CODE-RED WORM ATTACK

Code-Red Worm Attack

Following the American Psychological Association Style Guide


Introduction

This essay researches the Code Red worm attack of 2001 and presents the findings as an audit report. The report gives the technical background of the worm, explains how it compromised its targets, and is accompanied by a PowerPoint presentation that summarizes the findings. The essay proceeds from the background, to how the worm was able to spread, to how it looked on infected computers, to the presentation and the conclusion.

Background

Code Red was an Internet worm, not a virus: it needed no user action and no file to carry it, but spread on its own from one web server to the next. It appeared in July 2001 and attacked computers running Microsoft's Internet Information Services (IIS) web server (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002; Weaver, Paxson, Staniford & Cunningham, 2003; Zou, Gong & Towsley, 2002). The worm was released on July 13, 2001 and was being widely reported by July 15, 2001. eEye Digital Security was the first to identify and analyze it. eEye had also found the underlying IIS flaw a month earlier, and Microsoft had already published a patch for it (security bulletin MS01-033, June 18, 2001), so every machine the worm infected was one on which an available fix had not been applied (Berghel, 2001; Moore & Shannon, 2002).
The name has nothing to do with the worm's code: the eEye researchers who analyzed it were drinking Code Red Mountain Dew at the time, and the name stuck (Berghel, 2001). The first version, released on July 13, spread slowly because a bug in its own code made every copy scan the same list of addresses. A corrected version with a properly seeded random-address generator started spreading on July 19, 2001, and within about fourteen hours it had infected roughly 359,000 hosts, the largest number of infected IIS servers seen during the outbreak (Moore & Shannon, 2002; Zou, Gong & Towsley, 2002). The worm's behaviour was keyed to the day of the month: from the 1st to the 19th it scanned for and infected new hosts, from the 20th to the 27th it stopped scanning and flooded the IP address then used by www.whitehouse.gov with packets, and from the 28th to the end of the month it slept (Berghel, 2001; Moore & Shannon, 2002).
How the Worm Could Spread

Code Red did not rely on anyone opening an attachment or visiting a site. It exploited a buffer overflow in IIS: the Index Server ISAPI extension (idq.dll), which handles requests for .ida and .idq resources, copied the query string of a request into a fixed-size stack buffer without checking its length. A single crafted HTTP GET request for /default.ida with a query of several hundred repeated 'N' characters followed by the worm's machine code overran that buffer, overwrote control data on the stack and redirected execution into the worm's code (Berghel, 2001; Moore & Shannon, 2002; Zou, Gong & Towsley, 2002). The vulnerable extension was installed by default with IIS 4.0 and 5.0 and was reachable by anyone who could send a request to port 80, so every unpatched IIS host on the Internet was a target. Once running, the worm lived entirely in memory (it wrote nothing to disk, so a reboot removed it until the host was infected again), started about a hundred threads, and each thread generated random IP addresses and sent the same exploit request to port 80 on each of them. That combination, one request that takes over the server and an unlimited supply of new targets chosen at random, is exactly how the worm was able to spread so far so quickly (Moore & Shannon, 2002; Weaver, Paxson, Staniford & Cunningham, 2003; Zou, Gong & Towsley, 2002). Instruction-set randomization (Kc, Keromytis & Prevelakis, 2003) is one proposed generic defense against this class of code-injection attack; the immediate fix at the time was to apply MS01-033 or remove the .ida and .idq script mappings from IIS.
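To make the bug class concrete, here is an added example in C; it is not code from this page, from IIS or from the worm. It models a request handler for .ida/.idq queries: handle_ida_vulnerable() has the unchecked copy, handle_ida_hardened() refuses any query that would not fit, and would_overflow() is the check a responder could run over captured request lines. The 240-byte buffer, the request format and the function names are assumptions; the real idq.dll overflow involved different sizes and a wide-character conversion, but the shape of the defect is the same.

```c
/* Added example (not from the page, IIS or the worm): an unchecked copy of
 * attacker-controlled request data into a fixed-size stack buffer, next to
 * a bounds-checked version. QUERY_BUF and the request format are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define QUERY_BUF 240   /* assumed size of the handler's local buffer */

/* Find the query string of a request line such as
 * "GET /default.ida?NNNN... HTTP/1.0". Returns a pointer to the first byte
 * after '?' and stores its length, or NULL when the resource is not an
 * Index Server one (.ida/.idq) or carries no query. */
static const char *ida_query(const char *request_line, size_t *len)
{
    const char *path = strchr(request_line, ' ');
    if (!path) return NULL;
    path++;
    const char *end = strchr(path, ' ');      /* start of " HTTP/1.x", if any */
    const char *q = strchr(path, '?');
    if (!q || (end && q > end)) return NULL;
    if ((size_t)(q - path) < 4) return NULL;
    if (strncmp(q - 4, ".ida", 4) != 0 && strncmp(q - 4, ".idq", 4) != 0) return NULL;
    *len = end ? (size_t)(end - (q + 1)) : strlen(q + 1);
    return q + 1;
}

/* VULNERABLE pattern: copies the query into buf with no length check. With a
 * query longer than QUERY_BUF this smashes the stack, so it is only ever
 * called with short input here; it is shown to make the defect visible. */
int handle_ida_vulnerable(const char *request_line)
{
    char buf[QUERY_BUF];
    size_t len;
    const char *q = ida_query(request_line, &len);
    if (!q) return 0;
    memcpy(buf, q, len);   /* no check that len < sizeof buf */
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* HARDENED: decide whether the data fits before touching the buffer. */
bool handle_ida_hardened(const char *request_line, char *out, size_t out_sz)
{
    size_t len;
    const char *q = ida_query(request_line, &len);
    if (!q) return false;
    if (len >= out_sz) return false;   /* would overflow: refuse the request */
    memcpy(out, q, len);
    out[len] = '\0';
    return true;
}

/* Convenience wrapper: does the hardened handler accept this request line? */
bool hardened_accepts(const char *request_line)
{
    char out[QUERY_BUF];
    return handle_ida_hardened(request_line, out, sizeof out);
}

/* Detection-side check: would this request line have overflowed QUERY_BUF? */
bool would_overflow(const char *request_line)
{
    size_t len;
    const char *q = ida_query(request_line, &len);
    return q != NULL && len >= QUERY_BUF;
}

/* Constructed sample input: "GET /default.ida?" + run x 'N' + " HTTP/1.0". */
const char *sample_ida_request(size_t run)
{
    static char line[1024];
    const char *head = "GET /default.ida?", *tail = " HTTP/1.0";
    size_t p = strlen(head);
    if (run > 900) run = 900;
    memcpy(line, head, p);
    memset(line + p, 'N', run); p += run;
    memcpy(line + p, tail, strlen(tail) + 1);
    return line;
}

int main(void)
{
    char out[QUERY_BUF];
    const char *worm = sample_ida_request(300);
    printf("worm request would overflow: %d\n", would_overflow(worm));
    printf("hardened handler accepted it: %d\n", handle_ida_hardened(worm, out, sizeof out));
    printf("vulnerable handler on short input: %d chars\n",
           handle_ida_vulnerable("GET /x.ida?abc HTTP/1.0"));
    return 0;
}
```

The only difference between the two handlers is the one comparison before the copy; everything else the worm needed (a reachable service, attacker-controlled length, a stack buffer) was already there.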

How the Worm Looked on Computers

The original worm's only visible effect on a compromised server was a defacement. If the system's default language was US English, the worm hooked the server's responses for about ten hours so that a request for the site's home page got back the text: HELLO! Welcome to http://www.worm.com! Hacked By Chinese! The replacement page was served from memory; the files on disk were not modified, and the real page came back once the hook expired, which is one reason many administrators never noticed they had been infected (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002; Weaver, Paxson, Staniford & Cunningham, 2003; Zou, Gong & Towsley, 2002).

On August 4, 2001, Code Red II appeared. It was a different worm that reused the original's injection vector (the same idq.dll buffer overflow and the same crafted GET request, now padded with repeated 'X' characters instead of 'N') but carried a completely different payload: instead of defacing pages and flooding an address, it installed a backdoor by copying cmd.exe into web-accessible script directories as root.exe, so the host stayed open to anyone who knew the URL even after the worm itself was gone (Cowie, Ogielski, Premore & Yuan, 2001). Its target selection was different too. Rather than choosing addresses uniformly at random, it pseudo-randomly chose, according to a fixed probability distribution, a target in the same /8 or /16 as the infected host most of the time and a fully random address only occasionally. That bias concentrated infections inside networks that already had one infected machine, which is why it tore through enterprise networks behind firewalls and why its scanning traffic was heavy enough to disturb global routing (Cowie, Ogielski, Premore & Yuan, 2001).

eEye believed that Code Red II originated in Makati City, Philippines, the same origin as the VBS/Loveletter ("ILOVEYOU") worm (Berghel, 2001; Cowie, Ogielski, Premore & Yuan, 2001; Kc, Keromytis & Prevelakis, 2003; Long & Thomas, 2001; Moore, Paxson, Savage, Shannon, Staniford & Weaver, 2003; Moore & Shannon, 2002; Weaver, Paxson, Staniford & Cunningham, 2003; Zou, Gong & Towsley, 2002).
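As an added example (not from this page, from eEye or from any worm source), the following C code turns two of the behaviours described above into checks a responder could run: classify_request() separates the original worm's 'N'-padded .ida request from Code Red II's 'X'-padded one, and crii_pick_target() reproduces the subnet-biased target selection. The probability split used (1/8 any address, 1/2 same /8, 3/8 same /16) is the one commonly reported for Code Red II but is not stated on this page, so it is an assumption here; the xorshift generator, the 100-character run threshold and the function names are assumptions as well.

```c
/* Added example (not from the page or any worm source): variant
 * classification by fill byte, and a model of Code Red II's subnet-biased
 * target choice. The 1/8, 1/2, 3/8 split and the PRNG are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum worm_variant { NOT_CODE_RED = 0, CODE_RED_V1_V2 = 1, CODE_RED_II = 2 };

/* Constructed sample input: "GET /default.ida?" + run x fill + " HTTP/1.0". */
const char *build_ida_request(char fill, size_t run)
{
    static char line[1024];
    const char *head = "GET /default.ida?", *tail = " HTTP/1.0";
    size_t p = strlen(head);
    if (run > 900) run = 900;
    memcpy(line, head, p);
    memset(line + p, fill, run); p += run;
    memcpy(line + p, tail, strlen(tail) + 1);
    return line;
}

/* A .ida query that is a long run of one repeated byte is the signature;
 * the byte value tells the original worm ('N') from Code Red II ('X'). */
enum worm_variant classify_request(const char *request_line)
{
    const char *q = strstr(request_line, ".ida?");
    if (!q) return NOT_CODE_RED;
    q += 5;
    char fill = *q;
    if (fill != 'N' && fill != 'X') return NOT_CODE_RED;
    size_t run = 0;
    while (q[run] == fill) run++;
    if (run < 100) return NOT_CODE_RED;   /* assumed threshold; worm runs are hundreds long */
    return fill == 'N' ? CODE_RED_V1_V2 : CODE_RED_II;
}

/* xorshift32: a deterministic stand-in for the worm's own generator. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Next target as Code Red II is described to choose it: 1/8 of the time any
 * address, 1/2 of the time one in the infected host's /8, 3/8 of the time
 * one in its /16. Addresses are host-order 32-bit values. */
uint32_t crii_pick_target(uint32_t own_ip, uint32_t *seed)
{
    uint32_t bucket = xorshift32(seed) >> 29;   /* top 3 bits: uniform 0..7 */
    uint32_t pick = xorshift32(seed);
    if (bucket == 0)                             /* 1/8: fully random */
        return pick;
    if (bucket <= 4)                             /* 4/8: same /8 */
        return (own_ip & 0xFF000000u) | (pick & 0x00FFFFFFu);
    return (own_ip & 0xFFFF0000u) | (pick & 0x0000FFFFu);   /* 3/8: same /16 */
}

/* Share of n targets that fall inside own_ip's prefix (given by mask);
 * used to verify the bias, e.g. mask 0xFF000000 for the /8. */
double crii_prefix_fraction(uint32_t own_ip, uint32_t mask, uint32_t seed, int n)
{
    if (seed == 0) seed = 1;   /* xorshift must not start at zero */
    int hits = 0;
    for (int i = 0; i < n; i++) {
        uint32_t t = crii_pick_target(own_ip, &seed);
        if ((t & mask) == (own_ip & mask)) hits++;
    }
    return (double)hits / n;
}

int main(void)
{
    printf("N-run request -> variant %d\n", classify_request(build_ida_request('N', 224)));
    printf("X-run request -> variant %d\n", classify_request(build_ida_request('X', 224)));
    printf("share of targets in own /8:  %.3f\n",
           crii_prefix_fraction(0x0A141E28u, 0xFF000000u, 12345u, 20000));
    printf("share of targets in own /16: %.3f\n",
           crii_prefix_fraction(0x0A141E28u, 0xFFFF0000u, 12345u, 20000));
    return 0;
}
```

The prefix fractions come out near 0.875 for the /8 and 0.375 for the /16, which is the whole point of the design: an infected host spends most of its scanning on its neighbours, so one infection inside a network quickly becomes many.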

Summary with Power Point Presentation

Conclusion

This essay researched the Code Red worm attack and presented the findings as an audit report with an accompanying PowerPoint presentation. The report covered the worm's technical background and how it compromised its targets: a single unchecked buffer in an IIS component that was installed by default let one crafted HTTP request take over a server, and random scanning from every infected host turned that one bug into roughly 359,000 infections in well under a day (Moore & Shannon, 2002). Code Red II then reused the same hole with a more damaging payload and a smarter, subnet-biased way of choosing targets. The lessons are the ones that still apply: patch exposed services promptly (the fix had been available for a month before the worm appeared), remove components that are not needed, and look for the worm's signature in web server logs rather than waiting for a defacement to be noticed.


References

Berghel, H. (2001). The Code Red worm. Communications of the ACM, 44(12), 15-19. Retrieved from: http://dl.acm.org/citation.cfm?doid=501317.501328

Cowie, J., Ogielski, A., Premore, B., & Yuan, Y. (2001). Global routing instabilities during Code Red II and Nimda worm propagation. Retrieved from: http://course.ccert.edu.cn/reference/Worms/Global%20Routing%20Instabilities%20during%20Code%20Red%20II%20and%20Nimda%20Worm.pdf

Kc, G. S., Keromytis, A. D., & Prevelakis, V. (2003, October). Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM Conference on Computer and Communications Security (pp. 272-280). ACM. Retrieved from: http://www.cs.columbia.edu/~gskc/publications/isaRandomization.pdf

Long, N., & Thomas, R. (2001). Trends in denial of service attack technology. CERT Coordination Center. Retrieved from: http://resources.sei.cmu.edu/asset_files/WhitePaper/2001_019_001_52491.pdf

Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., & Weaver, N. (2003). Inside the Slammer worm. IEEE Security & Privacy, 1(4), 33-39.

Moore, D., & Shannon, C. (2002, November). Code-Red: A case study on the spread and victims of an Internet worm. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement (pp. 273-284). ACM. Retrieved from: http://dl.acm.org/citation.cfm?id=637244

Weaver, N., Paxson, V., Staniford, S., & Cunningham, R. (2003, October). A taxonomy of computer worms. In Proceedings of the 2003 ACM Workshop on Rapid Malcode (pp. 11-18). ACM. Retrieved from: http://dl.acm.org/citation.cfm?id=948190

Zou, C. C., Gong, W., & Towsley, D. (2002, November). Code Red worm propagation modeling and analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security (pp. 138-147). ACM. Retrieved from: http://home.eng.iastate.edu/~daji/seminar/papers/ZGT02.ACMCCS.pdf