===========================================================================
A U S C E R T A L E R T
AL-2001.14 -- AUSCERT ALERT
New Worm - "CodeRedII"
6 August 2001
===========================================================================
PROBLEM:
AusCERT is issuing this alert to warn members that a new worm has
been released that exploits the same vulnerability as "Code Red".
This worm exhibits different behaviour from "Code Red" in that
it does not launch a deliberate DDoS attack or deface web pages,
but instead installs trojan binaries onto an infected system that
may directly lead to administrative compromise.
"CodeRedII" appears to use a different pattern of propagation.
Instead of randomly trying to infect any site across the whole
Internet, it will concentrate on spreading locally, and then move
further afield when local systems are saturated. The worm has been
observed to select targets with a probability of 50% for an address
in the same Class A subnet (255.0.0.0), 37.5% for an address in the
same Class B subnet (255.255.0.0), and 12.5% for a random address.
Additionally, this worm is reputed to use non-blocking I/O during
the connection phase, so it should be able to discard unresponsive
hosts more quickly than "Code Red", increasing the speed of
propagation. It will also avoid scanning invalid IP addresses.
This worm is able to detect its own presence on an exploited system
using the identifier "CodeRedII" and will not reinfect already
infected systems. It can, however, supplant infections of the
original "Code Red" worm.
"CodeRedII" targets the same recently patched vulnerability in
the Microsoft Internet Information Server (IIS) Indexing Service
DLL as for "Code Red". For more information about this
vulnerability, refer to the details under the heading "PLATFORM"
below. More information about "Code Red" may be found in the
previous AusCERT alert:
AL-2001.13 AUSCERT ALERT
Potential Increase in "Code Red" Worm Activity
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.13
The "CodeRedII" worm attack sequence is similar to that of "Code
Red", but with a differently crafted HTTP GET request (which can
be identified on victim machines by the presence of the following
string in IIS log files):
GET/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb
d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u
531b%u53ff%u0078%u0000%u00=a
The worm will still attempt to exploit irrespective of whether
the intended victim is actually vulnerable or not. As a result,
the worm may have a denial-of-service effect on sites targeted
during an outbreak.
Once a host is infected with "CodeRedII", the behaviour diverges
from that of the earlier "Code Red" worm.
It checks whether Chinese (either Traditional or Simplified) is
the language installed on the system. If so, it creates 600
threads and spreads for 48 hours before rebooting the system. On
a non-Chinese system it creates 300 threads and spreads for 24
hours before reboot.
This worm also attempts to create a backdoor by copying:
%windir%\CMD.EXE
to:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
It will also attempt to create trojan-horse versions of the files:
c:\explorer.exe
d:\explorer.exe
to exploit a previously patched Microsoft vulnerability that allows
the system to load the first explorer.exe accessed in the directory
structure. This vulnerability was documented in the AusCERT
External Security Bulletin:
ESB-2000.189 Microsoft Security Bulletin (MS00-052)
Patch Available for "Relative Shell Path" Vulnerability
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.189
When the system is first rebooted by the worm, the trojan-horse
version of explorer.exe, on vulnerable systems, will be executed
instead of %windir%\explorer.exe.
The trojan adds the value SFCDisable to:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
and adds keys under:
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
It then goes to sleep and modifies the registry keys every 10
minutes. In this state, the system is now vulnerable to remote
administrative compromise.
PLATFORM:
"CodeRedII" exploits the same vulnerability as exploited by "Code
Red", so the following information from the previous AusCERT Alert
is likely to remain valid.
The Microsoft systems that are affected by "Code Red" are:
* Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and
Index Server 2.0 installed; and
* Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing
services installed
For further details refer to the AusCERT External Security
Bulletins:
ESB-2001.238 Microsoft Security Bulletin MS01-033 -
Unchecked Buffer in Index Server ISAPI Extension Could
Enable Web Server Compromise
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.238
ESB-2001.241 CERT Advisory CA-2001-13 -
Buffer Overflow In IIS Indexing Service DLL
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.241
Cisco released an advisory warning of both a direct and indirect
threat posed by "Code Red", to certain Cisco products. Due to
its similarity to "Code Red", "CodeRedII" may also pose a threat
to some Cisco products, but at this time no further statement has
been made available by Cisco. From the Cisco Advisory for "Code
Red":
-------- Begin Extract --------
The following Cisco products are vulnerable because they run
affected versions of Microsoft IIS:
* Cisco CallManager
* Cisco Unity Server
* Cisco uOne
* Cisco ICS7750
* Cisco Building Broadband Service Manager
-------- End Extract --------
For further details refer to AusCERT External Security Bulletin:
ESB-2001.304 Cisco Security Advisory
"Code Red" Worm Customer Impact
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.304
AusCERT has received reports from its constituency of
Hewlett-Packard JetDirect print servers experiencing a denial of
service when scanned by "Code Red"; these devices may therefore
also be affected by "CodeRedII". A JetDirect firmware fix may be
available from Hewlett-Packard; please refer to the vendor.
Additionally, at least one model of Hewlett-Packard network switch
has been reported to crash on receipt of the "Code Red" worm.
AusCERT advises that this information has not been endorsed by
Hewlett-Packard, so sites should conduct their own investigations
into these issues.
IMPACT:
Infected systems may suffer a loss of integrity due to the addition
of arbitrarily created executable files and may be vulnerable to
further compromise due to the availability of a remotely accessible
command-line shell.
Additionally, performance degradation of networks may occur as a
result of the propagating activity of this worm. This degradation
may become quite severe, and potentially could cause some services
to stop entirely. These impacts apply to both the Microsoft and
Cisco products listed above.
RECOMMENDATIONS:
AusCERT stresses that this worm has the potential to adversely
affect member sites, and we encourage system administrators to be
alert for evidence of any activity on their systems that may
indicate its presence.
AusCERT is interested in any reports regarding this activity. If
you have any information, comments or questions about this threat,
please contact us.
A. Detection
1) eEye Digital Security (http://www.eeye.com/) has recently
released a free tool which you can use to scan your network
for IIS servers which may still be vulnerable to the "Code Red"
(and hence "CodeRedII") worm. You can download this tool from
the eEye site directly at:
http://www.eeye.com/html/Research/Tools/codered.html
Please note that reference to this product does not imply
endorsement. Members are cautioned to evaluate this product
prior to use.
2) It is possible to check for evidence of an attempted attack by
"CodeRedII". The crafted HTTP GET request used by the worm
can be identified on victim machines by the presence of the
following string in IIS log files:
GET/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb
d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u
531b%u53ff%u0078%u0000%u00=a
As mentioned previously, the worm will attempt to exploit
irrespective of whether the intended victim is actually
vulnerable or not. As a result, the worm may have a
denial-of-service effect on sites targeted during an outbreak.
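The following Python script is an added example, not part of the AusCERT alert: it scans IIS log lines for the "default.ida" signature quoted above, labels a request as "CodeRedII" only when the padding is a run of "X" characters followed by the advisory's %u-encoded sequence, and tallies hits per source address. The log lines inside it are constructed samples and the column layout (client IP before the request) is an assumption.

```python
import re
from collections import Counter

# Leading %u-encoded sequence taken from the advisory's IIS log signature.
CODERED2_SEQ = ("%u9090%u6858%ucbd3%u7801" * 3)

# A default.ida request: letter padding followed by one or more %uXXXX tokens.
REQ_RE = re.compile(r"/default\.ida\?(?P<pad>[A-Za-z]+)(?P<rest>(?:%u[0-9a-fA-F]{4})+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(line):
    """Return (client_ip, label) for a default.ida request, or None otherwise."""
    m = REQ_RE.search(line)
    if not m:
        return None
    ip_m = IP_RE.search(line)           # first dotted quad is assumed to be c-ip
    ip = ip_m.group(0) if ip_m else "unknown"
    pad, rest = m.group("pad"), m.group("rest")
    if set(pad) == {"X"} and rest.startswith(CODERED2_SEQ):
        return ip, "CodeRedII"
    return ip, "other default.ida request"   # e.g. a different worm variant or a scanner


def scan(log_text):
    """Classify every line; return the hit list and a per-IP count of CodeRedII hits."""
    hits = [h for h in (classify(l) for l in log_text.splitlines()) if h]
    return hits, Counter(ip for ip, label in hits if label == "CodeRedII")


# Constructed sample log (addresses and timestamps are made up).
TAIL = "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri sc-status",
    "2001-08-06 09:12:01 10.1.2.3 GET /default.ida?" + "X" * 224 + CODERED2_SEQ + TAIL + " 200",
    "2001-08-06 09:12:05 10.1.2.9 GET /index.html 200",
    "2001-08-06 09:13:44 10.1.7.77 GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-08-06 09:14:02 10.1.2.3 GET /default.ida?" + "X" * 224 + CODERED2_SEQ + "%u9090 404",
])

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, label in hits:
        print(f"{ip:15} {label}")
    print("CodeRedII attempts by source:", dict(per_ip))
```

Both the 200 and the 404 response lines are counted, because the worm fires its request whether or not the target is vulnerable.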
B. Recovery and Prevention
1) Systems currently infected with the "CodeRedII" worm are likely
to require reinstallation, because remote administrative-level
access may already have been gained to the system.
2) To protect your systems from re-infection install Microsoft's
patch for the vulnerability that "CodeRedII" exploits:
* Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
* Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
Useful step-by-step instructions for patch application are posted
at:
http://www.digitalisland.com/codered/
Again, please note that reference to this web site does not imply
endorsement. Members are cautioned to evaluate this information
prior to use.
3) Sites may wish to protect vulnerable hosts or printers with
firewall rules that prevent access to port 80 from IP addresses
outside of their network.
If you detect that your system is already compromised, then you
may need to instigate a full recovery procedure.
You should keep in mind that if a machine is compromised, anything
on that system could have been modified, including the kernel,
binaries, datafiles, running processes, and memory. In general,
the only way to trust that a machine is free from backdoors and
intruder modifications is to reinstall the operating system from
the distribution media and install all of the security patches
before connecting back to the network. Merely determining and
fixing the vulnerability that was used to initially compromise
this machine may not be enough.
We encourage you to restore your system using known clean binaries.
In order to put the machine into a known state, you should
re-install the operating system using the original distribution
media. You should also ensure that you have applied all relevant
security fixes and patched all application software according to
the latest vendor information.
If you suspect that your site may have been compromised, the
following documents, available from
http://www.auscert.org.au/Information/Auscert_info/papers.html
may provide some assistance:
* Windows NT Intruder Detection Checklist
* Steps for Recovering from a UNIX or NT System Compromise
CERT/CC has also issued three advisories on "Code Red" (CA-2001-19,
CA-2001-23 and a public alert) that have been redistributed as
AusCERT External Security Bulletins:
ESB-2001.302 CERT Advisory CA-2001-19 - "Code Red" Worm
Exploiting Buffer Overflow In IIS
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.302
ESB-2001.322 - CERT Advisory CA-2001-23 - Continued Threat
of the "Code Red" Worm
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.322
ESB-2001.323 - CERT Advisory - Public Alert about the Code
Red worm
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.323
----------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AusCERT Advisories, and other computer security information.
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call
after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================