Sign up for ISW's Newsletter
Info and Analysis of the 'Code Red' Worm by SilentBlade on 06/09/02

Notes: This tutorial was written quickly in a short time cause of the threat"s nearing awakening time and the tutorial can contain some grammatical mistakes. Forgive me for any errors.

Contents :
1) Remote ISS Index Server ISAPI Extension Buffer overflow
2) The structure of Code Red and the way it works
3) Protecting your machine against the worm
4) Related links

On July 13, 2001, the first signs of a new threat to the computers was seen. This new threat is a worm called "Code Red" which can be re-initiated by a malicious attacker between the 1st and 20th of every month. The worm tries to exploit the ISS Indexing Vulnerability which was found by eEYE Digital Security ( on June 18, 2001.As the worm will be re-initiated on August 1, I will try to give you an understanding of the worm and how to save yourself. Also the worm will not stop or end its activity after August 1, so, readers must be warned for a possible future attack.

1) Remote ISS Index Server ISAPI Extension Bufferoverflow:

eEYE Digital Security found a vulnerability in the ISS Indexing Service on June 18 that gives full SYSTEM level access to a malicious attacker who tries to exploit this hole. Internet Services Application Programming Interface (ISAPI ) extensions allow for additional functionality to be added to IIS. This vulnerability is a remotely exploitable buffer overflow in one of the ISAPI extensions (IDQ.DLL) installed with IIS 4.0 and 5.0.It can be exploited in any server that is running a default installation of Windows NT 4.0, Windows 2000, or Windows XP and using Microsoft’s IIS Web server software.

During the installation of ISS, two DLL files (.idq and .ida) are created. These files apply the ISAPI Index Server extension a hook in order to integrate Microsoft Index Server with IIS. And by this way, ISS server contains script mappings for .idq and .ida files which can let the attackers exploit this vulnerability.

When an Index Server ISAPI query is sent to an unpatched-vulnerable ISS server, the query is parsed by ISS to find which extension fits the request. After the mapping of the query to the correct extension, the body of the request needs to be parsed. The vulnerability occurs because of a lack of bounds checking on the length of the Index Server ISAPI request. The Indexing Services don"t need to be running as stated by Microsoft :

The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present, and the attacker were able to establish a web session, he could exploit the vulnerability.

There are two ways for an attack to exploit this vulnerability. By sending a very long string to the Index Server ISAPI extension; a DoS attack can be made. Or, as a harder but advanced way of exploiting; a specially-crafted long request can be sent to the vulnerable system in order to execute arbitrary code. With the success of such attacks, attacker can gain full SYSTEM access with no restrictions.

Vulnerable systems are :

Windows NT 4.0 with ISS 4.0 or ISS 5.0
Windows 2000 (Professional, Server, Advanced Server, Datacenter Server) with ISS 5.0
Windows XP beta with ISS 6.0 beta

In order to read more detailed analysis of the vulnerability and the ways it can be exploited, then visit:

2) The structure of Code Red and the way it works:

Code Red is a worm that tries to exploit ISS Index Server vulnerability. The worm"s first signs were seen on July 13, but the real effect of the worm was not felt until July 19 when it infected over 300.000 computers in several hours. In this part we will study how the worm works, how it infects the systems and what it did so far...

Code Red is not a single-versioned worm, and this makes it a more functioned and dangerous worm. Also the way it spreads itself could have been much more dangerous, effective and faster which makes it a little bit mysterious. There are 3 known versions of the worm :the original one, 2a and 2b.The variants contain many different properties from the original one and they"re very similar to each other.

The worm does not hide itself in a file, it acts according to the system clock. And it also behaved differently depending on the day of the month and will probably do so.

It takes these steps while trying to infect a system :

a) TCP port 80 of the victim host is scanned.

b) The attacking host sends the exploit string to the victim.

c) Now executing on the victim host and having the initial worm environment, the worm creates 100 threads of itself.

d) 99 threads scan a sequence of random IP addresses to spread the worm and infect other systems.

e) 100th thread checks the language of the box. If it"s an English (US) system, then defaces all the web pages served by the infected victim host with this message :

HELLO! Welcome to! Hacked By Chinese!

This message will appear in the webpage for 10 hours and then disappear. If it is re-infected by another system then the defacement will re-occur and the message will appear again. If the box"s language isn"t English, then no defacement of web page(s) will occur and the 100th thread will also be used for scanning to infect other systems.

f) Every worm will check if "c:\noworm" exists on the machine and if this
file exists, the worms will stop scanning and go dormant. But if the file doesn"t exist, then each worm will continue their attempt to infect other systems.

g) Each worm thread will check the system time of the box. If the day is past the 20th of the month (GMT), then the threads will stop trying to infect other systems. The system will start launching a DoS attack by sending 100k bytes of data to the port 80 of counteract the attack, the White House Web site was moved to a different IP address, so the flooding portion of the first wave of the Code Red worm was unsuccessful. Future variants of the worm, however, could be configured with different addresses or Web sites to flood. If the system date is between 1st and 19th of the month, then the system will not DoS and the threads will continue to scan and infect new hosts.

It is found by eEYE Digital Security that the worm can attempt to infect roughly half a million IP addresses a day. But it could have been much more if it"s scanning style was sensible. But there could be a reason for this style too. Let"s explain the way Code Red scans IP addresses...

The threads created by the worm scan a list of sequence random IP addresses. But in fact, they"re not really random, cause the the beginning IP address is always the same. Also, every other infected computer will scan the same list of "random" IP addresses, thus causing a denial-of-service attack by making a heavy traffic between the hosts back and forth. The huge amount of data transfer made by many systems to a sequence of random IP addresses would cause such a DoS attack. If the worm used a way of scanning that would allow it to do a real IP generation, then both the number of the infected systems and the speed of spreading would be much more than it is done now. We do not exactly know why a slower scan type was selected but there can be two possible answers:

Possibility 1)
The programmer of the worm might not have only targeted to deface web servers but also might have targeted to demolish any other service that can be offered by the victim hosts that are in the list of arranged IP addresses to be scanned. By launching a DoS stated as above, the services available by the host before the infection can be disabled. And this causes to disable the services of certain hosts which makes it DoS smaller and less networks but in more devastating effects.

Possibility 2)
The creators of the worm might have tried to track how many and which systems had been infected with the worm. If they are in the list of first hundred or thousand IP addresses to be scanned, they can set up a sniffer to listen connections from port 80 in order to track which and how many systems had been infected by the worm.

But the new variants scan victim hosts different than the original worm. They scan "random" IP addresses other than scanning a predictable set of systems as the initial version did. This makes them far more dangerous than the initial worm and by this way, more systems can be affected. This can also degrade Internet speeds.

The defacement of web hosts property isn"t used in new variants. Without the use of this method, the worm will be noticed harder by the system administrators cause there won"t be a message as it was in initial version that indicates the infection of the worm to the system by defacing the web site(s). And by this way, it will spread quicker and wider.

Also the scan logic of the new variants will be better than the initial one. The new variants will be able to scan nearly the entire Internet address space, which includes around 4 billion IP addresses. Despite of the improves logic of scans, there is still a delay in the scanning portion of the code that limits the worm’s propagation speed. If the selected IP address by the worm to be scanned is not valid, or inaccessible, then there will be a 21 second timeout before the worm attempts to scan a new IP address. It is found that if every scan attempt made by the worm is timed out, in the worst case; each infected system can scan 17,100 IP addresses in an hour, or 411,408 IP addresses per day.

The worm starts to spread slowly but with each other system infected, it will be stronger and will scan quicker. The more systems infected by the worm, the faster and wider will the worm spread. This is like the basic understanding of a DDoS (Distributed Denial of Service) attack.

The worm goes through three phases: propagation, flooding, and finally sleep. Sleep phase is permanent. Once the worm has entered sleep phase, it sleeps forever and doesn"t wake up to scan and infect other systems. The phases according to the system time is described below :

1st - 19th of month: Scanning/Propagating Phase
20th - 27th of month: Flooding (DDoS) Phase
Beginning on the 28th of month: "Sleep" Phase

3) Protecting your machine from the worm:

The affected systems are :

Systems running Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled
Systems running Microsoft Windows 2000 (Professional, Server, Advanced Server, Datacenter Server)
Systems running beta versions of Microsoft Windows XP
Systems running Cisco and Cisco Products with affected versions of ISS

You can secure your system by applying patches. The following are the patches for specific operating systems :

For Microsoft Windows NT version 4.0 :

For Microsoft Windows 2000 Professional, Server and Advanced Server:

For information on how Cisco products are affected by the Code Red worm, please refer to the Cisco Security Advisory at :

You can also secure you system or notice any worm installed in your system by using tools like CodeRed Scanner ,Flex Check, BlackIce and ISS RealSecure :

CodeRed Scanner :

Flex Check :

BlackIce update for Index ISS Service Vulnerability :

4) Related links:

Detailed information about ISS Index Service vulnerability by the founders of the vulnerability :

Information about ISS Index Service vulnerability by CERT :

Microsoft"s bulletin about ISS Index Service :

Detailed Information About Code Red by eEYE Digital Security :

Information about CodeRed by CERT :

Closing Words by The Author:

Well, as the net grows and improves each day, we"ll face threats such as this many times. The important thing is to secure yourself on net against such a threat and have information about it in time. With the knowledge you need, there is no power that can wipe the net clean of its users...Play nice and secure yourself on the net!!!

Rate this article

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , All rights reserved. Comments are property of the respective posters.