As stated earlier, the .ida "Code Red" worm is spreading among IIS web servers on the Internet via the .ida buffer overflow that was published weeks ago.
The following are the steps the worm takes once it has infected a vulnerable web server.
1. Set up the initial worm environment on the infected system.
2. Set up 100 worm threads.
3. The first 99 threads are used to spread the worm (infect other web servers).
-The worm spreads itself by generating a sequence of random IP addresses to attack. However, the worm's choice of addresses is not altogether random. There appears to be a static seed that the worm uses when generating new IP addresses, so every computer infected by this worm will walk through the same list of "random" IP addresses and try to infect each of them. The "problem" with that is that the worm ends up reinfecting systems that are already infected, and the traffic crossing back and forth between those hosts amounts to a denial of service effect, simply because of the volume of data exchanged among all the addresses in the fixed sequence. Truly random IP generation would have let the worm infect far more systems far faster. We are not sure why that was not done, but a friend of ours posed an interesting idea: if the person who wrote this worm owned an IP address that was among the first hundred or thousand to be scanned, they could set up a sniffer, and any time an IP address tried to connect to port 80 on that address they would know the connecting host was infected. In that way they could build a list of the majority of systems infected by this worm.
4. The 100th thread checks whether it is running on an English (US) Windows NT/2000 system.
-If the infected system is found to be an English (US) system, the worm proceeds to deface the infected system's website. That is, the local web server's page is replaced with a message that says Welcome to http://www.worm.com !, Hacked By Chinese!. This hacked web page stays "live" on the web server for 10 hours, then disappears and never appears again unless the system is re-infected by another host.
-If the system is not an English (US) Windows NT/2000 system, the 100th worm thread is also used to infect other systems.
5. Each worm thread checks for c:\notworm
-If the file c:\notworm is found, the worm goes dormant.
-If the file is not found then each thread will continue to attempt to infect more systems.
6. Each worm thread now checks the infected computer's time.
-If the time is between 20:00 UTC and 23:59 UTC, the worm uses this thread to attack www.whitehouse.gov. The attack consists of the infected system sending 100k bytes of data to port 80 of www.whitehouse.gov, potentially producing a denial of service against www.whitehouse.gov.
-If the time is before 20:00 UTC, this worm thread tries to find and infect new web servers.
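The following is an added example, written for this page and not eEye's code or the worm's, that models the behaviour described in steps 3 through 6: a fixed-seed address generator, the sniffer idea from step 3 (an observer whose address sits early in the fixed scan list sees every infected host connect to it), and the per-thread decision between defacing, going dormant, flooding www.whitehouse.gov and spreading. The seed value, the choice of PRNG, the 1000-target horizon and the list of "infected" hosts are all assumptions made for the simulation; the text gives none of them.

```python
# Added example (not eEye's code and not the worm's): a model of the
# target-selection and thread-role logic described in steps 3-6 above.
# STATIC_SEED, the PRNG and TARGETS_PER_HOST are assumptions for the
# simulation; the real values are not given in the text.
import random

STATIC_SEED = 0x1337        # assumed placeholder for the worm's fixed seed
TARGETS_PER_HOST = 1000     # assumed scan horizon used by the observer check


def random_ipv4(rng):
    """Draw one dotted-quad address from the supplied PRNG (octets 1-254)."""
    return ".".join(str(rng.randrange(1, 255)) for _ in range(4))


def scan_sequence(seed, count):
    """The ordered list of addresses an instance seeded with `seed` would attack."""
    rng = random.Random(seed)
    return [random_ipv4(rng) for _ in range(count)]


def scan_overlap(seed_a, seed_b, count):
    """How many targets two instances share in their first `count` attempts.

    With one static seed every instance shares the whole list (reinfection and
    cross traffic); with independent seeds the overlap is essentially zero.
    """
    return len(set(scan_sequence(seed_a, count)) & set(scan_sequence(seed_b, count)))


def hosts_seen_by_observer(infected, observer_ip, seed_for_host, horizon=TARGETS_PER_HOST):
    """Infected hosts whose first `horizon` targets include the observer's address.

    This is the sniffer idea from step 3: whoever owns an address that appears
    early in the fixed sequence sees a port-80 connection from every infected host.
    """
    return {h for h in infected if observer_ip in scan_sequence(seed_for_host(h), horizon)}


def thread_role(thread_index, english_us, notworm_exists, utc_hour):
    """Which job a worm thread takes, following steps 3-6 in the order listed above.

    thread_index is 1-based (1..100); utc_hour is 0..23 on the infected host's clock.
    """
    if thread_index == 100 and english_us:
        return "deface"      # step 4: the 100th thread on an English (US) NT/2000 box
    if notworm_exists:
        return "dormant"     # step 5: c:\notworm acts as a kill switch
    if 20 <= utc_hour <= 23:
        return "dos"         # step 6: 20:00-23:59 UTC, send 100k bytes to www.whitehouse.gov:80
    return "spread"          # otherwise keep infecting (threads 1-99, and thread 100 on non-US)


def demo():
    """Compare the static-seed worm with a hypothetical per-host-seed variant."""
    infected = [f"10.0.{i // 256}.{i % 256}" for i in range(1, 51)]   # constructed host list
    observer = scan_sequence(STATIC_SEED, 1)[0]   # an address that is first in the fixed list

    static_seen = hosts_seen_by_observer(infected, observer, lambda h: STATIC_SEED)
    per_host_seen = hosts_seen_by_observer(infected, observer, lambda h: infected.index(h) + 1)

    return {
        "static_seen": len(static_seen),        # every infected host connects to the observer
        "per_host_seen": len(per_host_seen),    # almost certainly none of them do
        "static_overlap": scan_overlap(STATIC_SEED, STATIC_SEED, TARGETS_PER_HOST),
        "per_host_overlap": scan_overlap(1, 2, TARGETS_PER_HOST),
    }


if __name__ == "__main__":
    print(demo())
    for t, eng, kill, hour in [(5, True, False, 10), (100, True, False, 10),
                               (100, False, False, 21), (42, False, True, 21)]:
        print(t, eng, kill, hour, "->", thread_role(t, eng, kill, hour))
```

Running demo() shows the point of the static-seed observation: with one seed the observer's address is hit by all 50 simulated hosts and two instances share their entire target list, while with independent seeds the observer sees nothing and the two lists barely intersect.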
In testing we have calculated that the worm can attempt to infect roughly half a million IP addresses a day; that is a rough estimate, made on a very slow network.
As of the writing of this document (July 18, 6:49pm) we have had reports from administrators who have been probed by over 12 thousand unique hosts. That means at least 12 thousand hosts have been infected by this worm.
In testing we have seen that sometimes the worm does not execute correctly and keeps spawning new threads until the infected machine crashes and has to be rebooted. We have not been able to isolate the cause of this behavior.