Sunday, July 15, 2012

CODE RED

                 

  What is WORM???




    Worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.


WORM means (write once, read many). 




What is CODE RED??

        Code Red is a computer worm released on July 13,2001, also known as I-Worm. Code red was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. CODE RED is one of the worst virus attack of ALL TIMES. Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. The number of infected hosts reached 359,000.




             The name CODE RED was taken from a drink name Code Red Mountain Dew because that was they were drinking at the time when they discover the virus. The technical name of this virus is CRv1 and CRv2, type are Server Jamming Worm and originated in China. It contains the text string “Hacked by Chinese”, which is displayed on web pages that the worm defaces.



The Code Red worm had instructions to do three things:
  • Days 1 - 19: Trying to spread itself by looking for more IIS severs on the Internet.
  • Days 20 - 27: Launch denial of server attacks on server fixed IP addresses. The IP address of the White House web sever was among those.
  • Days 28 - end of month: Sleeps, no active attacks. It is  believed that the worm will not "awaken" and will not spread again, unless deliberately executed again.

How the attack Works??

The "Code Red" worm attacks other IIS Web servers in the following manner:

1. It scans the victim host to see if TCP port 80 is active.

2. It sends a specially constructed HTTP GET request to the victim, attempting to exploit a buffer overflow problem in the Indexing Service.

3. If step 2 works, Code Red starts to run on the victim system. The developers of this program built in a feature that prevents Code Red from infecting an already infected system, however, by creating a file named c:\notworm file in each infected system. If Code Red finds this file, the worm aborts.

4. Code Red than starts scanning the network for other systems in which TCP port 80 is active.

5. After a delay, Code Red checks the language used on the web server. If English is the language, it then defaces all web pages on the victim host with the message



The signature of Code Red will appear in the signature logs as:

  GET
  /default.ida?
 NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
 NNNNNNNNNNNNNNNNNNNNNNN
 %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
 %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
 %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0


               The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to block the worm.


New Version  of CODE RED


CODE RED VERSION 2

           On August 4, 2001 Code Red II appeared. Code Red II is a variant of the original Code Red worm. Although it uses the same injection vector it has a completely different payload. It pseudo-randomly choose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not. Additionally, it used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.


The signature of Code Red II will appear in the signature logs as:

             GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
             %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
             %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0



Did you know that worm and virus are not the same??

        Both Worm and Virus are manmade not by nature. Virus attaches itself to a program or file and spread itself from one computer to another. In other hand Worm is similar to a virus by design and considered to be a sub-class of a virus and it also spread from one computer to another computer. Worm has a capacity to spread without any human action unlike virus. Computer viruses are like human virus that can spread in any circumstance. It attacked organs and destroyed human system. In a computer, virus and worm can attack the hardware, software and file of your computer, it spread like an epidemic.

        To prevent from these viruses you should have a firewall. A firewall is a system that prevents unauthorized use and access to your computer. Firewall can be either hardware or software that can protect your computer.

        Viruses are dangerous to our computer so be careful in opening or downloading any unwanted or unknown file or site because it will cost you a lot of money to repair the damage that has been done.

        Think before sending or creating a virus because it is not funny if someone’s computer is corrupted.





References:
http://computer.howstuffworks.com/virus5.htm
http://virus.wikia.com/wiki/CodeRed
http://en.wikipedia.org/wiki/Code_Red_(computer_worm)
http://www.lbl.gov/cyber/vulnerabilities/virus-archive_code-red.html



Posted by at 10 comments:
Subscribe to: Posts (Atom)