Code-red worm Attack on Computers
Overview
• The focus of this presentation is to research the code-red worm attack. I have created an audit report, which includes a detailed technical background and how the threat compromised the target. This PowerPoint presentation is included in the summary of my findings. The essay covers a background, then how the code-red worm looked, this PowerPoint presentation, and then the conclusion.
Background
• The code-red worm attack was a malware worm that affected computers mainly during 2001 (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November). The specific date of the code-red worm attack is July 15, 2001 (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November).
Background Cont’d…
• The company eEye Digital Security was the first to discover that the code-red worm malware was spreading across computer systems that ran Microsoft’s IIS web server (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November). The malware attack is named code-red because the people who discovered the malware were drinking Code Red Mountain Dew at the time (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November). The code-red worm was released on July 13, 2001 (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November).
Background Cont’d…
• It took six days after that, until July 19, 2001, for the largest number of computers running the Microsoft IIS web server to be infected with the code-red worm malware (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November). On July 19, 2001, approximately 359,000 computers were infected with the code-red malware (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November).
How the Worm Looked on Computers
• The code-red worm attack would deface the front page of a website, replacing it with a message (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November). The following text would appear on the front page of the website:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
(Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November).
How the Worm Looked on Computers Cont’d…
• On August 4, 2001, Code Red II appeared. Code Red II is a variant of the original Code Red worm. Although it uses the same injection vector, it has a completely different payload. It pseudo-randomly chose targets on the same or different subnets as the infected machine according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used a pattern of repeated 'X' characters instead of 'N' characters to overflow the buffer.
• eEye believed that the worm originated in Makati City, Philippines, the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November). This is exactly how the code-red worm was able to spread so quickly (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003, October; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002, November; Weaver, Paxson, Staniford & Cunningham, 2003, October; Zou, Gong & Towsley, 2002, November).
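The slide above contrasts the original worm's run of repeated 'N' characters with Code Red II's run of 'X' characters. The following Python checker is an added example, not part of the original presentation or of any source it cites: it reads web-server access-log lines and flags requests whose query string carries a long run of one repeated character, labelling 'N' runs as Code Red style and 'X' runs as Code Red II style, then counts hits per label so an operator can see which variant is probing the server. The sample log lines are constructed; the /default.ida path in them follows public descriptions of the worm's probe and, like the MIN_RUN threshold, is an assumption of this example rather than something the slide states.

```python
import re
from collections import Counter

# Constructed sample access-log lines (common log format). The /default.ida
# path and the long 'N' / 'X' runs follow public descriptions of the Code Red
# and Code Red II probes; none of this is captured traffic. The run length
# (224) is a constructed value, not taken from the slides.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [19/Jul/2001:10:01:02 +0000] "GET /default.ida?'
    + "N" * 224 + ' HTTP/1.0" 200 0',
    '198.51.100.7 - - [04/Aug/2001:14:22:10 +0000] "GET /default.ida?'
    + "X" * 224 + ' HTTP/1.0" 200 0',
    '192.0.2.9 - - [19/Jul/2001:10:05:44 +0000] "GET /index.html HTTP/1.1" 200 1843',
    '192.0.2.10 - - [19/Jul/2001:10:06:01 +0000] "GET /products?id=NNN HTTP/1.1" 404 512',
])

# Minimum run length before a repeated character counts as overflow padding.
# Assumed threshold: long enough that ordinary query values never reach it.
MIN_RUN = 64

# Which padding character maps to which variant, per the slide's description.
RUN_LABELS = {"N": "code-red", "X": "code-red-ii"}

# Client IP, timestamp, request line and status code of a common-log-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def longest_run(s):
    """Return (character, length) of the longest run of one repeated character."""
    best_char, best_len = "", 0
    cur_char, cur_len = "", 0
    for ch in s:
        if ch == cur_char:
            cur_len += 1
        else:
            cur_char, cur_len = ch, 1
        if cur_len > best_len:
            best_char, best_len = cur_char, cur_len
    return best_char, best_len


def classify_request(path):
    """Label a request path as a Code Red / Code Red II style probe, or None.

    Only the query string is inspected, because the padding that overflows the
    buffer sits after the '?' in the probe; a run shorter than MIN_RUN, or a run
    of some character other than 'N' or 'X', is not flagged.
    """
    query = path.partition("?")[2]
    ch, run_len = longest_run(query)
    if run_len < MIN_RUN:
        return None
    return RUN_LABELS.get(ch)


def scan_log(text):
    """Parse each log line and return a list of (client_ip, label) pairs.

    Unparseable lines are skipped rather than raising, so one malformed entry
    does not stop a batch run over a real log file.
    """
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        results.append((m.group("ip"), classify_request(m.group("path"))))
    return results


def summarize(text):
    """Count flagged requests per variant label (unflagged lines are omitted)."""
    counts = Counter(label for _, label in scan_log(text) if label)
    return dict(counts)


if __name__ == "__main__":
    for ip, label in scan_log(SAMPLE_LOG):
        print(f"{ip:<14} {label or 'benign'}")
    print(summarize(SAMPLE_LOG))
```

Run against a real access log by passing the file contents to scan_log; the two knobs a defender would tune are MIN_RUN (lower it to catch shorter padding at the cost of more false positives) and RUN_LABELS (add further padding characters if a new variant is described). Because the check keys only on the repeated-character run, it is independent of the defacement text the previous slide shows and still works when the served page has not been altered.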
Conclusion
• The focus of this essay was to research the code-red worm attack. I created an audit report, which included a detailed technical background and how the threat compromised the target. A PowerPoint presentation was also included in the summary of my findings. This essay also covered a background, then how the code-red worm looked, the PowerPoint presentation, and then this conclusion.
References
• Berghel, H. (2001). The code red worm. Communications of the ACM, 44(12), 15-19. Retrieved from: http://dl.acm.org/citation.cfm?doid=501317.501328
• Cowie, J., Ogielski, A., Premore, B., & Yuan, Y. (2001). Global routing instabilities during Code Red II and Nimda worm propagation. Retrieved from: http://course.ccert.edu.cn/reference/Worms/Global%20Routing%20Instabilities%20during%20Code%20Red%20II%20and%20Nimda%20Worm.pdf
• Kc, G. S., Keromytis, A. D., & Prevelakis, V. (2003, October). Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM conference on Computer and communications security (pp. 272-280). ACM. Retrieved from: http://www.cs.columbia.edu/~gskc/publications/isaRandomization.pdf
• Long, N., & Thomas, R. (2001). Trends in denial of service attack technology. CERT Coordination Center. Retrieved from: http://resources.sei.cmu.edu/asset_files/WhitePaper/2001_019_001_52491.pdf
• Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., & Weaver, N. (2003). Inside the slammer worm. IEEE Security & Privacy, 99(4), 33-39.
• Moore, D., & Shannon, C. (2002, November). Code-Red: a case study on the spread and victims of an Internet worm. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement (pp. 273-284). ACM. Retrieved from: http://dl.acm.org/citation.cfm?id=637244
• Weaver, N., Paxson, V., Staniford, S., & Cunningham, R. (2003, October). A taxonomy of computer worms. In Proceedings of the 2003 ACM workshop on Rapid malcode (pp. 11-18). ACM. Retrieved from: http://dl.acm.org/citation.cfm?id=948190
• Zou, C. C., Gong, W., & Towsley, D. (2002, November). Code red worm propagation modeling and analysis. In Proceedings of the 9th ACM conference on Computer and communications security (pp. 138-147). ACM. Retrieved from: http://home.eng.iastate.edu/~daji/seminar/papers/ZGT02.ACMCCS.pdf