Years from now, we will all look back on the summer of 2001 as
one of the strangest summers in the history of the internet. We
will surely laugh at the frantic gyrations of system
administrators and security professionals because of a worm
called “Code Red”. We system administrators will most certainly
chuckle as we fondly reminisce on the late evenings spent
patching server after server at the urging of our security
professionals. And hey, that blue screen or two that resulted
was so much fun to research, and the reinstalls that we had to
do the next day will certainly be the topic of campfire
conversations for years to come! Not!
During late July and early August, Microsoft, CERT (Computer
Emergency Response Team) and the FBI issued emergency bulletins
urging all system administrators to patch their web servers
immediately. The press was alerted and asked to help spread the
word that the internet itself was in extreme danger. Every
security and antivirus company on the planet was busy sending
out notices to everyone they could find that the problem had to
be fixed immediately, or dire consequences would result.
The predictions were that internet speed would be reduced to a
crawl for days while billions (trillions?) of meaningless
packets were thrown at the Whitehouse web site an attempt to
knock it off the air.
What was the cause of this three-ring circus?
It’s very simple really. The same old story. Microsoft had a bug
in their web server code. Well, saying they had a bug
dramatically understates the magnitude of the problem.
To put it into perspective, let’s say you hired a contractor to
build a new bank (you are the bank manager). Naturally, your
bank is outfitted with state of the art technology (so says the
brochure), including a shiny, well-publicized security system.
The project was expensive, but you’re happy because, hey, it’s
the new, improved, extra special XP bank. Besides, the
contractor is the biggest one on the planet and, frankly, you
paid them an exorbitant rate to ensure that you got the best
After your bank is robbed, you find out that the contractor had
“accidentally” left an eight foot hole in the right wall. This
isn’t just a small hole, it’s a huge, gaping crevice leading
directly to the vault. It’s in plain view to everyone, except,
seemingly, the contractor. When you confront the contractor to
ask them how they could do such a stupid thing, they politely
tell you, after a three hour wait on hold and a $295 charge on
your credit card, that it’s really your fault because you didn’t
follow the instructions in their special security bulletin two
months ago. Didn’t you send a couple of your employees to the
BSE (Bank Systems Engineer) classes to learn that they need to
purchase the extra-special, super spectacular BankNet
Okay, all kidding and sarcasm aside, there is a bug in the
Indexing service (the component that creates searchable indexes)
in the Microsoft Internet Information Server (the program which
displays web pages on a web server) which is supplied with
Windows NT and Windows 2000. This bug allows allows anyone who
can send a special string of characters to a web server to “take
control” and, basically, cause the web server to do anything
that the attacker desires.
The bug is something commonly known as a “buffer overflow”,
which simply means you can send more characters to the web
server than it is capable of receiving. When a program receives
characters it writes them to memory in a place called a buffer.
If a poorly written program receives more characters than it is
designed to handle, it will, under special conditions, cause the
extra characters to be executed with privileges.
To put it very simply, it was discovered that you could cause
the Indexing Service to “overflow it’s buffers” and execute
selected code as a privileged user. This allows a special hacker
program (which is reported to have required all of a half hour
to write) to gain control of a server.
You have to understand that buffer overflows are nothing new to
the world of computing. In fact, I am sure that the first
programmer is also the first person to experience this
condition. This is well known to competent quality control
departments, programmers, designers and, of course, hackers.
To put it bluntly, buffer overflows should not occur in any
program written by any programmer who has passed “programming
102″. In addition, any quality assurance person who has taken
“quality control 101″ should be able to check for and spot the
problem from a mile away. All right already, so what is the
infamous Code Red worm?
Code Red is a clever little program which takes advantage of
this gaping hole in the Index Server. What the program does is
search for systems with the flaw. It’s easy to find those
systems and Code Red is very good at it’s job. So good, in fact,
that in early August 2001 it is estimated that it infected over
Once the worm finds a machine, it executes the buffer overflow
condition and causes itself to be installed on the machine.
Remember the Wrath of Kahn movie where the beetle with the big
pincers crawled into Checkov’s ear? It’s something like that.
Once the bug got into his brain, oh sorry … once the worm has
installed itself it does a number of different things depending
upon the day of the month. Some days near the beginning of a
month it will search for new systems to infect. Towards the
middle the worms will all launch an attack against the
Whitehouse web site. At the end of the month, all of these
malicious little programs will sleep, waiting for the next month.
Interestingly, the Code Red worm has a couple of small flaws.
First, it’s attack is directed at a single IP address. Thus,
during the first waves of attacks in July the Whitehouse “dodged
the bullet” by simply changing their address.
Second, the worm only installs itself in memory. This means it’s
simply a matter of rebooting the server to rid it of the pesky
infection. Of course, if you don’t install the patch (a fix to
repair the problem, conceptually like the piece of rubber used
to patch a hole in a tire), it’s just a matter of time until
your system gets infected again.
Naturally, a new worm called “Code Red II” worm has been
reported in the wild, and almost certainly does not include
these flaws. Hopefully system administrators will comply and
install their patches so their systems will not be assimilated
into the Code Red and Code Red II attacks.