Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Lessons from Code Red

October 2001 News & Events

Recently, the Code Red worm was unleashed and quickly spread to some 350 000 host machines around the world. Whilst Code Red is not of immediate interest to businesses in the conventional security sector, the saga of Code Red highlights issues that we would all be well advised to take note of.

How was Code Red able to spread and what lessons can we learn from its destruction?

On 19 June 2001, the Computer Emergency Response Team Coordination Centre issued Advisory CA-2001-13 www.cert.org/advisories/CA-2001-13.html warning of a buffer overflow in the Microsoft Internet Information Server software Versions 4.0 or 5.0 running under Windows 2000 and beta-test versions of Windows XP. This vulnerability allows execution of arbitrary code on a susceptible machine; ie anyone can execute any instructions they like on an unpatched system.

The Advisory urged, "Since specific technical details on how to create an exploit are publicly available for this vulnerability, system administrators should apply fixes or workarounds on affected systems as soon as possible."

One month later, on 19 July, Advisory CA-2001-19 www.cert.org/advisories/CA-2001-19.html was issued announcing that the Code Red worm (a free-standing, self-propagating program that spreads through network connections) was exploiting the vulnerability announced in CA-2001-13. A good description of the worm's internals can be found at xforce.iss.net/alerts/advise89.php

Without regurgitating all of the hype surrounding Code Red, there are some obvious lessons to be learnt from this outbreak:

* It took only a month from public discovery and patch of a vulnerability to an outbreak of an exploit.

* It took more than a month for many administrators of vulnerable systems to apply the patch.

* Variants of the worm appeared almost immediately, and they were worse than the first ones.

* The number of unpatched systems is so high that even a simple attack can measurably affect Internet traffic and increase response time for web connections.

* All unpatched systems will continue to be vulnerable to this type of exploit.

* The fundamental flaw that allowed for this attack is poor programming: buffer overflows imply that input strings are not being checked for length or otherwise edited, allowing strings to be interpreted as instructions. Manufacturers need to improve their quality assurance.

* The originator of the attack may never be known.

* The criminal hacker subculture has bred a group of people whose enjoyment of harm approaches the level of clinical sociopathy.

* The long-standing warnings from Donn Parker and others about automation of computer crime are coming true (see Parker's 1998 book, 'Fighting computer crime: A new framework for protecting information').

According to M.E. Kabay, Associate Professor of Computer Information Systems at Norwich University, "We are very close to major damage to the information infrastructure through self-propagating code that exploits the inability and unwillingness of management to support network administrators in keeping their system patches up-to-date."

Reinforcing this message was an excellent analysis of the implications of the Code Red family of worms by Elinor Mills Abreu, who interviewed several security experts for an article headlined 'Code Red foreshadows evolution of cyber threats' ( news.excite.com/printstory/news/r/010803/22/net-techcodered-dc). She points out that Code Red shows that infectious code can rapidly increase the damage caused by its payload.

An issue not being talked about is that of the collateral damage of Code Red. For example, Cisco has admitted that DSL routers with older firmware were susceptible to a denial-of-service attack when attacked by Code Red. Such devices were not specifically targeted by Code Red. Instead, their web interface could not handle the Code Red attack. There has been an enormous proliferation of random devices with a web interface: listening on Port 80, including security hardware from CCTV to access control. Says Counterpane Internet Security's Bruce Schneier, "This is a large single-point-of-failure that Code Red has illustrated, and no one seems to be talking about."

Ouch.

Lessons from Code Red indeed.

Till next month.

Darren Smith





Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

Unlock the future of security operations in Bloemfontein
DeepAlert News & Events Surveillance
Security professionals and business leaders are invited to revolutionise their offsite monitoring operations at the DeepAlert Product Road Show, taking place on 16 – 17 September 2025, at the Schoemanspark Golf Club, Bloemfontein.

Read more...
Hytera supports communication upgrade for Joburg
News & Events Infrastructure Government and Parastatal (Industry)
By equipping Johannesburg’s metro police and emergency services with multimode radios which integrate TETRA and LTE networks, Hytera is bridging coverage gaps and improving response times across the city.

Read more...
Your Wi-Fi router is about to start watching you
News & Events Surveillance Security Services & Risk Management
Advanced algorithms are able to analyse your Wi-Fi signals and create a representation of your movements, turning your home's Wi-Fi into a motion detection and personal identification system.

Read more...
ProtecLink 2025: Ithegi Electronics supports a safer, smarter security ecosystem
News & Events
If you are a security buyer, operations lead, or technology partner, do not miss ProtecLink 2025, to be held in Polokwane on 16 September 2025, at the Polokwane Royal Hotel.

Read more...
Secutel maintains ISO certifications
News & Events Fire & Safety
Secutel Technologies has successfully recertified all four of its ISO standards, a reflection of its continued commitment to excellence, client trust, and operational integrity.

Read more...
SABRIC appoints Andre Wentzel as interim CEO
News & Events Financial (Industry) Associations
The South African Banking Risk Information Centre (SABRIC) has announced the appointment of Andre Wentzel as interim chief executive officer, effective immediately.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Paxton cuts emissions by over a third
Paxton News & Events
Paxton has announced a significant reduction in its carbon footprint, cutting emissions by 961 tonnes of CO2e in its 2023 second reporting year.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
Securex gears up for Cape Town
News & Events
Four industry expos debut in Cape Town from 21–23 October, providing access to Africa’s tech hub and a rapidly expanding local market, through a platform covering security, OSH, facilities management, and fire safety solutions in one venue.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.