2 An Analysis of Code Red I
The ﬁrst version of the Code Red worm was initiallyseen in the wild on July 13th, 2001, according to RyanPermeh and Marc Maiffret of Eeye Digital Security[EDS01a, EDS01b], who disassembled the worm codeand analyzed its behavior. The worm spread by compro-mising Microsoft IIS web servers using the .ida vulner-ability discovered also by Eeye and published June 18th[EDS01c] and was assigned CVE number CVE-2001-0500 [CV01].Once it infected a host, Code-Red spread by launching99 threads which generated random IP addresses, andthen tried to compromise those IP addresses using thesame vulnerability. A hundredth thread defaced the webserver in some cases.However, the ﬁrst version of the worm analyzed byEeye, whichcametobeknownasCRv1, hadanapparentbug. The random number generator was initialized witha ﬁxed seed, so that all copies of the worm in a particularthread, on all hosts, generated and attempted to compro-mise exactly the same sequence of IP addresses. (Thethread identiﬁer is part of the seeding, so the worm had ahundred different sequences that it explores through thespace of IP addresses, but it only explored those hun-dred.) Thus CRv1 had a linear spread and never com-promised many machines.On July 19th, 2001, a second version of the worm beganto spread. This was suspected informally via mailing listdiscussion, then conﬁrmed by the mathematical analysiswe present below, and ﬁnally deﬁnitively conﬁrmed bydisassembly of the new worm. This version came to beknown as CRv2, or Code Red I.Code Red I v2 was the same codebase as CRv1 in al-most all respects—the only differences were ﬁxing thebug with the random number generation, an end to website defacements, and a DDOS payload targeting the IPaddress of
.We developed a tentative quantitative theory of whathappened with the spread of Code Red I worm. The newversion spread very rapidly until almost all vulnerableIISserversontheInternetwerecompromised. Itstoppedtrying to spread at midnight UTC due to an internal con-straint in the worm that caused it to turn itself off. It thenreactivated on August 1st, though for a while its spreadwas suppressed by competition with Code Red II (seebelow). However, Code Red II died by design [SA01]on October 1, while Code Red I has continued to makea monthly resurgence, as seen in Figure 2. Why it con-tinues to gain strength with each monthly appearance re-mains unknown.
We call this model the Random Constant Spread (RCS)model. The model assumes that the worm had a goodrandom number generator that is properly seeded. Wedeﬁne
as the total number of vulnerable servers whichcan be potentially compromised from the Internet. (Wemake the approximation that
is ﬁxed—ignoring bothpatching of systems during the worm spread and normaldeploying and removing of systems or turning on andoff of systems at night. We also ignore any spread of theworm behind ﬁrewalls on private Intranets).
is the initial compromise rate. That is, the numberof vulnerable hosts which an infected host can ﬁnd andcompromise per hour at the start of the incident, whenfew other hosts are compromised. We assume that
isa global constant, and does not depend on the processorspeed, network connection, or location of the infectedmachine. (Clearly, constant
is only an approxima-tion.) We assume that a compromised machine picksother machines to attack completely at random, and thatonce a machine is compromised, it cannot be compro-mised again, or that if it is, that does not increase therate at which it can ﬁnd and attack new systems. Weassume that once it is compromised, it stays that way.
is a time which ﬁxes when the incident happens.We then have the following variables:
is the proportion of vulnerable machines whichhave been compromised.
is the time (in hours).Now, we analyze the problem by assuming that atsome particular time
, a proportion of the machines
have been compromised, and then asking how manymore machines,
, will get compromised in the nextamount of time
. The answer is:
(1)The reason is that the number of machines compromisedin the next increment of time is proportional to the num-ber of machines already compromised (
) times thenumber of machines each compromised machine can
One possibility is that, since the default install of Windows 2000server includes IIS, new vulnerable machines have been added to theInternet.