
INTERNET SECURITY

Hot on the Trail of ‘Code Red’ Worms

Tracking Internet Attacks
The Worm Returns
Malevolent Sibling

Someone turned the Code Red worm loose on the Internet in July, and in less than a day it infected hundreds of thousands of Web servers around the world. Using techniques originally developed to detect denial-of-service attacks, researchers at SDSC’s Cooperative Association for Internet Data Analysis (CAIDA) tracked the progress of the infestation. More than 359,000 computers were infected with a version of the Code Red worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute. This worm’s attack was relatively harmless, but the outbreak of the more virulent Code Red II worm in August put tens of thousands of computers at risk.

Figure 1. The First Infection

This graph shows the rapid spread of the Code Red infestation. The worm was programmed to switch from an "infection phase" to an "attack phase" at midnight GMT on July 20. The abrupt leveling off of the infection appears to be due to this switch.

Some computer viruses, worms, and denial-of-service attacks amount to irritations. However, others can assault the infrastructure of modern society, destroying data and degrading the efficiency of networked computing and communications. "A key component of CAIDA’s mission is to provide tools, methodologies, and analyses that promote a robust and scalable Internet," said David Moore, SDSC senior network researcher and a principal investigator at CAIDA. "One way we do that is by looking for trouble spots, and denial-of-service attacks and other remote exploits are definitely trouble."

Figure 2. The World Sees Red

This quantitative illustration shows the early (yellow), middle (orange), and late (red) stages in the spread of the Code Red worm on July 19. Copyright UC Regents, Jeff Brown for CAIDA, UCSD.

The Code Red worm infects computers by exploiting a security flaw in Microsoft Corporation’s Internet Information Services (IIS) and Personal Web Server (PWS) software. Only systems that run Microsoft Windows NT, Windows 2000, or Windows XP are vulnerable. Once the Code Red worm infects a host, it tries to reproduce by connecting to TCP port 80 at randomly generated Internet addresses and sending a copy of itself to any vulnerable server it finds. On the 20th day of the month, each copy of the worm abruptly shifts tactics: it stops reproducing and begins to flood the White House website with traffic in an attempt to overload its Web server. (The worm aimed at a hard-coded numeric IP address rather than the site’s host name, so the White House webmaster foiled this denial-of-service attack simply by moving the site to a different IP address.)

Figure 3. The Second Outbreak

Each data point indicates the number of infected systems detected in a 10-minute measurement interval. The infestation appears to be declining, with interesting fluctuations that correlate with the business day in Europe, North America, and East Asia. Times are in GMT; 00:00 GMT = 17:00 PDT of the previous date.

"The Code Red worm was exquisitely designed for maximum annoyance, but minimum damage," said Pat Wilson, Network Security Manager for UCSD. "It doesn’t alter the files on a computer’s disk drive, and it resides only in memory. You can stop the active worm by rebooting, but of course that’s not going to protect you from getting infected again–only applying the patch will do that."

Tracking Internet Attacks

Earlier this year, Moore and his colleagues used a technique they had developed called "backscatter analysis" to detect and track denial-of-service attacks. In these attacks, the victim is flooded with packets whose source addresses have been forged, and it dutifully sends a response to each forged address. Because the attacker picks those source addresses at random, the victim’s responses are scattered across the whole Internet, an effect called backscatter, and a monitor on otherwise unused address space sees its share of them.

"By examining the message traffic directed at normally unused sections of the Internet, we were able to track the Code Red infection," said Moore. On July 19, CAIDA’s monitors detected an unusual burst of activity–not a denial-of-service attack, but thousands of copies of the worm trying to infect other computers. "We analyzed data from a 24-hour period, beginning midnight GMT July 19," said Moore (Figure 1). "When the worm tried to transplant itself into machines at randomly generated IP addresses, some of them were in the sections we were monitoring."
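The measurement described above, as an added example rather than CAIDA’s own code: a monitor on a block of unused address space records every probe that lands there, and because a random-scanning worm spreads its probes uniformly over the address space, the unique source addresses seen per 10-minute interval approximate the number of hosts actively infected in that interval. The monitored prefix (an unused /8, chosen only because it is reserved space), the size of the infected population and the probe records are all constructed here; the names `simulate_telescope`, `sources_per_bin` and `cumulative_unique` are this example’s own.

```python
"""Counting worm-infected hosts with a network telescope.

Added example, not CAIDA's code. Assumptions: the monitor covers one unused /8;
infected hosts probe uniformly random IPv4 addresses; the host population and
probe timing are constructed with a seeded generator.
"""
import random
from collections import defaultdict

TELESCOPE_PREFIX_LEN = 8      # assumed: monitor covers one /8
TELESCOPE_NET = 10 << 24      # assumed: 10.0.0.0/8, picked only because it is reserved
BIN_SECONDS = 600             # the article's 10-minute measurement interval


def in_telescope(addr):
    """True if the 32-bit integer address falls inside the monitored block."""
    shift = 32 - TELESCOPE_PREFIX_LEN
    return (addr >> shift) == (TELESCOPE_NET >> shift)


def simulate_telescope(hosts, probes_per_host, duration, rng):
    """Return sorted (timestamp, src) pairs for every probe that lands in the telescope.

    Each infected host sends probes_per_host probes at random times within
    `duration` seconds, each to a uniformly random IPv4 address. Only the
    probes that hit the monitored block are visible, exactly as a real
    telescope only sees the traffic addressed to it.
    """
    seen = []
    for src in hosts:
        for _ in range(probes_per_host):
            dst = rng.getrandbits(32)
            if in_telescope(dst):
                seen.append((rng.uniform(0, duration), src))
    seen.sort()
    return seen


def sources_per_bin(events, bin_seconds=BIN_SECONDS):
    """Number of distinct source addresses seen in each measurement interval (Figure 3 style)."""
    bins = defaultdict(set)
    for ts, src in events:
        bins[int(ts // bin_seconds) * bin_seconds].add(src)
    return {start: len(srcs) for start, srcs in sorted(bins.items())}


def cumulative_unique(events, bin_seconds=BIN_SECONDS):
    """Running count of distinct infected sources by interval (Figure 1 style)."""
    seen, curve = set(), {}
    for ts, src in events:
        seen.add(src)
        curve[int(ts // bin_seconds) * bin_seconds] = len(seen)
    return curve


def detection_probability(probes, prefix_len=TELESCOPE_PREFIX_LEN):
    """Chance that a host sending `probes` uniform probes hits the telescope at least once.

    Each probe lands in a /prefix_len block with probability 2**-prefix_len, so a
    host that probes slowly is a likely miss: the telescope count is a lower bound.
    """
    p_hit = 2.0 ** -prefix_len
    return 1.0 - (1.0 - p_hit) ** probes


def run(n_hosts, probes_per_host, duration, seed):
    """Build a constructed infected population, observe it, and summarise what the telescope saw."""
    rng = random.Random(seed)
    hosts = {rng.getrandbits(32) for _ in range(n_hosts)}   # constructed population
    events = simulate_telescope(hosts, probes_per_host, duration, rng)
    seen = {src for _, src in events}
    return {
        "hosts": len(hosts),
        "seen": len(seen),
        "expected_seen": detection_probability(probes_per_host) * len(hosts),
        "per_bin": sources_per_bin(events),
        "cumulative": cumulative_unique(events),
    }


if __name__ == "__main__":
    result = run(n_hosts=2000, probes_per_host=500, duration=3600, seed=2001)
    print(f"telescope saw {result['seen']} of {result['hosts']} infected hosts "
          f"(expected about {result['expected_seen']:.0f})")
    for start, n in result["per_bin"].items():
        print(f"{start:5d}s  {n} active sources")
```

The practical caveat the numbers make visible: a /8 sees only 1/256 of the address space, so a host that has sent fewer than a few hundred probes has a fair chance of never being counted, and the per-interval figure is a lower bound on active infections rather than a census.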

Figure 4. Cycles of Desktop Infection

Many infected computers in various time zones seem to be turned on and off according to local business hours, implying that they are not Web servers, which operate continuously.

Moore’s study collected data from two sources–the UCSD network and, with the help of Vern Paxson, Lawrence Berkeley National Laboratory. (Paxson provided Internet data from monitors on two Lawrence Berkeley networks.) In addition, Pat Wilson, Brian Kantor, and Stefan Savage of UCSD, and K. Claffy, Ken Keys, Ryan Koga, and Colleen Shannon, all of CAIDA, and Jeff Brown of SDSC’s National Laboratory for Applied Networking Research, contributed data, analyses, and advice in the tracking effort.

Forty-three percent of all infected hosts were in the United States, 11 percent were in Korea, 5 percent in China, and 4 percent in Taiwan (Figure 2). The .NET Top Level Domain accounted for 19 percent of all compromised machines, followed by .COM with 14 percent, and .EDU with 2 percent. The CAIDA study also observed 0.04 percent of .MIL and 0.11 percent of .GOV hosts infected by the worm. Moore noted that at least 10 percent of the infected hosts were in the domains of Internet Service Providers of home and small business systems. "Machines operated by home users or small businesses are much less likely to be maintained by a professional system administrator, who would react quickly to a security threat," he said. "But PCs are as integral to the health of the global Internet as the big systems."

The IIS vulnerability was a serious security hole, exploitable by other worm programs with more sinister intentions.

In the last week of July, officials representing both Microsoft and the FBI’s National Infrastructure Protection Center pleaded with computer operators to install a free software patch to fix the crucial defect in Microsoft’s IIS. Microsoft and the FBI feared that the worm would begin a second round of infection at the beginning of August.

The Worm Returns

The fear was warranted. The worm had been programmed to be infectious for the first 20 days of July, to attack www.whitehouse.gov for the rest of the month, and then to deactivate itself (apparently an act of relative kindness by the worm’s unknown author). During the afternoon of Tuesday, July 31, CAIDA researchers set up their network monitors to track the possible appearance of an August outbreak. Because the worm consults the local system clock, active, infectious copies had survived on computers whose dates were set incorrectly, and those copies could seed a new round of infection as soon as the calendar rolled over. As expected, the worm stirred at 00:00 GMT on August 1 in Europe and Asia, while it was still July 31 in California.

"In the second round of infection, we saw the worm infect 85,000 systems in only four hours," Moore said. "Only a day after the outbreak, it had infected more than 142,000 hosts. In the course of two weeks, we observed infection attempts from machines at more than 4 million unique IP addresses, but only a few percent of that total were active at any one time. Dynamic reassignment of IP addresses as people log off and on may account for this."

The worm had a smaller pool of potential victims to attack because many system administrators had patched their software. Roughly 40 percent of the total number of systems that were infected in the first attack were hit again.

A graph of the infection in the second outbreak (Figure 3) reveals two interesting trends. The number of infected systems seems to have slowly decreased, possibly as system administrators belatedly began patching their software. But unexpectedly, the number of systems infected varies on a periodic basis.

"The fluctuations strongly correlate to the business work day," said CAIDA researcher Colleen Shannon. "People in various time zones come to work in the morning and turn on their computers, which then become infected. At the end of the workday, they shut down their machines for the night (Figure 4). The fluctuations indicate that, contrary to most of the publicity, the worm is infecting a significant number of desktop systems in addition to dedicated Web servers, which typically run all the time. Tens of thousands of computer users may be unaware that Microsoft’s IIS software is running on their systems, activated by accident or by another program without their knowledge."

Malevolent Sibling

Several days into the August outbreak, a new worm appeared, calling itself "Code Red II"–the name is embedded in the worm’s programming. The new software takes advantage of the same vulnerability that allowed the first worm to propagate. The new predator spreads more efficiently because it does not pick its targets uniformly at random: it prefers machines with nearby IP addresses, machines that are likely to be on the same local network as the host it has just infected.
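What the locality preference above means for the telescope measurement described earlier, as an added example that is neither CAIDA’s nor the worm’s code: a generator that keeps a share of its probes inside the source’s own /8 and /16 is contrasted with the uniform generator, and both are observed from a monitor on an unused /8. The locality weights (`P_SAME_8`, `P_SAME_16`) are an assumption for illustration, not Code Red II’s actual constants; the monitored prefix and the infected population are constructed.

```python
"""Locality-biased versus uniform target selection, seen from a network telescope.

Added example, not CAIDA's or the worm's code. Assumptions: the monitor covers
an unused /8 (so no infected host lives inside it); the biased generator's
weights below are illustrative only.
"""
import random

TELESCOPE_FIRST_OCTET = 10          # assumed: monitor covers 10.0.0.0/8
P_SAME_8, P_SAME_16 = 0.5, 0.375    # assumed weights; the remaining 0.125 is uniform


def uniform_target(src, rng):
    """Every probe goes to a uniformly random address (the article's Code Red behaviour)."""
    return rng.getrandbits(32)


def local_target(src, rng):
    """Prefer addresses near the source: same /8, then same /16, else anywhere."""
    r = rng.random()
    if r < P_SAME_8:
        return (src & 0xFF000000) | rng.getrandbits(24)
    if r < P_SAME_8 + P_SAME_16:
        return (src & 0xFFFF0000) | rng.getrandbits(16)
    return rng.getrandbits(32)


def in_telescope(addr):
    return (addr >> 24) == TELESCOPE_FIRST_OCTET


def make_hosts(n, rng):
    """Constructed infected population, all outside the unused telescope block."""
    hosts = set()
    while len(hosts) < n:
        a = rng.getrandbits(32)
        if not in_telescope(a):
            hosts.add(a)
    return hosts


def observed_fraction(hosts, probes_per_host, target_fn, rng):
    """Fraction of infected hosts the telescope sees at least once."""
    seen = set()
    for src in hosts:
        for _ in range(probes_per_host):
            if in_telescope(target_fn(src, rng)):
                seen.add(src)
                break
    return len(seen) / len(hosts)


def expected_fraction(probes, uniform_share):
    """Analytic counterpart: only the uniform share of probes can reach an unused /8,
    so a host outside the block hits it with probability uniform_share/256 per probe."""
    return 1.0 - (1.0 - uniform_share / 256.0) ** probes


def locality_share(src, n, seed, prefix_bits):
    """Fraction of n biased targets that share the source's leading prefix_bits."""
    rng = random.Random(seed)
    shift = 32 - prefix_bits
    hits = sum(1 for _ in range(n) if (local_target(src, rng) >> shift) == (src >> shift))
    return hits / n


def compare(n_hosts, probes_per_host, seed):
    """Observed and expected visibility of the same population under both strategies."""
    rng = random.Random(seed)
    hosts = make_hosts(n_hosts, rng)
    return {
        "uniform": observed_fraction(hosts, probes_per_host, uniform_target, rng),
        "uniform_expected": expected_fraction(probes_per_host, 1.0),
        "local": observed_fraction(hosts, probes_per_host, local_target, rng),
        "local_expected": expected_fraction(probes_per_host, 1.0 - P_SAME_8 - P_SAME_16),
    }


if __name__ == "__main__":
    c = compare(n_hosts=2000, probes_per_host=256, seed=19)
    print(f"uniform worm: telescope sees {c['uniform']:.1%} of hosts (expected {c['uniform_expected']:.1%})")
    print(f"local worm:   telescope sees {c['local']:.1%} of hosts (expected {c['local_expected']:.1%})")
    src = 0xC0A80101   # constructed source address
    print(f"share of biased probes staying in the source's /16: {locality_share(src, 20000, 3, 16):.1%}")
```

The check a practitioner would want is the second line of output: with the same population and the same probe rate, a monitor on unused space sees a locality-preferring worm several times less often than a uniform one, so a drop in the telescope count after Code Red II appeared would not by itself mean fewer infections.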

Code Red II modifies disk files, making its eradication much more difficult to accomplish. "Computer operators should disinfect afflicted machines by erasing their disks and re-installing the operating system and other files from backups," Moore said.

When the Code Red II worm infects a computer, it installs several files, including a "back door." This entry point enables a hacker to remotely log into and control any infected computer and install additional malicious software. Among many other opportunities for mayhem, this capability puts credit card information at risk in Web servers that support electronic commerce.

"The original Code Red worm was more of a warning shot than a malicious exploit," Moore said. "It did little permanent damage, but its method of attack involved a potentially devastating security hole. Yet more than 100,000 systems remained unpatched after a week of intense publicity. Regardless of whether this is due to ignorance or apathy, it is very troubling. Now Code Red II is loose. It isn’t firing warning shots–it’s hunting, and we’re its targets." –MG



Researchers
David Moore
Jeff Brown
K. Claffy
Ryan Koga
Colleen Shannon

SDSC


www.caida.org

www.caida.org/analysis/security/code-red