I personally know of someone who was infected by this. If you haven't removed all non-(CF or ASP) script mappings, DO SO NOW! An ounce of prevention.... Daryl (Nothing like typing in a hurry...) ----- Original Message ----- From: "Marc Maiffret" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, July 17, 2001 1:17 PM Subject: Initial analysis of the .ida "Code Red" Worm The following information was researched by Ryan Permeh ([EMAIL PROTECTED] and Marc Maiffret ([EMAIL PROTECTED] of eEye Digital Security. We would like to specially thank Matthew Asham of Left Coast Systems Corp and Ken Eichman of Chemical Abstracts Service for providing us with logs and needed data to make this analysis possible. Introduction ------------ On Friday July 13th we received packet logs and information from 2 network administrators that were experiencing large amounts of attacks targeting the recent .ida vulnerability that eEye Digital Security discovered (http://www.eeye.com/html/Research/Advisories/AD20010618.html) on June 18, 2001. >From the first analysis of the logs that were sent to us we were able to deduce that in fact it looked as if someone had released a worm for the .ida vulnerability. Within the logs we could see connection attempts from over 5 thousand IIS 5 web servers targeting various other IIS web server and sending a .ida exploit to each of them. Evidence also showed that compromised hosts were being used to attack other hosts. We've designated this the .ida "Code Red" worm, because part of the worm is designed to deface webpages with the text "Hacked by Chinese" and also because code red mountain dew was the only thing that kept us awake all last night to be able to disassemble this exploit. Details ------- Note: Details are going to be short for now. We plan on releasing a full analysis of the worm but felt that it was important to get this message out ASAP as this worm is starting to affect a lot of people. The standard injection vector is a exploit that uses the .ida buffer overflow to execute code (as SYSTEM) on vulnerable remote systems. The worm performs the following on infected systems: * Spawns 100 threads which are used to scan for new IIS web servers to infect * Checks for the existence of c:\notworm and if it is found then it does not try to propagate itself to other hosts. * Defaces web pages with the message: <html><head><meta http-equiv="Content-Type" content="text/html; charset=English"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html> Analysis -------- Note: Again this is a quick brief analysis, more detail will follow. Upon infection the infected host will spawn 100 threads in a loop. This loop checks for the existence of c:\notworm and if the file does not exist then the worm will proceed to start scanning for vulnerable servers to infect. The worm does scan for random IP addresses. However, the worm uses the same seed for "randomization" of IP addresses. This means that each new infected host will start at the same IP and continue scanning further down the same track of IP's as every other infected host. The ramifications of this are severe because this means that hosts early in this "randomized" IP sequence will be hit over and over as new hosts are infected. This creates the potential for a denial of service against early IP addresses in the sequence. Also, evidence has proved that hosts can be infected multiple times therefore creating a drain on system resources. However, normal worm operation seems to have a cut off point as to how many times a host will be re-infected. Early analysis seems to suggest that the worm has a limit of 3 reinfections however that may have just been "by chance" in our test scenario. Other in house tests of the infections have shown that internal thread rate limiting seems to be broken in certain situations. Which means that some infected systems will continue to spawn new threads until system resources become so low that the entire web server computer crashes or becomes unusable. Summary ------- We will be releasing a full detailed analysis, complete with disassembled worm code and comments within the code. We have had reports from a few network administrators that their IDS systems have seen this .ida attack originating from over 5 thousand unique source addresses within a 3 day time span. Hosts early in the IP sequence will be hit with a traffic based denial of service and those hosts vulnerable to this worm will most likely grind to a halt. How to secure your system from this .ida attack ----------------------------------------------- Microsof patch for this .ida vulnerability http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-033.asp eEye Digital Security Advisory http://www.eeye.com/html/Research/Advisories/AD20010618.html The following is part of the packet data that is sent for this .ida "Code Red" worm attack: /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0 You can set your IDS to monitor for this to be able to see if your being hit with this worm or not. Also any IDS capable of detecting the .ida overflow should be able to detect this as an attack. Signed, eEye Digital Security T.949.349.9062 F.949.349.9538 http://eEye.com/Retina - Network Security Scanner http://eEye.com/Iris - Network Traffic Analyzer http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities ---------------------------------------------------------------------------- Delivery co-sponsored by Trend Micro ============================================================================ TREND MICRO REAL-TIME VIRUS ALERTS If you would like to know about a virus outbreak before CNN and ZDNet get Trend Micro Virus Info Feed FREE. Simply copy and paste a small piece of code to give your visitors a real-time top 10 list and the latest virus advisories. Setup takes just 10 minutes and requires no server-side code on your Web site. All content is updated automatically from Trend Micro's Web site. http://www.antivirus.com/banners/tracking.asp?si=8&bi=237&ul=/syndication/ vinfo/ ---------------------------------------------------------------------------- ______________________________________________________________________ The KCFusion.org list and website is hosted by Humankind Systems, Inc. List Archives........ http://www.mail-archive.com/cf-list@kcfusion.org Questions, Comments or Glowing Praise.. mailto:[EMAIL PROTECTED] To Subscribe.................... mailto:[EMAIL PROTECTED] To Unsubscribe................ mailto:[EMAIL PROTECTED]
