yea, looks nice in the web logs -
[Fri Jul 20 04:46:22 2001] [error] [client 211.232.156.139] Client sent
malformed Host header
[Fri Jul 20 05:08:46 2001] [error] [client 207.70.183.108] Client sent
malformed Host header
[Fri Jul 20 05:26:26 2001] [error] [client 193.216.5.242] Client sent
malformed Host header
[Fri Jul 20 05:53:42 2001] [error] [client 134.34.144.30] Client sent
malformed Host header
[Fri Jul 20 06:05:16 2001] [error] [client 211.13.19.189] Client sent
malformed Host header
[Fri Jul 20 06:43:10 2001] [error] [client 206.246.65.141] Client sent
malformed Host header
[Fri Jul 20 07:01:04 2001] [error] [client 211.53.212.183] Client sent
malformed Host header
[Fri Jul 20 08:24:39 2001] [error] [client 216.30.76.139] Client sent
malformed Host header
[Fri Jul 20 08:56:57 2001] [error] [client 167.142.199.170] Client sent
malformed Host header
[Fri Jul 20 08:57:32 2001] [error] [client 211.115.206.124] Client sent
malformed Host header
[Fri Jul 20 09:04:30 2001] [error] [client 64.34.91.145] Client sent
malformed Host header
216.30.76.139 - - [20/Jul/2001:08:24:39 +1200] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
0%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 318 "-" "-"
167.142.199.170 - - [20/Jul/2001:08:56:57 +1200] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8
b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 318 "-" "-"
211.115.206.124 - - [20/Jul/2001:08:57:32 +1200] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8
b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 318 "-" "-"
64.34.91.145 - - [20/Jul/2001:09:04:30 +1200] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90
90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00
%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 318 "-" "-"
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz
[mailto:owner-nznog(a)list.waikato.ac.nz]On Behalf Of Chris Rigby
Sent: Friday, July 20, 2001 9:19 AM
To: nznog(a)list.waikato.ac.nz
Subject: Full analysis of the .ida "Code Red" worm.
I think this is something we should all be aware of for those of you not
on bugtraq (which I hope most of you are.)
This attack has gone from something like 0 hits in my web logs yesterday
to 11 in the last 4 hours
Some people are estimating over 12,000 hosts infected already.
Also to worry about are later announcements that :
"A notable side effect of this.. the worm signature is wreaking havoc with
Cisco 675, 677, and 678 DSL routers that have the Web Based Configuration
Interface enabled."
since they lock up when "?" is sent to them in a URL.
And apparently has issues for some 7500 size routers.
The main thing I'm concenred over is that the worm is programmed to flood
www.whitehouse.gov between 20:00pm and 23:59 (local system time). I'm not
looking forward to what effect this might have on the internet.
Escpecially the small outbound links in NZ.
Chris Rigby
Senior Systems Engineer
IHUG - Into the Internet
---------- Forwarded message ----------
Date: Wed, 18 Jul 2001 22:40:11 -0700
From: Marc Maiffret
From kernel32.dll: GetSystemTime CreateThread CreateFileA Sleep GetSystemDefaultLangID VirtualProtect
From infocomm.dll: TcpSockSend
From WS2_32.dll: socket connect send recv closesocket
Finally the worm stores the base address of w3svc.dll which it will later use to potentially deface the infected website. 4. Check the number of threads the worm has created. CODEREF: seg000:00000512 FUNC_LOAD_DONE Here the worm seems to perform a WriteClient (Part of the ISAPI Extension API), sending "GET" back to the attacking worm. This possibly could be a way of telling attacking worms that they have successfully infected a new host. Next the worm code will count the number of worm threads already in action. If the number of threads is 100 then control is shifted to the Worm hack web page functionality. If the number of threads is below 100 then the worm creates a new thread. Each new thread is an exact replica of the worm (Using the same code base). The worm now continues its path of execution. 6. Checks for the existence of c:\notworm CODEREF: seg000:0000079D DO_THE_WORK There seems to be a to be built in "lysine deficiency" (See Jurassic Park, or Caesar's paper on this at www.rootkit.com). A "lysine deficiency" is a built in check to keep malicious code from spreading further. In this case the "lysine deficiency" is a check for the existence of the file c:\notworm. If this file exists then the worm will become dormant. This means it will not attempt to make connections out to other IP addresses to try to infect. If this file does not exist then the worm continues onto the next step. 7. Check the infected systems time (computer clock) CODEREF: seg000:00000803 NOTWORM_NO The worm will now check the infected systems local time (in UTC). If the hour is greater then 20:00 UTC then the worm will proceed to goto the first step of the attack www.whitehouse.gov functionality. If the time is less than 20:00 UTC then the worm will attempt to continue to try to infect new systems. 8. Infect a new host (send .ida worm to a "random" IP address on port 80). At this point the worm will resend itself to any IP addresses which it can connect to port 80 on. It uses multiple send()'s so packet traffic may be broken up. On a successful completion of send, it closes the socket and goes to step 6... therefore repeating this loop infinitely. Worm hack webpage functionality ------------------------------- This functionality is called after a hundred threads are spawned within the worm. 1. Check if local system default language is English us then goto step 6 of core worm functionality. CODEREF: seg000:000005FE TOO_MANY_THREADS The first thing the worm does is get the local codepage. A codepage specifies the local operating system language (I.E. English (US), Chinese, German etc...). It then compares the local codepage against 0x409. 0x409 is the codepage for English (US) systems. If the infected system is an English (US) system then the worm will proceed to deface the local systems webpage. If the local codepage is not English (US) then this worm thread will goto step 6 of core worm functionality. 2. Sleep for 2 hours. CODEREF: seg000:00000636 IS_AMERICAN This worm thread now sleeps for 2 hours. We anticipate that this is to allow the other worm threads to attempt to spread the infection before making a presence known via defacing the infected systems webpage. 3. Attempt to modify infected systems webpages in memory. CODEREF: seg000:0000064F HACK_PAGE This worm uses an interesting technique called "hooking" to effectively deface (alter) an infected systems webpages. Hooking is modifying code in memory to point to code that the worm provides. In this case the worm is modifying w3svc.dll to change the normal operation of a function called TcpSockSend. TcpSockSend is what w3svc.dll (IIS core engine) uses to send information back to the client. By modifying this, the worm is able to change data being written back to clients who request web pages of an infected server. To perform hooking, first the worm makes the first 4000h bytes of w3svc.dll's memory writable. In a normal situation the memory for w3svc.dll (and basically all mapped dll's) is read-only. It uses the function VirtualProtect to change the memory of w3svc.dll to be writable, saving the old state to a stack variable. It then uses the saved codebase of w3svc.dll (from step 3 of core worm functionality) as a start point to search the import table (again see PE header documentation) for the address of TcpSockSend. Once the address for TcpSockSend is located the worm then replaces TcpSockSend's actual address with an address within the worm. The address that TcpSockSend now points to is a function within the worm that will return the "Hacked by Chinese !" webpage. The CODEREF for this function is seg000:00000C9A FAKE_TCPSOCKSEND. This thread of the worm now sleeps for 10 hours. During this 10 hours all web requests to the infected server will return the "Hacked by chinese !" webpage. After the 10 hours is up this thread will return w3svc.dll to its original state, including re-protecting memory. Execution after this proceeds to step 6 of the core worm functionality. Attack www.whitehouse.gov functionality --------------------------------------- Sooner or later every thread within the worm seems to shift its attacking focus to www.whitehouse.gov. 1. create socket and connect to www.whitehouse.gov on port 80 and send 100k byes of data CODEREF: seg000:000008AD WHITEHOUSE_SOCKET_SETUP Initially the worm will create a socket and connect to 198.137.240.91 (www.whitehouse.gov/www1.whitehouse.gov) on port 80. CODEREF: seg000:0000092F WHITEHOUSE_SOCKET_SEND If this connection is made then the worm will create a loop that performs 18000h single byte send()'s to www.whitehouse.gov. CODEREF: seg000:00000972 WHITEHOUSE_SLEEP_LOOP After 18000h send()'s the worm will sleep for about 4 and a half hours. It will then repeat the attack against www.whitehouse.gov (goto step one of Attack www.whitehouse.gov functionality). Appendix ======== This is associated information about the "Code Red" worm including how to stop the worm, commentary on the worm, and dispelling common misconceptions about this worm. How to secure your system from this .ida "Code Red" worm? --------------------------------------------------------- Microsoft patch for this .ida vulnerability http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-033.asp The worm spreads itself to new vulnerable systems via the .ida vulnerability. Applying this patch will keep your server from being infected. However, as stated earlier, because of the way the worm creates its list of "random" IP addresses to attack, you could still be affected by a high traffic overload denial of service. eEye Digital Security Advisory for .ida vulnerability http://www.eeye.com/html/Research/Advisories/AD20010618.html We initially discovered the .ida vulnerability which is being used by this worm as its infection vector. The above advisory details our research of that specific vulnerability. We worked with Microsoft to help them create a patch for the .ida vulnerability. SecureIIS - Application firewall, stops known and unknown IIS vulnerabilities. http://wwww.eeye.com/secureiis We do produce a product that protects IIS web servers from attack which is one of the reasons that we were so quick to research this worm. Funny enough in our initial testing we couldn't get the worm to work because we forgot we had SecureIIS enabled on the lab web server. heh. I have been infected by this worm what can I do? ------------------------------------------------ The first thing you must do is goto the Microsoft security site, as referenced above, and install the .ida patch ASAP. The worm will remain in memory until you reboot your server so make sure to reboot after installing the .ida patch. I think I am infected, how can I tell? -------------------------------------- An infected system will show an increase in load (processor/network). It will also show a number of external connections (or attempts) to port 80 of random IP addresses. You can see this by doing a "netstat -an" from a MS-DOS prompt. Either way do not take any chances... if your system is missing the .ida patch then install it ASAP and reboot. How to setup your IDS to detect this specific worm? --------------------------------------------------- The following is part of the packet data that is sent for this .ida "Code Red" worm attack: GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0 Just add that to your IDS signature database. What are some common misconceptions about the "Code Red" worm? -------------------------------------------------------------- 1. It connects to worm.com. This worm only specifies www.worm.com in the initial HTTP GET request HOST: header and in the defaced page show on English (US) systems. This worm does _not_ connect to www.worm.com. This worm operates completely independent and can spread and infect systems without having a single point of failure. What that means is that this worm will be wild on the Internet until there is a _VERY_ high degree of systems that go and install the .ida patch. 2. This worm is based off of hsj's "proof of concept" .ida exploit. This worm is _NOT_ based off of hsj's "proof of concept" .ida exploit. His exploit code had no worm functionality. It was a simple exploit shell that had little to no implicit functionality. It was designed to prove to administrators the seriousness of this vulnerability so that they would install patches ASAP. Credits ======= Ken Eichman of Chemical Abstracts Service Matthew Asham of Left Coast Systems Corp and a large handful of administrators who gave us much needed data to piece this together. Signed, eEye Digital Security T.949.349.9062 F.949.349.9538 http://eEye.com/Retina - Network Security Scanner http://eEye.com/Iris - Network Traffic Analyzer http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities "Its not a virus! Its a worm!" - z3r0 c00l "Whats this one eat?" - l0rd n1k0n "th1s 0n3 34ts 11S s3rv3rs!" - ch4m3l30n h4ck3rs --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog