CodeRed
From Protocolinfo
The Code Red worm exploited a vulnerability in Microsoft's IIS webserver. After its release in 2001, it spread very fast and caused significant slowdowns for large portions of the Internet. Code Red is no longer a major threat. More information can be found at cert.org.
Identification
Code Red attempts to connect to webservers on port 80. It then sends a request for the following page:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a
Code Red requests a file with the .ida extension and attempts a buffer overflow attack. A signature that matches the request above literally does not identify the variant that sends X characters instead of N. The signature can be generalized in the following way:
[/]default[.]ida[?][a-zA-Z0-9]+%u
There should NOT be any spaces between the groups.
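The following is an added example, not part of the original page: it applies the generalized pattern above, alongside a literal N-only signature, to constructed request lines to show which variants each one catches. The function names, the sample lines and the shortened filler are assumptions made for illustration.

```python
import re

# Generalized signature from the page, written as a Python regex.
GENERALIZED = re.compile(r"[/]default[.]ida[?][a-zA-Z0-9]+%u")
# Narrow signature: only a run of N filler characters before the first %u.
LITERAL_N = re.compile(r"/default\.ida\?N+%u")

def request_target(line):
    """Return the request target of an HTTP request line, or None."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]

def classify(line):
    """Label one request line: 'literal', 'generalized', 'clean' or 'malformed'."""
    target = request_target(line)
    if target is None:
        return "malformed"
    if LITERAL_N.search(target):
        return "literal"      # caught by the N-only signature
    if GENERALIZED.search(target):
        return "generalized"  # caught only by the generalized pattern
    return "clean"

# Constructed sample request lines (filler shortened; not captured traffic).
SAMPLES = [
    "GET /default.ida?" + "N" * 40 + "%u9090%u6858%u00=a HTTP/1.0",
    "GET /default.ida?" + "X" * 40 + "%u9090%u6858%u00=a HTTP/1.0",
    "GET /default.ida?page=2 HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

def run():
    """Classify every constructed sample, in order."""
    return [classify(s) for s in SAMPLES]

if __name__ == "__main__":
    for line, label in zip(SAMPLES, run()):
        print(f"{label:12} {line[:48]}")
```

The X-filled request is labelled "generalized" because only the broader pattern matches it, while an ordinary .ida query string without the %u sequence stays "clean".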

