analysis of the .ida "Code Red" worm
20 july 2000

This message is an alert to all IT administrators regarding a very dangerous
software worm that is propagating through the Internet. 
The following is a summary of an advisory issued by eEye today.
Please treat this information with the utmost urgency and immediately apply the
proper patches and fixes to your servers, if affected.

On Friday, July 13th eEye Digital Security received packet logs and
information from two network administrators whose servers were experiencing large
numbers of attacks targeting the recent .ida vulnerability that eEye Digital Security
discovered (http://www.eeye.com/html/Research/Advisories/AD20010618.html) on June 18, 2001.
After reviewing the logs sent to us, we determined that someone had released
a worm into the Internet that was spreading rapidly through IIS Web servers.

eEye Digital Security has been working with various government and private sector agencies
analyzing and dissecting the "Code Red" worm.
The full analysis of the .ida "Code Red" worm has provided numerous details 
as to the functionality and method of propagation of this worm.
The following will outline what we have found and the conclusions we have reached
during our research over the past twelve hours. 

1. This worm's purpose ultimately seems to be to perform a
   denial-of-service attack against www.whitehouse.gov.
2. Only US English Windows NT/2000 systems will show the defaced ("Hacked by Chinese!") Web page.
3. NIPC (National Infrastructure Protection Center) has issued
   an advisory regarding this worm that can be found here: 
4. Below is a list of articles relating to this story:

CNET: http://news.cnet.com/news/0-1003-200-6604515.html?tag=tp_pr
Newsbytes: http://www.newsbytes.com/news/01/168003.html
ENT Online: http://www.entmag.com/breaknews.asp?ID=4739
EWeek: http://www.zdnet.com/eweek/stories/general/0,11011,2789405,00.html
CRN: http://www.crn.com/components/Nl/direct/article.asp?ArticleID=28301
Newsbytes: http://www.newsbytes.com/news/01/168089.html
Vnunet: http://www.vnunet.com/News/1124051?&_ref=1648103366

The only way to protect your server is to download
the Microsoft patch at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp and reboot the server.
It should be noted that although eEye clients running SecureIIS (www.eEye.com/SecureIIS) have been
protected from this worm before its discovery,
they should still make sure to download and install the above patch if they have not already done so.

This analysis was performed by Ryan Permeh and Marc Maiffret of eEye Digital Security.
The disassembly (complete with comments) was done by Ryan Permeh.

For more details and to see the detailed technical advisory,
go to www.eEye.com/html/Research/Advisories/AL20010717.html.   

Explanation
===========
As stated earlier, the .ida "Code Red" worm is spreading throughout IIS Web servers
on the Internet via the .ida buffer overflow attack that was published last month.

The following are the steps that the worm takes once it has infected a vulnerable Web server.

1. Set up the initial worm environment on the infected system.
2. Set up 100 threads of the worm.
3. The first 99 threads are used to spread the worm (infect other Web servers).
   The worm spreads itself by creating a sequence of random IP addresses.
   However, the worm's randomization of IP addresses to attack is not altogether random.
   In fact, there seems to be a static seed (a beginning IP address that is always the same)
   that the worm uses when generating new IP addresses to try to attack.
   Therefore every computer infected by this worm is going to go through the same list
   of "random" IP addresses to try to infect.
   Because of this feature, the worm will end up re-infecting the same systems multiple times,
   and traffic will cross back and forth between hosts, ultimately
   creating a denial-of-service type effect.
   The denial-of-service will be due to the amount of data being transferred between
   all of the IP addresses in the sequence of random IP addresses.

4. The 100th thread of the worm checks to see if the current server is running
   an English (US) Windows NT/2000 system.
-  If the infected system is found to be an English (US) system,
   the worm will proceed to deface the system's website.
   The local Web server's Web page will be changed to a message that
   says "Welcome to http://www.worm.com !, Hacked By Chinese!".
   This hacked Web page message will stay "live" on the Web server for ten hours and then disappear.
   The message will not appear again unless the system is re-infected by another computer.
-  If the system is not an English (US) Windows NT/2000 system then the 100th worm thread
   is also sent out to infect other systems.

5. Each worm thread checks for the file c:\notworm
-  If the file c:\notworm is found, the worm becomes dormant.
-  If the file is not found then each thread will continue to attempt to infect more systems.

6. Each worm thread checks the infected computer's date.
-  When the date is July 20th, 2001, the thread will attack www.whitehouse.gov.
   The attack consists of the infected system sending 100k bytes of data to
   port 80 of www.whitehouse.gov, therefore potentially performing a denial-of-service
   attack against www.whitehouse.gov.
-  If the system time is before 20:00 UTC, the worm thread will continue to
   try to find and infect new Web servers.

In testing, we have calculated that the worm can attempt to infect
roughly half a million IP addresses a day.
This is a rough estimate generated by testing on a very slow network.

As of writing this document (July 19, 12:00pm) we have received reports from
administrators that have been probed by over twelve thousand unique hosts.
This leads us to believe that this worm has infected at least twelve thousand computers.

During testing we noticed that sometimes the worm does not execute "normally" 
and will continue to spawn new threads until the infected machine crashes
and has to be rebooted, effectively killing itself.
We have not been able to isolate the cause of this behavior.


How To Secure Your System From This .ida "Code Red" Worm
---------------------------------------------------------
Microsoft patch for this .ida vulnerability:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

The worm spreads itself to new vulnerable systems via the .ida vulnerability.
Applying the above patch will keep your server from being infected.
However, as stated earlier, because of the way the worm creates its
list of "random" IP addresses to attack, if your server appears on that list of IP addresses,
it could still be affected by the resulting traffic overload (a denial-of-service effect).


I have been infected by this worm what can I do?
------------------------------------------------
The first thing you must do is go to the Microsoft security site,
as referenced above, and install the .ida patch as soon as possible.
The worm will remain in memory until you reboot your server,
so make sure to reboot after installing the .ida patch.


I think I am infected, how can I tell?
--------------------------------------
An infected system will show an increase in load (processor/network).
It will also show a number of external connections (or attempts) to
port 80 on the Web server from random IP addresses.
Do not take any chances; if you believe that your system is missing the .ida patch,
install it as soon as possible and reboot.
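The indicator described above (many connection attempts to port 80 from many distinct source addresses) can be checked against connection logs. The following is an added example written for this summary, not eEye's code: it reads firewall-style log lines in an assumed format ("<timestamp> SRC=<ip> DPT=<port>", constructed here), groups port-80 connection attempts into fixed time windows, and flags any window in which the number of distinct sources exceeds a chosen baseline.

```python
"""Heuristic port-80 probe-surge detector (added example, not eEye's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the "<timestamp> SRC=<ip> DPT=<port>" format is an assumption.
SAMPLE_LOG = """\
2001-07-19T12:00:01 SRC=10.0.0.5 DPT=80
2001-07-19T12:00:02 SRC=10.0.0.5 DPT=80
2001-07-19T12:00:03 SRC=10.0.0.7 DPT=443
2001-07-19T12:05:01 SRC=198.51.100.1 DPT=80
2001-07-19T12:05:02 SRC=198.51.100.2 DPT=80
2001-07-19T12:05:03 SRC=198.51.100.3 DPT=80
2001-07-19T12:05:04 SRC=198.51.100.4 DPT=80
2001-07-19T12:05:05 SRC=198.51.100.1 DPT=80
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DPT=(\d+)$")
EPOCH = datetime(1970, 1, 1)  # naive reference point; keeps bucketing timezone-independent


def parse_line(line):
    """Return (timestamp, source_ip, dest_port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def port80_sources_per_window(log_text, window_seconds=60):
    """Map each window start (ISO string) to the set of distinct sources hitting port 80."""
    windows = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole run
        ts, src, dport = parsed
        if dport != 80:
            continue
        secs = int((ts - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=secs - secs % window_seconds)
        windows[start.isoformat()].add(src)
    return windows


def flag_surges(log_text, window_seconds=60, max_unique_sources=3):
    """Return sorted (window_start, distinct_source_count) pairs above the baseline."""
    windows = port80_sources_per_window(log_text, window_seconds)
    return sorted((start, len(srcs)) for start, srcs in windows.items()
                  if len(srcs) > max_unique_sources)
```

The baseline of three distinct sources per minute is only a placeholder for the sample; on a real server it should be set from that server's normal traffic, since a busy public site will legitimately exceed it.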


Credits
-------
Ken Eichman of Chemical Abstracts Service, Matthew Asham of Left Coast Systems Corp,
and a large handful of other administrators who gave us the data necessary to piece together this report.


If you have any comments or questions regarding this issue, please don't hesitate to contact us.

Signed,
eEye Digital Security
www.eeye.com
T.949.349.9062
F.949.349.9538