AppShield™ versus the Code Red Worm
Code Red Worm Introduction
 
A new worm, discovered on July 13th, 2001, initially focused directly on www.whitehouse.gov; it is no longer limiting itself to that target. This particular worm does carry some destructive payload, meaning it can destroy or delete files, but the major problem it causes is degraded performance and system instability.

The Code Red worm has attacked thousands of sites. A Microsoft patch had been available for almost a month, but most organizations, including www.whitehouse.gov, did not install it. Patches alone are not a viable solution.

The target of the attack:

  • Web Servers: IIS 4.0 and 5.0, English-language, with Index Server installed
  • Operating System: Windows NT, Windows 2000 (the default configuration)
 
Method of Attack
 
The worm uses an HTTP GET request carrying a buffer overflow with special characters to exploit the Index Service DLL vulnerability, published June 18th, 2001. The specific DLL exploited is idq.dll, which provides the ISAPI extensions for administrative scripts (.ida files) and Internet Data Queries (.idq files). The buffer overflow is targeted at default.ida and allows the exploiting process to reach system space and gain control of the server.

The worm spreads from each infected site to 100 random sites, and it defaces the attacked site. Ultimately, the final target of the Code Red worm is a DoS (Denial of Service) attack against the White House web server. To date it has caused damage to thousands of sites, estimated at more than 300,000 servers.

 
Vulnerability / Attack / Patch
 
The vulnerability affects systems running unpatched IIS web servers. It is a buffer overflow in one of the executable files (a ".ida" file): overflowing the parameter name causes the server to run malicious code (the worm is just one example of such code).
  • The vulnerability in IIS Index Server was found on June 12, 2001
  • Microsoft issued a patch on June 12, 2001
  • The attack of the Code Red worm began on July 19, 2001
 
Patch Latency
 
When a vulnerability is found, the clock starts ticking.
  • A patch is created and tested by the vendor.
  • The patch is downloaded by the organization.
  • The patch is tested internally by the organization.
  • The patch is installed into the production environment, and the clock stops ticking.
The typical patch latency period is a few weeks to many months. During this period the site is completely vulnerable.
 
Business Impact / Site Security
 
The worm is limited to three disruptive functions, but could easily be re-designed to do much more damage.
  1. Page defacement
  2. System degradation
  3. Denial of Service attack (DoS)
Patches are not enough!

Solutions that are based on applying patches will always lag behind the new vulnerabilities and attacks.

The only way to address security is by solving the generic problem and not being dependent on the specific attack.

 
AppShield versus Code Red
 
AppShield is an automatic Web application firewall that recognizes the correct behavior of the Web site.

The Code Red worm does not behave according to the correct behavior of the Web site in the following ways:

  • Illegal entry point into the site to the .ida file
  • Illegal parameter tampering of the .ida file
  • Buffer Overflow attempt on the parameter
  • Illegal characters within the parameter

The exploit requires that a buffer overflow with special characters be passed to the file default.ida via HTTP/HTML.

AppShield would protect against this exploit by preventing the following:

  1. Illegal characters (the malicious code contains non-printable characters)
  2. Application buffer overflows
  3. Parameter tampering (.ida file as input parameter): the "long" parameter name did not appear in a previous form and is therefore illegal.
  4. Forceful browsing (illegal access to default.ida): no link to the ".ida" file exists in the site, so AppShield prevents the "forceful browsing".
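The four deviations listed in the two lists above (illegal entry point, parameter tampering, buffer overflow, illegal characters) can be expressed as checks against a site's expected behavior. The following is an added example written for this page, not Sanctum's or AppShield's code; the allowed paths, the length cap and the sample request lines are all constructed, and the third sample uses placeholder filler in place of the worm's real payload.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed positive-security policy: the only entry points the site links to.
ALLOWED_PATHS = {"/", "/index.html", "/products.html"}
# Constructed cap on the decoded length of any single parameter name or value.
MAX_PARAM_LEN = 256

def check_request(request_line):
    """Return the policy violations for one HTTP request line (empty = allowed)."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return ["malformed request line"]
    parts = urlsplit(target)
    violations = []
    # Forceful browsing: the path is not one the site itself links to.
    if parts.path not in ALLOWED_PATHS:
        violations.append(f"forceful browsing: {parts.path}")
    # Parameter tampering: an .ida/.idq handler is addressed directly, so its
    # parameter never appeared in any form the site served.
    if re.search(r"\.id[aq]$", parts.path, re.IGNORECASE):
        violations.append("parameter tampering: .ida/.idq handler used as input")
    for raw in filter(None, parts.query.split("&")):
        name, _, value = raw.partition("=")
        for part in (name, value):
            decoded = unquote_to_bytes(part)  # %XX-decode before measuring
            # Application buffer overflow: oversized parameter name or value.
            if len(decoded) > MAX_PARAM_LEN:
                violations.append(f"buffer overflow attempt: {len(decoded)}-byte parameter")
            # Illegal characters: anything outside printable ASCII.
            if any(b < 0x20 or b > 0x7E for b in decoded):
                violations.append("illegal characters: non-printable bytes in parameter")
    return violations

def scan(requests):
    """Return only the flagged request lines, mapped to their violations."""
    flagged = {}
    for line in requests:
        violations = check_request(line)
        if violations:
            flagged[line] = violations
    return flagged

# Constructed sample traffic (not a real capture). The third line has the shape
# of the attack described above: placeholder filler plus %XX-encoded control bytes.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /products.html?id=42 HTTP/1.0",
    "GET /default.ida?" + "X" * 300 + "%00%01%02=x HTTP/1.0",
]
```

Running `scan(SAMPLE_REQUESTS)` flags only the third line, with all four violations, while the two legitimate requests pass untouched.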

AppShield stops the Code Red worm without any updates.

More importantly:

  • AppShield stops any known or unknown worm attack.
  • AppShield stops any known or unknown human attack.

 
AppShield versus Code Red—Summary
 
AppShield protects against the Code Red worm by preventing the site infection in a generic way. It does not require a patch.

AppShield protects against all current and future Web application attacks without the need for updates.

AppShield is the ONLY solution to address vulnerabilities in a generic manner.

Call Sanctum at 1-888-280-8503 to help your company stop Code Red from shutting down your site.



© 2002 Sanctum, Inc.