Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Malware :: al200113.txt

AusCERT Alert 2001.13 Potential Increase in "Code Red" Worm Activity




-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2001.13  --  AUSCERT ALERT
               Potential Increase in "Code Red" Worm Activity
                                30 July 2001

===========================================================================

PROBLEM:

	AusCERT is issuing this alert to warn members of a potential
	increase in activity of the "Code Red" worm and mutations of the
	worm.  We believe "Code Red" may resume propagating again on August
	1, 2001 0:00 GMT (August 1, 2001 10:00 AEST), and there is
	information to suggest that thousands of systems may be infected
	or vulnerable to re-infection at that time.

	The worm was originally nicknamed "Code Red" by eEye Digital
	Security, who have published an alert at:

	http://www.eeye.com/html/Research/Advisories/AL20010717.html

	There are believed to be at least two variants of "Code Red" that
	each follow a date-triggered pattern of:
	- propagation mode, from the 1st to the 19th of the month (details
	  below);
	- denial-of-service attack mode, from the 20th to the 27th of the
	  month, to be launched against a specific IP address embedded in
	  the code; and
	- sleep mode, from the 27th day of the month onwards, where the
	  worm remains in memory but inactive.

	As part of the worm's propagation mode, "Code Red" targets a
	recently patched vulnerability in the Microsoft Internet
	Information Server (IIS) Indexing Service DLL.  For more
	information, refer to the details under the heading "PLATFORM"
	below.

	The "Code Red" worm attack proceeds as follows:

	* The victim is scanned for TCP port 80 by the "Code Red" worm.

	* If the victim is listening for TCP on port 80, the attacking
	  host sends a crafted HTTP GET request to the victim, attempting
	  to exploit a buffer overflow in the Indexing Service (as detailed
	  in AusCERT External Security Bulletins ESB-2001.238 and
	  ESB-2001.241).

	  The crafted HTTP GET request used by "Code Red" can be identified
	  on victim machines by the presence of the following string in
	  IIS log files:

	/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
	NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
	NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
	NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%
	u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u
	0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

	  Note that the worm will attempt the exploit irrespective of
	  whether the intended victim is actually vulnerable or not.  As
	  a result, the worm may have a denial-of-service effect on sites
	  targeted early in an outbreak.

	* Upon a successful compromise, the worm executes on the victim
	  host. The existence of the c:\notworm file is checked and if
	  this file be found, the worm ceases operation.

	* If c:\notworm is not found, the worm begins spawning up to 100
	  threads to scan random IP addresses for hosts listening on TCP
	  port 80, attempting to exploit any vulnerable hosts it finds.

	* The exploit has a web defacement component which may result in
	  the default page for a site being replaced with one containing
	  the words "Hacked by Chinese".

	  Note that the text of this page is stored exclusively in memory
	  and is not written to disk. Therefore, searching for the text
	  of this page in the file system may not detect the compromise.


PLATFORM:

	The Microsoft systems that are affected by "Code Red" are:

        * Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and
          Index Server 2.0 installed; and
        * Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing
          services installed

	For further details refer to the AusCERT External Security
	Bulletins:

                ESB-2001.238 Microsoft Security Bulletin MS01-033 -
                Unchecked Buffer in Index Server ISAPI Extension Could
                Enable Web Server Compromise
                ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.238

                ESB-2001.241 CERT Advisory CA-2001-13 -
                Buffer Overflow In IIS Indexing Service DLL
                ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.241

	CISCO has released an advisory warning of both a direct and
	indirect threat, posed by "Code Red", to certain CISCO products.
	Per the CISCO Advisory:

	"The following Cisco products are vulnerable because they run
	affected versions of Microsoft IIS:

        * Cisco CallManager
        * Cisco Unity Server
        * Cisco uOne
        * Cisco ICS7750
        * Cisco Building Broadband Service Manager

        Other Cisco products may be indirectly affected by the IIS
        vulnerability (this is not an exhaustive list):

        * Cisco 600 series of DSL routers that have not been patched per
          the Cisco Security Advisory,
          http://www.cisco.com/warp/public/707/CBOS-multiple.shtml,
          will stop forwarding traffic when scanned by a system infected
          by the "Code Red" worm. The power must be cycled to restore
          normal service.
        * Cisco Network Management products are not directly affected but
          might be installed on a Microsoft platform running a vulnerable
          version of IIS."

	For further details refer to AusCERT External Security Bulletin:

                ESB-2001.304 Cisco Security Advisory - "Code Red" Worm
                Customer Impact
                ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.304


IMPACT:

	Infected systems may experience web site defacement as well as
	performance degradation as a result of the propagating activity
	of this worm. This degradation may become quite severe, and
	potentially could cause some services to stop entirely.  These
	impacts apply to both the Microsoft and Cisco products listed
	above.


RECOMMENDATIONS:

	AusCERT stresses that this worm has the potential to adversely
	affect member sites, and we encourage system administrators to be
	alert for evidence of any activity on their systems that may
	indicate its presence.

	AusCERT is interested in any reports regarding this activity.  If
	you have any information, comments or questions about this threat,
	please contact us.

	A. Detection

	1) eEye Digital Security (http://www.eeye.com/) has recently
	   released a free tool which you can use to scan your network
	   for IIS servers which may still be vulnerable to the "Code Red"
	   worm.  You can download this tool from the eEye site directly
	   at:

   		http://www.eeye.com/html/Research/Tools/codered.html

	2) Please note that reference to this product does not imply
	   endorsement.  Members are cautioned to evaluate this product
	   prior to use.

	   It is possible to check for evidence of an attempted attack by
	   "Code Red".  The crafted HTTP GET request used by the worm can
	   be identified on victim machines by the presence of the
	   following string in IIS log files:

        /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
        NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
        NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
        NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%
        u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u
        0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

	   As mentioned previously, the worm will attempt the exploit
	   irrespective of whether the intended victim is actually
	   vulnerable or not.  As a result, the worm may have a
	   denial-of-service effect on sites targeted early in an outbreak.


        B. Recovery and Prevention

	1) For systems currently infected with the "Code Red" worm, a
	   reboot is required.  Also any Cisco 600 series routers scanned
	   by the "Code Red" worm will not resume normal service until
	   the power to the router has been cycled.

	2) To protect your systems from re-infection install Microsoft's
	   patch for the vulnerability that "Code Red" exploits:

	   *  Windows NT version 4.0:
	   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

	   * Windows 2000 Professional, Server and Advanced Server:
	   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

	Useful step-by-step instructions for these actions are posted at
	http://www.digitalisland.com/codered/

	If you suspect that your site may have been compromised, there
	are several documents available from:

	http://www.auscert.org.au/Information/Auscert_info/papers.html

	eg. Windows NT Intruder Detection Checklist
	    Steps for Recovering from a UNIX or NT System Compromise

	which may provide some assistance.

	CERT/CC have also issued three Advisories on "Code Red" (CA-2001-19
	and CA-2001-23) that have been redistributed as AusCERT External
	Security Bulletins:

		ESB-2001.302 CERT Advisory CA-2001-19 - "Code Red" Worm
		Exploiting Buffer Overflow In IIS
		ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.302

		ESB-2001.322 - CERT Advisory CA-2001-23 - Continued Threat
		of the "Code Red" Worm
		ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.322

		ESB-2001.323 - CERT Advisory - Public Alert about the Code
		Red worm
		ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.323

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO2WbGyh9+71yA2DNAQH6hQQAhzz0A57IIyR/pOo3BSYr26xX7fiiepJ7
j2X9vqtN9Ja92oM5Lfvo77O7FvewJo1gZfJghaC49lewpz7SBJgpDuPqoUbWOwVD
vtMr2642aec3PY+Gp+icvBNRdTOCoZYp0vvG1A/oZ0hlqxna98m3chj9us7zqgoU
7ScM9yEvkTw=
=ir1V
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH