.ida "Code Red" Worm

From: Nir Aran (tanin@ParadigmGeo.com)
Date: 07/20/01


Message-ID: <BF258E83D0F6DA4192E4F0C9A301DC5A073C51@ntserver2.geodepth.com>
From: Nir Aran <tanin@ParadigmGeo.com>
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Subject: .ida "Code Red" Worm
Date: Fri, 20 Jul 2001 00:31:56 +0200


It's out there now!!

.ida "Code Red" Worm

Release Date:
July 17, 2001

Severity:
HIGH

Systems Affected:
Unpatched Microsoft IIS Web Servers

Description:
On Friday July 13th we received packet logs and information from two
network administrators that were experiencing large amounts of
attacks targeting the recent .ida vulnerability that eEye Digital
Security discovered
(http://www.eeye.com/html/Research/Advisories/AD20010618.html) on
June 18, 2001.

From the first analysis of the logs that were sent to us we were able
to deduce that someone had released a worm for the .ida
vulnerability. Within the logs we could see connection attempts from
over five thousand IIS 5 Web servers targeting various other IIS Web
servers and sending an .ida exploit to each of them. Evidence also
showed that compromised hosts were being used to attack other hosts.

The following information was researched by Ryan Permeh
(ryan@eeye.com) and Marc Maiffret (marc@eeye.com) of eEye Digital
Security.

Special thanks to:
Matthew Asham of Left Coast Systems Corp and Ken Eichman of Chemical
Abstracts Service for providing us with logs and data necessary to
make this analysis possible.

We at eEye have designated this worm the ".ida 'Code Red' worm",
because part of the worm is designed to deface Web pages with the
text "Hacked by Chinese" and also because "Code Red" Mountain Dew was
the only thing that kept us awake last night to be able to
disassemble this exploit.

Details
-------
Note: Details are going to be short for now. We plan on releasing a
full analysis of the worm but felt that it was important to get this
message out as quickly as possible as this worm is starting to affect
a lot of people.

The standard injection vector is an exploit that uses the .ida buffer
overflow to execute code (as SYSTEM) on vulnerable remote systems.

The worm performs the following on infected systems:
* Spawns 100 threads which are used to scan for new IIS Web servers
to infect
* Checks for the existence of c:\notworm and if it is found then it
does not try to propagate itself to other hosts
* Defaces Web pages with the message:
<html><head><meta http-equiv="Content-Type" content="text/html;
charset=English"><title>HELLO!</title></head><bady><hr size=5><font
color="red"><p align="center">Welcome to http://www.worm.com
!<br><br>Hacked By Chinese!</font></hr></bady></html>

Analysis
--------
Note: Again this is a brief analysis, more detail will follow.

Upon infection, the infected host will spawn 100 threads in a loop.
This loop checks for the existence of c:\notworm and if the file does
not exist then the worm will proceed to start scanning for vulnerable
servers to infect.

The worm does scan for random IP addresses. However, the worm uses
the same seed for "randomization" of IP addresses. This means that
each new infected host will start at the same IP and continue
scanning further down the same track of IP's as every other infected
host. The ramifications of this are severe because this means that
hosts early in this "randomized" IP sequence will be hit over and
over as new hosts are infected. This creates the potential for a
denial-of-service against early IP addresses in the sequence. Also,
evidence has shown that hosts can be infected multiple times
therefore creating a drain on system resources. However, normal worm
operation seems to have a cut-off point as to how many times a host
will be re-infected. Early analysis seems to suggest that the worm
has a limit of three re-infections; however, that number may have
just been by chance in our test scenario.

Other in-house tests of the infections have shown that internal
thread-rate limiting seems to be broken in certain situations. This
means that some infected systems will continue to spawn new threads
until system resources become so low that the entire Web server
computer crashes or becomes unusable.

Summary
-------
We will be releasing a full detailed analysis, complete with
disassembled worm code and comments within the code.

We have had reports from a few network administrators that their IDS
systems have seen this .ida attack originating from over five
thousand unique source addresses within a three-day time span.

Hosts early in the IP sequence will be hit with a traffic-based
denial-of-service, and those hosts vulnerable to this worm will most
likely grind to a halt.

How To Secure Your System From This .ida Attack
-----------------------------------------------
Download the Microsoft patch for this .ida vulnerability:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

eEye Digital Security Advisory
http://www.eeye.com/html/Research/Advisories/AD20010618.html

The following is part of the packet data that is sent for this .ida
"Code Red" worm attack:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6
858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%
u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

You can set your IDS to monitor for this to be able to see if you are
being hit with this worm. Also, any IDS capable of detecting the .ida
overflow should be able to detect this as an attack.

Vendor Status:
Microsoft has previously released a patch for this .ida
vulnerability. You can find the patch here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Credit:
Ryan Permeh and Marc Maiffret

Greetings:
The guy at Del Taco that sold us food at 3am to allow us to perform
this research. The guy who left the warm "Code Red" Mountain Dew in
the eEye lab.

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

=TAnin

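Added example (not part of the original post or of eEye's advisory): a Python check that applies the request pattern quoted above to web server log lines, flagging .ida requests whose query opens with a long run of one filler byte followed by %u-encoded data, and counting hits per source address. The log lines and addresses are constructed, and the 100-byte filler threshold is an assumption.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Shape of the worm request quoted in the advisory:
#   GET /default.ida?NNNN...N%u9090%u6858%ucbd3%u7801... HTTP/1.0
# i.e. a long run of one filler byte followed by %uXXXX-encoded code.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
FILLER_RE = re.compile(r'^(.)\1{99,}')            # 100+ repeats of one byte at the start of the query (assumed threshold)
UNICODE_ESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')  # IIS-style %u escapes carrying the payload

class Hit(NamedTuple):
    src: str
    filler: str
    filler_len: int
    escapes: int

def classify_request(target: str) -> Optional[Tuple[str, int, int]]:
    """Return (filler_char, filler_len, n_escapes) when the target looks like an .ida overflow, else None."""
    path, sep, query = target.partition('?')
    if not sep or not path.lower().endswith('.ida'):
        return None
    m = FILLER_RE.match(query)
    if not m:
        return None                      # ordinary Index Server query, no filler run
    escapes = len(UNICODE_ESC_RE.findall(query[m.end():]))
    return (m.group(1), m.end(), escapes) if escapes else None

def scan_log(text: str) -> List[Hit]:
    """Pick out .ida overflow requests from common-log-format lines."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            verdict = classify_request(m.group('target'))
            if verdict:
                hits.append(Hit(m.group('src'), *verdict))
    return hits

def hits_per_source(hits: List[Hit]) -> Counter:
    """Count worm requests per source; repeat hits from one host match the re-infection behaviour described above."""
    return Counter(h.src for h in hits)

# Constructed sample log (not a real capture); the worm query is rebuilt from the advisory's excerpt.
WORM_QUERY = "N" * 224 + ("%u9090%u6858%ucbd3%u7801" * 3
             + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [19/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [19/Jul/2001:10:00:02 +0000] "GET /default.ida?%s HTTP/1.0" 200 0' % WORM_QUERY,
    '198.51.100.5 - - [19/Jul/2001:10:00:03 +0000] "GET /default.ida?Search=budget HTTP/1.0" 200 512',
    '192.0.2.77 - - [19/Jul/2001:10:00:09 +0000] "GET /default.ida?%s HTTP/1.0" 200 0' % WORM_QUERY,
    '203.0.113.9 - - [19/Jul/2001:10:00:11 +0000] "GET /default.ida?%s HTTP/1.0" 200 0' % WORM_QUERY,
])

if __name__ == "__main__":
    for src, n in hits_per_source(scan_log(SAMPLE_LOG)).items():
        print(f"{src}: {n} .ida overflow request(s)")
```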
