Code Red - Sixth Anniversary Of Internet Worm Attacks


#1 harrywaldron


    Security Reporter


Posted 20 July 2007 - 12:53 PM


The Code Red attacks in July and August of 2001 represent one of the first completely automated major security attacks for Windows servers that were not completely up-to-date on security patches.

A critical security patch was issued by Microsoft on June 18, 2001, and the first Code Red worm surfaced about one month later, on July 13, 2001. It was essentially a reverse engineering of the MS01-033 security patch to automatically manipulate the Windows NT and 2000 Index Server environment used by IIS 4 and 5. The peak number of infections was around 359,000 by July 19, 2001.

Code Red II was a much more potent attack launched on August 4, 2001. It was not just another variant of Code Red, as it was a complete redesign and rewrite of the original attack. Code Red II had a more sophisticated design for randomly calculating IP addresses.

The paradigm presented by both Code Red and Nimda got administrators into the mode of applying patches expeditiously, at least for servers. Still, more lessons were learned about workstation patching when the Blaster worm surfaced in August 2003.

Hopefully, history will not repeat itself, where you simply plug a PC/server into the Internet and you get zapped. One of Microsoft's TWC improvements helps here: the XP SP2 and Vista firewalls help protect against the potentially malicious traffic that constantly surfaces on inbound TCP/IP ports.

A key lesson learned is to constantly monitor the changing landscape associated with security risks. Something that's completely safe today may not be tomorrow. Finally, I believe that even after six years, Code Red I or II may still reside in limited circulation on some of the unpatched servers out there.

Wiki Links for Code Red I and II

MS01-033 - The key security bulletin exploited by these attacks

Microsoft MVP Steve Friedl's Excellent Analysis
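For anyone checking whether the post's closing worry still applies to their own web servers, the following is an added example (editor's code, not part of the original post or of any linked analysis) that scans IIS-style log lines for the Code Red request signature: a request for the Index Server ISAPI extension (`/default.ida`) whose query string opens with a long run of a single filler character (`N` for Code Red v1/v2, `X` for Code Red II) followed by `%u`-encoded payload bytes. The log field order, the host addresses, and the shortened filler runs are assumptions made for the example; a real probe carries roughly 224 filler bytes before the payload.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed IIS W3C-style field order for this example:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# The %u-encoded tail below is the well-known Code Red payload prefix; the
# source addresses are RFC 5737 documentation addresses (constructed data).
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003"
           "%u8b00%u531b%u53ff%u0078%u0000%u00=a")

SAMPLE_LOG = "\n".join([
    f"2001-07-19 10:22:31 192.0.2.10 GET /default.ida {'N' * 40}{PAYLOAD} 200",
    f"2001-08-04 03:14:07 198.51.100.7 GET /default.ida {'X' * 40}{PAYLOAD} 200",
    "2001-08-04 03:15:00 203.0.113.5 GET /index.html - 200",
    "2001-08-04 03:16:11 203.0.113.9 GET /default.ida q=test 404",
])

# The probe overflows the .ida ISAPI filter with a run of one filler byte,
# then supplies the payload as %uXXXX (Unicode) escapes that the filter decodes.
FILLER_RUN = re.compile(r"^([NX])\1{19,}")        # 20+ repeats of N or X at query start
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")  # at least one %u-encoded word


@dataclass
class Hit:
    timestamp: str
    source_ip: str
    variant: str
    filler_len: int


def classify_line(line: str) -> Optional[Hit]:
    """Return a Hit if the log line looks like a Code Red probe, else None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    date, clock, c_ip, _method, stem, query, _status = fields[:7]
    if not stem.lower().endswith(".ida"):
        return None
    run = FILLER_RUN.match(query)
    if run is None or not UNICODE_ESCAPE.search(query):
        return None
    variant = "Code Red (v1/v2)" if run.group(1) == "N" else "Code Red II"
    return Hit(f"{date} {clock}", c_ip, variant, len(run.group(0)))


def scan(log_text: str) -> List[Hit]:
    """Scan a block of log lines and collect every Code Red probe found."""
    hits = (classify_line(line) for line in log_text.splitlines())
    return [hit for hit in hits if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.source_ip}: {hit.variant} "
              f"({hit.filler_len}-byte filler run)")
```

The check keys on the structure of the request (an `.ida` target, a filler run, and `%u` escapes) rather than on the exact payload bytes, so trivially re-padded variants are still flagged; a legitimate `.ida` query with no filler run, like the last sample line, is ignored.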
