-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                        A U S C E R T   A L E R T

                    AL-2001.13  --  AUSCERT ALERT
            Potential Increase in "Code Red" Worm Activity
                            30 July 2001
===========================================================================

PROBLEM:

        AusCERT is issuing this alert to warn members of a potential
        increase in activity of the "Code Red" worm and mutations of the
        worm.  We believe "Code Red" may resume propagating again on
        August 1, 2001 0:00 GMT (August 1, 2001 10:00 AEST), and there is
        information to suggest that thousands of systems may be infected
        or vulnerable to re-infection at that time.

        The worm was originally nicknamed "Code Red" by eEye Digital
        Security, who have published an alert at:

                http://www.eeye.com/html/Research/Advisories/AL20010717.html

        There are believed to be at least two variants of "Code Red" that
        each follow a date-triggered pattern of:

        - propagation mode, from the 1st to the 19th of the month
          (details below);
        - denial-of-service attack mode, from the 20th to the 27th of the
          month, to be launched against a specific IP address embedded in
          the code; and
        - sleep mode, from the 27th day of the month onwards, where the
          worm remains in memory but inactive.

        As part of the worm's propagation mode, "Code Red" targets a
        recently patched vulnerability in the Microsoft Internet
        Information Server (IIS) Indexing Service DLL.  For more
        information, refer to the details under the heading "PLATFORM"
        below.

        The "Code Red" worm attack proceeds as follows:

        * The victim is scanned for TCP port 80 by the "Code Red" worm.

        * If the victim is listening for TCP on port 80, the attacking
          host sends a crafted HTTP GET request to the victim, attempting
          to exploit a buffer overflow in the Indexing Service (as
          detailed in AusCERT External Security Bulletins ESB-2001.238
          and ESB-2001.241).
          The crafted HTTP GET request used by "Code Red" can be
          identified on victim machines by the presence of the following
          string in IIS log files:

          /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
          NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
          NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
          NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%
          u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u
          0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

          Note that the worm will attempt the exploit irrespective of
          whether the intended victim is actually vulnerable or not.  As a
          result, the worm may have a denial-of-service effect on sites
          targeted early in an outbreak.

        * Upon a successful compromise, the worm executes on the victim
          host.  The existence of the c:\notworm file is checked and, if
          this file is found, the worm ceases operation.

        * If c:\notworm is not found, the worm begins spawning up to 100
          threads to scan random IP addresses for hosts listening on TCP
          port 80, attempting to exploit any vulnerable hosts it finds.

        * The exploit has a web defacement component which may result in
          the default page for a site being replaced with one containing
          the words "Hacked by Chinese".  Note that the text of this page
          is stored exclusively in memory and is not written to disk.
          Therefore, searching for the text of this page in the file
          system may not detect the compromise.
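        The log string above is the same one the Detection item under
        RECOMMENDATIONS repeats, and checking for it is the one step in
        this alert an administrator can automate.  The following script is
        an added example, not AusCERT's, eEye's or CERT/CC's code.  It
        assumes IIS W3C extended log format (where the query string is
        logged in its own cs-uri-query column, '-' when empty, so the
        alert's string appears with the '?' replaced by a space); the
        column names, the 224-character N run in the sample request and
        the log lines themselves are constructed for the example.

```python
"""Scan IIS log lines for the "Code Red" HTTP GET request quoted in the alert.

Added example, not AusCERT's, eEye's or CERT/CC's code.  Assumes IIS W3C
extended log format, where the query string is logged in its own
'cs-uri-query' column ('-' when empty).  Sample log lines are constructed.
"""
import re
from dataclasses import dataclass

# Opening of the request string the alert quotes: "/default.ida?" followed
# by a long run of 'N' and then the %u-encoded words.  The regex requires
# the path, at least 100 'N's and the first four %u words, so the lines the
# alert wraps the string onto must be re-joined before matching.
CODE_RED_SIGNATURE = re.compile(
    r"/default\.ida\?N{100,}%u9090%u6858%ucbd3%u7801", re.IGNORECASE
)

# Broader heuristic (an assumption of this example, not from the alert):
# any request for default.ida whose query carries %u-encoded bytes is
# worth a look, since the alert warns of mutations of the worm.
DEFAULT_IDA_UNICODE = re.compile(
    r"/default\.ida\?\S*%u[0-9a-f]{4}", re.IGNORECASE
)


@dataclass
class Hit:
    date: str
    time: str
    client_ip: str
    status: str
    kind: str  # "signature" for the alert's string, "suspicious" otherwise


def parse_w3c_fields(header_line):
    """Return the column names from an IIS W3C '#Fields:' header line."""
    return header_line.split(":", 1)[1].split()


def scan_iis_log(lines):
    """Return a Hit for every log line carrying a Code Red style request.

    A hit records an attempt, not a successful compromise: the alert notes
    the worm fires the request whether or not the target is vulnerable.
    """
    fields = None
    hits = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = parse_w3c_fields(line)
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed line; skip rather than mis-align columns
        rec = dict(zip(fields, cols))
        request = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            request += "?" + query  # rebuild the URL as the alert prints it
        if CODE_RED_SIGNATURE.search(request):
            kind = "signature"
        elif DEFAULT_IDA_UNICODE.search(request):
            kind = "suspicious"
        else:
            continue
        hits.append(Hit(rec.get("date", "?"), rec.get("time", "?"),
                        rec.get("c-ip", "?"), rec.get("sc-status", "?"), kind))
    return hits


def attacking_hosts(hits):
    """Distinct client addresses that sent the request, for triage."""
    return sorted({h.client_ip for h in hits})


# Constructed query string in the shape the alert quotes (224 'N's, then the
# %u words); the length of the N run is this example's choice.
CODE_RED_QUERY = ("N" * 224
                  + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                  + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
                  + "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed IIS 5.0 W3C extended log excerpt (addresses from RFC 5737 ranges).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2001-07-19 00:00:00",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:03:11 192.0.2.45 GET /default.ida " + CODE_RED_QUERY + " 200",
    "2001-07-19 14:03:12 198.51.100.7 GET /index.htm - 200",
    # shortened N run: missed by the strict signature, caught by the heuristic
    "2001-07-19 14:05:40 203.0.113.9 GET /default.ida NNNN%u9090%u6858=a 404",
    "2001-07-19 14:06:01 198.51.100.7 GET /scripts/foo.asp id=1 200",
]

if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(f"{h.date} {h.time} {h.client_ip} status={h.status} {h.kind}")
    print("sources:", attacking_hosts(scan_iis_log(SAMPLE_LOG)))
```

        Run it against a real IIS log by passing the file's lines to
        scan_iis_log().  Two design points: the signature is matched on the
        stem and query re-joined with '?', because IIS splits them into
        separate columns, and a hit is reported as an attempt only; the
        alert is explicit that the worm sends the request to every host
        listening on port 80, vulnerable or not, so a matching line on a
        patched server is expected during an outbreak.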
PLATFORM:

        The Microsoft systems that are affected by "Code Red" are:

        * Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and
          Index Server 2.0 installed; and

        * Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing
          services installed

        For further details refer to the AusCERT External Security
        Bulletins:

        ESB-2001.238    Microsoft Security Bulletin MS01-033 - Unchecked
                        Buffer in Index Server ISAPI Extension Could
                        Enable Web Server Compromise
                        ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.238

        ESB-2001.241    CERT Advisory CA-2001-13 - Buffer Overflow In IIS
                        Indexing Service DLL
                        ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.241

        CISCO has released an advisory warning of both a direct and
        indirect threat, posed by "Code Red", to certain CISCO products.
        Per the CISCO Advisory:

        "The following Cisco products are vulnerable because they run
        affected versions of Microsoft IIS:

        * Cisco CallManager
        * Cisco Unity Server
        * Cisco uOne
        * Cisco ICS7750
        * Cisco Building Broadband Service Manager

        Other Cisco products may be indirectly affected by the IIS
        vulnerability (this is not an exhaustive list):

        * Cisco 600 series of DSL routers that have not been patched per
          the Cisco Security Advisory,
          http://www.cisco.com/warp/public/707/CBOS-multiple.shtml, will
          stop forwarding traffic when scanned by a system infected by
          the "Code Red" worm.  The power must be cycled to restore
          normal service.

        * Cisco Network Management products are not directly affected
          but might be installed on a Microsoft platform running a
          vulnerable version of IIS."

        For further details refer to AusCERT External Security Bulletin:

        ESB-2001.304    Cisco Security Advisory - "Code Red" Worm
                        Customer Impact
                        ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.304

IMPACT:

        Infected systems may experience web site defacement as well as
        performance degradation as a result of the propagating activity
        of this worm.  This degradation may become quite severe, and
        potentially could cause some services to stop entirely.
        These impacts apply to both the Microsoft and Cisco products
        listed above.

RECOMMENDATIONS:

        AusCERT stresses that this worm has the potential to adversely
        affect member sites, and we encourage system administrators to
        be alert for evidence of any activity on their systems that may
        indicate its presence.

        AusCERT is interested in any reports regarding this activity.
        If you have any information, comments or questions about this
        threat, please contact us.

        A. Detection

        1) eEye Digital Security (http://www.eeye.com/) has recently
           released a free tool which you can use to scan your network
           for IIS servers which may still be vulnerable to the "Code
           Red" worm.  You can download this tool from the eEye site
           directly at:

                http://www.eeye.com/html/Research/Tools/codered.html

           Please note that reference to this product does not imply
           endorsement.  Members are cautioned to evaluate this product
           prior to use.

        2) It is possible to check for evidence of an attempted attack
           by "Code Red".  The crafted HTTP GET request used by the worm
           can be identified on victim machines by the presence of the
           following string in IIS log files:

           /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
           NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
           NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
           NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%
           u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u
           0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

           As mentioned previously, the worm will attempt the exploit
           irrespective of whether the intended victim is actually
           vulnerable or not.  As a result, the worm may have a
           denial-of-service effect on sites targeted early in an
           outbreak.

        B. Recovery and Prevention

        1) For systems currently infected with the "Code Red" worm, a
           reboot is required.  Also any Cisco 600 series routers
           scanned by the "Code Red" worm will not resume normal service
           until the power to the router has been cycled.
        2) To protect your systems from re-infection install Microsoft's
           patch for the vulnerability that "Code Red" exploits:

           * Windows NT version 4.0:
             http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

           * Windows 2000 Professional, Server and Advanced Server:
             http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

           Useful step-by-step instructions for these actions are posted
           at

                http://www.digitalisland.com/codered/

        If you suspect that your site may have been compromised, there
        are several documents available from:

                http://www.auscert.org.au/Information/Auscert_info/papers.html

        e.g.    Windows NT Intruder Detection Checklist
                Steps for Recovering from a UNIX or NT System Compromise

        which may provide some assistance.

        CERT/CC have also issued three Advisories on "Code Red"
        (CA-2001-19 and CA-2001-23) that have been redistributed as
        AusCERT External Security Bulletins:

        ESB-2001.302    CERT Advisory CA-2001-19 - "Code Red" Worm
                        Exploiting Buffer Overflow In IIS
                        ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.302

        ESB-2001.322    CERT Advisory CA-2001-23 - Continued Threat of
                        the "Code Red" Worm
                        ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.322

        ESB-2001.323    CERT Advisory - Public Alert about the Code Red
                        worm
                        ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.323

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of each
user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and
AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld  4072
                AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO2WbGyh9+71yA2DNAQH6hQQAhzz0A57IIyR/pOo3BSYr26xX7fiiepJ7
j2X9vqtN9Ja92oM5Lfvo77O7FvewJo1gZfJghaC49lewpz7SBJgpDuPqoUbWOwVD
vtMr2642aec3PY+Gp+icvBNRdTOCoZYp0vvG1A/oZ0hlqxna98m3chj9us7zqgoU
7ScM9yEvkTw=
=ir1V
-----END PGP SIGNATURE-----