Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
More info
There was an interesting post about this on the Politech list, which includes a response from Elias Levy (the guy who runs BUGTRAQ).
-
This has been already...
...discussed many, many times on Bugtraq.
Elias Levy already summed it all up:
"Well, the world changes. I am not so stubborn to think I will always be right or will never change my opinion on this matter. A little reality check every once in a while is good. It also allows some of the newer members of the list to understand the philosophy behind the list. Now we stop flogging a dead horse and take you back to our regular programming." http://www.securityfocus.com/archive/1/203625 -
But that doesn't help if...
The worm only stays resident in memory after you are infected. Therefore, you are instantly clean after a reboot. It _does_ not stay anywhere else except RAM, which is cleared when you reboot.
But the trojan modifications by the newer version of the worm are permanent, and will NOT be removed by rebooting and installing the patch. The patch just prevents reinfection by the original buffer overflow bug.
Look here for a tool to TRY to clean up the system.
But note that once the system has had the FIRST backdoor installed, that may have been used to install other backdoors, unknown to the author of the cleanout tool. And an infected machine is advertising its vulnerability to the entire net by the infection attempts it makes.
The only real solution is to reinstall the whole machine, and install the patch before going live on the net.
(And while you're at it - why not install Linux or a BSD instead, and switch to the Apache web server, which doesn't HAVE this problem.) -
Only gets SOME of 'em.
OK, who can write a perl CGI script that will, on connection from an infected host, send the appropriate commands to root.exe; download the tool; and run it?
That only works if the server is infected by the version that installs the trojan.
With a little more work one could take advantage of the fact that being infected by any version of the worm shows the server is vulnerable to the original buffer-overflow attack. So one could:
Get a copy of the worm.
Modify it to take the web server down (or whatever) rather than infecting it.
Install a launcher for it as default.ida in the document root of your webserver.
Note that by now any worm-infested machine - benign or backdoor version - may have several diverse rootkits installed. So it should be reinstalled (preferably with linux or a BSD and apache B-) ) rather than cleaned out and patched. And a machine infected with the benign worm, if merely crashed, will no doubt be brought back up and eventually infected with the backdoor-installing version.
Some authors of retaliatory-strike software will no doubt choose to disable the web server on a more permanent basis - as by removing the unpatched DLL (along with the several backdoors the worm installs - see a patch tool here) - rather than merely shutting it down.
While this may get them in trouble, choosing to reformat the drives would be a hostile action, since it might destroy unbacked parts of the web site. (It would also likely lead to the administrators installing a backup, complete with vulnerability. So it is a less effective retaliatory strike.)
Finally: I do NOT recommend actually doing this, as it may be illegal. The more damaging alternatives certainly are illegal (and also unnecessary, given the availability of less damaging alternatives). -
SecurityFocus
Probably old news, but we all know that the guys at SecurityFocus are collecting the IP addresses of those boxes in your logs from Code Red. Reuven Lerner has created a perl module that is collecting the info, sends it to SecurityFocus, and emails the entity holding the block of IP addresses the visitor is from (via the MX record), informing them as well. Worth looking through.
BL. -
report them to securityfocus.com!
securityfocus (a.k.a bugtraq) is collecting infected IP addresses with timestamps. send them to aris-report@securityfocus.com. i have been keeping track of the hits to my system at debussy.ucsc.edu.
-
Re:Bah.
I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.
You might be interested in this article titled, "Securing an unpatchable webserver"
-
This can get you busted. Seriously.
Really baaaaaaad idea!
First off, you can go to jail. This is very much like the stunt that got Max Butler, a.k.a. Max Vision, 18 months in Federal stir. Too bad, because he is an IDS wizard, as well as a pretty decent guy, from all reports. But if I were a DOD investigator working on this case, I'd probably want to see him in the slam myself.
Secondly, you cannot audit the actions of a worm. And when you close a hole like the one Code Red exploits, you want the actions to leave an audit trail.
Thirdly, an anti-worm-worm is not certain to infect, and thus patch, the systems that you want patched.
Better in all ways to just suck it in and patch the systems you own, yourself. And email the poor schmucks who just don't know their W2K boxes have IIS servers running, unpatched, and which have thus been hit, that their systems are infected and infectious. I fired off an email to uunet two days ago about an infected box scanning the networks I monitor. The worm's scans shut down just three hours later. Coincidence?
-
Re:There is another way...
You don't need to do the lookups/etc yourself. You can help security focus send out the mail.
from the bugtraq post:
To: BugTraq
Subject: Infection Notification
Date: Sun Aug 05 2001 10:50:22
Author:
Message-ID:
If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:
IP ADDRESS DATE/TIME WITH TIMEZONE
Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
---end bugtraq post---
-
There are parallels - it has been done before.
A major security hole was discovered in Red Hat 7.?? (Don't remember the details). Soon after, mysteriously, a virus appeared on the web which fixed the bug.
Max Vision of whitehats.org found himself in trouble for writing a worm which patched systems for the BIND hole.
Read more about it at http://www.securityfocus.com/news/203 -
BugTraq
There was a very similar discussion on BugTraq during the first "outbreak" of CodeRed. The consensus pretty much was that while this would be technically possible, and (really) trivial, technically -- the question must arise "we can, should we?" -- and the ultimate answer appears to be a resounding "no".
By loosing another worm onto the network, we would be adding to an already saturated network significantly more traffic -- *and* we'd be violating another's box/property -- ultimately making the writer of any "CodeRed-Fix_worm" no better than the original authors. (How many worm/virus/exploit writers do you know that have said "i wrote it to show that the vulnerability existed -- so someone would fix it"?)
bemis
-- Everyone in the world is doing something without me. -
Not a good idea..
There has been considerable discussion about this on the BugTraq mailing list.
It has been discussed before for other vulnerabilities as well. But the consensus is that this is a bad idea for a number of reasons, and they can be summarized as:
- Liability: Most viruses and worms cause problems because they're written poorly. If the "anti-worm" doesn't behave as expected on all systems, and causes damage, the person who wrote it could be liable.
- Legality: Even though it's well intentioned, it's still legally the same criminal act as the original virus/worm writer committed. If the worm does harm (by breaking somebody's app) then there will likely be criminal as well as civil charges filed.
- Morality: Fundamentally, this isn't the way the white hats behave. We, as a community should help others fix the problems, but shouldn't be using the techniques of the black-hats to do it... including exploiting security holes and mucking with other people's machines.
-- Mitch
-
Discussed before
This has been discussed before, among other places on Bugtraq. The concept has many flaws:
- The morality aspect - you are "taking control" of someone else's hardware/software
- The legal aspect - this still constitutes "cracking" as you have illegally gained access to a computer system that is not yours. Breaking into someone's house is not OK just because you only intended to do their dishes.
- The practical aspect - the worst side effect of internet worms is not primarily damage done to the infected systems, but bandwidth consumed and resources depleted as a result of the worm spreading.
-
Bugtraq advisories
Here is a link to the Bugtraq advisory for this, as well as a fairly insightful reply, both of which come from my own submission of this story which was rejected six hours before this one was accepted, not that I'm bitter.
-
Re:There seems to be a newer variant
That exploit is a much older one using unicode characters in the URL which was patched between SP1 and SP2.
See http://www.securityfocus.com/bid/1806 for details.
I am getting about one attempt every hour using variants on that exploit - all from address blocks in mainland China. -
There seems to be a newer variant
or the worm has a sleeping behaviour pattern. Please review the following message from the Securityfocus Incidents Archive (the message was sent 30 minutes ago)
-
Re:How does codeRed infest?
You wanted to know if this worm has been reverse engineered. Well it has. View the results here: http://securityfocus.com/templates/archive.pike?fromthread=0&end=2001-08-11&list=1&mid=201885&start=2001-08-05&threads=0& -
Re:Code Red Infects Slashdot!
I braved the evil frames of the securityfocus website to bring you:
-
Re:File download script
Here is another good article on it at securityfocus.com.
-
Re:Anyone still consider this a Microsoft problem?
It was Max Vision. There is a nice article about it at securityfocus.
-
Re:White Hat Viruses?
Max Vision of whitehats.org (IIRC) got busted for doing just this (writing a worm that patched systems to prevent a malicious worm from infecting them). The FBI didn't charge him with anything initially while he was ratting out people, but as soon as he baulked at ratting out a close friend, they fried his ass. Nice ethics those FBI thugs have. Article that explains it better is here at securityfocus.com.
-
The old /scripts/root.exe
Copying cmd.exe into the /scripts directory to gain access to the system is nothing new. One bug in IIS let you (through HTTP requests) access the filesystem and run simple commands (this is very sad). The first thing that a cracker would do is copy cmd.exe into the scripts directory.
One of the servers at my school got hacked this way. I just had to laugh at the simplicity of the hack.
-
Securityfocus asks for IPs
To notify the administrators of the attacking servers you can send their IP followed by the date and time of the attack to aris-report@securityfocus.com. - Please use this format because it's a robot address. http://securityfocus.com/announcements/310
-
Re:A few more details
Took longer than expected (plus I slept a bit in there.. long night :) )
http://www.securityfocus.com/archive/75/201878
http://www.securityfocus.com/archive/75/201877 -
Re:A few more details: It's a root trojan
According to this, the system will proceed to reinfect itself the next time explorer is launched (essentially, the next time someone logs in).
Also, once reinfected (by whatever means), I would presume that the rename would fail.
Renaming c:\explorer.exe should help.
-
Of course...
If you get tired of seeing the requests, you could always shut the server down (the requesting server of course, not yours :). Might not remove the worm, but at least gets the "admin" (ha) to pay some attention. Maybe make a request for YOU_HAVE_THE_CODE_RED_WORM_YOU_MORON.HTML right before you do it in case they check the logs :) -
A few more details
It doesn't affect its own netspace exclusively. Initial analysis indicates that it will do so 6 out of 7 times. The 1 out of 7 will go outside its network range.
We'll have full details posted to the Incidents list shortly. -
Re:Nope, Code Red is still with us.
> Hmm. The first host infects X others, and then all the children attempt to infect the exact same X? That would be known as NO growth.
It would still grow, unless the RNG had a real short cycle. True, the children would infect no new hosts, but the root worm would... until it is killed, and then the next oldest will take over. Each copy of the worm will infect the sites in a certain sequence (for example 2, 3, 5, 7, 11, 13, 17, ...) which would be infinite (or rather 2^32). The problem would be that it would be the same sequence for each copy of the worm. I.e. Worm number two would also first start with site 2 (itself), then 3, 5, 7, etc. just as number one did. Given enough time the whole 2^32 bit space would still be probed, but only the very first worm would contribute to this. The others would only redo sites which the root already has checked. A more in-depth description can be found here
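The seeding argument in the reply above, run as a toy simulation: every copy seeded identically replays the root's sequence, so only the root ever reaches new addresses, while per-copy seeds let children probe fresh space. This is an added illustration, not code from the thread; the 4096-address space (standing in for 2^32), the LCG, and the every-ninth-address vulnerable set are constructed values.

```python
# Toy spread model for the fixed-seed argument. Constructed values: a
# 4096-address space instead of 2^32, every ninth address "vulnerable",
# and a small LCG standing in for the worm's address generator.

SPACE = 4096
VULNERABLE = frozenset(range(0, SPACE, 9))
ROOT = 0          # the first infected host
FIXED_SEED = 1    # the constant every copy uses in the flawed design


def lcg(seed):
    """Linear congruential generator yielding addresses in [0, SPACE)."""
    state = seed
    while True:
        state = (state * 1103515245 + 12345) % (1 << 31)
        yield (state >> 8) % SPACE


def root_sequence(n):
    """The set of the first n addresses the root copy probes (identical in
    both designs, since the root is always seeded with FIXED_SEED)."""
    gen = lcg(FIXED_SEED)
    return {next(gen) for _ in range(n)}


def simulate(steps, scans_per_step, per_host_seed):
    """Return (infected count after each step, set of addresses probed by
    any copy).

    per_host_seed=False: every copy seeds with FIXED_SEED, so a new copy
    replays the sequence the root already walked.
    per_host_seed=True: each copy seeds with its own address + 1, so the
    copies walk different sequences."""
    infected = {ROOT: lcg(FIXED_SEED)}
    probed = set()
    history = []
    for _ in range(steps):
        newly = {}                      # collected, then merged after the step
        for gen in infected.values():
            for _ in range(scans_per_step):
                target = next(gen)
                probed.add(target)
                if (target in VULNERABLE and target not in infected
                        and target not in newly):
                    seed = target + 1 if per_host_seed else FIXED_SEED
                    newly[target] = lcg(seed)
        infected.update(newly)
        history.append(len(infected))
    return history, probed


def compare(steps=8, scans_per_step=25):
    """Infected-count curves for both designs, for a side-by-side look."""
    fixed, _ = simulate(steps, scans_per_step, per_host_seed=False)
    varied, _ = simulate(steps, scans_per_step, per_host_seed=True)
    return {"fixed_seed": fixed, "per_host_seed": varied}


if __name__ == "__main__":
    for name, curve in compare().items():
        print(f"{name:14s} {curve}")
```

With a fixed seed the set of probed addresses is exactly what the root alone has probed; the children add nothing.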
-
Re:Are there any non-microsoft viruses anymore?
Yes there are other o/s's that are vulnerable to exploits. Check out Bugtraq and click on Linux. Just because Macrosquish is getting most of the attention, doesn't mean us linux users aren't getting any.
:P -
FFS, doesn't anyone here...
...read Incidents list?? Check this out. ( http://www.securityfocus.com/templates/archive.pike?fromthread=1&end=2001-07-21&list=75&mid=198320&start=2001-07-15&threads=1& ). It's a proper mathematical analysis of the spread of the worm, by someone who knows what they're talking about (unlike Steve Gibson.) Be afraid. Think about what it would be like if this was an Apache or Sendmail hole.
-
Re:New ways to patch MS holes
would only approach systems that have subscribed to this as a service.
inform the Administrator of the system (through email
some sort of confirmation/activation/deactivation process available to the Administrator
I've got an idea too! How about an "opt in system" where system administrators get emailed a location to where the "patch" is! That way they would:
1) Be informed of the problem.
2) Told where to get the fix
3) Have some sort of confirmation/activation/deactivation process available to the Administrator
Or how about a web page where users could find updates?
Or maybe a site that tracks bugs in software?
And all that without having to have microsoft send out more stupid worms.
My point is that if people don't use the tools already available, why would they take the time to opt-in to this program?
-- Zack -
Who modded the parent up?
To quote Marc Maiffret, "We've designated this the .ida "Code Red" worm, because part of the worm is designed to deface web pages with the text "Hacked by Chinese" and also because code red mountain dew was the only thing that kept us awake all last night to be able to disassemble this exploit even further."
If you want to blame someone, blame eEye; for once, a journalist isn't to blame. I'll content myself with wagging an accusatory finger at the braindead moderators who dumped points in your lap.
Easy does it! -
RIAA already after Gnutella users
The MPAA are already causing trouble for users of P2P file-sharing apps. See this post to the Incidents list. Unfortunately, Greg doesn't say what happened to the unfortunate who attracted their ire. Presumably they're running these apps themselves (or their bounty hunters are) and they're planning to arrest every user in the world, one by one.
-- -
"IT People" != informed people
Yes, the June 18th hotfix *DOES* cover this vulnerability. If you read the articles on a real security news source, you will find that the fix for the "Code Red" worm is Q300972, issued on... (wait for it)... June 18th.
---
nuclear presidential echelon assassination encryption virulent strain -
Re:shutupshutup!
Don't worry, if the support mechanisms were in place to do this MS might have done it. It's not really there, as problems like this demonstrate, and they won't put it in either. It would cost about a billion $ to fix Windows, AKA the quick and dirty operating system (QDOS), and MS would rather spend that kind of money on advertising to the public.
Too bad they are like that.
-
SSH.com needs to change their focus
Time and again, ssh.com's product has exhibited embarrassing security flaws. It's about time for the company to re-evaluate their strategy. Since OpenSSH has outclassed the ssh.com software in every way ever since the release of OpenSSH 2.0, ssh.com needs to just bite the bullet, make peace with the OpenSSH folks, and sell support for the superior product. There was a time when they could have made a good business out of developing SSH, but that time has passed and all that they are managing to do nowadays is sell snake oil. And the last thing that the internet needs nowadays is another pathetic "security company" that sells insecure products. It's good for script kiddies, bad for admins, bad for the net, and bad for the reputation of UNIX-like systems.
--The Shortcut
-
Re:I swear to God this is true
I was gonna call bullshit, but then I saw this. Bah... still could be a pretty good effort at starting an internet-urban-legend.
-
Re:another cross platform virus
I've read that it doesn't infect cisco's embedded OS, but can cause some versions to crash.
Quoted:
It looks like the "Code Red" worm has the added side effect of crashing Cisco (675/678) DSL CPEs running any CBOS prior to 2.4.1. The GET it sends looking for IIS servers hardlocks any modem with the web management interface enabled.
CBOS v2.4.2 is unaffected. Turning off the web interface with 'set web disabled' also prevents the crashes.
This found at securityfocus
-
If you don't run IIS but....
I don't run IIS, but I've been seeing odd things in my logs. It took me a sec to check security focus and learn what it was. Here is an excerpt of a log file so if you see similar you know what's up.
65.201.146.103 - - [19/Jul/2001:17:58:49 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 323 "-" "-"
The post on security focus indicating that the "default.ida" requests are IIS probes (and/or possibly already compromised systems rescanning) is here. -
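The aris-report format from Elias Levy's post above ("IP ADDRESS DATE/TIME WITH TIMEZONE", one hit per line) and the access-log excerpt in this comment, combined into a small report builder. This is an added example, not code from the thread or from SecurityFocus; the log lines are constructed with documentation-range addresses, and the script only formats the report lines.

```python
import re
from datetime import datetime

# Apache-style access log: client IP, ident, user, [timestamp], "request" ...
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)'
)

# Request shapes discussed in the thread: the .ida overflow probe (a long
# run of filler characters, N in the excerpt, followed by %u escapes) and
# follow-up requests for the cmd.exe copy dropped as /scripts/root.exe.
PROBE_PATTERNS = {
    "ida-overflow": re.compile(r'^/default\.ida\?[NX]{50,}%u', re.I),
    "root-exe": re.compile(r'^/scripts/root\.exe', re.I),
    "cmd-exe": re.compile(r'/winnt/system32/cmd\.exe', re.I),  # literal path only
}


def classify(path):
    """Name of the first probe pattern the request path matches, else None."""
    for name, pattern in PROBE_PATTERNS.items():
        if pattern.search(path):
            return name
    return None


def to_report_time(apache_ts):
    """'19/Jul/2001:17:58:49 -0400' -> '2001-07-19 17:58:49 -0400'."""
    dt = datetime.strptime(apache_ts, "%d/%b/%Y:%H:%M:%S %z")
    return dt.strftime("%Y-%m-%d %H:%M:%S %z")


def report_lines(log_text):
    """Yield (ip, timestamp-with-zone, kind) for each probe-like request;
    lines that do not parse or match no pattern are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group("path"))
        if kind is not None:
            yield m.group("ip"), to_report_time(m.group("ts")), kind


def format_report(log_text):
    """One 'IP DATE/TIME WITH TIMEZONE' line per hit and nothing else, so the
    receiving robot can parse it as the post asks."""
    return "\n".join(f"{ip} {ts}" for ip, ts, _ in report_lines(log_text))


# Constructed sample log (documentation-range IPs, not real hosts).
IDA_PROBE = ("/default.ida?" + "N" * 224
             + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003"
             + "%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [19/Jul/2001:17:58:49 -0400] "GET {IDA_PROBE} HTTP/1.0" 400 323 "-" "-"',
    '198.51.100.7 - - [05/Aug/2001:03:12:01 +0000] "GET /scripts/root.exe HTTP/1.0" 404 210 "-" "-"',
    '203.0.113.4 - - [05/Aug/2001:03:15:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'this line is not a valid access-log record',
])

if __name__ == "__main__":
    print(format_report(SAMPLE_LOG))
```

Run it against a real access log and the output is the body of the mail the post asks for; unicode-escaped cmd.exe variants (the older exploit mentioned further up) would need decoding before the literal match.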
Also crashing certain Cisco routers
Apparently the worm does also crash certain Cisco routers while trying to infect them.
More info here
-
Fun, Useful, But Hardly A Threat
802.11b freenets are great and I by all means encourage more people to open them up and run them (I have a little one running), but they are hardly a realistic threat to ISPs. The simple fact is that WiFi just doesn't have enough range and penetration to make significant coverage economically feasible ad-hoc. It takes a lot of placements to get decent coverage, particularly when leaves, many walls, and most other obstructions attenuate the signal a great deal. Hell, look at all the money Metricom had to pump into getting decent coverage (different tech, but similar range issues).
If you look at the major freenet networks (such as SFLan and BAWUG here in San Francisco or others), their actual coverage is really quite tiny. Sure, you can find a good number more by war driving around the city, but that hardly gets to the point that we're making a dent in the ISP revenue stream. While I'm optimistic on their expanding and the radios improving, what percentage of SF residents realistically would have usable signal strength in their homes in 1, 2, even 3 years out?
If you do decide to run a freenet, get an external antenna with some decent gain, though WAP antenna connectors have to be proprietary, most are just reversed DNC or the like. You get a pretty shocking increase in range and penetration even with a 3db omni and a lot less sensitivity to the wireless card's orientation (which is all too often flat and sub-optimal for pickup). A lot of the freenets spec out relatively expensive hardware (< $1K for SFLan), but a little antenna hacking can get most any WAP to reach out for semi-decent range.
Regards, RJS
-
Another Source to Ask
You may want to subscribe to security focus' mailing list on forensics and ask this question.
-
Courts use common sense
The most important rule that courts use to determine the validity of digital evidence is to ask if there is a chain of diligence from the creation of the data to the presentation in court.
That is, have the data been kept in a secure manner from their creation to their presentation?
This generally means that log files are saved on read only media, in a regular procedure, that they are dated and signed by at least 2 people as to validity and that they are physically kept in a secure manner until presented.
There has been a discussion on the forensics mailing list this last week about how to guarantee that disk images can be certified valid in court. See SecurityFocus forensics for the mailing list archives. -
Re:Don't fall for it!
>Why should Microsoft pay someone to port .net
>when the community will do it for free and get
>a much higher quality port than Microsoft would
>if they did it themselves.
What, you mean, the way that samba is "much more reliable" than Microsoft's implementation of SMB? (Hint: select 'bugtraq', search for 'samba': I get more than 150 hits... although the articles themselves aren't available, I'm getting this error: "Sql.sql(): Couldn't connect using the mysql database"... irony, gotta love it)
Don't be so sure that all Microsoft software is complete rubbish, or that an open source or free implementation would automatically be better. The only way in which all free software is better than all Microsoft software is in its freedom. That's the important factor to me, but most PHBs could care less about freedom (if they even understood the concept.) Yet when their expectations of Linux and free software are set by that sort of unthinking hype - Linux is far more secure than Windows, Linux is much more reliable than Windows, you know the tune - all that happens is that when they try it out, and it dumps core, or their local MS astroturfer points out that bugtraq carries tens of posts a DAY listing remote root exploits in all sorts of Unix software, they decide never to trust those weird communist amateur hippy types.
That's why I've come down on the FSF point of view rather than the Open Source Institute's point of view.
(Of course, it goes without saying that quite a lot of Free software *is* more reliable / secure / etc than the MS version... which isn't the point I'm making)
--
"I'm not downloaded, I'm just loaded and down"