One of the first console games I got into growing up was Halo.
You know, back when the games came in those cool cases with artwork inside,
and there was no downloadable content you had to pay extra for.
Just one game, you bought it, and that was it.
solo or with others on Xbox Live, which was just a dumpster fire of trash talk, or we'd be at
someone's place huddled around a huge heavy CRT TV playing split screen. Honestly, it was a blast.
And whenever we got together, there were two snacks that I'll never forget. Orange Cheetos
and Mountain Dew. I mean, what a combo for feeling sick and not sleeping. Now you might be wondering
how Cheetos and Mountain Dew could possibly tie into what we're talking about today.
Well, it works because today's topic is the Code Red Worm, which was actually named after a can of
Mountain Dew, Code Red. My name is Josh, and welcome to In The Shell. Every other week, I bring you a new
story from the archives about hackers, malware, and the people who've shaped the tech world as we know
it. But for now, let's jump back into this week's episode. Let's take a step back to June 18th, 2001.
That's when the Code Red Worm story really began, and it all started with a vulnerability.
Riley Hassell, who worked at a company called eEye Digital Security, was running
some custom auditing code. His goal? To test the Microsoft IIS web server for any hidden vulnerabilities.
And guess what? He found one. A pretty serious one, actually. A buffer overflow vulnerability
in a section of code that dealt with input parameters. Specifically, it was in the ISAPI
extension. This allowed an attacker to launch a buffer overflow attack, basically taking control
of the server, and running any code they wanted. But before we get deeper into the story, let me
explain a couple of key concepts so this all makes sense. First, Microsoft IIS is a software used to
run web servers. It's how a company's public website got hosted. Back then, and even now,
a lot of companies used Windows Server to manage things like user accounts, email, websites, you name
it. So if a company had a website, it was likely running on IIS. Another big web server at the time,
and still today, that you might have heard of was Apache. So now that we know what Microsoft IIS is,
let's break down what a buffer overflow is. Let's start with a high-tech analogy. Think of a bucket.
And you're filling it with a hose. At some point, the bucket's full. But if you keep the water running,
the bucket overflows, and that extra water starts spilling into places where it doesn't belong.
In the same way, when a program gets more data than it's expecting, that data can spill into other
parts of memory where it shouldn't be. These parts of memory might hold important instructions or data.
And if someone controls that overflow, they can change how the program behaves, potentially making
it do something harmful, like letting an attacker take control of the system. So with that out of the
way, let's jump back to June 18th, 2001. After discovering this vulnerability, eEye
Digital Security released an advisory. They warned users that there was a buffer overflow issue in
Microsoft IIS, and if exploited, it could allow an attacker to take control of the server just by
sending a specially crafted request. Basically, someone could type in the right string in the
URL bar, and they'd have full access to the system. This meant the attacker could do anything,
run programs, mess the web server's database, change files, or even alter web pages.
eEye advised everyone to download a patch from Microsoft that would fix the issue,
but of course they did not.
after. I think we really need to deal with these problems before they happen and not think we can
throw insecure software out there, patch it, and magically make it better, because that's not
working. Just over three weeks later, on July 12th, after the advisory was announced, the Code
Red Worm version 1, and yes, there were multiple versions, started infecting Microsoft IIS web
servers. The worm was first discovered by two other employees at eEye Digital Security, Marc Maiffret and
Ryan Permeh. They noticed that Code Red version 1 was exploiting the vulnerability their colleague
Riley Hassell had found. And the name? Well, it just so happened they were drinking Mountain Dew Code Red
at the time. Plus, when the worm defaced certain websites, it displayed the message,
hacked by Chinese, so the name stuck. Let's dive into how version 1 worked.
Once the worm found and exploited a vulnerable server, it would first check the server's date
and see if it was between the 1st and the 19th of the month. If so, it used a static seed to
generate a random list of IP addresses to probe and infect. And that's where the worm part comes
in. Every infected host would then try to infect other hosts. The odd thing about version 1 is that
it used a static seed to generate the list of random IPs, meaning every infected host generated
the exact same list of IP addresses to target.
You can think of a seed like giving 10 different people the same cookie recipe.
You're going to end up with 10 batches of identical cookies.
Normally, you would use a random seed, so you get a different list each time,
but they did not do that for some reason.
So that's what happened between the 1st and 19th day of the month.
On the 20th of the month, version 1 stopped spreading to new machines.
Instead, it was programmed to launch a DDoS attack,
a distributed denial of service, against the White House website,
and this was supposed to happen between the 20th and 28th day of each month.
After that, they would pause and start the cycle all over again on the 1st of the next month.
Code Red is the latest in a series of worms used to attack computer systems in order to launch
distributed denial-of-service attacks.
In such attacks, the victim computers are being used without the operator's knowledge
to flood a website and overload it.
But the White House managed to dodge the attack by simply changing the website's IP address
for the domain being targeted.
Since the worm was coded to check for a valid connection before launching the attack,
this move made the DDoS attempt completely ineffective.
Along with the infection, version 1 also defaced some webpages with the text
"Welcome to http://www.worm.com!" followed on a new line by "Hacked by Chinese!"
But in the end, version 1 didn't do much damage.
Why?
Because infected systems kept trying to reinfect each other due to the worm using a static seed,
which stopped the worm from spreading as far as it could have.
Plus, version 1 only lived in the computer's memory.
It didn't write itself to the hard disk, so just rebooting the machine could get rid of the worm.
So, Jim, if someone's computer or their server is hit by this code red worm, what can they do?
Well, code red deactivates as soon as you reboot the machine, but of course it could get reinfected.
There is a patch available at Microsoft's website that takes code red off and prevents that vulnerability from being exploited.
This brings us to version 2. It was discovered at 10 a.m. on July 19th, and it made one key change.
Instead of using the static seed like version 1, version 2 used a random number for the seed.
Now that might sound like a minor tweak, but it made a huge difference. With a random seed,
each infected machine generated a different list of IP addresses to target, which dramatically
sped up its spread. In just 14 hours, version 2 infected more than 359,000 machines.
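The seed difference the host describes is the whole story of why version 1 stalled and version 2 exploded. The following toy simulation is an added example, not code from the episode or from the worm: it uses a made-up 16-bit address space and seeded generators, never touches a network, and stands in "fixed per-host seeds" for version 2's truly random seed so that the run is reproducible.

```python
import random

# Constructed toy address space for the simulation (not real IPv4 space).
ADDRESS_SPACE = 1 << 16
STATIC_SEED = 42  # every host shares this seed in "version 1" mode


def target_list(seed, count):
    """First `count` probe targets a host generates from a given seed."""
    rng = random.Random(seed)
    return [rng.randrange(ADDRESS_SPACE) for _ in range(count)]


def spread(rounds, probes_per_round, static_seed):
    """Return how many addresses are infected after `rounds` of probing.

    Every infected host keeps its own generator and draws `probes_per_round`
    targets per round. With static_seed=True all hosts replay the same
    sequence (the version 1 "same cookie recipe" problem); otherwise each host
    gets its own seed, which models version 2's per-host random seed.
    """
    def seed_for(addr):
        return STATIC_SEED if static_seed else addr + 1

    infected = {0}                               # patient zero
    rngs = {0: random.Random(seed_for(0))}       # per-host generator state
    for _ in range(rounds):
        newly_hit = set()
        for rng in rngs.values():
            for _ in range(probes_per_round):
                target = rng.randrange(ADDRESS_SPACE)
                if target not in infected:       # probes at infected hosts are wasted
                    newly_hit.add(target)
        for addr in newly_hit:
            infected.add(addr)
            rngs[addr] = random.Random(seed_for(addr))
    return len(infected)


if __name__ == "__main__":
    print("static seed :", spread(4, 5, static_seed=True))
    print("per-host seed:", spread(4, 5, static_seed=False))
```

With a shared seed, new hosts only ever re-probe addresses the first host already covered, so coverage grows by at most `probes_per_round` per round; with per-host seeds it grows geometrically.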
The first attack July 19th infected about 300,000 systems in nine hours. At its peak,
it was infecting 2,000 new hosts every minute. And it didn't just hit IIS servers. Devices like DSL
modems, printers, switches, and routers were also affected. While these devices weren't actually
infected, they crashed when they received a copy of the worm from an infected machine,
causing a denial of service. Even though version 2 was more effective than version 1,
it still had the same weakness. A simple reboot could remove it. Now let's talk about Code Red 2.
Not version 2, but Code Red Roman numeral 2. Less than two weeks after version 2, on August 4th,
2001, Code Red 2 appeared, exploiting the same IIS vulnerability.
It was different from the original version, but it still carried the CodeRed name because the
source code had the string CodeRed2 in it. Unlike the earlier versions, CodeRed2 didn't
deface webpages or launch a DDoS attack. Instead, it was far more dangerous. Here's what made it so
menacing. First, it checked if the host had already been infected and whether the system
language was set to Chinese. If the system was in Chinese, it would spread for 48 hours using 600
threads to do so. If it wasn't set to Chinese, it spread for 24 hours using 300 threads. Now a thread
is basically a worker in a computer that carries out a task, so the worm was sending out either
300 or 600 workers to spread itself. But it didn't stop there. CodeRed 2 was designed to
disable file system protections, exposing the C and D drives, the C drive being the main storage
and the D drive often used for extra storage on Windows computers, and it made those drives
accessible as public webpages, meaning anyone could view sensitive files through a browser.
On top of that, it installed a Trojan, a malicious program that opened a security hole
in the system, allowing an attacker to access it remotely, and it would run whenever File Explorer
was used, making the system a sitting duck for future attacks or any malicious code execution.
Although the worm has only been used for denial-of-service attacks, an attacker can exploit the vulnerability to gain control over web server or alter or steal critical corporate and private data.
Since Code Red 2 didn't just live in memory like earlier versions, removing it was a bit more involved.
You had to patch the machine and manually remove the worm, which made Code Red 2 much more serious and long-lasting compared to version 1 and version 2.
In response to the growing threat, representatives from Microsoft and U.S. security agencies held a press conference urging users to download the patch from Microsoft.
They even went so far as to call it a civic duty.
CNN and other news outlets picked up the message, strongly advising users to patch their systems.
The last time it surfaced, around mid-July, it affected hundreds of thousands of computers
around the world, resulting in a slight slowdown of traffic on the internet. It also tried to deface
the White House webpage. This time, experts say it could infect just as many, if not more, computers,
but a last-minute campaign to get companies to install the security software fix may slow its spread.
But despite all the attention, a lot of system administrators waited until the worm was
already wreaking havoc before they finally patched their servers, even though the fix had already been
available for five weeks before Code Red even started.
In total, the worldwide cost of Code Red was estimated at $2.6 billion for July and August.
Over 1 million out of the 5.9 million Microsoft IIS web servers in existence were infected by
some version of Code Red. As for who was behind it, that's still unclear. Some suspect China
because of the hacked by Chinese message, while others think it might have been launched by
someone who attended the DEF CON Hacker Conference in Las Vegas. While Code Red caused a lot of chaos
for systems administrators and organizations, it also served as a wake-up call about the
importance of securing web servers and applying patches on time. And honestly, even two decades
later, patching servers in a timely manner is still a huge issue, kind of like Cheetos
and Mountain Dew.
And that's the story of Code Red.
Until next time, in case you never heard it, I'll leave you with a clip of the epic original
Halo theme song, which is cemented in my childhood.
I'll see you next time.
Thank you.