Lock IT Down: Code Red makes its return and finds fresh victims

Analyze the impact of the Code Red Worm and its variants

A slight variant of the Code Red worm has appeared and is wreaking havoc in systems around the world despite having no new feature that would defeat any properly patched system or virtually any antivirus software. The major change in this version is the removal of the year limitation, which means it will essentially be with us forever. The fact that Code Red II (the previous incarnation of the worm) had a date limitation and has stopped spreading apparently led some administrators and users to ignore the patches that have been available since mid-2001.

The original Code Red (now known as Code Red I) was designed to produce a distributed denial of service attack on the Web site, but it had no real effect because the payload targeted a specific IP. Once the worm was seen in the wild, the government simply changed the IP addresses for that server.

On June 18, 2001, Microsoft published a patch for the buffer overflow vulnerability in IIS file ldq.dll, which opened servers to this attack. That patch can block Code Red I, Code Red II, and this latest variant, Code Red.F.

Code Red II, which was first seen on August 4, 2001, took advantage of the same buffer overflow vulnerability in unpatched older Microsoft IIS Web Server versions. The big difference between Code Red I and II was that the payload carried by Code Red II wasn’t a denial of service attack. Code Red II actually took over the server, allowing remote access to the infected system.

Code Red.F is a slight variant of the Code Red II worm. Like Code Red II, Code Red.F appears to differentiate between computers using the Chinese language and all others, but the difference is only one of timing and the intensity of the attack. After Code Red.F installs itself and its payload on Chinese systems, it sleeps for two or four days before it activates. On all other systems, it activates immediately upon installation.

It's likely that this Code Red variant is spreading once again because administrators of some infected machines don’t realize they have IIS installed and therefore don't have any patches or service packs applied.

This latest version of the worm is variously known as Code Red.v3, Code Red.C, Code Red III, W32.Bady.C, and Code Red.F. Symantec reports that the backdoor planted by Code Red.F, Trojan.VirtualRoot, exploits a Windows 2000 vulnerability. To clear this vulnerability, install the security patch found in MS00-052, Relative Shell Path Vulnerability.

F-Secure provides a detailed analysis of this new version of Code Red with specific attention to the removal of date restrictions that killed off the Code Red II version at the end of 2002.

Code Red history lesson
07/02/2001: "Microsoft reveals another vulnerability in IIS"
07/24/2001: "What you need to know about the Code Red worm"
07/25/2001: "Prepare for the impending Code Red worm variants"
08/13/2001: "Code Red worm raises doubts about administrators"
08/20/2001: "Watch out for the backdoor left by Code Red II"

In addition to Microsoft IIS 4.0 and 5.0 installations, other systems that are used to create Web pages, including those with FrontPage, may have IIS installed, perhaps without the knowledge of the user or administrator.

Risk level—high
This worm carries a Trojan horse payload, which gives a remote attacker complete access to the infected system.

Mitigating factors
Any administrator who has applied any cumulative patch or service pack for IIS in the past 17 months has already blocked the Code Red worm attack vector. Antivirus software signatures for the Code Red I and Code Red II worms will detect and block this variant.

Patch and remove
There are links to a cumulative patch at MS01-044. This patch should be applied to all affected IIS servers. If you want the earlier patch just for the buffer overflow vulnerability exploited by Code Red variants, go to MS01-033.

Although Microsoft issued a patch for this vulnerability a long time ago, if you don’t trust its Code Red removal tool, you can check out Symantec Security Response's updated Code Red fix page. The company says that its existing Code Red Removal Tool (FixCRed.exe) will correctly detect and clean this new variant; specifically, it will locate the Code Red II and Code Red.F Trojan VirtualRoot on all systems. It's worth noting that Microsoft’s removal tool page doesn’t specifically report that it is effective against Code Red.F, as Symantec’s page does.

Removing all traces of Code Red can be a tedious undertaking without some sort of removal tool, but if you want or need to tackle the job manually, Symantec provides detailed instructions for manual removal.

Drink it up
If you’re interested in IT trivia, Sophos, a UK-based antivirus product vendor, reports, "One little known fact about the Code Red worm is that it acquired its name from the 'Code Red' cherry flavour of the Mountain Dew soft drink. One of the first researchers to analyse the worm consumed large amounts of the drink whilst examining the worm's code."

Final word
When it first appeared, the original Code Red worm became the fastest spreading worm seen up until that time. A vast number of systems were vulnerable and quickly infected. In the case of this newest variant, I was able to follow its spread for two days before it reached a critical level. This was obviously because the majority of installations have been patched or, at minimum, protected by antivirus programs.

Since IIS is installed on some Windows 2000 systems by default, even if it is not specifically being used, and because it is also installed on many systems used for Web site design, it's entirely possible that most of the infected machines this time around are vulnerable because the user or administrator isn’t even aware that IIS is installed. These people would, of course, not be watching for patches, although no one can be excused for failing to have antivirus software installed. The remaining infected systems are probably the result of inexperienced administrators or businesses that don’t even have a designated professional administrator who knows how to appropriately manage patches.

Editor's Picks