Code Red Emails

I got a call from a company in Atlanta, Georgia recently, wondering why someone at www-data@cbservices.dyndns.org was sending them emails about a virus. I was explaining to them that these emails were in fact being sent automatically by my server in response to a virus attack from their server when my cordless phone battery died without any warning. As I hadn't got a return phone number or an email address from them, I couldn't call them back or contact them in any way. They did, however, call back the next day and thank me, saying that before we were cut off, they got all the information they needed to fix their server. Glad I could help... your bill is in the mail! :)
I realized though, that my automated email didn't really explain things very well, so here goes:

Around July of 2001, there was a worm-type virus written which exploited a security hole in Microsoft's IIS webserver software. This virus was dubbed CodeRed. The virus, once it infected a computer, would send out requests to random internet addresses, attempting to infect any other server it found. These requests are easily recognizable in server logs. As my webserver is neither running IIS, nor missing any security patches, I could see these attempts to infect my server throughout my logfiles. Originally, I started looking up these infected computers, and manually emailing the administrator of the computer in question that their system was infected with a virus. I soon found, however, that many of these computers were in fact home users' systems with Microsoft Personal Web Server running on Windows 95, 98, or Me, and some were even dial-up systems which had disconnected by the time I got around to checking for hits from the virus. When a dial-up system disconnects from the internet, there is no way to trace it when it reconnects, as it would have a different IP address. Basically, it would be like trying to find the owner of a house, when you go to where it was, and the whole house is gone. This is also true of some always-on high speed internet connections. Besides, the flood of infected computers quickly overwhelmed my attempts to do this manually.

At that point, I realized I needed something that acted quicker, so I wrote a small program that monitored requests to my webserver, and immediately emailed out an automated message when it detected a request from a CodeRed infected machine. This worked quite nicely for a while, at least for commercial Windows NT systems (9x has no mail server, and therefore cannot receive emails sent directly to it), and it seemed this vulnerability gradually got patched, because these requests tapered off to almost nothing. I still get one or two hits a week from China, Russia, and a few other places, but very few. I left my program in place on my server, because it was only actually run when a request came in for a page that couldn't be found on the server. We've all seen them:

"404 error. The page you requested could not be found!"

As it wasn't taking any resources away from other programs running full-time on the computer, I saw no reason to remove it.

A few months later, however, a modified version of this virus was written, which is called, appropriately enough, CodeRed II. It appears to me that it exploits the same vulnerability in IIS, and requests from this new one come at least as often as the period of highest traffic from the original. This makes me think that the vulnerability has not, in fact, been widely patched, but rather, anti-virus software updates took care of the original. Since the page requests for the two versions are similar enough, and my monitoring program isn't overly picky about what it thinks is a CodeRed request, it detects the second version just the same as the first. As a result, my server is again sending lots of automated emails to administrator accounts on servers which are apparently sending CodeRed II requests.

The addresses this program sends messages to are:

administrator@IP
administrator@hostname
root@IP
all@IP

The "IP" part of the address is replaced with the IP address of the machine which actually made the request, and the "hostname" part is replaced with the actual hostname of the computer for its current connection to the internet. Since "administrator" is the default account on Windows NT machines for administrator access, I put that one first. "root" is the equivalent account on Linux, which, while immune to this virus, I included just in case the virus writer was smart enough to have it fake the address the request came from, so as to be untraceable. "all" was included just as a simple attempt at a catch-all in case the first two didn't work.
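As an added illustration (not the author's program, which is not shown on this page), here is a Python sketch of the two pieces described above: a deliberately loose detector run over 404 lines of an access log, and the four-address recipient list built from the requesting IP and its hostname. The /default.ida request shape used as the signature comes from public descriptions of the worm rather than from this page; the log lines, IP addresses and hostname are constructed sample data.

```python
import re
from typing import Optional

# Constructed Apache common-log lines (sample data, not from the page). The
# /default.ida?N... and ?X... shapes are the public Code Red / Code Red II signatures.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:13:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 297
192.0.2.20 - - [05/Aug/2001:09:44:53 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 297
198.51.100.7 - - [05/Aug/2001:09:45:01 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [05/Aug/2001:09:46:30 -0400] "GET /missing.html HTTP/1.1" 404 297
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def classify_request(path: str) -> Optional[str]:
    """Loose check, like the author's: any /default.ida query is treated as Code Red traffic."""
    if not path.lower().startswith("/default.ida?"):
        return None
    query = path.split("?", 1)[1]
    if query.startswith("X"):
        return "CodeRed II"
    if query.startswith("N"):
        return "CodeRed"
    return "CodeRed (unknown variant)"

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (source_ip, variant) for each 404 line that looks like Code Red; other statuses are ignored."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        variant = classify_request(m["path"])
        if variant:
            hits.append((m["ip"], variant))
    return hits

def notice_recipients(ip: str, hostname: Optional[str] = None) -> list[str]:
    """The four addresses from the text; hostname is what a reverse-DNS lookup of ip
    would return (socket.gethostbyaddr), passed in so this runs offline and skipped if unknown."""
    recipients = [f"administrator@{ip}"]
    if hostname:
        recipients.append(f"administrator@{hostname}")
    recipients += [f"root@{ip}", f"all@{ip}"]
    return recipients

if __name__ == "__main__":
    for ip, variant in scan_log(SAMPLE_LOG):
        print(variant, "from", ip, "->", ", ".join(notice_recipients(ip)))
```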

The program I wrote sends an email to all these four addresses every time it detects a CodeRed or CodeRed II request. If you're getting these frequently in your inbox, you can be pretty sure you have this virus. Without patching all the security vulnerabilities, you will never be rid of this virus. Simply rebooting the computer will temporarily rid you of it, as at least the original doesn't infect any files, but as soon as another infected computer sends a request to your IP address again, you'll be infected a second time. I'm getting requests from this virus several times a day, sometimes as quickly as a minute apart. At most, you'd get a couple of hours respite with this method. The only sure way to fix the problem is to search for all security patches for your version of IIS on Microsoft's website. Install all these patches, and reboot your computer. Then, update the virus definition database in your anti-virus software, just for good measure. Only then will you be free of this virus.

Unless you have lots of Microsoft-specific active scripting (ASP) on your website, you might be much better off moving the entire server to a Linux/Apache platform. Yes, there are security vulnerabilities in both these software packages, too, but due to the way they're designed, there is much less chance of anything completely compromising the entire system the way Windows viruses do.

I hope this explains properly what the emails you're receiving are about. If you have any more questions, feel free to email me. If you want to complain about the amount of email I'm sending you, please don't. Patch your server, instead.