What Does Code Red Do?

• Propagation phase (days 1-19)

• Target host scanned on TCP port 80

• Attacking host sends a specially crafted HTTP GET request that exploits the IIS buffer overflow vulnerability (Index Service does not have to be running to be exploited!)

• If successful, the worm starts running from RAM if the file c:\notworm is not found

Previous slide

Next slide

Back to first slide

View graphic version