CodeRed: A Case Study on the Spread

1
Introduction

• Code-Red A Case Study on the Spread
• and Victims of an Internet Worm
• D. Moore, C. Shannon, K. Claffy
• Observation and Analysis of BGP
• Behavior under Stress
• L. Wang, X. Zhao, D. Pei, R. Bush, D. Massey,
• A. Mankin, S. Wu, L. Zhang

2
Outline

• About Code-Red
• Flavors of Code-Red
• Spread of Code-Red
• Observations on Code-Red
• Paving the way for Nimda
• Resulting Impact
• Code-Red and Beyond

3
About Code-Red

• Exploits a buffer-overflow vulnerability in the
  MS IIS web server
• If day of month is 1 through 19, worm attempts to
  spread
• If day of month is 20 through 28, worm DoS
  attacks www1.whitehouse.gov
• On remaining days of the month, the worm is
  dormant

4
Flavors of Code-Red

• Initial variant became known as Code-RedI v1
  (07-12-01)
• Used a static seed for random number generator,
  thus limiting its spread
• Not very damaging
• Second variant entitled Code-RedI v2 (07-19-01)
• Fixed the bug in the first worm and thus had a
  much greater impact

5
Flavors of Code-Red

• Third variant was named Code-RedII (08-04-01)
• Most harmful of the three
• Lies dormant for a day and then reboots the
  machine
• Uses a much more complex random IP selection
  scheme
• Installs backdoor software, thus effectively
  turning compromised machines into zombies

6
Spread of Code-Red

• Code-RedI v1 had little impact on global
  resources
• Code-RedI v2 spread to more than 359,000 machines
  in 14 hours
• Code-RedII spread to the same host population as
  Code-RedI v2
• Code-RedI v2 traffic is difficult to distinguish
  from Code-RedII

7
Total of Infected IP Addresses
8
Infection Rates
9
Observations on Code-Red

• Host characterization by domain shows ISP domains
  most infected
• Noticeable diurnal cycle on infected hosts (1/3
  1/2)

10
Observations on Code-Red

• Patch rate was described as sluggish
• July 24 through July 31, 1.5 patched per day
• After worm began spreading again on August 1,
  patches systems doubled from 32 to 64
• .EDU patched well, .COM and .NET did not respond
  as well

11
Patch Rate
12
Paving the way for Nimda

• Nimda is a mass-mailing virus that was released
  on 09-18-01
• Spreads via email, but also installs itself on
  IIS servers previously compromised by Code-Red
• Can also propagate itself via compromised IIS
  servers

13
Resulting Impact

• This combined threat of Code-Red and Nimda ended
  up having an effect on BGP itself
• At the peak of the attack, a massive increase in
  BGP updates was recorded
• It was believed at the time that this behavior
  indicated a global routing instability

14
BGP Announcements
15
Resulting Impact

• Further study showed that the majority of these
  BGP updates did not lead to AS path changes
• Of the path changes that did occur, they were
  limited to a small subset of unstable networks

16
Resulting Impact

• After analyzing the data, it was discovered that
  BGP did not exhibit routing instability
• The apparent instability was a series of
  monitoring artifacts
• However, local changes proved to have a global
  scope
• BGP should be improved to better prepare for the
  future

17
Code-Red And Beyond

• Major virus attacks since Code-Red
• Sobig (multiple variants)
• SQL Slammer
• Blaster/Welchia
• Are we prepared for the next big virus?