Code Red
Code Red, also known as Csrss.exe, is a process which is registered as a trojan horse that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.[1] Code Red is spread mainly through drive-by downloads and phishing schemes. First identified in July 2014 when it was used to steal information from the United States Department of Transportation,[2] it became more widespread in March 2015. In June 2015 security company Prevx discovered that Code Red had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, Amazon, Facebook, Skype, Yahoo Mail, Gmail and AOL Mail.[3]
Detection and removal
Code Red is very difficult to detect even with up-to-date antivirus and other security software, as it hides itself using stealth techniques.[4] This is considered the primary reason why the Code Red Trojan has become the largest botnet on the Internet: Damballa estimated that the malware infected 3.6 million PCs in the U.S. in 2015.[5] Security experts advise that businesses continue to offer training to users to teach them not to click on hostile advertisement pop-ups or suspicious links in emails or Web sites, and to keep antivirus protection up to date. Antivirus software does not claim to reliably prevent infection; for example, Browser Protection says that it can prevent "some infection attempts".[6]
Hoax warning
The Code Red threat is also the subject of many hoax warnings designed to trick social networking users into spreading misinformation across the Internet. Various anti-scam websites such as Snopes.com and ThatsNonsense.com have recorded many instances where alarmist messages designed to fool and panic Facebook users have begun to circulate prolifically using the widely publicized Code Red threat as bait.[21][22] The "Barack Obama-Clinton Scandal" hoax which was popular in 2010 is an example.
Other misconceptions have spread regarding the Code Red threat, including the false assertion that accepting "hackers" as Facebook friends will infect a victim's computer with Code Red, or that Facebook applications are themselves Code Red threats.

Operation
Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus' combined use of so many has made it unusually difficult to eradicate.[25] The virus' unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the virus' own vulnerabilities.[26][27]
Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.[28][29] The Conficker Working Group uses the names A, B, B++, C and E for the same variants respectively. This means that (CWG) B++ is equivalent to (MSFT) C and (CWG) C is equivalent to (MSFT) D.
Variant | Detection date | Infection vectors | Update propagation | Self-defense | End action |
---|---|---|---|---|---|
Code Red A | 2008-11-21 | | | None | |
Code Red B | 2008-12-29 | | | | |
Code Red C | 2009-02-20 | | | | |
Code Red D | 2009-03-04 | None | | | |
Code Red E | 2009-04-07 | | | | |
Initial infection
- Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer.[43] On the source computer, the virus runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the virus in DLL form, which it then attaches to svchost.exe.[34] Variants B and later may attach instead to a running services.exe or Windows Explorer process.[27]
- Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.[44]
- Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.[17]
To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.[27]
Payload propagation
The virus has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the virus to update itself to newer variants, and to install additional malware.
- Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator (PRNG) seeded with the current date to ensure that every copy of the virus generates the same names each day. The virus then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.[27]
- Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.[27]
- To counter the virus' use of pseudorandom domain names, the Internet Corporation for Assigned Names and Numbers (ICANN) and several TLD registries began in February 2009 a coordinated barring of transfers and registrations for these domains.[45] Variant D counters this by generating daily a pool of 50,000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics. This new pull mechanism (which was disabled until April 1, 2009)[28][37] is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the virus' peer-to-peer network.[30] The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a distributed denial-of-service attack (DDoS) on sites serving those domains. However, the large number of generated domains and the fact that not every domain will be contacted on a given day will probably prevent DDoS situations.[46]
- Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.[37]
- Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.[33]
- Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the virus is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.[35][37]
Armoring
To prevent payloads from being hijacked, variant A payloads are first SHA-1-hashed and RC4-encrypted with the 512-bit hash as a key. The hash is then RSA-signed with a 1024-bit private key.[34] The payload is unpacked and executed only if its signature verifies with a public key embedded in the virus. Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits.[37] Conficker B adopted MD6 mere months after it was first published; six weeks after a weakness was discovered in an early version of the algorithm and a new version was published, Conficker upgraded to the new MD6.[3]
Self-defense
Variant C of the virus resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[47] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[48] An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.[37]
End action
Variant E of the virus was the first to use its base of infected computers for an ulterior purpose.[41] It downloads and installs, from a web server hosted in Ukraine, two additional payloads:[49]
- Waledac, a spambot otherwise known to propagate through e-mail attachments.[50] Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors.[51][52]
- SpyProtect 2009, a scareware rogue antivirus product.[53]
Symptoms
- Account lockout policies being reset automatically.
- Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled.
- Domain controllers responding slowly to client requests.
- Congestion on local area networks (ARP flood as consequence of network scan).
- Web sites related to antivirus software or the Windows Update service becoming inaccessible.[54]
- User accounts locked out.[55]
Response
On 12 February 2009, Microsoft announced the formation of an industry group to collaboratively counter Conficker. The group, which has since been informally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.[3][26][56]