AppShield™ versus the Code Red Worm
Code Red Worm Introduction
 
A new worm, discovered July 13th, 2001, was initially aimed directly at www.whitehouse.gov; it is no longer limiting itself to that site. This particular worm does carry a destructive payload, meaning it can destroy or delete files, but the major problem it is causing is degraded performance and system instability.

The Code Red worm has attacked thousands of sites. A Microsoft patch was available for almost a month, but most organizations, including www.whitehouse.gov, did not install it. Patches alone are not a viable solution.

The target of the attack:

  • Web servers: IIS 4.0 and 5.0 Web servers, English language, with Index Server installed
  • Operating system: Windows NT and Windows 2000 (the default configuration)
 
Method of Attack
 
The worm sends an HTTP GET request carrying a buffer overflow with special characters to exploit the Index Service DLL vulnerability published June 18th 2001. The specific DLL exploited is idq.dll, the ISAPI extension that handles administrative scripts (.ida file types) and Internet Data Queries (.idq file types). The buffer overflow is directed at default.ida and allows the exploiting process to reach System space and gain control of the server.

The worm spreads from each infected site to 100 random sites, and it defaces the attacked site. Ultimately, the final target of the Code Red worm is a DoS (Denial of Service) attack against the White House web server. To date it has caused damage to thousands of sites, estimated at more than 300,000 servers.

 
Vulnerability / Attack / Patch
 
The vulnerability affects systems running unpatched IIS web servers: a buffer overflow in one of the server's executable files (a ".ida" file). It is triggered by overflowing the parameter name in the request, which causes the server to run malicious code (the worm is just one example of such code).
  • The vulnerability in IIS Index Server was found on June 12, 2001
  • Microsoft issued a patch on June 12, 2001
  • The attack of the Code Red worm began on July 19, 2001
 
Patch Latency
 
When a vulnerability is found—the clock starts ticking.
  • A patch is created and tested by the vendor.
  • The patch is downloaded by the organization.
  • The patch is tested internally by the organization.
  • The patch is installed into the production environment—the clock stops ticking.
The typical patch latency period is a few weeks to many months. During this period the site is completely vulnerable.
 
Business Impact / Site Security
 
The worm is limited to three disruptive functions, but could easily be re-designed to do much more damage.
  1. Page defacement
  2. System degradation
  3. Denial of Service attack (DoS)
Patches are not enough!

Solutions that are based on applying patches will always lag behind the new vulnerabilities and attacks.

The only way to address security is by solving the generic problem and not being dependent on the specific attack.

 
AppShield versus Code Red
 
AppShield is an automatic Web application firewall which recognizes the correct behavior of the Web site.

The Code Red worm does not behave according to the correct behavior of the Web site in the following ways:

  • Illegal entry point into the site to the .ida file
  • Illegal parameter tampering of the .ida file
  • Buffer Overflow attempt on the parameter
  • Illegal characters within the parameter

The exploit requires that a buffer overflow with special characters be passed to the file default.ida via HTTP/HTML.

AppShield would protect against this exploit by preventing the following:

  1. Illegal characters: the malicious code contains non-printable characters.
  2. Application buffer overflows.
  3. Parameter tampering (the .ida file as input parameter): the "long" parameter name did not appear in a previously served form and is therefore illegal.
  4. Forceful browsing (illegal access to default.ida): no link to the ".ida" file exists in the site, so AppShield prevents the "forceful browsing".
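The four checks above, together with the request shape described under "Method of Attack", as an added worked example that is not Sanctum's AppShield code: a small positive-security request filter in Python that applies the same four rules (forceful browsing, parameter tampering, buffer overflow, illegal characters) to raw HTTP request lines. The site map, the allowed form parameters, the 256-byte size limit and the sample log lines are constructed assumptions, not values from this page.

```python
"""Added example (not Sanctum's AppShield code): a positive-security-model
request filter that applies the four checks this page attributes to AppShield
to raw HTTP request lines. The site map, form fields and size limit below are
assumptions made for the example."""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Assumed site map: the only paths the site itself links to (legal entry points).
KNOWN_ENTRY_POINTS = {"/", "/index.html", "/search.html"}
# Assumed forms: the parameter names each page's served forms actually emit.
KNOWN_PARAMS = {"/search.html": {"q", "page"}}
# Assumed size policy: no legitimate field on this site exceeds this many bytes.
MAX_PARAM_LEN = 256
# Anything outside printable ASCII counts as an illegal character.
NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")

Violation = Tuple[str, str]  # (category, detail)


def check_request(request_line: str) -> List[Violation]:
    """Return every policy violation found in one HTTP request line."""
    violations: List[Violation] = []
    fields = request_line.split(" ")
    if len(fields) != 3:
        return [("malformed", "request line is not 'METHOD target VERSION'")]
    _method, target, _version = fields
    parts = urlsplit(target)
    path = parts.path

    # 1. Forceful browsing: the site never links to this path.
    if path not in KNOWN_ENTRY_POINTS:
        violations.append(("forceful_browsing", f"{path} is not a linked entry point"))

    allowed = KNOWN_PARAMS.get(path, set())
    # keep_blank_values keeps a bare '?NAME' (no '=') as a parameter name,
    # which is how a long parameter name aimed at default.ida arrives.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        longest = max(len(name), len(value))
        # 2. Parameter tampering: the name never appeared in a served form.
        if name not in allowed:
            violations.append(("parameter_tampering", f"unexpected parameter {name[:16]!r}"))
        # 3. Buffer overflow attempt: far longer than any legitimate field.
        if longest > MAX_PARAM_LEN:
            violations.append(("buffer_overflow", f"parameter is {longest} bytes"))
        # 4. Illegal characters: non-printable bytes (checked after %-decoding).
        if NON_PRINTABLE.search(name) or NON_PRINTABLE.search(value):
            violations.append(("illegal_characters", "non-printable bytes in parameter"))
    return violations


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run the checks over request lines; return (line number, categories) for hits."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        categories = [category for category, _ in check_request(line)]
        if categories:
            hits.append((line_no, categories))
    return hits


# Constructed sample log: a normal search, an unexpected parameter on a known
# page, and a Code Red style request (long run of 'N' plus encoded control bytes).
SAMPLE_LOG = [
    "GET /search.html?q=code+red&page=2 HTTP/1.1",
    "GET /search.html?debug=1 HTTP/1.1",
    "GET /default.ida?" + "N" * 300 + "%00%01 HTTP/1.0",
]

if __name__ == "__main__":
    for line_no, categories in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(categories)}")
```

The filter never looks for a Code Red signature; it only knows what the site legitimately serves, which is why the third sample line trips all four rules at once while the second trips only parameter tampering. The same model would flag a different worm or a hand-crafted request aimed at the same file without any update to the rules.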

AppShield stops the Code Red worm without any updates.

More importantly:

  • AppShield stops any known or unknown worm attack.
  • AppShield stops any known or unknown human attack.

 
AppShield versus Code Red—Summary
 
AppShield protects against the Code Red worm by preventing the site infection in a generic way. It does not require a patch.

AppShield protects against all current and future Web application attacks without the need for updates.

AppShield is the ONLY solution to address vulnerabilities in a generic manner.

Call Sanctum at 1-888-280-8503 to help your company stop Code Red from shutting down your site.



© 2002 Sanctum, Inc.


