Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)


Code Red

On July 16, 2001 Code Red started propagating on Microsoft Windows systems with IIS installed. It exploited IIS-enabled systems susceptible to the vulnerability described in CERT advisory CA-2001-13, "Buffer Overflow In IIS Indexing Service DLL". Other systems are not vulnerable to this exploit. Reports indicate that two variants of "Code Red" affected more than 250,000 hosts.

If you want to watch the spread of the "Code Red" worm, here are the URLs you need. The bottom line is that it is definitely out there and spreading exponentially; it may be capable of matching the extent of the last outbreak; a new version is capable of spreading much more quickly; and the exponential growth may be leveling off, but it will be a week before anybody knows anything for sure. So long as there remain large numbers of unfixed servers, there is nothing to prevent any of endless thousands of individuals from releasing an even more sophisticated worm that fixes the remaining obvious mistakes in the one that's circulating now. That said, there has been a whole lot of uninformed panic caused by (among other things) inaccurate reports that all Windows NT and Windows 2000 machines are at risk of infection. Only machines running Microsoft's IIS server program are at risk, and only some of them, and only if they haven't been patched and, I suppose, power cycled. At the same time, everyone is at risk of a bad day if either the worm's probes or its later DDoS attacks clog up the net or crash routers.

Code Red Status (heavy load on this site is making it slow to respond): http://www.incidents.org/

"Code Red" growth (the drop at 17:30 UTC was caused by their own defenses against the traffic): http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif

Log-scale version of the graph showing its nice exponential growth: http://www.caida.org/analysis/security/code-red/aug1-live-hosts-log.gif

Recommended Links



CERT Advisory CA-2001-19 Code Red Worm Exploiting Buffer Overflow In IIS Indexing Service DLL

Symantec Security Response - CodeRed Worm

CAIDA Analysis of Code-Red - CAIDA - ANALYSIS - security - code-red

SANS Security Alert: Code Red Is Set to Come Storming Back! (Jul 30, 2001)

F-Secure Computer Virus Information Pages - CodeRed

LinuxPlanet: .comment: The Weakest Link (Jul 25, 2001)

Red Rock Eater: "Code Red" Worm (Jul 21, 2001)

Code Red Threat FAQ: http://www.incidents.org/react/code_red.php

Cisco Security Advisory: "Code Red" Worm: http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

News reports in reverse chronological order.

 


Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: June 02, 2008