Slashdot Mirror
Code Red Back For More
Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
Errrr.... More things named in my honor... This can't be good!
:-P
If worms start popping up with Linux4Green (my ICQ nick) then I know I'm bad luck.
--
CodeRed, the lower user #. No relation to SirCam.
It doesn't affect its own netspace exclusively. Initial analysis indicates that it will do so 6 out of 7 times. The 1 out of 7 will go outside its network range.
We'll have full details posted to the Incidents list shortly.
What the fuck? What the fuck is going on? How the fuck is it that I can have old ladies calling me up at work (tech support for an ISP) and asking if the reason they can't pick up their email is because of the Code Red worm, 'cos they saw the press conference and, hey, they're wondering, and something like 105,000 separate IP addresses are still infected? Did the rapture happen when I wasn't looking, and God took the people responsible for these computers, those left behind couldn't find the passwords anywhere? How is this possible?
(I know, I know; not everyone lives w/in viewing distance of CNN, default installations of MS whatever -- but still, this absolutely amazes me.)
Carousel is a lie!
Unlike a car that explodes to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.
"Depression is merely anger without enthusiasm." - Anonymous
Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...
Nah, this will just make the sysadmins even lazier.
SysAdmin #1: Dude, your NT machines are all infected with Code Red!
SysAdmin #2: I know! I'm just waiting for for them to be infected with the fix... should be any day now...
"And like that
1. It makes a copy of CMD.EXE called ROOT.EXE in the;
\inetpub\scripts
and
\program files\common files\system\msadc
directories. Does this on both drive C: and D: (doesn't fail if D: doesn't exist).
2. It then runs its attack program code to infect itself upon numerous other boxes. This is done randomly, although there is a bias to attack boxes that are part of the same class A as infected attacker (so it hits your own boxes sooner rather than later). Attack code runs for 24 hours, 48 hours on Chinese language systems.
3. After attack code runs (and it seems to be based on clock ticks, not date), it then writes out a Trojan.
File Explorer.exe (8192bytes or 7K as displayed by Windows) is dropped (from the code in the original attacking URL) to the root of drive C: and D: (again, doesn't matter if D: doesn't exist).
4. The system is then rebooted (probably a forced reboot).
5. When the system restarts, it loads the trojan Explorer.exe from the root directory on the boot drive. This code then does several things;
a) Launches the real Explorer.exe, so the system looks normal.
b) Sets SFCDisable in hklm\software\microsoft\windows nt\currentversion\winlogon to some undocumented value. Presumably this disables Windows File Protection (so critical files could be overwritten)
c) Creates two virtual directories (via the registry) in hklm\system\currentcontrolset\services\w3svc\param eters\virtual
roots. Called "C" and "D", they are mapped to the root directories of
the two drives and permissions are established in the virtual
directory to allow script, read, and write access as well as setting
execute permissions to scripts and executables.
d) goes into an endless sleep loop.
The end result of all of this action is to leave your box wide open to remote connection and total compromise.
Unlike "Code Red", this worm doesn't attack any single target at any point, although its attack strength seems to be much higher (it launches 300 threads right off, although some may only launch 100), so its propagation seems much higher.
The attack only works properly on Windows 2000 systems (preliminary analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and received a standard error message. Reports from subscribers suggest that XP IIS 5.1 RC1 is invulnerable also. Its expected that it works on PWS and OWS equally to IIS (all on W2K).
Its obviously a short-lived attack, at least the process of collecting victims. What would be done with them once collected is another story. No attempt is made by the worm to send anything "home", although detecting compromised boxes is far too easy (very unfortunately) for anyone outside your network.
Cleaning a compromised box should really be done by reformatting. Although logging is left on for the new virtual directories created (meaning you'd see access in your IIS logs), there's really no way to be sure that files haven't been implanted to leave other backdoors (not as part of this worm, but as part of the use of the opening it creates).
Credits:
The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and friends) and Roger Thompson of TruSecure. Additional help came from Bruce Hughes of the ICSA Labs.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
For those who are interested in the source:
http://www.kryptolus.com/red.txt
On another note, a server whose identity I will not name(solaris w/ apache) was hit with 17000 attacks as of yesterday(the server handles a lot of ips).
--
Violators will be prosecuted and prosecutors will be violated.
Seeing a lot of "XXXX" and far fewer "NNNN" in the logs. This version appears to stay crunchier in milk than the first. Up to 25-30 per hour, from 10 this afternoon. The 24.x.x.x may be getting slammed, but I can see another that is just as bad.
Snipped from incidents dot org (emphasis added)Article also mentions that it appears the compromised servers are backdoored and rooted. Ouch.
The editorial accusations of crying wolf might look a little pale this evening...
one better than mcleodeight
automatically generated list of attacks against my server
147 attacks so far
the page is generated through a perl script that reads my apache logs
--
Violators will be prosecuted and prosecutors will be violated.
This guy's computer is infected and attacking me every 10 minutes or so. I went to his web page and found this resume which indicates the guy is a Windows2000 expert and Network Technician!
Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.
Since it seems that it's possible to run, and basically do, anything trivially on any of these infected computers via the root.exe "script" I'm guessing that a lot of shit is going to go down in the next two days that will probably be both good and bad for Microsoft and the public's understanding of network security.
/.'ers are doing one of two things:
:)) that it not be launched until after Monday afternoon around 3 or 4PM, since this is a serious problem for both sysadmin's and Microsoft. If a large part of the damage is avoided by white hat hackers sending a cure for the virus out, it will only happen again. If you don't give them time to sweat, then nothing will be changed and a even more malicious virus (which say, deletes the entire contents of the drives or something) will be unleashed soon enough.
I'm also guessing that right now a bunch of
1) Writing scripts to make things suck more for those who have been compromised (shame on you)
or
2) Writing scripts to fix the compromised servers
I propose that if a script is created to fix these servers (Code Green?
So, before you go out and launch a cure for the problem, think twice about the long term effects of doing so. Create it, make sure it works, and then the Open Source movement can release a cure for the problem faster than anyone else and "we" (I'm not really part of the OSS movement, or whatever) will look like the good guys. Instead of the media holding Microsoft on high for providing the cure to a problem they caused, if the patch is done and ready and launched by Monday afternoon they will have egg on their faces.
Thanks.
--
Man, I'm glad that I'm not using [Microsoft Product]. This new [virus/worm/trojan] exploits a [flaw/bug/backdoor] in [Microsoft Product], and it [does/doesn't] use Outlook and the stupidity of users. Luckily, I'm running [Free alternative to Microsoft product], so I'm not at risk. In fact, [Free alternative to Microsoft product] has protected me from [any integer over 200] [viruses/worms/trojans]. And just look at the [hundreds/thousands/millions/billions] of dollars that I've saved using [Free alternative to Microsoft product]. I hope that this [Free alternative to Microsoft product] takes off, along with [free alternative to Microsoft OS]. Unfortunately, my [company/home] has to pay for the stupidity of Microsoft: this [virus/worm/trojan] sucked [250KB/250MB/250GB/250TB] of bandwidth!