How to mitigate the impact of the Code Red Worm


Sun, 03/03/2013 - 21:47
Jun 18th, 2009

Core issue

A malicious, self-replicating program known as the Code Red Worm targets systems running Microsoft Internet Information Server (IIS). Several Cisco products are installed on (or provided with) the targeted systems, and the worm's behavior can also cause problems for other network devices.

What is Code Red and Code Red II?

The Code Red and Code Red II worms appeared in the summer of 2001. Both worms exploited an operating system vulnerability found in machines running Windows 2000 and Windows NT. The vulnerability was a buffer overflow: when a machine running one of these operating systems receives more input than its buffer can hold, the excess starts to overwrite adjacent memory.

The original Code Red worm initiated a distributed denial of service (DDoS) attack on the White House. That means all the computers infected with Code Red tried to contact the Web servers at the White House at the same time, overloading the machines.

A Windows 2000 machine infected by the Code Red II worm no longer obeys its owner. That is because the worm creates a backdoor into the computer's operating system, allowing an attacker to access and control the machine. In hacking terms, this is a system-level compromise, and it is bad news for the victim. The attacker behind the worm can read information from the victim's computer or even use the infected computer to commit crimes. The victim therefore not only has to deal with an infected computer, but may also fall under suspicion for crimes he or she did not commit.


For the list of affected Cisco products, refer to the Affected Products section of the Cisco Security Advisory: "Code Red" Worm - Customer Impact. The same advisory gives comprehensive information on the impact, the workarounds, and the software updates available for the Code Red Worm.

You can also attempt to block the Code Red Worm at network ingress points using Network-Based Application Recognition (NBAR) and Access Control Lists (ACLs) within Cisco IOS Software on Cisco routers.

This solution should be used in conjunction with the recommended patches for IIS servers from Microsoft. For more information on this procedure, refer to Using Network-Based Application Recognition and ACLs for Blocking the "Code Red" Worm.
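The following Cisco IOS configuration is an added illustration of the NBAR-plus-ACL approach described above; it is not taken from this page or from the Cisco advisory it references. It relies on the well-known fact that the Code Red request targets the IIS Index Server ISAPI extension through a URL ending in ".ida". The interface names, the class-map and policy-map names, the ACL number 105 and the DSCP value 1 are assumptions chosen for the example; adjust them to your network.

```cisco
! NBAR requires Cisco Express Forwarding (assumption: the platform supports NBAR).
ip cef
!
! Classify HTTP requests whose URL contains ".ida", the signature of the
! Code Red request against the IIS Index Server ISAPI extension.
class-map match-any http-hacks
 match protocol http url "*.ida*"
!
! Mark matching packets with a DSCP value that is otherwise unused in this
! network, so a downstream ACL can single them out. DSCP 1 is an assumption.
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
! Apply the marking policy inbound on the Internet-facing (ingress) interface.
! Serial0/0 is a placeholder.
interface Serial0/0
 service-policy input mark-inbound-http-hacks
!
! Drop and log the marked packets on the interface facing the IIS servers;
! everything else is permitted unchanged.
access-list 105 deny ip any any dscp 1 log
access-list 105 permit ip any any
!
! FastEthernet0/0 is a placeholder for the server-facing interface.
interface FastEthernet0/0
 ip access-group 105 out
```

After applying it, `show policy-map interface Serial0/0` shows how many packets the class matched and `show access-lists 105` shows the hit count of the deny line; both give a rough measure of worm traffic reaching the ingress point. Two caveats: NBAR classifies on the packet that carries the HTTP GET, so the match is only as good as the URL pattern, and any legitimate request whose URL contains ".ida" is dropped as well; and, as the text above says, this filter complements the Microsoft patch for IIS rather than replacing it.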
