Slashdot Mirror


User: baptiste

baptiste's activity in the archive.

Stories: 0 · Comments: 646

Comments · 646

  1. It's entirely possible on Fight Virus With Virus? · · Score: 5, Interesting
    CodeRed II leaves a huge hole - the virtual C and D drives - so even if they remove the root.exe file, as long as explorer.exe is infected, you can access any file via /c or /d in your GET request (i.e. /c/winnt/system32/cmd.exe?any cmd you want).

    I'm sure folks will scream it's illegal, and it probably is - but can't a case be made for 'self defense'? I mean, if someone brandishes a gun at me, am I not within my rights to shoot them or at least take their gun away?

    Why not apply the same logic to this? They are probing me to infect my server, so why can't I probe back and disarm them?

  2. Re:Why is PWS (IIS 4) on Windows 98 not vulnerable on Code Red Back For More · · Score: 2
    Actually, from what I've read, CodeRedII will only infect on Win2K. From the analysis email on BUGTRAQ:

    This worm, like the original Code Red worm, will only exploit Windows 2000 web servers because it overwrites EIP with a jmp that is only correct under Windows 2000. Under NT 4.0 etc. that offset is different, so the process will simply crash instead of allowing the worm to infect the system and spread.

    But I'm sure someone will create various flavors with the right jump points to hit all the IIS variants. Only a matter of time.

  3. Re:Remotely disabling root.exe justifiable? on Code Red Back For More · · Score: 3, Informative
    Well, no, that won't fix it completely - turns out there are a few virtual exploits they put in. From the recent analysis:

    Basically the above code creates a virtual web path (/c and /d) which maps /c to c:\ and /d to d:\. The writer of this worm has put in this functionality to allow for a backdoor to be placed on the system so even if you remove the root.exe (cmd.exe prompt) from your /scripts folder an attacker can still use the /c and /d virtual roots to compromise your system. The attacks would basically look like:

    http://IpAddress/c/inetpub/scripts/root.exe?/c+dir (if root.exe was still there) or:
    http://IpAddress/c/winnt/system32/cmd.exe?/c+dir Where dir could be any command an attacker would want to execute.

    As long as the trojan explorer.exe is running then an attacker will be able to remotely access your server.

    Man, whoever did this put some thought into it.

  4. Re:CR2 Web Defacements on Code Red Back For More · · Score: 2
    Actually, according to the virus analysis on BUGTRAQ and eeye.com, CodeRedII does NOT deface the home page. However, CRv2 (2nd generation of the first Code Red worm, not the same as CodeRedII - got that? :) ) is still in the wild and will deface the main page. Also, the Pobox worm has been around a long time. Or some script kiddies are tossing these pages in using the root backdoor from CRII.

    I tried to post the BUGTRAQ analysis from EEYE, but the lameness filter choked on it.

  5. Re:MSNBC Coverage on Code Red Back For More · · Score: 3, Informative
  6. Re:What are you talking about? on Code Red Back For More · · Score: 2
    By bizarre, I meant the way it appeared in the logs. You're right, this is a big improvement over the original worm and it helped this worm spread faster.

  7. Re:It's certainly more ambitious... on Code Red Back For More · · Score: 2
    Well, many organizations are doing this automagically. All they want is your logs.

    DShield has a system set up. If you run Apache, just execute this command in your log directory:

    grep 'default.ida' access_log* | mail -s 'APACHE' redalert@dshield.org

    This way they can identify all the compromised hosts and contact the owners.

    The ARIS team @ SecurityFocus is doing something similar.

  8. Re:What are you talking about? on Code Red Back For More · · Score: 4, Informative
    Steve Friedl believes he has figured out the bizarre scanning of the new strain. From DSLReports forums:

    OK, I know how the scanning works now. The worm starts with the user's IP address, and then changes a variable number of octets at random. Let's say that our web server is on 192.168.1.7:

    • One time out of eight, an entirely random IP address is generated
    • Four times out of eight, the lower octet of the IP address is randomized (192.168.1.X)
    • Three times out of eight, the lower two octets are randomized (192.168.X.Y)

    This is entirely consistent with the patterns we've been seeing, so if somebody on your local network gets infected, you're gonna get pounded until they fix it.

    Another point: if the web server in question is behind a NAT firewall, it will go nuts scanning the internal network. For a large company that has many NT systems internally, they will spend all day trying to infect each other.

    What a worm.

    Steve
    --
    Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net

    Looks like somebody did their homework and decided to really make Code Red nasty.
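An added example (written for this archive page, not code from the thread, from DShield, or from the worm analyses quoted above): a Python pass over constructed Apache access_log lines that picks out the same default.ida probes comment 7's grep command mails to DShield, groups them by source, labels each source by whether it shares our /24 or /16, and works out the exact fraction of a same-/24 neighbour's probes that the 1/8 : 4/8 : 3/8 split quoted above predicts will land on our block. The log lines are constructed; 192.168.1.7 is the example server address from the post.

```python
import re
from collections import Counter
from fractions import Fraction
from ipaddress import ip_address, ip_network

# Constructed Apache access_log lines as seen by a server at 192.168.1.7 (not real traffic).
SAMPLE_LOG = """\
192.168.1.23 - - [05/Aug/2001:14:02:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 285
192.168.1.23 - - [05/Aug/2001:14:02:19 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 285
192.168.77.9 - - [05/Aug/2001:14:03:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 285
10.4.5.6 - - [05/Aug/2001:14:03:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 285
192.168.1.50 - - [05/Aug/2001:14:04:00 -0400] "GET /index.html HTTP/1.0" 200 1532
"""

# Source address and request path of a common/combined-format log entry.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) ')

def find_probes(log_text):
    """Count Code Red probes (GET /default.ida...) per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2).startswith("/default.ida"):
            hits[m.group(1)] += 1
    return hits

def classify_source(src, local_ip):
    """Label a probing host by how close it sits to us: the worm's biased
    target choice makes same-/24 and same-/16 sources dominate."""
    src, local = ip_address(src), ip_address(local_ip)
    if src in ip_network(f"{local}/24", strict=False):
        return "same /24"
    if src in ip_network(f"{local}/16", strict=False):
        return "same /16"
    return "elsewhere"

def summarize(log_text, local_ip):
    """Map each probing source to (locality label, probe count)."""
    return {src: (classify_source(src, local_ip), n)
            for src, n in find_probes(log_text).items()}

def neighbour_scan_fraction(prefix_len):
    """Exact fraction of a same-/24 neighbour's probes that land in our /24
    or /16, from the 1/8 random : 4/8 last octet : 3/8 last two octets split."""
    random_hit = Fraction(1, 2 ** prefix_len)  # chance a uniform random address hits our block
    if prefix_len == 24:
        return Fraction(4, 8) + Fraction(3, 8) / 256 + Fraction(1, 8) * random_hit
    if prefix_len == 16:
        return Fraction(4, 8) + Fraction(3, 8) + Fraction(1, 8) * random_hit
    raise ValueError("only /24 and /16 are modelled")
```

Roughly half of an infected neighbour's probes land in your own /24 and seven eighths in your /16, which is why a single infected box on the local network shows up in the logs far more than the rest of the Internet combined.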

  9. So it's good AND bad - Sigh in an ideal world... on Windows XP To Block Use Of "Troublesome" Drivers · · Score: 2
    this would be welcomed with open arms. Yes, on first read this seems like an awesome idea. Just look at how Talkback has helped improve the stability of Mozilla. God knows anything that improves the stability of Windows - amen! Heck, most of the instability I've seen with Windows over the years HAS been due to drivers, etc. Now I fault Microsoft for writing code that can't handle a driver failure, but plenty of blame goes to the driver vendors.

    That said, there is NO question Microsoft has used tactics to drive competition into the ground. DR-DOS is a clear example and there are others. Again, we're left with the conspiracy theory - Microsoft could easily use this and Windows Update to degrade the stability of competing products and then block them out entirely or make them spend precious R&D on fixing bugs Microsoft has caused. Now in most other contexts (except maybe the gov't) something like this would be laughed at. But time and again Microsoft has proved they will go to extreme lengths to eliminate competition, and a setup like this gives them a very powerful weapon.

    It's too bad, really. Microsoft has rightly earned their reputation and now they are in the position that even when they might have good intentions they get slammed for it. It's their own fault, but at times you wish we could trust Redmond in cases like these so that we could help improve the stability of Windows and make our lives easier (for those that are forced to support them).

  10. Re:Blaming Microsoft for Removal of Java on Dan Gillmor on WinXP · · Score: 3, Interesting
    they have every right *not* to include anything they don't care to include

    Okay - and then doesn't that mean Compaq has every right to NOT include MSN icons on its desktops and only AOL's? They tried. But Microsoft saw a threat and stomped on it with a last-minute licensing change requiring no online service icons on the desktop, or MSN had to be included if ANY other service's icon was... See how unfair it can be when you're NOT the Monopoly? I say shut them down - it sucks, yes, and it gives you a dirty feeling, but he's right - Microsoft only understands the use of force and it's the only way to get them to behave.

  11. Re:*Groan* on Mozilla 0.9.3 Released · · Score: 2
    I'll have to fight with Ximian Redcarpet and Galeon RPMs to install it

    Dude - save yourself the headache. Grab the full installer and use that. I run Ximian, use Red Carpet often. But I install Mozilla with the installer in /usr/local/mozilla all by itself - clean directory. Never had a lick of trouble.

    I love RPMs and Red Carpet - they save me time and trouble, but sometimes it's just not worth it. Grab the installer and have a go at it. Just make sure you install it as root, run it once as root (good time to grab the Java plug-in, which also must be installed as root) and then quit. You should be able to start it as any user after that - works great here.

  12. Re:What about the *mailer*? on Mozilla 0.9.3 Released · · Score: 2
    But the mailer absolutely *sucks*

    The mailer is a bit behind the browser in terms of development it seems, but I've found it works VERY well for where they are. I've used it as my primary email client for all of my 6 email accounts (personal, business, spam), IMAP and POP together. It's been great.

    Yes, it took forever to close in 0.9.2. Windows took a second or two to pop up. And once in a while, it seemed to lose its mind talking with the IMAP daemon - but a restart of the client would fix that. And I only encountered this on RARE occasions (maybe a couple times a month). I've only been using 0.9.3 for a little while and I can already tell the mail client is faster. Windows pop up faster, preview of IMAP mail is almost instant, vs the slight lag of 0.9.2.

    Remember people, this is beta code, beta code is ALWAYS slower than the released code. I think the Mozilla team is making huge strides in performance - the difference in the last few releases has been huge.

  13. Re:Windows, too on Mozilla 0.9.3 Released · · Score: 2
    NS6 doesn't stand a chance against IE6.

    Typical FUD - I use both Mozilla and IE6. Honestly, as long as the browser serves up web pages properly and quickly and the associated email client doesn't suck (I prefer Mozilla Mail over OE any day), who cares what it 'looks' like - it's not art.

    While I've always felt IE blew Netscape 4.x away, in this case MS may have hurt themselves by adding too many things to IE6. The privacy thing, while a good idea, seems useless so far - privacy policies in cookies? Yeah right. Honestly, IE6 seems no different than IE5 to me - it works, so I'm happy. Same goes for Mozilla, it now works great and I'm happy. I honestly use Mozilla instead of IE because of the Mail client - beyond that, I could care less, except for the fact, of course, that it allows me to use one less Microsoft product :)

  14. Re:It is just me on Mozilla 0.9.3 Released · · Score: 3, Informative
    Is it just me or are they never going to get to the Mozilla 1.0 stage?

    It's just you ;)

    Seriously, they have a detailed Roadmap outlining their plans. Their dates have slipped some but they've been holding pretty well to the schedule. Current plans call for Mozilla to go 1.0 with what WOULD be 0.9.5 if it is deemed ready. They are just using a different scheme for release, vs the beta to release candidate to release. It's all in the naming. So if all goes well (and it sure seems to be finally) I'd bet they'll make v1.0 in the beginning of the fourth quarter. But even if they don't make it till 0.9.7, which is in the December timeframe, it'll still be a huge accomplishment.

  15. Re:Word of caution to existing Mozilla users... on Mozilla 0.9.3 Released · · Score: 5, Informative
    I got around it by blowing away the existing Mozilla folder and then unpacking the new one fresh

    Which is exactly what you are supposed to do - there are disclaimers all over Mozilla.org asking you NOT to install over an old version during the beta due to the problems that arise.

  16. Re:Somehow I doubt it on TCP/MS, We'll Cure What Ails You · · Score: 3, Interesting
    However, your assumptions are that Microsoft will even BOTHER with these OS redesigns. I'm with Cringely on this one, all they care about is increasing market share - they won't waste their time making things secure - come on, why bother. Virus infections have not reared up to impact Microsoft, hell, most people think there's nothing Microsoft can do to stop it (they are that clueless). So I doubt it would ever get this involved. Once Microsoft had TCP/MS in place and was making millions off it, what would they care if it worked as advertised? All their current products have serious security flaws, but it doesn't make economic sense to fix them because they are a monopoly (so folks don't get a choice really when they buy a PC) and they aren't being sued like hell for releasing software full of security holes.

    So don't be so sure that something like this would save the world. The infrastructure you describe is daunting to say the least, with smart cards, and keys, etc. Just ask anyone who has tried to implement an enterprise-sized PKI - it's a scary task and it's not in Microsoft's interest - they'll probably continue to use plain old userids and passwords.

    Which will make for funny TV the next time there is a worldwide virus that wrecks a lot of systems, the FBI will track the virus using Microsoft's info and arrest some poor grandma who had her credentials lifted.

  17. Re:The question is... on Dell Drops Linux on Desktops and Laptops · · Score: 2
    While I love the theory, my guess is the support costs? I mean it doesn't cost THAT much to maintain the images they throw on the drives - that's easy & automated. But my guess is the cost of having support available for user questions costs more than it was worth given how few desktops/laptops were sold with Linux.

    Personally, I'd install myself anyway - the fact that this DOESN'T affect servers says something - they found a market there and given my past experience with Dell servers - I'd spec one in a heartbeat if the price was right and the customer was willing to forgo Micro$oft!

  18. Vaporous, but still gives it exposure... on Grid Computing and IBM · · Score: 3
    I agree it's a vanilla corporate release, but it's good news. A lot of people don't even know what grid computing is. This can help spread the word of yet another excellent OSS project.

    I had heard of grid computing before, but hadn't read much about it. Google turned up lots of resources this morning - worth the read. The article was right - the software to manage a grid will be super complex and the security implications are daunting.

  19. Who'd have thought..... on MySQL AB Counter Sues NuSphere for GPL Violation · · Score: 2
    That the first court test of the GPL would be over MySQL? Not me for sure.

    As much as I hate to see OSS groups fighting, it sure seems more common (a la DotGNU/Mono and others).

    Should be interesting to see where this goes. As a user of both pgSQL and MySQL, I think we can all do without the "PostgreSQL is better" sniping. MySQL has done a lot for the web and Open Source and it will be a shame if this fight impacts their development work.

  20. Re:Incidents.org mini-mirror on Code Red Goes The Way Of Y2K · · Score: 3, Insightful
    Well, be careful - the top table says 'Hosts Infected', which I take to mean 48,489 NEW hosts were infected that hour (the next hour is up and it's like 52,273 for 14:00-15:00 EDT).

    Why? The table below shows 115,568 hosts infected today. Funny part is the #'s don't add up - if you add the # of hosts for each hour in the table above you get close to 200K, not 115K - makes no sense at all.

    Actually, my guess is the top table shows how many infected hosts were SEEN during that hour and the table below highlights the total # of unique IPs infected since the start of the day?

  21. Re:It's not over. on Code Red Goes The Way Of Y2K · · Score: 2
    Some of the most widely used 'RESIDENTIAL', i.e. DSL, routers on the Internet. The request causes the firmware to freeze in older firmware (the routers have embedded web servers in them for administration). So it's not going to cause backbone routers to go offline.

  22. OK - it doesn't add up! [was Re:NEW DATA] on Code Red Goes The Way Of Y2K · · Score: 3, Insightful
    OK - I'm confused. Incidents.org is finally recovering from the /.ing it got this morning. The data on top tracking by hour now says there were 48,489 infected hosts from 1-2 EDT (up from 41,968 the hour before). But the 'Total Infections Today' in the table below says 99,716. So what gives? If the upper table is showing how many infections happened in a given hour (i.e. the total isn't 48K, but 48K NEW infections happened), it still doesn't add up. Adding all the hourly totals gives you 177,591 infected hosts, not 99,716. It doesn't make sense....

  23. Re:Are you for M.A.D.? on World's Worst Dog'n'Pony Shows · · Score: 5, Insightful
    Knowing the facts, there are only two ways to argue against missile defense: you are either in favor of M.A.D., or you believe that taxpayer dollars shouldn't pay to protect us from a very likely threat of nuclear devastation.

    I believe in both and AM an American. Missile defense is nothing but a gift to the defense contractors. Will it work? Maybe, but just like most other military systems, there are sizable margins of error. In this case I'm sure it'll be high - I figure if the Air Force can say they have a 75% chance of hitting a missile it'll be deployed - I just don't think it's worth hundreds of BILLIONS of dollars for a threat that isn't very real. Hell, there aren't many countries that can reach our shores with a missile that would be considered 'rogue'.

    Do I think terrorists will try to nuke the US - hell yes. But they won't use a missile, they'll build it here and drive it to the target and set it off. End of story and city. And the missile defense won't get you a damned thing.

    So don't get so high and mighty. People have different beliefs. I think 100 Billion or more can be put to much better uses than trying to shoot down missiles that will likely never come.

    Remember, MAD assumes BOTH countries can destroy each other. If Saddam managed to get his hands on a Russian or Chinese ICBM he'd never use it. Why? Because it would cause minimal damage to our country as a whole (but would suck major for wherever it hit) and Iraq would cease to exist as we launched a couple of the thousands of missiles we have in their direction. So it's not MAD in this case - which is what they are trying to sell missile defense for. It's raging stupidity; most despots are evil and egomaniacs but they usually are smart. Saddam knows no bunker would protect him if he nuked a US city because we'd turn Iraq into a freaking crater.

  24. Re:How does GPS make a difference? on World's Worst Dog'n'Pony Shows · · Score: 2
    Again, only trivially different from homing in on a radar reflection

    Hardly - it's totally different since a missile generates a really small reflection while an active transmission is easier to track in on - why the heck do you think HARM missiles are so popular?

  25. Re:Comparing apples and oranges on World's Worst Dog'n'Pony Shows · · Score: 2
    No, it's not second hand - reporters finally asked the Air Force spokesperson DIRECTLY about the presence of a GPS beacon and they confirmed it. Sounds straight out of the horse's mouth to me!

    But regardless - Dumbya makes it so EASY! :)