to competent quality control
departments, programmers, designers and, of course, hackers.
To put it bluntly, buffer overflows should not occur in any
program written by any programmer who has passed "programming
102". In addition, any quality assurance person who has taken
"quality control 101" should be able to check for and spot the
problem from a mile away.
All right already, so what is the infamous Code Red
worm?
Code Red is a clever little program which takes advantage
of this gaping hole in the Index Server. What the program does
is search for systems with the flaw. It's easy to find those
systems and Code Red is very good at its job. So good, in
fact, that in early August 2001 it is estimated that it
infected over 300,000 machines!
Once the worm finds a machine, it executes the buffer overflow
condition and causes itself to be installed on the machine.
Remember the Wrath of Khan movie where the beetle with the big
pincers crawled into Chekov's ear? It's something like that.
Once the bug got into his brain, oh sorry ... once the
worm has installed itself it does a number of different
things depending upon the day of the month. Some days near the
beginning of a month it will search for new systems to infect.
Towards the middle the worms will all launch an attack against
the White House web site. At the end of the month, all of these
malicious little programs will sleep, waiting for the next
month.
Interestingly, the Code Red worm has a couple of small
flaws. First, its attack is directed at a single IP address.
Thus, during the first waves of attacks in July the White House
"dodged the bullet" by simply changing their address.
Second, the worm only installs itself in memory. This means it's
simply a matter of rebooting the server to rid it of the pesky
infection. Of course, if you don't install the patch (a fix to
repair the problem, conceptually like the piece of rubber used
to patch a hole in a tire), it's just a matter of time until
your system gets infected again.
Naturally, a new worm called "Code Red II" has been reported in the
wild, and almost certainly does not include these flaws.
Hopefully system administrators will comply and install their
patches so their systems will not be assimilated into the Code
Red and Code Red II attacks.