Code Red Back For More
Posted by
timothy
on Sat Aug 04, 2001 11:50 PM
from the more-bells-more-whistles dept.
Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different from the original and far more dangerous. CR2-infected servers only attack servers within their Class A address block, and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
In my honor too ... (Score:5, Funny)
If worms start popping up with Linux4Green (my ICQ nick) then I know I'm bad luck.
A few more details (Score:5, Informative)
We'll have full details posted to the Incidents [securityfocus.com] list shortly.
Re:A few more details (Score:4, Informative)
When I went to telnet, the backdoor didn't work and I got the "Hacked by chinese" message.
Either the worms overwrite each other, or a machine can be infected by BOTH worms.
Re:A few more details (Score:5, Insightful)
The fact that the old Code Red is turned off tells me that they might be linked to the same person/organization or something. If I were some independent cracker I wouldn't bother getting rid of the old one, since that's another thing which might break when I launch the new worm.
Re:A few more details:It's a root trojan (Score:5, Informative)
Microsoft or security... (Score:3, Funny)
CodeRedNeck (Score:3, Interesting)
Of course... (Score:3, Insightful)
Might not remove the worm, but at least gets the "admin" (ha) to pay some attention. Maybe make a request for YOU_HAVE_THE_CODE_RED_WORM_YOU_MORON.HTML right before you do it in case they check the logs :)
I made a rookie mistake in my story submission (Score:4, Informative)
And now we know these poor bastards have been rootkitted. There has to be a way to use this to warn them?
Code Red - the soda pop - sales take off! (Score:3, Funny)
Code Red--the soda--has been spreading almost as fast as its namesake computer worm, which has infected hundreds of thousands of computers to date. The caffeine-laden, cherry-flavored version of its pale-yellow cousin, Mountain Dew, was released in May, months before the Code Red worm threatened to clog Internet traffic. And as computer security experts work to contain the damage from the Code Red worm, the soda's maker, Pepsi, is coincidentally featuring a "Crack the Code" contest on the Mountain Dew Web site.
Code Red has been an especially big hit with computer programmers, who often guzzle the high-octane drink to fuel late-night code-writing sessions. Among the drink's fans were the staff of eEye Digital Security, who say they identified the Code Red worm and named it after their favorite soda.
The rest of the story can be found on http://www.securitynewsportal.com/article.php?sid
It's funny. Laugh. Please?
Re:what is code red. . (Score:4, Funny)
Or maybe patent it. Also how about sending the BSA after anyone running it without a licence.
What are you talking about? (Score:4, Insightful)
It's fast because that's how exponential growth works.
Re:What are you talking about? (Score:4, Informative)
OK, I know how the scanning works now. The worm starts with the user's IP address, and then adds a variable number of random octets. Let's say that our web server is on 192.168.1.7:
This is entirely consistent with the patterns we've been seeing, so if somebody on your local network gets infected, you're gonna get pounded until they fix it.
Another point: if the web server in question is behind a NAT firewall, it will go nuts scanning the internal network. For a large company that has many NT systems internally, they will spend all day trying to infect each other.
What a worm.
Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
Looks like somebody did their homework and decided to really make Code Red nasty
The end is near... (Score:3, Insightful)
So that means any loser with this list of infected IPs and some knowledge of perl literally has a small army of computers at their command?
I think we might be seeing some rather impressive DDoS attacks by this evening.
Hmm.. 3 more XXX's in the time it took me to write this... frequency's increasing...
@home preventative measures (Score:4, Informative)
I'd JUST reinstalled Win2k Pro on a new system. I'd added IIS for my own purposes, and before I had a chance to run the service pack and patch, I got the Code Red worm (OK, so I was lazy and tired and was going to leave it for the morning).
@home unbound my cable modem until I'd cleared the worm (disable IIS, reboot).
Normally, I'd be a little annoyed at @home for monitoring my connection and cutting my connection rather than just blocking all traffic to that IP at the router level. But hey, it saved me from contributing to a problem.
Re:@home preventative measures (Score:4, Interesting)
Personally I don't see @Home taking you off, noticing you fixed it, and putting you back online.
Check your outage listings for your area.
What about.... (Score:4, Funny)
Breakdown of the new "features" of CRII (Score:5, Informative)
1. It makes a copy of CMD.EXE called ROOT.EXE in the
\inetpub\scripts
and
\program files\common files\system\msadc
directories. It does this on both drive C: and D: (it doesn't fail if D: doesn't exist).
2. It then runs its attack program code to infect itself upon numerous other boxes. This is done randomly, although there is a bias to attack boxes that are part of the same class A as the infected attacker (so it hits your own boxes sooner rather than later). Attack code runs for 24 hours, 48 hours on Chinese language systems.
3. After attack code runs (and it seems to be based on clock ticks, not date), it then writes out a Trojan.
File Explorer.exe (8192bytes or 7K as displayed by Windows) is dropped (from the code in the original attacking URL) to the root of drive C: and D: (again, doesn't matter if D: doesn't exist).
4. The system is then rebooted (probably a forced reboot).
5. When the system restarts, it loads the trojan Explorer.exe from the root directory on the boot drive. This code then does several things:
a) Launches the real Explorer.exe, so the system looks normal.
b) Sets SFCDisable in hklm\software\microsoft\windows nt\currentversion\winlogon to some undocumented value. Presumably this disables Windows File Protection (so critical files could be overwritten).
c) Creates two virtual directories (via the registry) in hklm\system\currentcontrolset\services\w3svc\parameters\virtual roots. Called "C" and "D", they are mapped to the root directories of the two drives, and permissions are established in the virtual directory to allow script, read, and write access, as well as setting execute permissions to scripts and executables.
d) Goes into an endless sleep loop.
The end result of all of this action is to leave your box wide open to remote connection and total compromise.
Unlike "Code Red", this worm doesn't attack any single target at any point, although its attack strength seems to be much higher (it launches 300 threads right off, although some may only launch 100), so its propagation seems much higher.
The attack only works properly on Windows 2000 systems (preliminary analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and received a standard error message. Reports from subscribers suggest that XP IIS 5.1 RC1 is invulnerable also. It's expected that it works on PWS and OWS equally to IIS (all on W2K).
It's obviously a short-lived attack, at least the process of collecting victims. What would be done with them once collected is another story. No attempt is made by the worm to send anything "home", although detecting compromised boxes is far too easy (very unfortunately) for anyone outside your network.
Cleaning a compromised box should really be done by reformatting. Although logging is left on for the new virtual directories created (meaning you'd see access in your IIS logs), there's really no way to be sure that files haven't been implanted to leave other backdoors (not as part of this worm, but as part of the use of the opening it creates).
Credits:
The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and friends) and Roger Thompson of TruSecure. Additional help came from Bruce Hughes of the ICSA Labs.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
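A small IIS log checker that turns the indicators in the breakdown above (the .ida overflow probe, the ROOT.EXE copies in scripts\ and msadc\, and the "C"/"D" virtual roots) and Brian Stretch's same-class-B tally into a script. This is an added example, not code from any of the posters or from TruSecure; the log excerpt and LOCAL_IP are constructed, and the /c/winnt/system32/cmd.exe path assumes a default W2K install reached through the worm's "C" virtual root.

```python
import re
from collections import Counter
# Constructed IIS 5.0 W3C extended-format log excerpt; LOCAL_IP is a hypothetical address for the server that wrote it.
LOCAL_IP = "24.0.1.5"
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-04 13:11:02 24.0.0.17 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 200
2001-08-04 13:11:09 24.0.0.17 GET /scripts/root.exe /c+dir 200
2001-08-04 13:12:44 10.1.2.3 GET /index.html - 200
2001-08-04 13:13:01 192.168.1.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-08-04 13:14:20 24.5.6.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 200
2001-08-04 13:15:00 24.5.6.7 GET /msadc/root.exe /c+dir 404
"""
def classify_request(uri_stem, uri_query):
    """Map one request to a Code Red indicator, or None if nothing matches."""
    stem = uri_stem.lower()
    if stem == "/default.ida":
        # .ida ISAPI overflow probe: Code Red II pads the query with X, the original worm with N.
        return "crii-overflow" if uri_query.startswith("X") else "ida-overflow"
    if stem in ("/scripts/root.exe", "/msadc/root.exe"):
        return "crii-backdoor-rootexe"   # the cmd.exe copy dropped into scripts\ and msadc\
    if re.fullmatch(r"/[cd]/winnt/system32/cmd\.exe", stem):
        return "crii-backdoor-vroot"     # use of the "C"/"D" virtual roots mapped to drive roots
    return None
def parse_iis_w3c(text):
    """Yield one dict per record, keyed by the names in the latest #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))
def scan_log(text):
    """Return (client ip, indicator, status) for every suspicious request."""
    hits = []
    for rec in parse_iis_w3c(text):
        label = classify_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if label:
            hits.append((rec["c-ip"], label, rec["sc-status"]))
    return hits
def summarize(hits, local_ip=LOCAL_IP):
    """Attempts per source, how many came from our own class B, and whether a backdoor path answered 200 (i.e. THIS server is compromised)."""
    per_source = Counter(ip for ip, _, _ in hits)
    from_class_b = sum(1 for ip, _, _ in hits if ip.split(".")[:2] == local_ip.split(".")[:2])
    backdoor_live = any(lbl.startswith("crii-backdoor") and st == "200" for _, lbl, st in hits)
    return per_source, from_class_b, backdoor_live
```

On the sample, the 200 returned for /scripts/root.exe is the signal that matters: the probes tell you who is scanning, but a successful backdoor request tells you the logged server itself is already rooted.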
If this can't break Microsoft's back nothing will. (Score:3, Insightful)
I'm warned that smoking and drinking are bad for my health
Medicines and drugs aren't legal unless they're fully tested and approved
My car doesn't lock up and freeze
My microwave doesn't blue screen and cook my brain inside out.
SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, and be susceptible to cracks and attacks that are easily preventable?
WHY do I have to pay extra for the functionality of NOT being susceptible to virii and net attacks?
WHY doesn't microsoft NOTIFY me of the risks of using its OS?
I hope no one's bank is trusting Microsoft; I hope anyone doing online transactions doesn't trust Microsoft. I hope no one keeps personal, private, confidential and financial data on their PCs.
I hope no one running Windows is on the internet for that matter.
Re:If this can't break Microsoft's back nothing wi (Score:5, Insightful)
Unlike a car that explodes due to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.