DSL Reports At Code Red Forefront
An ongoing analysis of the behavior of the Code Red worm has been performed and posted in this thread in the DSL Reports Security Forum by Steve Friedl. The analysis has also been recognized online at the security site Incidents.org, which reports: "We'd also like to recognize Stephen Friedl of Unixwiz for performing a higher level analysis last night and posting his findings to the web before any other concrete information was available." The analysis itself is linked from the thread.
Pathfinder5
Dazed Confused
Premium Member
join:2000-03-26
New York, NY

Thank you Steve!

quote:
We'd also like to recognize Stephen Friedl of Unixwiz for performing
a higher level analysis last night and posting his findings to the web
before any other concrete information was available.
Most of this is too far over my head to understand anything but the hours and hard work that go into this analysis. I'm glad that Steve is on our side and not hacking away.
Another reason that DSLR is the first place to go with a problem.
GREAT JOB!

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Busy busy busy

The first public report that I've been able to find of the Code Red II web server log signature was found right here at DSL Reports in this thread: http://www.dslreports.com/forum/remark,1224346;root=security,1;mode=flat . Since I had just written my websnarf tool, I checked my own system and found not only the web signature but a copy of the worm itself. Then it all started.

I knew that others would be doing the detailed analysis -- the boys at eEye are really good at this -- but I decided to do an ongoing update as well. BugTraq was strangely quiet for 12 hours on this, so DSLReports was one of the better places to go for Code Red II information for most of Saturday.

What a weekend.

Steve

mjf
MVM
join:2000-08-05
New Orleans, LA

Re: Busy busy busy

All I can say is that it is great to have you with us!

mr sean
Professional Infidel

join:2001-04-03
N. Absentia

Re: Busy busy busy

A job well done Steve. Nice to have that kind of knowledge and dedication made available.
Anon
to Steve

Thank you thank you thank you.

As a technical support supervisor for a broadband company, I have already dealt with several customers who have been infected by the latest round of the CRWv2. Thanks for the in-depth analysis, which I made a mandatory read for my techs.

Excellent write up!

Thanks again

jaykaykay to Steve
4 Ever Young
MVM
join:2000-04-13
USA

Take off a little time for a good game of tennis. You've been hard at work for the benefit of many. Now it's time to rest a little on your laurels and relax for a moment or 2. Thanks for the great education and all the hard work.
[text was edited by author 2001-08-06 20:30:03]

dsldisaster
Member
join:2001-05-02
San Jose, CA

Code Red II & PacBell

Anyone experiencing lots of probing on PacBell lines? Anyone have information on how we can work with PacBell on helping people get their machines fixed?

Dan Parslow
@agency.com
Anon

Cisco 6xx DSL router vulnerability -- and fix.

Some, if not all, models of consumer-level Cisco broadband routers can be taken down by the Code Red worm: the worm sends a malformed HTTP GET which, if it targets the HTTP port of the router (used by the web configuration tool), will cause the router to halt. Certain VARs are saying that the way to correct this is to deactivate web configuration. This is not effective, as the router will still accept HTTP requests; it just won't offer the configuration screen in response. Since it still accepts requests, it still crashes.
The way to correct this is to render the HTTP port of the router inaccessible from the outside of your network. Two simple approaches, both effective, are:
1) Change the port from 80 to something obscure, like 8081. Worms don't usually bother with nonstandard ports and this particular worm never does. This is a weak solution but effective in this case.
2) Use the router's own filter rules to deny HTTP access to the router's address from the WAN interface.

If you have a proper firewall, there are even better solutions, but both of these are effective.
It has been suggested (by Cisco, I believe) that upgrading to CBOS 2.41 will correct this vulnerability. I found this to be untrue. The only solution is to completely deny access to the web configuration port.

Nexxus
@prairieinet.net
Anon

Re: Cisco 6xx DSL router vulnerability -- and fix.

I am going to try your solution; I hope it fixes this problem. I have also found the Cisco/Qwest solution to be untrue, and it does not solve the problem.
Anon

Code Red RetroVirus Request

I have an idea. Someone who is willing to risk prosecution and litigation for the good of the internet should code and release a Code Red Retro Virus. May I suggest an algorithm?

LISTENER:
- watch for Code Red signature access to ida
- queue to private log

INOCULATOR: [WHILE LISTNRLOG.LOG SIZE Zero DO]
- grab log entry
- log into originating server, send and execute STARTER.EXE.

STARTER:
- stop IIS
- patch IIS
- enumerate and remove back door
- reboot and start LISTENER:

I'd enjoy your comments. If you send me non-compiled VBS and give me a few pointers for starting it off, I might even be willing to put up a web server and throw some proverbial water at the fire...

edasher@null.n_t (Spam Foil Fix: null.net)

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Re: Code Red RetroVirus Request

said by Erik the Awful:
I have an idea
Putting aside legal/ethical issues, this probably wouldn't be terribly effective. When a Code Red II machine is infected, it has at least three hundred worker threads pounding away looking for other victims. This is a sufficiently large number of threads that even if many of them are blocked, the machine will still be totally swamped.

At some level of system load, IIS starts handing back "Server too busy" pages, and eventually simply refuses to answer at all, even while accepting connections on port 80. So in practice the back door would be there, but too many partygoers would be in the way.

Patching IIS "for real" is also problematic. Anybody who's actually done this has found that sometimes it requires Service Pack 2, and I find it hard to imagine what would happen to the internet if a worm started causing 100 megabyte downloads automatically.

On a strictly technical basis, assuming one could "get in" to the system via the back door, it would be possible to unwind the back door (delete the copies of cmd.exe, reverse the registry entries), and it could install a tiny service that ran at startup. This service would create the notworm file (CRv1) and create the CodeRedII atom to prevent future infections, but this would not really solve the problem.

These machines would then still be open to the actual exploit, but since the symptoms all went away, the box owners would find no reason to patch their machines. This is not good for the internet.

The only way to really solve this problem is to get the box owners to patch them, and the most effective way to do this will be a worm that rings the console bell every sixty seconds until patched.

This will never cease to be a very seductive idea, but it's best to make it an intellectual exercise only.

Steve

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105

Re: Code Red RetroVirus Request

I'll second that emotion. Releasing a retrovirus is putting a BandAid(tm) on a gunshot wound. What really needs to happen is for sysadmins to keep on top of security patches (or not to use IIS in the first place, as the case may be).

I would have to say that even though you think you're helping, I don't think you can know with too much certainty that you wouldn't affect operations in some other way. Consequences can hide themselves quite well until you poke them the right way. As good as your intentions might be, it really would be just as much of an invasion as the original.
ntwrkguy2
Member
join:2001-08-07
West Lafayette, IN

New Version out?

Could there be a new version of the virus that is starting to spread? This is the only hit I have under this format.

8/6/01 21:03:27 - NON AUTHORIZED IP 24.10.xx.xx(ccxxxxxx-a.taylor1.mi.home.com) GET /x.ida?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=x Status Code 403 688 Bytes Outbound 265 Bytes Inbound [Refrence Number 1185]

I have xx'd out portions of the IP for the "protection" of the owner of this machine.

Brian
Network Administrator
Round Grove Machine Corp.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Re: New Version out?

said by ntwrkguy:
GET /x.ida?aaaaa....aaa=x
This looks very much like the eEye Code Red Scanner tool (though I believe they use A instead of a). I'm quite sure this can't do any infection because the "overflow" code is too small to actually do anything.

Steve
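As an added example (not code from the thread, from Steve, or from eEye), the log format ntwrkguy2 posted and Steve's observation that a uniform, short filler is a scanner probe rather than an infection attempt can be turned into a small triage script for firewall logs. The log lines, hostnames, IPs and the length threshold below are constructed assumptions, not values from the thread:

```python
import re
from typing import Dict, List, Optional

# Regex for the firewall log format posted above (sample lines below are constructed).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - NON AUTHORIZED IP (?P<ip>[^\s(]+)\((?P<host>[^)]*)\) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) Status Code (?P<status>\d+)"
)
# Assumed tunable (not from the thread): a uniform filler shorter than this is
# reported as a scanner-style probe; anything longer is flagged for manual review.
PROBE_MAX_FILLER = 200

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_ida(path: str) -> Optional[Dict[str, object]]:
    """Describe an .ida request: filler character, length, probe vs. long payload."""
    if ".ida?" not in path:
        return None
    filler = path.split(".ida?", 1)[1].split("=", 1)[0]  # padding before '=x'
    uniform = len(set(filler)) == 1
    kind = "scanner-probe" if uniform and len(filler) < PROBE_MAX_FILLER else "long-payload"
    return {"filler_char": filler[:1], "filler_len": len(filler),
            "uniform_filler": uniform, "kind": kind}

def ida_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return every .ida request in the log, tagged with its source and classification."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        ida = classify_ida(rec["path"]) if rec else None
        if ida:
            hits.append({"ts": rec["ts"], "ip": rec["ip"], "status": rec["status"], **ida})
    return hits

# Constructed sample log: a scanner-style probe, an ordinary request, and a long payload.
SAMPLE_LOG = [
    "8/6/01 21:03:27 - NON AUTHORIZED IP 24.10.0.1(host-a.example.net) GET /x.ida?"
    + "a" * 100 + "=x Status Code 403 688 Bytes Outbound 265 Bytes Inbound [Ref 1]",
    "8/6/01 21:05:00 - NON AUTHORIZED IP 10.0.0.5(host-b.example.net) GET /index.html"
    " Status Code 200 1200 Bytes Outbound 300 Bytes Inbound [Ref 2]",
    "8/6/01 21:07:41 - NON AUTHORIZED IP 10.0.0.9(host-c.example.net) GET /default.ida?"
    + "X" * 300 + "=x Status Code 403 688 Bytes Outbound 500 Bytes Inbound [Ref 3]",
]

if __name__ == "__main__":
    for hit in ida_requests(SAMPLE_LOG):
        print(hit)
```

The "long-payload" tag only means the request deserves a look at the full payload; the script does not decide which worm variant sent it.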

rocko_
@64.46.x.x
Anon

Re: New Version out?

Speaking of eEye's code red scanner - anyone know of another tool that will scan more than a single class C at a time?

Thanks

NNi
@z065105067.nyc-ny.ds
Anon

Verizon blocking port 80?

Is Verizon blocking port 80? I have a PATCHED IIS on a Verizon DSL connection, and I can't get pages on port 80, but other ports get through.
ntwrkguy2
Member
join:2001-08-07
West Lafayette, IN

Re: Verizon blocking port 80?

I'm using Earthlink ISP with a Verizon connection for my home use, and my webserver's still running fine: no problems with port 80, or any other port for that matter.

Brian
Network Administrator
Round Grove Machine Corp.

fellow verizon webse to NNi
Anon
From Verizon's web site...

DSL Network

Posted Date: 8/6/01 10:18:41 PM CST

Status: Open

In an effort to limit the propagation of the Code Red internet worm across the Verizon internet services network, Verizon has placed filters on the network to protect its end users from being infected with the Code Red Internet Worms. These filters will not impede users' ability to browse the internet but will prevent infected machines from scanning the Verizon internet services network. Verizon is doing all we can to protect our end users from this internet worm. If you feel you may have been infected with this worm, please consult virus/network security websites to learn about the latest patches and/or symptoms of this internet worm.

dsldisaster
Member
join:2001-05-02
San Jose, CA

Re: Verizon blocking port 80?

Very cool of this ISP to do something.

fellow vz webserver to NNi
Anon
Call VZ support and let them know about your problem. If people don't call, they won't know that anyone cares about this.