Re: Full analysis of the .ida "Code Red" worm.

From: Pierre Vandevenne (pierre@datarescue.com)
Date: 07/20/01


From: "Pierre Vandevenne" <pierre@datarescue.com>
To: "Laurence Hand" <lhand@co.la.ca.us>, "Marc Maiffret" <marc@eeye.com>
Date: Fri, 20 Jul 2001 04:08:06 +0200
Subject: Re: Full analysis of the .ida "Code Red" worm.
Message-ID: <99559213401@datarescue.be>

On Thu, 19 Jul 2001 16:44:08 -0700, Laurence Hand wrote:

>Did anyone else see that one of Microsoft's windowsupdate.microsoft.com
>servers got bit by this worm? It went away when we refreshed the screen
>and presumably rolled over to another server, but it is definitely on at
>least one of their servers.

Confirmed. Here's a "souvenir"

http://www.datarescue.com/fprot/virinfo/hackedbychinese.gif

This DOES raise some pretty fundamental questions about the security of
all the infrastructure, because, in theory the compromised servers
_could_ have been exploited more extensively and _could_ be delivering
nastily compromised stuff around. I have no reason to believe it has
happened, but still...

---
Pierre Vandevenne - DataRescue : home of the IDA Pro Disassembler  
Advanced tools for the IT Security Industry. www.datarescue.com/idabase/
SM CF and MS Picture Recovery Software www.datarescue.com/photorescue/
