Code Red Origin / Interesting reading part II
Bradley Miller
bradmiller at dslonramp.com
Fri Aug 10 03:16:22 CDT 2001
At 03:33 PM 8/9/01 -0500, you wrote:
>Does anyone know the origin of the Code Red worm/virus? I don't
>recall reading any mention of its origin or of even trying to
>determine who's responsible for it.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SECURITY SPOTLIGHT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Seeing Red
It feels much longer than a week since the Code Red worms,
which exploit the Microsoft IIS buffer overflow
vulnerability described in last week's newsletter, began to
prowl the Internet. Current estimates place the number of
infected servers between 100,000 and half a million. This
issue will help you get up to speed on the details of Code
Red and will discuss what it bodes for the future of Internet
security.
In last week's newsletter, we mentioned that eEye Digital
Security had discovered a "remote root" exploit that allowed
a malicious third party to take over any version of
Microsoft's Internet Information Server. We included pointers
to eEye's write-up of the hole, as well as Microsoft's
advisory, in last week's newsletter. However, they bear
repeating (and reading) now that the Code Red worm has lent
them increased significance:
-> eEye Advisory
http://www.eeye.com/html/Research/Advisories/AD20010618.html
-> Microsoft Security Bulletin MS01-033
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Are Patches Enough?
The events which followed demonstrate that the existence of
a patch is not always sufficient to minimize the damage
caused by disclosure of a vulnerability. Microsoft was
informed of the bug, and had a patch tested and ready,
several days before these public announcements were made.
Unfortunately, the company greatly overestimated the
attentiveness of the system administrators who
used its products. While Microsoft blithely claimed that
it knew of no published exploits for the hole, crackers
had actually posted several on clandestine Web sites
within three days of the announcement.
It wasn't long before the same code was incorporated
into Code Red, a worm that began to spread, autonomously,
throughout the Internet. (Researchers who analyzed the
worm named it--or so they say--after the caffeinated,
sugary soft drink that fueled their late night disassembly
of the malicious code.)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Two Worms or Three?
A second worm that used the same infection mechanism began
to spread approximately 3-4 days later. The code of this
worm differs dramatically from that of the original, and
most researchers believe that it was developed by a different
developer. Some researchers have dubbed the second worm
"Code Red II," while Symantec and others have called it
"CodeRed.v3". (The "3" suggests that Symantec and others
have discovered yet another variant--most likely the
original worm with a few changes made directly to the
binary code.)
Symantec's analyses of the two most important "Code Red"
strains appear at
-> Analysis of "original" CodeRed worm (also known as W32/Bady,
I-Worm.Bady, Code Red, CodeRed, W32/Bady.worm)
http://www.sarc.com/avcenter/venc/data/codered.worm.html
and
-> Analysis of CodeRed.v3 (also known as CodeRed.C,
CodeRed II, CodeRed III, W32.Bady.C)
http://www.sarc.com/avcenter/venc/data/codered.v3.html
The original Code Red worm's malicious payload was limited to
launching a distributed denial of service attack against an IP
address which was once www.whitehouse.gov. (The White House
site was relocated to a different IP address to thwart the
attack.) The newer worm, however, installs a "back door"
on the infected machine, allowing intruders to enter and
do more damage.
Both worms also had an unexpected side effect: Some
Web-enabled devices--including Cisco DSL modem/router
units--were knocked out by the worm as it attempted to
attack their IP addresses. In most cases, the problem
could be eliminated by turning off the device's
Web-based interface.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Red Flag
A scanner that detects either of the CodeRed worms is
available at
-> CodeRed Scanner (online or download)
http://security1.norton.com/us/crdetect.asp?productid=sarc&langid=us&venid=sym
However, malicious third parties seeking to identify
vulnerable systems need not use this or similar tools.
Systems infected with either variant of the worm advertise
their presence--putting up a "red flag," as it were--by
attempting to attack thousands of others. "Black hat" and
"white hat" hackers--motivated by curiosity, a desire to
warn, or a desire to exploit--have begun to monitor logs
and compile lists of infected machines. (Any
administrator of a machine that's not susceptible to the
worms can do the same by searching the logs for long strings
of "N" or "X" characters.) Because the CodeRed.v3 worm
provides a "back door" into infected systems, this poses
a special danger: malicious hackers, informed of the
identities of tens of thousands of exploitable systems,
can easily marshal them into an army and use them to
conduct massive distributed denial of service (DDoS) attacks.
Thus, the most dire consequences of the original Microsoft
vulnerability may be yet to come. Unless a concerted effort
is made to inform the owners of infected machines--or block
their transmissions if efforts to do so fail--the Internet
may be crippled by DoS attacks deployed on a previously
unimagined scale. You can bet that crackers seeking
feathers in their caps--not to mention governments both
friendly and hostile--are already considering ways in which
they might exploit this opportunity.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SirCam's Spread Continues
While the Code Red worms have been busy exploiting
Microsoft-based servers, the SirCam "Trojan worm" has been
playing hob with Windows clients. This worm employs a mix of
well-known techniques now typical of this sort of malware. It
uses a "double extension exploit" to make its executable file
appear to Windows users as a harmless data file. It mines
addresses of potential new victims from an infected machine's
e-mail "in-box," address books, and Web browsing activity.
And, like other "Friends and Family viruses," it exploits
relationships between human beings by sending itself out under
the e-mail address of someone whom the next victim may know
and trust.
The mere size of SirCam--it averages about 200K in size--is
a nuisance by itself. A few copies can exceed the quotas that
ISPs and "freemail" systems frequently set on users' mailboxes.
What's particularly nasty about SirCam, however, is that it
leaks potentially sensitive documents from victims' machines.
So far, my simple but effective malware detection system has
blocked copies of SirCam containing corporate marketing plans,
sensitive legal documents, potentially embarrassing personal
correspondence, and trade secrets.
-> For more information on SirCam, see
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
-> For a removal tool, see
http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UPDATE: Code Red II Turning Servers Into Zombies
Shortly after this week's security newsletter went to
"press," announcements on several security-oriented
mailing lists began to verify the chilling prediction
I made yesterday: At least some of the 250,000 to
500,000 servers compromised by the Code Red II worm are
being readied for use as "soldiers" (or "zombies") in
DDoS (distributed denial of service) attacks. Administrators
are now logging specially constructed HTTP queries that--when
submitted to a server that had once been infected with
Code Red II--cause that server to attack another site on
the Internet. (Note that the worm need no longer be running,
as the back door is left behind even after the
infection is gone.)
Early attempts at co-opting these servers have been
experimental and crude, but it is possible--nay,
likely--that more sophisticated exploits will follow.
One way to prevent catastrophic DDoS attacks via systems
compromised by the Code Red worm would be to use the
vulnerability itself to enter the compromised systems
and force the application of a patch. Such activity might
be justifiable on the grounds that many users of Microsoft
operating systems will never be knowledgeable enough to
apply the patch themselves and would leave their machines
open, as "attractive nuisances," indefinitely. What do you
think? Does the threat of thousands of unpatched "zombies,"
ready and willing to do hackers' bidding, justify such
intrusions? Join our "Security and Privacy" discussions
and tell us what you think.
http://extreme.ziffdavis.com/cgi-bin10/flo?y=eJ2X0Cy4LO0FBU0LSl0Ag
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UPDATE: PDF Files Become Carrier For New Virus
Adobe's PDF file format, long thought to be impenetrable,
has become the method of propagation for a new virus.
On Tuesday, McAfee.com reported that the new virus, named "Peachy,"
infects a host computer by using VBScript embedded within a PDF
file. The virus uses the functionality of Adobe Acrobat to
extract and execute the files used to infect the host. However,
the virus can only infect by using the full version of Acrobat.
Acrobat Reader, available for free download on the Web, is not
susceptible at this time. For that simple reason, McAfee
does not expect this virus to become widespread.
-> For the full story:
http://vil.mcafee.com/dispVirus.asp?virus_k=99179&
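The newsletter above notes that an administrator of a non-susceptible server can spot infected hosts by searching the Web server logs for long strings of "N" or "X" characters. The following script is an added example (not from the newsletter or from any vendor tool) that does exactly that over IIS-style log lines and tallies the probing hosts by client address. It assumes the W3C extended log layout with the fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status in that order, and it assumes a run of 64 identical "N" or "X" characters as the threshold; both the layout and the threshold are assumptions for this example, and the log lines are constructed sample data.

```python
import re
from collections import Counter

# Minimum run length of a single repeated "N" or "X" that we treat as a worm
# probe. The newsletter only says "long strings"; 64 is an assumed threshold
# chosen to stay well clear of ordinary file names (e.g. "NNNNLOGO.gif").
MIN_RUN = 64

# A run of MIN_RUN or more copies of the same character, restricted to N or X.
_RUN_RE = re.compile(r"([NX])\1{%d,}" % (MIN_RUN - 1))


def classify_line(line):
    """Return (marker, run_length) for a line carrying a long N/X run, else None."""
    m = _RUN_RE.search(line)
    if m is None:
        return None
    return m.group(1), len(m.group(0))


def scan_log(lines):
    """Map client IP -> Counter of probe markers ('N' or 'X') seen from it.

    Assumes W3C extended format: date time c-ip cs-method cs-uri-stem
    cs-uri-query sc-status. Directive lines starting with '#' are skipped.
    """
    hits = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hit = classify_line(line)
        if hit is None:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; not enough fields to read c-ip
        client_ip = fields[2]
        hits.setdefault(client_ip, Counter())[hit[0]] += 1
    return hits


def suspect_hosts(lines):
    """Sorted list of (client_ip, n_probes, x_probes) for hosts that probed us."""
    hits = scan_log(lines)
    return sorted((ip, c["N"], c["X"]) for ip, c in hits.items())


# Constructed sample log: two normal requests, two N-style probes from one
# host, one X-style probe from another. Addresses are from documentation ranges.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-09 14:02:11 10.0.0.5 GET /default.htm - 200",
    "2001-08-09 14:02:19 192.0.2.17 GET /default.ida " + "N" * 224 + " 404",
    "2001-08-09 14:03:40 192.0.2.17 GET /default.ida " + "N" * 224 + " 404",
    "2001-08-09 14:05:02 198.51.100.9 GET /default.ida " + "X" * 224 + " 404",
    "2001-08-09 14:06:30 10.0.0.5 GET /images/NNNNLOGO.gif - 200",
]

if __name__ == "__main__":
    for ip, n_count, x_count in suspect_hosts(SAMPLE_LOG):
        print("%-16s N-probes=%d X-probes=%d" % (ip, n_count, x_count))
```

The list this produces is the "red flag" list the newsletter describes: every address in it is a server that is (or was) infected and should be reported to its owner or blocked at the border. Reading the log with `scan_log(open(path))` works unchanged, since the function only needs an iterable of lines.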
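The SirCam section above describes the "double extension" trick, where an executable attachment is named so that it looks like a harmless data file. The following added example (not from the newsletter or from any antivirus product) shows how a mail gateway or administrator could triage attachment names for that pattern and what the recipient would see when Windows hides the known file extension. The sets of executable and document extensions, and the sample attachment names, are assumptions constructed for this example.

```python
# Outer extensions that Windows will run directly when double-clicked.
# Assumed set for this example; extend it to match your environment.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".lnk", ".scr", ".vbs", ".js"}

# Inner extensions that make the name look like an ordinary document or image.
# Assumed set for this example.
DOCUMENT_EXTS = {".doc", ".xls", ".txt", ".zip", ".jpg", ".gif", ".pdf", ".mpg"}


def split_exts(name):
    """'report.doc.pif' -> ('report', ['.doc', '.pif']); 'README' -> ('README', [])."""
    parts = name.split(".")
    if len(parts) < 2:
        return name, []
    return parts[0], ["." + p for p in parts[1:]]


def is_double_extension(name):
    """True when an executable extension hides behind a document-looking one."""
    _, exts = split_exts(name)
    if len(exts) < 2:
        return False
    return exts[-1].lower() in EXECUTABLE_EXTS and exts[-2].lower() in DOCUMENT_EXTS


def displayed_name(name):
    """Name as shown with 'Hide extensions for known file types' enabled:
    the final extension is dropped, so 'plan.doc.pif' appears as 'plan.doc'."""
    _, exts = split_exts(name)
    if not exts:
        return name
    return name[: -len(exts[-1])]


def triage_attachments(names):
    """Return (real_name, what_the_user_sees) for every suspicious attachment."""
    return [(n, displayed_name(n)) for n in names if is_double_extension(n)]


# Constructed sample attachment names: two double-extension executables and
# two legitimate files.
SAMPLE_ATTACHMENTS = [
    "marketing plan.doc.pif",
    "quarterly.xls",
    "photos.zip.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for real, shown in triage_attachments(SAMPLE_ATTACHMENTS):
        print("blocked %r (user would have seen %r)" % (real, shown))
```

The check is deliberately narrow: it flags only the document-then-executable shape the newsletter describes, so a legitimate `setup.exe` or a plain `report.doc` passes through. The `displayed_name` output is the useful part for user education, since it shows why a recipient who only sees "marketing plan.doc" would open the file.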