Code Red II: a more capable variant

A new variant of Code Red appeared on the 4th of August. It uses the same IIS .ida vulnerability but is structurally different — it installs a persistent backdoor on disk, uses a smarter scanning algorithm, and produces a much larger compromise population. The community is calling it Code Red II.

What Code Red II does differently

Three main differences from the original.

Persistent on-disk installation. Where Code Red I was memory-resident only, Code Red II writes a backdoor to disk (typically cmd.exe or root.exe in publicly-accessible web directories) and installs registry keys that re-establish the backdoor on reboot. A simple reboot does not remove it.

Smart scanning. Where Code Red I used a fixed-seed LCG that produced the same scan order on every host, Code Red II uses the host's current IP address as the seed. This means each host scans a different sequence — the aggregate coverage is faster and more efficient.

More subtly, Code Red II's scanner is biased toward adjacent IP ranges. About 50% of scans go to IPs in the same /16 as the compromised host; another 25% go to the same /8. This concentrates scanning on networks that are likely to have similar configurations to the originally-compromised host.

The backdoor. The on-disk backdoor — a copy of cmd.exe accessible via a specific URL — gives anyone who knows the URL command execution as the IUSR user on the compromised host. This is essentially a permanent foothold; the worm operator can return to compromised hosts at will.

No DDoS phase. Code Red II does not have the Whitehouse.gov DDoS that Code Red I had. The author has decided that the persistent foothold is more valuable than the disruption.

The propagation

Code Red II's smart scanning has produced faster propagation than the original. Saturation of the same vulnerable population happened in approximately half the time.

The local-bias scanning has also produced an interesting effect: networks that have many IIS servers see disproportionate compromise. A single corporate network with 50 IIS servers, where one is compromised, rapidly has all 50 compromised because the local-bias scan finds them quickly.

This is structurally significant. Where Code Red I produced a roughly-uniform distribution of compromised hosts globally, Code Red II concentrates the compromised population in IIS-rich networks.
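As an added illustration (not code from the original post), a small deterministic mean-field model of the effect described above: it takes the scan mix given in the post (50% same /16, 25% same /8, the rest uniform) and compares how quickly a single /16 holding fifty vulnerable IIS servers saturates under uniform versus local-bias scanning. The tick length and the scan rate per tick are assumptions.

```python
"""Why one compromised host in an IIS-rich /16 is so costly.

Added example, not from the original post.  It uses the scan mix the post
describes (50% same /16, 25% same /8, remainder uniform) in a simple
deterministic mean-field model.  Tick length and scan rate are assumed.
"""

def hit_probability_same_16(local_bias):
    """Probability that one scan from an infected host lands on a given
    address inside the scanner's own /16."""
    if not local_bias:
        return 1 / 2 ** 32                       # Code Red I: uniform over IPv4
    # same /16 (1 in 2^16) + same /8 (1 in 2^24) + uniform (1 in 2^32)
    return 0.5 / 2 ** 16 + 0.25 / 2 ** 24 + 0.25 / 2 ** 32

def ticks_to_saturate(p_hit, vulnerable, scans_per_tick, max_ticks=100_000):
    """Ticks until every vulnerable host in the /16 is infected, starting
    from one infected host; None if max_ticks is exceeded.

    Mean-field step: each still-susceptible host escapes a tick with
    probability (1 - p_hit) ** (infected * scans_per_tick)."""
    infected = 1.0
    susceptible = float(vulnerable - 1)
    for tick in range(1, max_ticks + 1):
        escape = (1.0 - p_hit) ** (infected * scans_per_tick)
        newly = susceptible * (1.0 - escape)
        susceptible -= newly
        infected += newly
        if susceptible < 0.5:                    # less than half a host left
            return tick
    return None

def compare(vulnerable=50, scans_per_tick=100):
    """Return (local_bias_ticks, uniform_ticks) for the same /16."""
    local = ticks_to_saturate(hit_probability_same_16(True), vulnerable, scans_per_tick)
    uniform = ticks_to_saturate(hit_probability_same_16(False), vulnerable, scans_per_tick)
    return local, uniform

if __name__ == "__main__":
    local, uniform = compare()
    print(f"local-bias: {local} ticks; uniform: {uniform or 'not within limit'}")
```

The per-scan hit probability inside the scanner's own /16 is roughly 33,000 times higher with local bias, which is why a segmented network with one compromised host cannot rely on the worm "not finding" its neighbours.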

What is happening operationally

The cleanup from Code Red I was nearly complete (most operators had patched). Code Red II has reset the cleanup work: even hosts that have since been patched remain open through the on-disk backdoor Code Red II installs, if they were compromised during the window when they were unpatched.

The correct cleanup procedure for any host that was ever compromised by Code Red II:

  1. Patch the underlying IIS vulnerability.
  2. Inspect the filesystem for the worm's backdoor binaries (typically cmd.exe or root.exe in writable web directories).
  3. Inspect the registry for the worm's persistence keys.
  4. Verify that no other unauthorised changes have been made.
  5. Optionally, reinstall from clean media.

Many operators will not do step 4 thoroughly. Compromised hosts will continue to provide attacker access for months.
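One input to steps 2 and 4 is the web server's own request log, which shows both the .ida overflow attempts and any requests for the backdoor binaries the post names. The following is an added example, not from the original post: it triages IIS W3C extended log lines (constructed sample data, RFC 5737 addresses) and separates hosts that were merely probed for the backdoor from hosts on which the backdoor file actually answered. The field order and the query-length threshold are assumptions.

```python
"""Triage IIS W3C extended log lines for Code Red II activity.

Added example, not from the original post.  The log lines are constructed;
the field order is taken from the #Fields header, so other layouts work too.
"""
from collections import Counter

# Constructed sample log.  The .ida query is plain padding, standing in for
# the over-long request that triggers the overflow.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 03:14:07 192.0.2.10 GET /default.ida {0} 200
2001-08-05 03:14:09 192.0.2.10 GET /scripts/root.exe - 200
2001-08-05 03:15:22 198.51.100.7 GET /scripts/root.exe - 404
2001-08-05 03:16:01 198.51.100.7 GET /index.htm - 200
""".format("X" * 240)

BACKDOOR_NAMES = {"root.exe", "cmd.exe"}  # binaries the post says the worm drops
LONG_QUERY = 200  # assumed threshold: no legitimate .ida query is this long

def classify(stem, query, status):
    """Return a finding label for one request, or None if uninteresting."""
    name = stem.rsplit("/", 1)[-1].lower()
    if name.endswith(".ida") and len(query) >= LONG_QUERY:
        return "ida-overflow-attempt"     # status alone does not prove success
    if name in BACKDOOR_NAMES:
        # 200: the backdoor file exists and answered, so this host carries it.
        # Anything else: someone tried the URL but the file was not there.
        return "backdoor-present" if status == 200 else "backdoor-probe"
    return None

def triage(log_text):
    """Yield (client ip, finding) for every suspicious line in a W3C log."""
    fields, findings = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # learn the column layout
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                           # malformed or unknown layout
        rec = dict(zip(fields, parts))
        query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
        verdict = classify(rec["cs-uri-stem"], query, int(rec["sc-status"]))
        if verdict:
            findings.append((rec["c-ip"], verdict))
    return findings

def summarize(findings):
    """Count findings per (source ip, label) for a quick overview."""
    return Counter(findings)
```

Any "backdoor-present" hit on a server you own means steps 2 through 5 apply in full, regardless of whether the .ida patch has since been installed.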

The compromised-host market

A new development worth noting: Code Red II's persistent backdoor has produced a market for compromised hosts. The URLs to the backdoor binaries are being shared in underground forums; the backdoors give whoever knows the URL access to thousands of internet-facing hosts.

This is the commercial cybercrime infrastructure I have been writing about, accelerating. Compromised hosts are now a tradeable asset.

What this teaches

Four things, mostly reinforcing earlier observations.

Worm authors learn from each other quickly. The structural improvements in Code Red II address every weakness in Code Red I. The author had the lessons from the original to work with; the iteration speed is fast.

Persistent installation is the next step. Memory-resident worms were a category; persistent worms are the natural successor. We should expect future worms to default to persistent.

Smart scanning beats random scanning. The local-bias technique is now operationally demonstrated. Future worms will use similar techniques.

The compromised population is a strategic asset. Worm authors are now optimising for retention of access, not just initial compromise. The ecosystem around compromised hosts is forming.

What I am doing

For my own infrastructure: still not directly affected (no IIS).

For my Snort sensor: updated rules to detect both Code Red I and Code Red II patterns. Active alerts on the .ida exploit pattern continue.

For friends with IIS: a full inspection of their web servers' filesystems for the Code Red II backdoor binaries, in addition to confirming patch status. The cleanup is more involved than for Code Red I.

A quiet observation

The two-worm sequence in three weeks is the new normal. Code Red, then Code Red II, then probably another variant, then probably an entirely different worm. The internet is, structurally, in a different operational rhythm than it was at the start of the year.

More as the year develops. SirCam is also worth writing about; that post will be next week.
