
AusCERT Alert 2001.13 Potential Increase in "Code Red" Worm Activity

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2001.13  --  AUSCERT ALERT
               Potential Increase in "Code Red" Worm Activity
                                30 July 2001

===========================================================================

PROBLEM:

	AusCERT is issuing this alert to warn members of a potential
	increase in activity of the "Code Red" worm and mutations of the
	worm.  We believe "Code Red" may resume propagating on August 1,
	2001 at 00:00 GMT (August 1, 2001 10:00 AEST), and there is
	information to suggest that thousands of systems may be infected
	or vulnerable to re-infection at that time.

	The worm was originally nicknamed "Code Red" by eEye Digital
	Security, who have published an alert at:

	http://www.eeye.com/html/Research/Advisories/AL20010717.html

	There are believed to be at least two variants of "Code Red" that
	each follow a date-triggered pattern of:
	- propagation mode, from the 1st to the 19th of the month (details
	  below);
	- denial-of-service attack mode, from the 20th to the 27th of the
	  month, to be launched against a specific IP address embedded in
	  the code; and
	- sleep mode, from the 27th day of the month onwards, where the
	  worm remains in memory but inactive.

	As part of the worm's propagation mode, "Code Red" targets a
	recently patched vulnerability in the Microsoft Internet
	Information Server (IIS) Indexing Service DLL.  For more
	information, refer to the details under the heading "PLATFORM"
	below.

	The "Code Red" worm attack proceeds as follows:

	* The victim is scanned for TCP port 80 by the "Code Red" worm.

	* If the victim is listening for TCP on port 80, the attacking
	  host sends a crafted HTTP GET request to the victim, attempting
	  to exploit a buffer overflow in the Indexing Service (as detailed
	  in AusCERT External Security Bulletins ESB-2001.238 and
	  ESB-2001.241).

	  The crafted HTTP GET request used by "Code Red" can be identified
	  on victim machines by the presence of the following string in
	  IIS log files:

	/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
	NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
	NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
	NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%
	u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u
	0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

	  Note that the worm will attempt the exploit irrespective of
	  whether the intended victim is actually vulnerable or not.  As
	  a result, the worm may have a denial-of-service effect on sites
	  targeted early in an outbreak.

	* Upon a successful compromise, the worm executes on the victim
	  host. It then checks for the existence of the file c:\notworm;
	  if that file is found, the worm ceases operation.

	* If c:\notworm is not found, the worm begins spawning up to 100
	  threads to scan random IP addresses for hosts listening on TCP
	  port 80, attempting to exploit any vulnerable hosts it finds.

	* The exploit has a web defacement component which may result in
	  the default page for a site being replaced with one containing
	  the words "Hacked by Chinese".

	  Note that the text of this page is stored exclusively in memory
	  and is not written to disk. Therefore, searching for the text
	  of this page in the file system may not detect the compromise.


PLATFORM:

	The Microsoft systems that are affected by "Code Red" are:

        * Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and
          Index Server 2.0 installed; and
        * Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing
          services installed

	For further details refer to the AusCERT External Security
	Bulletins:

                ESB-2001.238 Microsoft Security Bulletin MS01-033 -
                Unchecked Buffer in Index Server ISAPI Extension Could
                Enable Web Server Compromise
                ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.238

                ESB-2001.241 CERT Advisory CA-2001-13 -
                Buffer Overflow In IIS Indexing Service DLL
                ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.241

	Cisco has released an advisory warning of both a direct and an
	indirect threat posed by "Code Red" to certain Cisco products.
	Per the Cisco advisory:

	"The following Cisco products are vulnerable because they run
	affected versions of Microsoft IIS:

        * Cisco CallManager
        * Cisco Unity Server
        * Cisco uOne
        * Cisco ICS7750
        * Cisco Building Broadband Service Manager

        Other Cisco products may be indirectly affected by the IIS
        vulnerability (this is not an exhaustive list):

        * Cisco 600 series of DSL routers that have not been patched per
          the Cisco Security Advisory,
          http://www.cisco.com/warp/public/707/CBOS-multiple.shtml,
          will stop forwarding traffic when scanned by a system infected
          by the "Code Red" worm. The power must be cycled to restore
          normal service.
        * Cisco Network Management products are not directly affected but
          might be installed on a Microsoft platform running a vulnerable
          version of IIS."

	For further details refer to AusCERT External Security Bulletin:

                ESB-2001.304 Cisco Security Advisory - "Code Red" Worm
                Customer Impact
                ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.304


IMPACT:

	Infected systems may experience web site defacement as well as
	performance degradation as a result of the propagating activity
	of this worm. This degradation may become quite severe, and
	potentially could cause some services to stop entirely.  These
	impacts apply to both the Microsoft and Cisco products listed
	above.


RECOMMENDATIONS:

	AusCERT stresses that this worm has the potential to adversely
	affect member sites, and we encourage system administrators to be
	alert for evidence of any activity on their systems that may
	indicate its presence.

	AusCERT is interested in any reports regarding this activity.  If
	you have any information, comments or questions about this threat,
	please contact us.

	A. Detection

	1) eEye Digital Security (http://www.eeye.com/) has recently
	   released a free tool which you can use to scan your network
	   for IIS servers which may still be vulnerable to the "Code Red"
	   worm.  You can download this tool from the eEye site directly
	   at:

		http://www.eeye.com/html/Research/Tools/codered.html

	   Please note that reference to this product does not imply
	   endorsement.  Members are cautioned to evaluate this product
	   prior to use.

	2) It is possible to check for evidence of an attempted attack by
	   "Code Red".  The crafted HTTP GET request used by the worm can
	   be identified on victim machines by the presence of the
	   following string in IIS log files:

        /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
        NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
        NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
        NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%
        u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u
        0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

	   As mentioned previously, the worm will attempt the exploit
	   irrespective of whether the intended victim is actually
	   vulnerable or not.  As a result, the worm may have a
	   denial-of-service effect on sites targeted early in an outbreak.
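	   The following script is an added example and is not part of the
	   AusCERT alert or of any vendor tool.  It scans IIS W3C extended
	   log lines for the crafted GET request signature quoted above
	   (/default.ida? followed by a long run of "N" and the %u9090
	   %u6858%ucbd3%u7801 escape sequence) and tags each hit with the
	   worm's date-triggered phase as described under PROBLEM.  The
	   sample log lines are constructed; the minimum run of 100 "N"
	   characters (the advisory's string has 224) and the treatment of
	   the 27th as a denial-of-service day are assumptions made here.

```python
"""Scan IIS W3C extended log lines for the "Code Red" HTTP GET
signature given in the advisory and annotate each hit with the worm's
date-triggered phase.  Added example; not part of the AusCERT alert."""
import re
from datetime import date
from typing import Dict, Iterable, Iterator, List, Tuple

# Signature from the advisory: a request for /default.ida whose query
# is a long run of 'N' followed by the %uXXXX escapes that begin the
# payload.  The advisory's string carries 224 'N's; the lower threshold
# of 100 is an assumption to tolerate truncated log fields.  In W3C logs
# the stem and query are separate space-separated fields; in the native
# IIS format they are comma-separated, hence the [?,\s]* between them.
CODE_RED_RE = re.compile(
    r"/default\.ida[?,\s]*N{100,}.*?%u9090%u6858%ucbd3%u7801",
    re.IGNORECASE,
)


def worm_phase(day: date) -> str:
    """Map a calendar date to the phase named in the advisory.
    The advisory gives DoS mode as the 20th to the 27th and sleep mode
    from the 27th onwards; the 27th is counted as DoS here (assumption)."""
    if day.day <= 19:
        return "propagation"
    if day.day <= 27:
        return "denial-of-service"
    return "sleep"


def parse_w3c_lines(lines: Iterable[str]) -> Iterator[Tuple[Dict[str, str], str]]:
    """Yield (record, raw_line) for each data line, naming columns from
    the #Fields directive.  Data lines before any #Fields header are skipped."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        yield dict(zip(fields, line.split())), line


def scan_iis_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line that carries the Code Red signature."""
    hits: List[Dict[str, str]] = []
    for rec, line in parse_w3c_lines(lines):
        if not CODE_RED_RE.search(line):
            continue
        try:
            y, m, d = (int(x) for x in rec.get("date", "").split("-"))
            phase = worm_phase(date(y, m, d))
        except ValueError:
            phase = "unknown"  # malformed or missing date field
        hits.append({
            "date": rec.get("date", "-"),
            "time": rec.get("time", "-"),
            "client": rec.get("c-ip", "-"),
            "status": rec.get("sc-status", "-"),
            "phase": phase,
        })
    return hits


# Constructed sample log (W3C extended format).  The query string is the
# advisory's signature rebuilt from a 224-byte run of 'N'.
_PAYLOAD = ("N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
            "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00"
            "%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:21:43 192.0.2.44 GET /default.ida " + _PAYLOAD + " 200",
    "2001-07-19 10:22:01 198.51.100.7 GET /index.htm - 200",
    "2001-07-19 10:22:30 198.51.100.7 GET /default.ida - 404",
    "2001-07-21 03:05:12 203.0.113.9 GET /default.ida " + _PAYLOAD + " 404",
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)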


	B. Recovery and Prevention

	1) For systems currently infected with the "Code Red" worm, a
	   reboot is required.  Also, any Cisco 600 series routers scanned
	   by the "Code Red" worm will not resume normal service until
	   the power to the router has been cycled.

	2) To protect your systems from re-infection, install Microsoft's
	   patch for the vulnerability that "Code Red" exploits:

	   * Windows NT version 4.0:
	   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

	   * Windows 2000 Professional, Server and Advanced Server:
	   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

	Useful step-by-step instructions for these actions are posted at
	http://www.digitalisland.com/codered/

	If you suspect that your site may have been compromised, there
	are several documents available from:

	http://www.auscert.org.au/Information/Auscert_info/papers.html

	e.g. Windows NT Intruder Detection Checklist
	     Steps for Recovering from a UNIX or NT System Compromise

	which may provide some assistance.

	CERT/CC has also issued three advisories on "Code Red" (including
	CA-2001-19 and CA-2001-23) that have been redistributed as AusCERT
	External Security Bulletins:

		ESB-2001.302 CERT Advisory CA-2001-19 - "Code Red" Worm
		Exploiting Buffer Overflow In IIS
		ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.302

		ESB-2001.322 CERT Advisory CA-2001-23 - Continued Threat
		of the "Code Red" Worm
		ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.322

		ESB-2001.323 CERT Advisory - Public Alert about the Code
		Red worm
		ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.323

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call
                after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO2WbGyh9+71yA2DNAQH6hQQAhzz0A57IIyR/pOo3BSYr26xX7fiiepJ7
j2X9vqtN9Ja92oM5Lfvo77O7FvewJo1gZfJghaC49lewpz7SBJgpDuPqoUbWOwVD
vtMr2642aec3PY+Gp+icvBNRdTOCoZYp0vvG1A/oZ0hlqxna98m3chj9us7zqgoU
7ScM9yEvkTw=
=ir1V
-----END PGP SIGNATURE-----
