[dranch@trinnet.net: How the IIS Red Worm works..]
so which ISP in Wellington was it that is reported to have lost its servers as a result of the worm (reported in the Herald).... and did it really infect/affect 250000 sites?
Ian
Dunno about the first one - but there is a portion in this article that talks to your second point.
Dean
----- Forwarded message -----
Interesting..
From http://www.w2knews.com/subscribe.cfm?id=W2K
-- Explanation
As stated earlier the .ida "Code Red" worm is spreading throughout IIS Web servers on the Internet via the .ida buffer-overflow attack that was published last month.
The following are the steps that the worm takes once it has infected a vulnerable Web server:
Setup initial worm environment on infected system.
Setup 100 threads of the worm.
Use the first 99 threads to spread the worm (infect other Web servers).
· The worm spreads itself by creating a sequence of random IP addresses. However, the worm's list of IP addresses to attack is not altogether random. In fact, there seems to be a static seed (a beginning IP address that is always the same) that the worm uses when generating new IP addresses. Therefore every computer infected by this worm is going to go through the same list of "random" IP addresses.
Because of this feature, the worm will end up re-infecting the same systems multiple times, and traffic will cross back and forth between hosts, ultimately creating a denial-of-service type effect. The denial-of-service will be due to the amount of data being transferred between all of the IP addresses in the sequence of random IP addresses.
The worm could have done truly random IP generation and that would have allowed it to infect many more systems much faster. We are not sure why this was not done, but a friend of ours did pose an interesting idea: If the person who wrote this worm owned an IP address that was one of the first hundred or thousand to be scanned, then they could set up a "sniffer", and any time an IP address tried to connect to port 80 on their server they would get confirmation that the IP address that connected to them was infected with the worm. With this knowledge, they would be able to create a list of the majority of systems that were infected by this worm.
The 100th thread checks to see if it is running on an English (US) Windows NT/2000 system.
· If the infected system is found to be an English (US) system, the worm will proceed to deface the infected system's website. The local Web server's Web page will be changed to a message that says: "Welcome to http://www.worm.com!, Hacked By Chinese!". This hacked Web page message will stay "live" on the Web server for 10 hours and then disappear. The message will not appear again unless the system is re-infected by another computer.
· If the system is not an English (US) Windows NT/2000 system, the 100th worm thread is also used to infect other systems.
Each worm thread checks for c:\notworm.
· If the file c:\notworm is found, the worm goes dormant.
· If the file is not found, each thread will continue to attempt to infect more systems.
Each worm thread checks the infected computer's system time.
· If the date is past the 20th of the month (GMT), the thread will stop searching for systems to infect and will instead attack www.whitehouse.gov. The attack consists of the infected system sending 100k bytes of data (1 byte at a time + 40 bytes overhead for the actual TCP/IP packet) to port 80 of www.whitehouse.gov.
This flood of data (410 megabytes of data every 4 and a half hours per instance of the worm) would potentially amount to a denial-of-service attack against www.whitehouse.gov.
· If the date is between the 1st and the 19th of the month, this worm thread will not attack www.whitehouse.gov and will continue to try to find and infect new Web servers.
We have calculated that the worm can attempt to infect roughly half a million IP addresses a day. This is a rough estimate generated by testing on a very slow network.
At the time of writing this document (July 19th, 3:00pm), we have had reports from administrators that have been probed by over 196 thousand unique hosts. This leads us to believe that this worm has infected at least 196 thousand computers.
During testing we noticed that sometimes the worm does not execute "normally" and will continue to spawn new threads until the infected machine crashes and has to be rebooted, effectively killing itself. We have not been able to isolate the cause of this behavior.
----- End forwarded message -----
---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
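The static-seed scanning behaviour the forwarded article describes, as an added example that is not part of the original post or of the w2knews article: a small Python model in which every infected instance walks the same target list, compared with per-host random seeding, plus the "sniffer at one of the first addresses" enumeration trick the article speculates about. The generator (Python's random.Random), the 16-bit toy address space, the seed value STATIC_SEED, the per-host seed formula and the observer's position are all assumptions; the page does not give the worm's real generator or seed.

```python
"""Model of static-seed versus per-host-seeded worm scanning.

Added example; not code from the original post or from the w2knews article.
Everything below the docstring that is not stated in the article is an
assumption made only so the effect can be measured.
"""
from collections import Counter
import random

# Toy address space (assumption): 65,536 addresses instead of the IPv4 space.
ADDRESS_SPACE = 1 << 16
# Placeholder shared seed (assumption); the page does not give the real one.
STATIC_SEED = 0x1234


def scan_sequence(seed, count):
    """First `count` target addresses from a generator seeded with `seed`.

    random.Random stands in for the worm's generator (assumption). The only
    property relied on is that a fixed seed yields a fixed sequence, which is
    exactly what the article says makes the worm's list "not altogether random".
    """
    rng = random.Random(seed)
    return [rng.randrange(ADDRESS_SPACE) for _ in range(count)]


def host_seed(host, static_seed):
    """Seed used by infected host `host`.

    static_seed=None models truly random scanning (each host seeds itself
    differently; the per-host formula is an assumption). An int models the
    static seed from the article: every host walks the same list.
    """
    return static_seed if static_seed is not None else 1_000_003 * (host + 1)


def probe_stats(num_infected, probes_per_host, static_seed=None):
    """Aggregate the probes emitted by `num_infected` hosts.

    Returns how many distinct addresses were covered, how often the most-hit
    address was probed, and the total probe count. With a static seed the
    population never covers more than one host's list, and every address on
    it is probed at least once per infected host: the re-infection and
    cross-traffic effect the article describes.
    """
    hits = Counter()
    for host in range(num_infected):
        hits.update(scan_sequence(host_seed(host, static_seed), probes_per_host))
    return {
        "unique_targets": len(hits),
        "max_hits_on_one_target": max(hits.values()),
        "total_probes": sum(hits.values()),
    }


def hosts_seen_by_observer(observer_addr, num_infected, probes_per_host, static_seed=None):
    """Infected hosts (by id) whose first `probes_per_host` probes reach `observer_addr`.

    This is the article's sniffer idea: with a static seed, an observer sitting
    at an address near the start of the shared list is contacted by every
    infected instance and can enumerate the infected population from its own
    port-80 connection log. With per-host seeds it sees only a small fraction.
    """
    return {
        host
        for host in range(num_infected)
        if observer_addr in set(scan_sequence(host_seed(host, static_seed), probes_per_host))
    }


if __name__ == "__main__":
    shared = scan_sequence(STATIC_SEED, 5)
    print("first targets of every static-seeded instance:", shared)
    print("static seed, 100 hosts x 1000 probes:", probe_stats(100, 1000, STATIC_SEED))
    print("random seed, 100 hosts x 1000 probes:", probe_stats(100, 1000))
    observer = shared[0]  # sniffer placed at the first address of the shared list (assumption)
    print("observer enumerates", len(hosts_seen_by_observer(observer, 100, 1000, STATIC_SEED)),
          "of 100 static-seeded hosts")
    print("observer enumerates", len(hosts_seen_by_observer(observer, 100, 1000)),
          "of 100 randomly seeded hosts")
```

Running it shows the two halves of the article's argument side by side: with the static seed, 100 instances cover at most the 1,000 addresses of a single list and hit each of them at least 100 times, while the same 100 instances with independent seeds cover tens of thousands of addresses with no address hit more than a handful of times; and an observer at the head of the shared list logs all 100 static-seeded instances but only the few randomly seeded ones that happen to draw its address.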
Dean and all,
Guys and gals, just wait, this is only the beginning... More fun and games to come, not to worry...
Dean Pemberton wrote:
--
Jeffrey A. Williams
Spokesman for INEGroup - (Over 118k members strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1(a)ix.netcom.com
Contact Number: 972-447-1800 x1894 or 214-244-4827
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208
participants (2)
- Dean Pemberton
- Jeff Williams