CERT® Advisory CA-2001-23 Continued Threat of the "Code Red" WormOriginal release date: July 26, 2001
Last revised: January 17, 2002
A complete revision history can be found at the end of this file.
The CERT/CC has received reports indicating that at least 280,000 hosts were compromised in the first wave.
A translation of this advisory into Polish is available at http://www.cert.pl/CA/CA-2001-23-PL.html.
The "Code Red" worm is malicious self-propagating code that exploits Microsoft Internet Information Server (IIS)-enabled systems susceptible to the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. Its activity on a compromised machine is time senstive; different activity occurs based on the date (day of the month) of the system clock. The CERT/CC is aware of at least two major variants of the worm, each of which exhibits the following pattern of behavior:
Detailed technical analysis of the "Code Red" worm can be found in CA-2001-19.
Data reported to the CERT/CC indicates that the "Code Red" worm infected more than 250,000 sytems in just 9 hours. Figure 1 illustrates the activity between 6:00 AM EDT and 8:00 PM EDT on July 19, 2001.
NOTE: After 8:00 PM EDT on July 19 (0:00 GMT July 20), the worm switched into flood mode on most infected systems, so the number of infected systems remained fairly constant after that time.
Our analysis estimates that starting with a single infected host, the time required to infect all vulnerable IIS servers with this worm could be less than 18 hours. Since the worm is programmed to continue propagating for the first 19 days of the month, widespread denial of service may result due to heavy scan traffic.
As reported in CA-2001-19, infected systems may experience web site defacement as well as performance degradation as a result of the propagating activity of this worm. This degradation can become quite severe, and in fact may cause some services to stop entirely, since it is possible for a machine to be infected with multiple copies of the worm simultaneously.
Furthermore, it is important to note that the IIS indexing vulnerability that the "Code Red" worm exploits can be used to execute arbitrary code in the Local System security context. This level of privilege effectively gives an attacker complete control of the infected system.
The CERT/CC encourages all Internet sites to review CA-2001-13 and ensure workarounds or patches have been applied on all affected hosts on your network.
If you believe a host under your control has been compromised, you may wish to refer to
Known versions of the worm reside entirely in memory; therefore, a reboot of the machine will purge the worm from the system. However, due to the rapid propagation of the worm, the likelihood of re-infection is quite high. Taking the system offline and applying the vendor patch will eliminate the vulnerability exploited by the "Code Red" worm.
IV. Good PracticesConsistent with the security best-practice of denying all network traffic and only selectively allowing that which is required, ingress and egress filtering should be implemented at the network edge. Likewise, controls must be in place to ensure that all software used on a network is properly maintained.
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound connections from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound connections to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound connections to non-authortized services. In this fashion, the effectiveness of many intruder scanning techniques can be dramatically reduced. With "Code Red," ingress filtering will prevent instances of the worm outside of your network from infecting machines in the local network that are not explicitly authorized to provide public web services. Cisco has published a tech tip specifically addressing ingress filtering for the "Code Red" worm at
Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet. In the case of "Code Red," employing egress filtering will prevent compromised IIS servers on your network from further propagating the worm.
Installing new software with the latest patchesWhen installing an operating system or application on a host for the first time, it is insufficient to merely use the install media. Vulnerabilities are often discovered after the software becomes widely distributed. Thus, prior to connecting this host to the network, the latest security patches for the software should be obtained from the vendor and applied.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
Cisco has published a security advisory describing this vulnerability at
The following document regarding the vulnerability exploited by the "Code Red"
worm is available from Microsoft:
Author(s): Roman Danyliw and Allen Householder
This document is available from: http://www.cert.org/advisories/CA-2001-23.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Jul 26, 2001: Initial release Jul 30, 2001: Added link to Polish translation Aug 16, 2001: Added link to Cisco ingress filtering tech tip, updated link to Microsoft cumulative patch Aug 23, 2001: Updated contact information Jan 17, 2002: Updated feedback link