Code Red Worm Infects 359,000 Servers in 14 Hours
A self-replicating worm exploited a buffer overflow in Microsoft IIS web servers, defacing websites and launching DDoS attacks against the White House — all without any human interaction.
Background
In the summer of 2001, Microsoft Internet Information Services (IIS) ran on the majority of Windows web servers worldwide. A buffer overflow vulnerability in the Index Server ISAPI extension (MS01-033) had been patched, but patch adoption was slow.
The Attack
Code Red exploited the unpatched buffer overflow to inject shellcode directly into memory. The worm required no file system access — it ran entirely in RAM. Once active, it scanned random IP addresses for other vulnerable IIS servers, defaced English-language sites with "HACKED BY CHINESE!" and attempted a coordinated DDoS against whitehouse.gov on the 20th of each month.
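As an added illustration that is not part of the original article, the Python below scans constructed IIS-style log lines for the probe Code Red sent to the Index Server ISAPI handler: a request for a .ida resource whose query string is padded with a long run of one repeated byte. The log layout, field order and sample addresses are simplified assumptions, and the run-length threshold is an arbitrary tuning value.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified IIS W3C log layout
# (date time client-ip method uri-stem uri-query status); not real captured logs.
SAMPLE_LOG = "\n".join([
    "2001-07-19 10:00:01 10.0.0.5 GET /default.htm - 200",
    "2001-07-19 10:00:03 198.51.100.7 GET /default.ida " + "N" * 224 + "%u9090 200",
    "2001-07-19 10:00:04 192.0.2.9 GET /search.ida q=budget 200",
    "2001-07-19 10:00:05 203.0.113.4 GET /default.ida " + "X" * 224 + "%u9090 404",
    "2001-07-19 10:00:06 10.0.0.6 GET /default.ida " + "A" * 20 + " 404",
])

IDA_HANDLER = re.compile(r"\.id[aq]$", re.IGNORECASE)  # Index Server ISAPI extensions
LONG_RUN = re.compile(r"(.)\1{99,}")                     # 100+ repeats of one byte (assumed threshold)

@dataclass
class Hit:
    client_ip: str
    uri: str
    query_len: int
    status: str

def parse_line(line):
    """Split one simplified log line into (ip, method, stem, query, status)."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, method, stem, query, status = parts
    return ip, method, stem, query, status

def is_code_red_probe(stem, query):
    """True when the request targets the ISAPI Index Server handler and the
    query string carries an abnormally long run of one repeated byte."""
    return bool(IDA_HANDLER.search(stem)) and bool(LONG_RUN.search(query))

def scan_log(text):
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, stem, query, status = rec
        # The status code is not a safety signal: the ISAPI extension handled
        # .ida requests whether or not the named file existed, so a 404 still
        # means the vulnerable code path was reached.
        if is_code_red_probe(stem, query):
            hits.append(Hit(ip, stem, len(query), status))
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.client_ip} probed {h.uri} (query {h.query_len} bytes, status {h.status})")
```

Because the worm lived only in memory, the web server log on the receiving side (and the outbound scan attempts from an infected host) is one of the few durable traces an investigator can work from.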
Response
Microsoft released emergency guidance urging administrators to apply the patch released weeks earlier. The White House preemptively changed its IP address to avoid the DDoS. CERT/CC issued multiple advisories. The worm burned itself out within weeks as infected servers rebooted and lost their in-memory payload.
Outcome
Over 359,000 machines were infected within 14 hours of release. Estimated damages exceeded $2 billion in lost productivity and cleanup. The incident demonstrated the catastrophic speed at which a weaponised worm could spread across the internet.
Key Takeaways
- Patch critical vulnerabilities promptly — Code Red exploited a flaw with a publicly available patch
- Network segmentation limits lateral spread even when a single node is compromised
- In-memory malware is harder to detect than file-based threats
- Internet-wide scanning by a single worm can saturate backbone bandwidth