
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


RedCode.IIS.2

Threat level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

The effects of RedCode are:

  • It spreads until October 2001 and then restarts the affected computer.
  • It spreads through computer networks.
  • It drops a Trojan in affected computers, which allows other users to gain control of the affected Web server.
  • It creates multiple execution threads in memory, which act like copies of the worm.

In computers with a Chinese operating system, RedCode creates 600 execution threads. In operating systems in other languages it only creates 300.

The function of these threads is to generate random IP addresses in order to find more Web servers to infect.

  • It restarts affected computers a certain time after carrying out its infection.

This period of time is 48 hours in computers with a Chinese operating system and 24 hours in operating systems in other languages.

Infection strategy 

RedCode creates the following files:

  • It creates a file with Trojan characteristics: EXPLORER.EXE. This file generates two virtual drives through which the affected computer can be accessed.

This Trojan allows the attacker to take complete control of the affected Web server by sending an HTTP GET request that runs Scripts/root.exe on the affected Web server.

  • RedCode copies the CMD.EXE file to the following locations, if the directories exist on the affected computer:

C:\Inetpub\Scripts\Root.exe

D:\Inetpub\Scripts\Root.exe

C:\Progra~1\Common~1\System\MSADC\Root.exe

D:\Progra~1\Common~1\System\MSADC\Root.exe
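A host-side check for these dropped files, added here as an example (it is not Panda Security's code): it looks for Root.exe at the four locations above and compares each file's SHA-256 with the system's CMD.EXE, so a genuine RedCode drop (a byte-identical copy) is told apart from an unrelated file that happens to carry the same name. The drive letters are passed in as directory mappings so the same check can run against a mounted disk image; `demo()`, the mapping names and the placeholder file contents are constructed for this example.

```python
r"""Check for the Root.exe copies of CMD.EXE described above.

Added example, not Panda Security's code. The two relative locations come from
the page (Inetpub\Scripts and Progra~1\Common~1\System\MSADC on drives C: and D:);
the drive letters are mapped to directories by the caller so the check can run
against a live system or a mounted evidence image.
"""
import hashlib
import os
import tempfile

# Drop locations listed on the page, relative to the drive root.
ROOT_EXE_RELATIVE_PATHS = [
    r"Inetpub\Scripts\Root.exe",
    r"Progra~1\Common~1\System\MSADC\Root.exe",
]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def candidate_paths(drive_roots):
    """drive_roots maps a drive letter to the directory standing in for it,
    e.g. {"C": "/mnt/evidence/c"}. Returns the candidate Root.exe paths."""
    paths = []
    for root in drive_roots.values():
        for rel in ROOT_EXE_RELATIVE_PATHS:
            paths.append(os.path.join(root, *rel.split("\\")))
    return paths


def check_root_exe(drive_roots, cmd_exe_path):
    """Return (path, verdict) for every candidate that exists. A file counts as
    a RedCode drop only if it is byte-identical to the reference cmd.exe."""
    reference = sha256_of(cmd_exe_path)
    results = []
    for path in candidate_paths(drive_roots):
        if not os.path.isfile(path):
            continue
        if sha256_of(path) == reference:
            verdict = "copy of cmd.exe: matches the RedCode drop"
        else:
            verdict = "unexpected file: hash differs from cmd.exe"
        results.append((path, verdict))
    return results


def demo():
    """Build a constructed stand-in for C:\\ and D:\\ in a temp dir and run the
    check. The file contents are placeholders, not real cmd.exe bytes."""
    base = tempfile.mkdtemp()
    c_root = os.path.join(base, "C")
    d_root = os.path.join(base, "D")
    cmd_exe = os.path.join(c_root, "WINNT", "system32", "cmd.exe")
    dropped = os.path.join(c_root, "Inetpub", "Scripts", "Root.exe")
    unrelated = os.path.join(d_root, "Progra~1", "Common~1", "System", "MSADC", "Root.exe")
    samples = [
        (cmd_exe, b"MZ placeholder cmd.exe"),
        (dropped, b"MZ placeholder cmd.exe"),   # identical bytes: a real drop
        (unrelated, b"MZ something else"),       # same name, different content
    ]
    for path, content in samples:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)
    return check_root_exe({"C": c_root, "D": d_root}, cmd_exe)


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict}: {path}")
```

NTFS is case-insensitive, so on a live host the candidate names match whatever case the worm used; on a Linux-mounted image the paths must be given in the case they actually appear on disk.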

Once RedCode gets into a computer it carries out the following infection routine:

  • It looks for a valid copy of the KERNEL32.DLL module in the main memory of the computer in which it is running.
  • It looks for the GetProcAddress function in this copy. This allows RedCode to locate the rest of the functions it needs: LoadLibraryA, GetSystemTime, CreateThread, CreateFileA, Sleep, GetSystemDefaultLangID, socket, connect, send, recv, closesocket, GetTickCount, GetSystemDirectory, CopyFileA, GlobalFindAtomA, GlobalAddAtomA, CloseHandle, _lcreat, _lclose, ioctlsocket, select, gethostname, gethostbyname, WSAGetLastError and ExitWindowsEx.
  • It uses the gethostname and gethostbyname functions to obtain the address information of the network to which the computer it is running on is connected.

RedCode modifies the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots

/Scripts = %rootdir%\inetpub\scripts,,204

/MSADC = %rootdir%\program files\common files\system\msadc,,205

/C = C:\,,217

/D = D:\,,217

By modifying this entry, it allows other users full access to the affected Web server.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

RedCode modifies this entry by assigning it the value 0xFFFFFF9D. By doing this, RedCode disables the System File Checker (SFC).
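An audit for the two registry changes just described, added here as an example (not Panda Security's code). It parses a `.reg`-style text export rather than reading the live registry, so it runs on any platform; on an IIS host the input would be the output of `reg export` for the two keys. It flags any virtual root whose path is a bare drive root, which the page says exposes the whole drive over HTTP, and a non-zero SFCDisable, noting when the value is the one RedCode writes. The sample export, including the "/" root entry, is constructed; the key and value names come from the page.

```python
r"""Audit the two registry locations described above for RedCode's changes.

Added example, not Panda Security's code. The sample export below is
constructed in .reg syntax (backslashes doubled as in a real export); the
"/" entry is a typical default and is not from the page.
"""
import re

VROOTS_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SFC_DISABLE_REDCODE = 0xFFFFFF9D  # value the page says RedCode writes to SFCDisable

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")  # a bare C:\ or D:\

SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="C:\\Inetpub\\wwwroot,,201"
"/Scripts"="C:\\inetpub\\scripts,,204"
"/MSADC"="C:\\program files\\common files\\system\\msadc,,205"
"/C"="C:\\,,217"
"/D"="D:\\,,217"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
'''


def parse_reg_export(text):
    """Parse a .reg export into {key: {name: value}}. String values are
    unescaped and dword values become ints. Registry keys are
    case-insensitive, so keys are lowercased for lookup."""
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            tree.setdefault(current, {})
            continue
        value_match = REG_VALUE_RE.match(line)
        if value_match and current is not None:
            raw_value = value_match.group("value")
            if raw_value.startswith("dword:"):
                value = int(raw_value[len("dword:"):], 16)
            elif raw_value.startswith('"') and raw_value.endswith('"'):
                value = raw_value[1:-1].replace("\\\\", "\\")
            else:
                value = raw_value
            tree[current][value_match.group("name")] = value
    return tree


def audit_registry_export(text):
    """Return findings: virtual roots mapped to a whole drive, and a disabled SFC."""
    findings = []
    tree = parse_reg_export(text)
    for name, value in tree.get(VROOTS_KEY.lower(), {}).items():
        if not isinstance(value, str):
            continue
        path = value.split(",")[0]  # entries are laid out as path,username,access mask
        if DRIVE_ROOT_RE.match(path):
            findings.append(f"virtual root {name} maps to drive root {path}: "
                            "the whole drive is reachable over HTTP")
    sfc = tree.get(WINLOGON_KEY.lower(), {}).get("SFCDisable")
    if isinstance(sfc, int) and sfc != 0:
        note = " (the value described for RedCode)" if sfc == SFC_DISABLE_REDCODE else ""
        findings.append(f"SFCDisable = 0x{sfc:08X}: System File Checker disabled{note}")
    return findings


if __name__ == "__main__":
    for finding in audit_registry_export(SAMPLE_REG_EXPORT):
        print(finding)
```

Restoring the keys is only part of the cleanup: the page's Infection strategy section lists the Root.exe copies and EXPLORER.EXE Trojan that the virtual roots were created to serve, and those have to go as well.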

Means of transmission 

RedCode spreads through networks by exploiting a vulnerability in MS Index Server 2.0, MS Indexing Service, or MS IIS 4.0 and 5.0. The exploit is a buffer overflow, which allows RedCode to run.

RedCode spreads following the routine described below:

  • It sends itself out over TCP/IP connections by simulating an HTTP request in the form of an ASCII text string.
  • The request is sent to port 80 of the computer under attack (the default port of the HTTP protocol).
  • Sending the ASCII string causes a buffer overflow, which allows RedCode to run.

The text string that causes this buffer overflow consists of the following:

  • A header for the request (sent with the HTTP GET method).
  • Exploit: a string of characters that causes the buffer overflow, followed by an instruction that transfers execution into the buffer so that RedCode takes control once it has overflowed.
  • The worm's code, encrypted, in binary format.

In order to find other computers to infect, RedCode generates masks and IP addresses. Four of these addresses are in the same class A network as the infected computer, three are in the same class B network and the other one is generated randomly.

RedCode will not infect computers whose IP address falls into one of the following ranges: 127.x.x.x and 224.x.x.x (addresses of possible local networks).
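A log-side detector for the transmission and backdoor traffic described in this section, added here as an example (not Panda Security's code). It reads IIS W3C extended log lines and flags three things: requests to the Scripts/root.exe or MSADC copy of cmd.exe, requests under the /C and /D virtual roots that RedCode maps to whole drives, and, as a generic sign of the overflow request, an oversized GET dominated by one repeated character. The log lines, the field order and the two thresholds are constructed; the page does not give the exact request string, and the detector does not need it.

```python
"""Flag RedCode-style activity in IIS W3C extended log lines.

Added example, not Panda Security's code. The backdoor paths and the /C and /D
virtual roots come from the page; the oversized-GET rule is a generic heuristic
for the overflow request. The sample log and thresholds are constructed.
"""

BACKDOOR_STEMS = {"/scripts/root.exe", "/msadc/root.exe"}
DRIVE_ROOT_PREFIXES = ("/c/", "/d/")
MIN_URI_LEN = 256   # assumption: legitimate requests on this server are shorter
MIN_RUN = 128       # assumption: one character repeated this often is filler

# Constructed sample log in W3C extended format (not a real capture).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-04 12:00:01 192.0.2.10 GET /default.htm - 200",
    "2001-08-04 12:00:05 198.51.100.7 GET /somefile.ext " + "A" * 300 + " 200",
    "2001-08-04 12:00:09 198.51.100.7 GET /scripts/root.exe - 200",
    "2001-08-04 12:00:12 203.0.113.4 GET /c/inetpub/wwwroot/default.htm - 200",
    "2001-08-04 12:00:15 192.0.2.10 GET /images/logo.gif - 200",
])


def parse_w3c_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign the fields
        yield dict(zip(fields, parts))


def longest_run(text):
    """Length of the longest run of a single repeated character."""
    best = current = 0
    previous = None
    for char in text:
        current = current + 1 if char == previous else 1
        previous = char
        best = max(best, current)
    return best


def classify(entry):
    """Return a label for a suspicious entry, or None for a normal one."""
    stem = entry["cs-uri-stem"].lower()
    query = entry["cs-uri-query"]
    if stem in BACKDOOR_STEMS:
        return "backdoor: request to the root.exe copy of cmd.exe"
    if stem.startswith(DRIVE_ROOT_PREFIXES):
        return "backdoor: request through a drive-root virtual root"
    uri = stem if query == "-" else stem + "?" + query
    if (entry["cs-method"].upper() == "GET"
            and len(uri) >= MIN_URI_LEN and longest_run(uri) >= MIN_RUN):
        return "overflow attempt: oversized GET with a long repeated-character run"
    return None


def scan_log(text):
    """Return (client ip, uri stem, label) for each flagged entry."""
    hits = []
    for entry in parse_w3c_log(text):
        label = classify(entry)
        if label:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], label))
    return hits


if __name__ == "__main__":
    for ip, stem, label in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem}: {label}")
```

The /c/ and /d/ prefix rule assumes the server has no legitimate virtual directory of that name; on one that does, restrict the rule to the paths RedCode's registry change exposes. Because the overflow request arrives before the worm runs, the oversized-GET rule also fires on servers that were probed but not infected, which is useful for scoping an incident.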