Re: Code Red - misconceptions
From: Russ (Russ.Cooper@RC.ON.CA) Date: 08/12/01
Message-ID: <E9A01F52DC939448BBDE44ED2E1C468F1C9D8E@muskie.rc.on.ca> Date: Sun, 12 Aug 2001 15:34:26 -0400 From: Russ <Russ.Cooper@RC.ON.CA> Subject: Re: Code Red - misconceptions To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
-----BEGIN PGP SIGNED MESSAGE-----
1. patrick diiorio [wwwebtech@yahoo.com] reported several days ago
that a patched NT 4.0/IIS 4.0 server set up with a URL Redirect for
the default website (or specifically addressed site) would cause a
crash when hit with Code Red. Investigations are ongoing, but there
have been some false reports that servers in this configuration are
being "infected" with Code Red.
While the effects on such a box are not in any way beneficial, they
are not the result of an "infection". Such boxes do not have any
Trojans dropped on them, nor do they participate in any way in any
sort of attack on other addresses. Microsoft are still investigating,
but have stated in public newsgroups that a workaround is to remove
the redirect(s).
Neither the patch nor removing the .ida/.idq script mappings prevents
the problems with URL redirects.
2. Other reports are indicating that a new variant of Code Red has
been uncovered in Korea. For the record, here is the numbering I've
been using:
CRv1 = July 13th, 2001 - in the wild
CRv2 = July 19th, 2001 - in the wild
CRv3 = July 21st, 2001 - reportedly with FBI/NIPC - not in the wild
CRv4 = August 4th, 2001 - in the wild
CRv4 had the string CRII embedded in its code, so it became known as
Code Red II, hence the confusion of versions/variants.
CRv4 had a component which caused it to double its effects on Chinese
Language W2K systems. It would produce 600 threads and run for 48
hours. It's suspected that this may be the reason the Korean
Government is thinking it's seeing another variant other than what's
being discussed in the press.
3. Some people seem to think that Index Server itself is somehow
related to Code Red. Let me assure you that the affected component is
IDQ.DLL, which is an ISAPI filter used by IIS to relay Index Server
requests from IIS to Index Server. It matters not whether Index
Server is running, or even installed. As long as a script mapping
exists in IIS pointing .ida/.idq requests to IDQ.DLL, and IDQ.DLL
exists, Code Red can infect the box.
Some people have suggested that applying the patch to a box where
IDQ.DLL does not exist will cause it to be installed. This is
incorrect. Unless IDQ.DLL already exists on the box it will not be
installed by the Hotfix. The Hotfix also will not re-instate script
mappings in IIS, so patching is still a good idea even if the
mappings are removed.
4. Finally, let me restate my point about Personal Web Server (PWS)
on Windows 2000. All IIS 5.0 fixes apply to PWS on Windows 2000
systems. PWS for NT 4.0 (from the NT 4.0 Option Kit) was not
supported with Hotfixes, and was a different product than IIS 4.0.
With Windows 2000 the difference became the management interface, not
the underlying code. Any NT 4.0 system with PWS installed, when
upgraded, automatically had IIS 5.0 and the Personal Web Manager
(PWM) management interface installed. Ergo any system with PWS on W2K
needs to have the MS01-033 patch applied to be protected from Code
Red.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
iQCVAwUBO3baQhBh2Kw/l7p5AQEZ/AP6Aqt86JWclyMKoCkLVh2LOt9KfLENtJZm
k7ZXM51dRG1v8wtUKGCpYcvk8bcocSQwdzfG8TRsAp4yVV84U0EjhyLL98Wvy7j3
t/ThVvdPjSFGokZkU46u96XeTUbPbHaTEytzt/Yvj2dlBC7/lxZbDD3wi6B+DMnr
9tvNMsltuwM=
=q3HE
-----END PGP SIGNATURE-----
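The post's point 3 is that exposure depends only on whether IIS still hands .ida/.idq requests to IDQ.DLL, not on Index Server. One way to see that from the server's own records is to look at what IIS did with the Code Red requests that hit it. The following is an added example, not code from Russ's post or from NTBugtraq: it parses IIS W3C extended log lines (the '#Fields:' header convention IIS 4.0/5.0 use) and flags requests with the well-known Code Red shape, a .ida/.idq stem whose query string is a long run of one filler character followed by %u-encoded words. The log lines are constructed for the example and the payload is truncated; the status-code interpretation (404 means IIS tried to serve default.ida as a plain file, i.e. no script mapping was consulted, anything else means an ISAPI extension handled it) is the author's assumption, stated in the code.

```python
"""Flag Code Red-style .ida/.idq probes in IIS W3C extended logs.

Added example, not from the original NTBugtraq post. Assumes the W3C
extended log format IIS 4.0/5.0 write ('#Fields:' header names the
columns). SAMPLE_LOG is constructed for this example, not captured
traffic, and the Code Red query string is truncated for readability.
"""
import re
from collections import Counter

# Constructed sample log. Two probes: one handled by a script mapping
# (status 200), one refused as a missing static file (status 404).
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-08-04 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-04 13:01:02 192.0.2.10 GET /default.htm - 200
2001-08-04 13:01:07 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-08-04 13:02:15 192.0.2.11 GET /search.idq CiRestriction=report&CiScope=/docs 200
2001-08-04 13:03:44 203.0.113.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404
2001-08-04 13:05:00 192.0.2.12 GET /index.html - 200
"""

IDQ_EXTENSIONS = (".ida", ".idq")
# %uXXXX is the non-standard Unicode escape the Code Red payload uses.
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")
# Both in-the-wild families pad the query with one repeated byte.
FILLER_RUN = re.compile(r"^([A-Za-z])\1{20,}")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, values))


def is_code_red_probe(rec):
    """True for an .ida/.idq request with filler run plus %u escapes."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    if not stem.endswith(IDQ_EXTENSIONS):
        return False
    if len(UNICODE_ESCAPE.findall(query)) < 4:
        return False
    return FILLER_RUN.match(query) is not None


def scan(text):
    """Return (probe_count, Counter of probes per source IP, handled_count).

    handled_count: probes whose status was not 404. Assumption: a 404
    means IIS looked for default.ida as a static file (no script mapping
    consulted); any other status means an ISAPI extension such as
    IDQ.DLL processed the request, so the mapping is still in place.
    """
    per_source = Counter()
    handled = 0
    for rec in parse_w3c(text):
        if is_code_red_probe(rec):
            per_source[rec["c-ip"]] += 1
            if rec.get("sc-status") != "404":
                handled += 1
    return sum(per_source.values()), per_source, handled


if __name__ == "__main__":
    total, by_ip, handled = scan(SAMPLE_LOG)
    print(f"{total} Code Red probes, {handled} reached a script mapping")
    for ip, n in by_ip.most_common():
        print(f"  {ip}: {n}")
```

A probe that is logged with a non-404 status on a box that should already have the .ida/.idq mappings removed is the thing worth chasing: it means the request was still routed to an ISAPI extension, which is exactly the precondition the post describes. Note the ordinary Index Server query to search.idq is not flagged, matching the post's point that Index Server usage itself is not the issue.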