Notes: This tutorial was written quickly because of the threat's nearing
awakening time, and the tutorial may contain some grammatical mistakes.
Forgive me for any errors.
1) Remote IIS Index Server ISAPI Extension Buffer Overflow
2) The structure of Code Red and the way it works
3) Protecting your machine against the worm
4) Related links
On July 13, 2001, the first signs of a new threat to computers were seen. This
new threat is a worm called "Code Red", which can be re-initiated by a malicious
attacker between the 1st and 20th of every month. The worm tries to exploit the
IIS Indexing Vulnerability found by eEye Digital Security (www.eeye.com) on
June 18, 2001. As the worm will be re-initiated on August 1, I will try to give
you an understanding of the worm and how to protect yourself. The worm will not
stop or end its activity after August 1, so readers must be warned of a possible
future attack.
1) Remote IIS Index Server ISAPI Extension Buffer Overflow:
eEye Digital Security found a vulnerability in the IIS Indexing Service on
June 18 that gives full SYSTEM level access to a malicious attacker who exploits
this hole. Internet Server Application Programming Interface (ISAPI) extensions
allow additional functionality to be added to IIS. This vulnerability is a
remotely exploitable buffer overflow in one of the ISAPI extensions (IDQ.DLL)
installed with IIS 4.0 and 5.0. It can be exploited on any server that is
running a default installation of Windows NT 4.0, Windows 2000, or Windows XP
and using Microsoft's IIS Web server software.
During the installation of IIS, mappings for two file types (.idq and .ida)
are created. These files are handled by the ISAPI Index Server extension, a
hook that integrates Microsoft Index Server with IIS. As a result, the IIS
server contains script mappings for .idq and .ida files, and these mappings
are what let attackers reach this vulnerability.
When an Index Server ISAPI query is sent to an unpatched, vulnerable IIS server,
the query is parsed by IIS to find which extension fits the request. After the
query has been mapped to the correct extension, the body of the request needs
to be parsed. The vulnerability occurs because of a lack of bounds checking on
the length of the Index Server ISAPI request. The Indexing Service does not
need to be running, as stated by Microsoft:
The buffer overrun occurs before any indexing functionality is
requested. As a result, even though idq.dll is a component of Index Server/Indexing
Service, the service would not need to be running in order for an attacker to
exploit the vulnerability. As long as the script mapping for .idq or .ida files
were present, and the attacker were able to establish a web session, he could
exploit the vulnerability.
There are two ways for an attacker to exploit this vulnerability. By sending a
very long string to the Index Server ISAPI extension, a DoS attack can be
launched; as a harder but more advanced way of exploiting it, a specially
crafted long request can be sent to the vulnerable system in order to execute
arbitrary code. If such an attack succeeds, the attacker gains full SYSTEM
access with no restrictions.
Vulnerable systems are:
Windows NT 4.0 with IIS 4.0 or IIS 5.0
Windows 2000 (Professional, Server, Advanced Server, Datacenter Server) with IIS 5.0
Windows XP beta with IIS 6.0 beta
For a more detailed analysis of the vulnerability and the ways it can be
exploited, visit: http://www.eeye.com/html/Research/Advisories/AD20010618.html
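As an added example that is not part of the original tutorial, the following Python script reads IIS W3C extended log lines and flags requests that hit the .ida/.idq script mappings with an overlong query string, which is the shape of request the missing bounds check needs. The sample log lines, the field layout and the 200-byte threshold are constructed assumptions for the example, not values from the page.

```python
import re

# Constructed sample in IIS W3C extended log layout (not taken from the page).
# The field order follows the #Fields header line; the overlong query string
# is the tell-tale of the IDQ.DLL bounds-check flaw, not the file name itself.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:00:01 192.0.2.10 GET /default.htm - 200
2001-07-19 10:00:02 192.0.2.11 GET /search.idq CiRestriction=report 200
2001-07-19 10:00:03 198.51.100.7 GET /x.ida {} 200
2001-07-19 10:00:04 203.0.113.5 GET /query.idq {} 500
""".format("X" * 300, "Y" * 240)

# Requests routed to the Index Server ISAPI extension via the .ida/.idq mappings.
ISAPI_INDEX_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)
# Assumption: real Index Server queries are short, so anything far longer than
# this is worth an analyst's attention (tune for your own query volume).
MAX_SANE_QUERY = 200


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign fields
        yield dict(zip(fields, parts))


def suspicious_index_requests(text, max_query=MAX_SANE_QUERY):
    """Return (client ip, uri-stem, query length) for every request that hits an
    .ida/.idq mapping with a query string longer than max_query bytes."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if ISAPI_INDEX_EXT.search(stem) and query != "-" and len(query) > max_query:
            hits.append((rec["c-ip"], stem, len(query)))
    return hits


if __name__ == "__main__":
    for ip, stem, n in suspicious_index_requests(SAMPLE_LOG):
        print(f"{ip} -> {stem} ({n}-byte query)")
```

A server that crashed or was taken over by the request may never have written the log record, so an empty result is not proof of safety; removing the .ida/.idq script mappings, as the tutorial describes, closes the path regardless of what was logged.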
2) The structure of Code Red and the way it works:
Code Red is a worm that tries to exploit the IIS Index Server vulnerability.
The worm's first signs were seen on July 13, but the real effect of the worm
was not felt until July 19, when it infected over 300,000 computers in several
hours. In this part we will study how the worm works, how it infects systems
and what it has done so far. Code Red is not a single-versioned worm, and this
makes it a more capable and dangerous worm. Also, the way it spreads itself
could have been much more dangerous, effective and faster, which makes it a
little bit mysterious. There are 3 known versions of the worm: the original
one, 2a and 2b. The variants have many properties that differ from the original
one, and they are very similar to each other. Code Red does not hide itself in
a file; it acts according to the system clock. It also behaved differently
depending on the day of the month and will probably do so again. The worm
follows these steps while trying to infect a system:
a) TCP port 80 of the victim host is scanned.
b) The attacking host sends the exploit string to the victim.
c) Now executing on the victim host and having the initial worm environment,
the worm creates 100 threads of itself.
d) 99 threads scan a sequence of random IP addresses to spread the worm and
infect other systems.
e) The 100th thread checks the language of the box. If it is an English (US)
system, it defaces all the web pages served by the infected victim host with
this message:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
The message will appear on the web page for 10 hours and then disappear. If
the host is re-infected by another system, the defacement will re-occur and
the message will appear again. If the box's language is not English, no
defacement of web page(s) will occur and the 100th thread will also be used
for scanning to infect other systems.
f) Every worm thread checks whether "c:\noworm" exists on the machine. If it
exists, the threads stop scanning and go dormant. If the file does not exist,
each thread continues its attempts to infect other systems.
g) Each worm thread checks the system time of the box. If the day is past the
20th of the month (GMT), the threads stop trying to infect other systems and
the system starts launching a DoS attack by sending 100k bytes of data to
port 80 of www.whitehouse.gov. To counteract the attack, the White House Web
site was moved to a different IP address, so the flooding portion of the first
wave of the Code Red worm was unsuccessful. Future variants of the worm,
however, could be configured with different addresses or Web sites to flood.
If the system date is between the 1st and 19th of the month, the system will
not DoS www.whitehouse.gov and the threads will continue to scan and infect
other systems.
eEye Digital Security found that the worm can attempt to infect roughly half a
million IP addresses a day. It could have been much more if its scanning style
had been sensible. But there could be a reason for this style, too. Let's
explain the way Code Red scans IP addresses...
The threads created by the worm scan a sequence of random IP addresses. In
fact, they are not really random, because the beginning IP address is always
the same. Also, every other infected computer will scan the same list of
"random" IP addresses, thus causing a denial-of-service attack by generating
heavy traffic back and forth between the hosts. The huge amount of data
transferred by many systems to the same sequence of IP addresses would cause
such a DoS attack. If the worm used a scanning method with real IP address
generation, both the number of infected systems and the speed of spreading
would be much greater than they are now. We do not know exactly why a slower
scan type was selected, but there are two possible answers:
The programmer of the worm might not only have aimed to deface web servers,
but also to demolish any other service offered by the victim hosts in the
arranged list of IP addresses to be scanned. By launching a DoS as described
above, the services the host offered before the infection can be disabled.
This disables the services of certain hosts, which makes the DoS smaller and
limited to fewer networks, but with more devastating effects.
The creators of the worm might have tried to track how many and which systems
had been infected with the worm. If they are in the list of the first hundred
or thousand IP addresses to be scanned, they can set up a sniffer listening
for connections on port 80 in order to track which and how many systems had
been infected by the worm.
But the new variants scan victim hosts differently from the original worm.
They scan "random" IP addresses rather than the predictable set of systems the
initial version scanned. This makes them far more dangerous than the initial
worm, and in this way more systems can be affected. This can also degrade
Internet performance.
The defacement of web hosts is not used in the new variants. Without it, the
worm is harder for system administrators to notice, because there is no
message, as there was in the initial version, indicating the infection by
defacing the web site(s). In this way the worm will spread quicker and wider.
Also, the scan logic of the new variants is better than that of the initial
one. The new variants are able to scan nearly the entire Internet address
space, which includes around 4 billion IP addresses. Despite the improved scan
logic, there is still a delay in the scanning portion of the code that limits
the worm's propagation speed. If the IP address selected by the worm to be
scanned is not valid or is inaccessible, there is a 21 second timeout before
the worm attempts to scan a new IP address. It was found that if every scan
attempt made by the worm times out, in the worst case each infected system can
scan 17,100 IP addresses in an hour, or 411,408 IP addresses per day.
The worm starts to spread slowly, but with each additional system infected it
becomes stronger and scans quicker. The more systems infected by the worm, the
faster and wider the worm spreads. This is like the basic idea behind a DDoS
(Distributed Denial of Service) attack.
The worm goes through three phases: propagation, flooding, and finally sleep.
The sleep phase is permanent. Once the worm has entered the sleep phase, it
sleeps forever and does not wake up to scan and infect other systems. The
phases according to the system time are described below:
1st - 19th of month: Scanning/Propagating Phase
20th - 27th of month: Flooding (DDoS) Phase
Beginning on the 28th of month: "Sleep" Phase
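As an added example, not code from the tutorial, this Python model encodes the date-driven phases in the table above and the scan-rate bound from the timeout discussion. It treats the 100 threads and the 21 second timeout as exact inputs (an assumption) and shows that they reproduce the per-hour and per-day figures quoted earlier.

```python
import calendar

# Parameters the tutorial states for the original worm (assumed exact here):
THREADS = 100          # 99 scanner threads plus the defacement/scanner thread
TIMEOUT_SECONDS = 21   # wait on an unreachable address before trying the next


def phase_for(day_of_month):
    """Return the worm's phase for a GMT day of the month, per the table above."""
    if 1 <= day_of_month <= 19:
        return "propagate"
    if 20 <= day_of_month <= 27:
        return "flood"
    if 28 <= day_of_month <= 31:
        return "sleep"
    raise ValueError("day of month must be 1..31")


def worst_case_scans(threads=THREADS, timeout=TIMEOUT_SECONDS):
    """Upper bound on addresses one infected host can try per hour and per day
    when every attempt times out: each thread finishes one address per timeout.
    100 threads * 3600 s / 21 s = 17,142 per hour (the ~17,100 quoted above),
    and 17,142 * 24 = 411,408 per day, which matches the figure in the text."""
    per_hour = threads * 3600 // timeout
    return per_hour, per_hour * 24


def days_until_next_wave(year, month, day):
    """Days from the given date to the 1st of the following month, the next
    point at which a re-launched copy would be back in the propagation phase."""
    days_in_month = calendar.monthrange(year, month)[1]
    return days_in_month - day + 1


if __name__ == "__main__":
    for d in (1, 19, 20, 27, 28):
        print(f"day {d:2d}: {phase_for(d)}")
    print("worst-case scans per (hour, day):", worst_case_scans())
    print("days from 2001-07-30 to the next wave:", days_until_next_wave(2001, 7, 30))
```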
3) Protecting your machine from the worm:
The affected systems are:
Systems running Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled
Systems running Microsoft Windows 2000 (Professional, Server, Advanced Server,
Datacenter Server)
Systems running beta versions of Microsoft Windows XP
Systems running Cisco and Cisco products with affected versions of IIS
You can secure your system by applying patches. The following are the patches
for specific operating systems :
For Microsoft Windows NT version 4.0 :
For Microsoft Windows 2000 Professional, Server and Advanced Server:
For information on how Cisco products are affected by the Code Red worm,
please refer to the Cisco Security Advisory at :
You can also secure your system, or detect a worm already installed on it, by
using tools like CodeRed Scanner, Flex Check, BlackICE and ISS RealSecure.
CodeRed Scanner :
Flex Check :
BlackICE update for the IIS Index Service Vulnerability :
4) Related links:
Detailed information about the IIS Index Service vulnerability by the finders
of the vulnerability :
Information about the IIS Index Service vulnerability by CERT :
Microsoft's bulletin about the IIS Index Service :
Detailed information about Code Red by eEye Digital Security :
Information about Code Red by CERT :
Closing Words by The Author:
Well, as the net grows and improves each day, we'll face threats such as this
many times. The important thing is to secure yourself on the net against such a
threat and to have information about it in time. With the knowledge you need,
there is no power that can wipe the net clean of its users... Play nice and
secure yourself on the net!!!