TUCoPS :: Malware :: al200114.txt

AusCERT Alert 2001.14 New Worm - "CodeRedII"


A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2001.14  --  AUSCERT ALERT
                           New Worm - "CodeRedII"
                                6 August 2001



	AusCERT is issuing this alert to warn members that a new worm has
	been released that exploits the same vulnerability as "Code Red".
	This worm exhibits different behaviour to the "Code Red" in that
	it does not launch a deliberate DDoS attack nor deface web pages,
	but will now install trojan binaries onto an infected system that
	may directly lead to administrative compromise.

	"CodeRedII" appears to use a different pattern of propagation.
	Instead of randomly trying to infect any site across the whole
	Internet, it will concentrate on spreading locally, and then move
	further afield when local systems are saturated. The worm has been
	observed to probe nearby systems with a probability of 50% for
	the same Class A subnet ( 37.5% for the same Class B
	subnet ( and 12.5% random. Additionally, this worm is
	reputed to use non-blocking I/O during the connection phase so
	should be able to eliminate unresponsive hosts more quickly than
	"Code Red" thus increasing the speed of propagation. It will also
	avoid scanning invalid IP addresses.

	This worm is able to detect its own presence on an exploited system
	using the identifier "CodeRedII" and will not reinfect already
	infected systems. It can, however, supplant infections of the
	original "Code Red" worm.

	"CodeRedII" targets the same recently patched vulnerability in
	the Microsoft Internet Information Server (IIS) Indexing Service
	DLL as for "Code Red". For more information about this
	vulnerability, refer to the details under the heading "PLATFORM"
	below.  More information about "Code Red" may be found in the
	previous AusCERT alert:
		Potential Increase in "Code Red" Worm Activity

	The "CodeRedII" worm attack sequence is similar to that of "Code
	Red", but with a differently crafted HTTP GET request (which can
	be identified on victim machines by the presence of the following
	string in IIS log files):


	The worm will still attempt to exploit irrespective of whether
	the intended victim is actually vulnerable or not.  As a result,
	the worm may have a denial-of-service effect on sites targeted
	during an outbreak.

	Once a host is infected with "CodeRedII", the behaviour diverges
	from that of the earlier "Code Red" worm.

	It checks whether Chinese (either Traditional or Simplified) is
	the language installed on the system.  If so, it creates 600
	threads and spreads for 48 hours before rebooting the system. On
	a non-Chinese system it creates 300 threads and spreads for 24
	hours before reboot. 

	This worm also attempts to create a backdoor by copying:




	It will also attempt to create trojan-horse versions of the files:


	to exploit a previously patched Microsoft vulnerability that allows
	the system to load the first explorer.exe accessed in the directory
	structure. This vulnerability was documented in the AusCERT
	External Security Bulletin:

		ESB-2000.189 Microsoft Security Bulletin (MS00-052)
		Patch Available for "Relative Shell Path" Vulnerability

	When the system is first rebooted by the worm, the trojan-horse
	version of explorer.exe, on vulnerable systems, will be executed
	instead of %windir%\explorer.exe.

	The trojan adds the value SFCDisable to:

		SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

	and adds keys under:

		SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots 

	It then goes to sleep and modifies the registry keys every 10
	minutes. In this state, the system is now vulnerable to remote
	administrative compromise.


	"CodeRedII" exploits the same vulnerability as exploited by "Code
	Red", so the following information from the previous AusCERT Alert
	is likely to remain valid.

	The Microsoft systems that are affected by "Code Red" are:

        * Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and
          Index Server 2.0 installed; and

        * Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing
          services installed

	For further details refer to the AusCERT External Security

                ESB-2001.238 Microsoft Security Bulletin MS01-033 -
                Unchecked Buffer in Index Server ISAPI Extension Could
                Enable Web Server Compromise

                ESB-2001.241 CERT Advisory CA-2001-13 -
                Buffer Overflow In IIS Indexing Service DLL

	Cisco released an advisory warning of both a direct and indirect
	threat posed by "Code Red", to certain Cisco products.  Due to
	its similarity to "Code Red", "CodeRedII" may also pose a threat
	to some Cisco products, but at this time no further statement has
	been made available by Cisco. From the Cisco Advisory for "Code

                       -------- Begin Extract --------

	    The following Cisco products are vulnerable because they run
	    affected versions of Microsoft IIS:

	    * Cisco CallManager
	    * Cisco Unity Server
	    * Cisco uOne
	    * Cisco ICS7750
	    * Cisco Building Broadband Service Manager

                        -------- End Extract --------

	For further details refer to AusCERT External Security Bulletin:

                ESB-2001.304 Cisco Security Advisory
		"Code Red" Worm Customer Impact

	AusCERT has received reports from its constituency of
	Hewlett-Packard JetDirect print servers experiencing a denial of
	service when scanned by "Code Red" and so also may be affected by
	"CodeRedII".  A JetDirect firmware fix may be available from
	Hewlett-Packard, please refer to the vendor.  Additionally, at
	least one model of Hewlett-Packard network switch has been reported
	to crash on receipt of the "Code Red" worm.  AusCERT advises that
	this information has not been endorsed by Hewlett-Packard so sites
	should conduct their own investigations into these issues.


	Infected systems may suffer a loss of integrity due to the addition
	of arbitrarily created executable files and may be vulnerable to
	further compromise due to the availability of a remotely accessible
	command-line shell.

	Additionally, performance degradation of networks may occur as a
	result of the propagating activity of this worm. This degradation
	may become quite severe, and potentially could cause some services
	to stop entirely. These impacts apply to both the Microsoft and
	Cisco products listed above.


	AusCERT stresses that this worm has the potential to adversely
	affect member sites, and we encourage system administrators to be
	alert for evidence of any activity on their systems that may
	indicate its presence.

	AusCERT is interested in any reports regarding this activity.  If
	you have any information, comments or questions about this threat,
	please contact us.

	A. Detection

	1) eEye Digital Security (http://www.eeye.com/) has recently
	   released a free tool which you can use to scan your network
	   for IIS servers which may still be vulnerable to the "Code Red"
	   (and hence "CodeRedII") worm.  You can download this tool from
	   the eEye site directly at:


	   Please note that reference to this product does not imply
	   endorsement.  Members are cautioned to evaluate this product
	   prior to use.

	2) It is possible to check for evidence of an attempted attack by
	   "CodeRedII".  The crafted HTTP GET request used by the worm
	   can be identified on victim machines by the presence of the
	   following string in IIS log files:


	   As mentioned previously, the worm will attempt to exploit
	   irrespective of whether the intended victim is actually
	   vulnerable or not.  As a result, the worm may have a
	   denial-of-service effect on sites targeted during an outbreak.

        B. Recovery and Prevention

	1) Systems currently infected with the "CodeRedII" worm are likely
	   to require reinstallation, due to the fact that remote
	   administrative-level access may have been already gained to
	   the system.

	2) To protect your systems from re-infection install Microsoft's
	   patch for the vulnerability that "CodeRedII" exploits:

	   *  Windows NT version 4.0:

	   * Windows 2000 Professional, Server and Advanced Server:

	   Useful step-by-step instructions for patch application are posted

	   Again, please note that reference to this web site does not imply
	   endorsement.  Members are cautioned to evaluate this information
	   prior to use.

	3) Sites may wish to protect vulnerable hosts or printers with
	   firewall rules that prevent access to port 80 from IP addresses
	   outside of their network.

	If you detect that your system is already compromised, then you
	may need to instigate a full recovery procedure.

	You should keep in mind that if a machine is compromised, anything
	on that system could have been modified, including the kernel,
	binaries, datafiles, running processes, and memory.  In general,
	the only way to trust that a machine is free from backdoors and
	intruder modifications is to reinstall the operating system from
	the distribution media and install all of the security patches
	before connecting back to the network. Merely determining and
	fixing the vulnerability that was used to initially compromise
	this machine may not be enough.

	We encourage you to restore your system using known clean binaries.
	In order to put the machine into a known state, you should
	re-install the operating system using the original distribution
	media.  You should also ensure that you have applied all relevant
	security fixes and patched all application software according to
	the latest vendor information.

	If you suspect that your site may have been compromised, there
	are several documents available from:


	eg. Windows NT Intruder Detection Checklist
	    Steps for Recovering from a UNIX or NT System Compromise

	which may provide some assistance.

	CERT/CC have also issued three Advisories on "Code Red" (CA-2001-19
	and CA-2001-23) that have been redistributed as AusCERT External
	Security Bulletins:

		ESB-2001.302 CERT Advisory CA-2001-19 - "Code Red" Worm
		Exploiting Buffer Overflow In IIS

		ESB-2001.322 - CERT Advisory CA-2001-23 - Continued Threat
		of the "Code Red" Worm

		ESB-2001.323 - CERT Advisory - Public Alert about the Code
		Red worm

- ----------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
Australian Computer Emergency Response Team
The University of Queensland
Qld  4072

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH