Code Green. Are you Serious?!

by Majik on September 6th, 2001

Amid a debate over the ethics of fighting a virus with a virus, security researchers have separately released two programs that hunt down and patch computers infected with Code Red II.

CodeGreen, written by a German security expert who uses the nickname "Der HexXer," randomly scans the Internet for servers running Microsoft's IIS software that are infected with Code Red II. When it finds a compromised IIS machine, CodeGreen attempts to download and apply the patch from Microsoft, then closes the "back doors" that Code Red II left behind. The cleaned host then itself begins scanning for further infected servers.

CRclean, according to its author, Markus Kern, is a "passively spreading worm": it targets only systems that first attack the machine on which CRclean is running. CRclean attempts to patch and clean such an infected system, and then installs a copy of itself on the new host. According to notes in the source code, CRclean removes itself from the system at shutdown if the date is November 2001 or later.

Source code for both tools was posted to a security mailing list on Saturday. Neither author was immediately available for comment; in his posting, Der HexXer said he had just begun a vacation.

While the spread of Code Red II has been contained for weeks, several thousand systems still appear to be infected with the worm and are actively attempting to spread it to other machines on the Internet. In Holland alone, participating Internet service providers have reported more than 74,000 infected systems to Security.nl, a site that is tracking Code Red infections.

Members of the Dshield.org intrusion detection service are still recording hundreds of thousands of Code Red probes per day, and port 80 (HTTP) remains the most commonly attacked port, according to Dshield.

Security professionals have for weeks debated the pragmatic and ethical issues involved in releasing a "benign" worm to combat the thousands of systems apparently still infected with Code Red. But Saturday marked the first time that developers had actually released such code.

A spokesperson for the Computer Emergency Response Team (CERT) told Newsbytes today that the federally funded security clearinghouse believes there are "serious ethical and legal problems with these kinds of clean-up worms."

Both authors warn that their programs are beta or test code and are for educational purposes only.

While there have been no reports yet of either clean-up worm being used on the Internet, some security experts say it is just a matter of time. Others also fear that doctored, more dangerous versions of the worms could appear.

"It seems unavoidable. Much malicious capability will be loosed with such a release, but someone won't care. Someone will just want to see what happens," said Steve Gibson, president of Gibson Research Corp.

Last month, a software developer named Paul Nettle released a non-propagating program called AntiCodeRed, which automatically generates a warning message to a system operator if his or her machine attempts to spread Code Red II to the system running AntiCodeRed.

To identify themselves to operators, both CodeGreen and CRclean leave unique signatures in the Web server logs of systems they probe, according to an analysis of the worms by Incidents.org, a service of the SANS Institute.
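
As an added illustration (not code from the article, from Incidents.org, or from either tool's author) of the two detection points made above, the DShield-style counting of Code Red probes against port 80 and the idea that a clean-up tool identifies itself by a signature in the target's web server log, here is a small Python triage script for IIS W3C-format logs. The Code Red request shape it matches (a GET for /default.ida whose query string is a long filler run, N for the original Code Red and X for Code Red II, followed by %u-encoded shellcode) is the documented one; the CodeGreen and CRclean marker strings, the log lines and the IP addresses are constructed placeholders, because the article does not quote the actual signatures.

```python
import re
from collections import Counter, defaultdict

# Documented shape of a Code Red probe: GET /default.ida with a query string made of a long
# filler run ('N' for the original Code Red, 'X' for Code Red II) followed by %u-encoded shellcode.
CODE_RED_RE = re.compile(r"^(?P<fill>N{100,}|X{100,})%u9090%u6858%ucbd3%u7801")

# ASSUMPTION: the substrings the clean-up tools leave in the request line. The article only says
# Incidents.org found unique signatures in the logs; these literals are placeholders, not the real ones.
ASSUMED_MARKERS = {
    "codegreen": "HexXer",
    "crclean": "CRclean",
}

# Column layout of the constructed W3C extended log below (a subset of the real IIS fields).
FIELDS = ("date", "time", "c_ip", "method", "stem", "query", "status")

# Constructed sample log: addresses are from the documentation ranges and every event is invented.
SHELLCODE_TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003=a"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-09-06 03:12:41 192.0.2.10 GET /default.ida {'X' * 224}{SHELLCODE_TAIL} 200",
    f"2001-09-06 03:13:02 192.0.2.10 GET /default.ida {'X' * 224}{SHELLCODE_TAIL} 200",
    f"2001-09-06 04:55:19 198.51.100.7 GET /default.ida {'N' * 224}{SHELLCODE_TAIL} 200",
    "2001-09-06 05:01:00 203.0.113.5 GET /default.ida Code_Green_HexXer_probe 404",
    "2001-09-07 01:20:33 203.0.113.9 GET /default.ida CRclean_probe 404",
    "2001-09-07 01:21:00 203.0.113.9 GET /index.htm - 200",
])


def parse_w3c(line):
    """Return one log line as a dict keyed by FIELDS, or None for directives, blanks and odd lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Label a request: a Code Red (I or II) probe, an assumed clean-up-tool probe, or other."""
    if entry["stem"].lower() != "/default.ida":
        return "other"
    query = entry["query"]
    # Tool markers first: a clean-up tool also hits default.ida, so it must not be mistaken for a worm.
    for name, marker in ASSUMED_MARKERS.items():
        if marker in query:
            return name
    match = CODE_RED_RE.match(query)
    if match:
        return "codered-ii" if match.group("fill").startswith("X") else "codered-i"
    return "other"


def summarize(log_text):
    """Count request kinds per day and collect sources that sent a Code Red II probe (still-infected hosts)."""
    per_day = defaultdict(Counter)
    infected = set()
    for line in log_text.splitlines():
        entry = parse_w3c(line)
        if entry is None:
            continue
        kind = classify(entry)
        per_day[entry["date"]][kind] += 1
        if kind == "codered-ii":
            infected.add(entry["c_ip"])
    return per_day, infected


if __name__ == "__main__":
    per_day, infected = summarize(SAMPLE_LOG)
    for day in sorted(per_day):
        print(day, dict(per_day[day]))
    print("hosts still spreading Code Red II:", sorted(infected))
```

The per-day counters are the same kind of tally DShield publishes for port 80, and the set of sources that sent an X-filled default.ida probe is exactly the list of hosts a tool such as CodeGreen or CRclean would go after; checking the marker strings before the worm pattern matters because the clean-up tools also request /default.ida and would otherwise be counted as attackers.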

In a list of known problems included in the source code of CodeGreen, the author expresses uncertainty about whether the program will correctly apply the patch to all systems. In fact, he concedes that CodeGreen may not work at all.

CodeGreen is available at http://www.securityfocus.com/archive/82/211428.