Steve (I know your IP address, Consultant) join:2001-03-10 Yorba Linda, CA kudos:5 | Code Red II worm analysis I (and probably others) are in a mad dash to decode this worm and provide initial analysis. So far it clearly looks different than the other one, and I'll post tidbits on what I find. These will be exceptionally brief and frantic, and much of it may prove to be wrong. But you might find this interesting.
First, this for sure writes to the filesystem and actually appears to disable System File Protection. This is what keeps you from walking on your system files, and this is bad news. Info on SFC can be found at http://www.microsoft.com/hwdev/sfp/wfp.htm .
I haven't gotten very far, but it also appears from reports here that it scans in a different pattern than the other ones (favoring "local") networks.
More as I find it.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net

Bucko9 join:2001-04-24 Portland, OR | You rule. Thanks!
bzar1 join:2001-05-15 Tucson, AZ | reply to Steve Well Steve, here's a little probably useless information for you, but I'll post it anyway. Today the scans to my computer increased to about 40 per hour and 80% of them are from computers on the @HOME network, which coincidentally is the same network I'm on. Just thought it was odd because it is the first time I've seen any kind of pattern. -- Silly rider TRX are for kids.
(unnamed member) | reply to Steve said by SJFriedl: I haven't gotten very far, but it also appears from reports here that it scans in a different pattern than the other ones (favoring "local") networks.
Very interesting. After reading several posts here, I was noticing the same thing. -- My other computer writes/reads data @ 1GigaByte/sec.
Occasu$ join:2001-07-20 North Vancouver, BC | reply to Steve Steve, what more can I say... u are da man!! U have just answered a whole lot of questions (including mine) related to same-ISP scanning by Code Red. Keep up the good work.. and here is another vote for u -- Those who do not remember the past, are condemned to repeat it.
Rocktagon (Slightly Bent, Premium) join:2000-11-04 Chattaroy, WA | reply to bzar1 I too am on @home. Over 200 HTTP scans today with the most being from @home IPs. Check this page out to see a log of my log activity today. This pattern seems to be consistent with what others from other ISPs are seeing. You go Steve, BTW, nice write up: »www.unixwiz.net/techtips/CodeRedII.html -- The only time success comes before work is in the dictionary
Steve (I know your IP address, Consultant) join:2001-03-10 Yorba Linda, CA kudos:5 | reply to Steve I'm confident this is an entirely new effort, bearing nearly no resemblance to the original Code Red worm.
1) The original main analyzers of the worm were the folks at eEye, and they published a detailed analysis of the worm that can be found at http://www.eeye.com/html/Research/Advisories/AL20010717.html . This contains a detailed disassembly of the worm with comments and the like. This worm doesn't look at all like theirs, so it doesn't look to me like somebody started with their work and tweaked it.
2) This worm contains the string "CodeRedII", but this name wasn't attached to the worm until after it had been released. This must have been created after the first one hit the fan. As such we should have no assumption that it behaves any way like the first one.
Sadly, I'm really lousy with disassembly, and the horrible piece-of-crap disassembler that I'm using (Sourcer) is not helping. I may poke a bit longer at it, but I think I'm not going to be the one that cracks the code on this one.
For what it's worth, I sent a copy to Steve Gibson this morning. This guy knows assembler so well that you could probably read him the hex bytes over the phone and he could tell you what it does 
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
(unnamed member) | reply to Steve Good luck at finding a pattern on the scans. Most scans I'm getting are from other machines on my ISP, but nothing else makes sense as far as a pattern is concerned. Some scan one IP and move on, some are scanning blocks of IPs. I have even seen some scan an IP then come back 10-15 mins later to scan another time on the same IP. Like last time they are scanning in 2s or 3s, mostly 3 attempts at a time. I'm up to 44 per hour at this time.
Because of the worm scanning mostly on its own ISP, it would be a good guess that people with small ISPs will get fewer scans than those on bigger ISPs.
It's all interesting to say the least. -- Life = Just Learning
Steve (I know your IP address, Consultant) join:2001-03-10 Yorba Linda, CA kudos:5 | reply to Steve Just heard from Marc at eEye: apparently they have gotten lots of these submitted to them, so it's looking like I wasn't the first to capture one. In the security biz, being first with something matters a lot, and I just so happen to be in the security biz. But I think I'm the first to publish the captured version.
We'll see...
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
Rxdoxx (Premium, Mod) join:2000-11-03 Middle River, MD kudos:6 | reply to Rocktagon Rocktagon, your link gives me this-> Your session timed out, or you never logged in.
You must login to access the function you requested:
And I have had 186 hits in the past 4 hours, mostly from @home (which I am). I'm here watching the RD light blink nonstop for hours, but nothing is getting through.
SJFriedl, thanks, you are definitely keeping this Chimp posted -- Voting link gone. Dot doomed while rating doomed sites should have rated itself. They got doomed
guyver01 (In Brightest Day) join:2001-01-04 Littleton, CO | reply to Steve On the RR/NYC network here... my firewall has been going crazy the last day or two, with port 80 hits. So much so that I disabled popup notification. I was closing out literally dozens a minute.
When will this thing go away? -- One only appreciates the beauty of the mountain top when one has experienced the agony of the climb. Said by DSLR member HAZE in the RoadRunner forum.
Steve (I know your IP address, Consultant) join:2001-03-10 Yorba Linda, CA kudos:5 | I'm still trying to wade through the IP address calculations, but I have a pretty good idea that the whole process starts with the current IP address of the machine. Depending on the munging that goes on, this could easily explain the scanning of "near" machines (which I'm of course seeing in my logs also).
It also excludes all IP addresses ending in .0 or .255 -- no surprise here 
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
Steve (I know your IP address, Consultant) join:2001-03-10 Yorba Linda, CA kudos:5 | reply to Steve Is anybody else working on the disassembly of this thing? If so, I can start posting some intermediate tidbits that might be helpful. For instance, the code references a special data area that contains the Win32 API functions it's calling, plus a few local temporaries. My list so far is:
DWORD PTR [EBP-8]         FindLibrary
DWORD PTR [EBP-0CH]       LoadLibraryA
DWORD PTR [EBP-10H]       CreateThread
DWORD PTR [EBP-14H]       GetTickCount
DWORD PTR [EBP-18H]       Sleep
DWORD PTR [EBP-1CH]       GetSystemDefaultLangID
DWORD PTR [EBP-20H]       GetSystemDirectoryA
DWORD PTR [EBP-24H]       CopyFileA
DWORD PTR [EBP-28H]       GlobalFindAtomA
DWORD PTR [EBP-2CH]       GlobalAddAtomA
DWORD PTR [EBP-30H]       CloseHandle
DWORD PTR [EBP-34H]       _lcreat
DWORD PTR [EBP-38H]       _lwrite
DWORD PTR [EBP-3CH]       _lclose
DWORD PTR [EBP-40H]       GetSystemTime
DWORD PTR [EBP-44H]       WS2_32.DLL
DWORD PTR [EBP-48H]       socket
DWORD PTR [EBP-4CH]       closesocket
DWORD PTR [EBP-50H]       ioctlsocket
DWORD PTR [EBP-54H]       connect
DWORD PTR [EBP-58H]       select
DWORD PTR [EBP-5CH]       send
DWORD PTR [EBP-60H]       recv
DWORD PTR [EBP-64H]       gethostname
DWORD PTR [EBP-68H]       gethostbyname
DWORD PTR [EBP-6CH]       WSAGetLastError
DWORD PTR [EBP-70H]       USER32.DLL
DWORD PTR [EBP-74H]       ExitWindowsEx
DWORD PTR [EBP-7CH]       RandomSeed
DWORD PTR [EBP-80H]       socketFD
DWORD PTR DS:[0FFFFFE58]  my IP address
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
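The slot table above is the kind of thing an analyst turns into a symbol map so that indirect calls through EBP read as API names. As an added example (not code from Steve's post, from eEye, or from the worm), here is a small Python helper that parses an excerpt of that table into an offset-to-name map and annotates disassembly lines that reference those slots. The excerpt, the sample disassembly lines and the 40-column layout are constructed assumptions.

```python
import re

# Excerpt of the slot table posted in the thread, used here as parser input.
# (The full list is in the post above; this subset is enough to exercise the code.)
SLOT_TABLE_TEXT = (
    "DWORD PTR [EBP-8] FindLibrary DWORD PTR [EBP-0CH] LoadLibraryA "
    "DWORD PTR [EBP-10H] CreateThread DWORD PTR [EBP-14H] GetTickCount "
    "DWORD PTR [EBP-18H] Sleep DWORD PTR [EBP-1CH] GetSystemDefaultLangID "
    "DWORD PTR [EBP-48H] socket DWORD PTR [EBP-54H] connect "
    "DWORD PTR [EBP-5CH] send DWORD PTR [EBP-74H] ExitWindowsEx"
)

# One table entry: "DWORD PTR [EBP-<hex>H] <name>". The trailing H is optional
# because the post writes the first slot as [EBP-8] without it.
SLOT_RE = re.compile(r"DWORD PTR \[EBP-([0-9A-Fa-f]+)H?\]\s+(\S+)")

# Any operand referencing a negative EBP offset in a disassembly line.
REF_RE = re.compile(r"\[EBP-([0-9A-Fa-f]+)H?\]", re.IGNORECASE)


def parse_slot_table(text):
    """Map the magnitude of each negative EBP offset (as an int) to its symbolic name."""
    return {int(off, 16): name for off, name in SLOT_RE.findall(text)}


def annotate(disasm_lines, slots):
    """Append '; <name>' to every line whose EBP reference is a known slot.

    Lines that reference no slot, or an offset not in the table, are returned unchanged,
    so unresolved references stay visible to the analyst.
    """
    out = []
    for line in disasm_lines:
        m = REF_RE.search(line)
        name = slots.get(int(m.group(1), 16)) if m else None
        out.append(f"{line:<40}; {name}" if name else line)
    return out


# Constructed disassembly lines in the same MASM-style syntax as the post
# (not taken from the worm or from any published disassembly).
SAMPLE_DISASM = [
    "PUSH 0",
    "CALL DWORD PTR [EBP-18H]",
    "CALL DWORD PTR [EBP-1CH]",
    "MOV EAX, DWORD PTR [EBP-48H]",
    "CALL DWORD PTR [EBP-99H]",  # offset absent from the table: left unannotated
]

if __name__ == "__main__":
    for line in annotate(SAMPLE_DISASM, parse_slot_table(SLOT_TABLE_TEXT)):
        print(line)
```

The same map can be fed to a disassembler's comment or label facility instead of printed; the point is that once the slot table is authoritative, every `CALL DWORD PTR [EBP-xx]` in the listing becomes self-describing, which is what makes the remaining control flow readable.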
rrlover join:2001-03-25 Marlborough, CT | reply to Steve Great info. Does this mean that the ISP is infected or that actual personal machines are infected and sending out probes? I'm not that good of a techie.
Steve (I know your IP address, Consultant) join:2001-03-10 Yorba Linda, CA kudos:5 | These are clearly individual machines, and the "same ISP" note is an oversimplification that should really be "with numerically-close IP addresses".
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
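Two of Steve's observations above, that target selection starts from the infected machine's own address (so probes cluster on numerically close addresses rather than literally the same ISP) and that addresses ending in .0 or .255 are skipped, can be checked against a firewall log without any disassembly. As an added example, not code from the thread or from any published analysis, here is a Python script that buckets the source addresses of port-80 probes by how many leading bits they share with the local address. The log format, the local address and the sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed firewall-style log lines: "<date> <time> <source IP> <destination port>".
# These are invented for the example, not real probes from the thread.
SAMPLE_LOG = """\
2001-08-04 22:01:44 24.1.15.200 80
2001-08-04 22:02:10 24.1.200.7 80
2001-08-04 22:03:55 24.120.8.9 80
2001-08-04 22:04:02 66.65.3.77 80
2001-08-04 22:05:30 24.1.15.0 80
2001-08-04 22:06:01 198.51.100.12 80
2001-08-04 22:06:40 24.1.15.255 80
"""

# Assumed address of the machine whose log this is (constructed).
LOCAL_IP = "24.1.15.33"


def parse_log(text):
    """Return the source IPs of all port-80 lines; malformed lines are ignored."""
    ips = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _date, _time, src, port = parts
        if port == "80":
            ips.append(src)
    return ips


def shared_prefix_bits(a, b):
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def classify(ips, local_ip):
    """Bucket probe sources by closeness to local_ip.

    Addresses ending in .0 or .255 are counted separately: the post says the worm
    never picks such addresses as targets, so a hit attributed to one is worth a
    second look (log parsing error, spoofing, or a different scanner).
    """
    counts = Counter()
    for ip in ips:
        last_octet = int(ipaddress.IPv4Address(ip)) & 0xFF
        if last_octet in (0, 255):
            counts["ends_0_or_255"] += 1
            continue
        bits = shared_prefix_bits(ip, local_ip)
        if bits >= 24:
            counts["same_24"] += 1
        elif bits >= 16:
            counts["same_16"] += 1
        elif bits >= 8:
            counts["same_8"] += 1
        else:
            counts["unrelated"] += 1
    return counts


def near_fraction(counts):
    """Share of ordinary probes that came from within the local /8."""
    near = counts["same_24"] + counts["same_16"] + counts["same_8"]
    total = near + counts["unrelated"]
    return near / total if total else 0.0


if __name__ == "__main__":
    c = classify(parse_log(SAMPLE_LOG), LOCAL_IP)
    for bucket, n in sorted(c.items()):
        print(f"{bucket:<15} {n}")
    print(f"within local /8: {near_fraction(c):.0%}")
```

A genuinely random scanner would put almost everything in the "unrelated" bucket (the local /8 is one of 256); a strong skew toward the /8 and /16 buckets is the locality pattern the posters in this thread are reporting, expressed as a number rather than an impression.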
(unnamed member) | reply to Steve Sorry for being dumb, but could you sum it up in English what this means?
(unnamed member) | reply to Steve Well, from my mouth it seems that this virus is using, for example, me: I use RR and it's using RR customers to scan their own kind.
All the attacks I've gotten are from 66.65.x.x, which are RR in NYC.
rrlover join:2001-03-25 Marlborough, CT | reply to Steve But does that mean the virus is running on Win9x as well as Win NT/2K???
Steve (I know your IP address, Consultant) join:2001-03-10 Yorba Linda, CA kudos:5 | said by rrlover: but does that mean the virus is running on win9x as well as win nt/2k???
I think this is doubtful, but I'm not ruling it out completely (simply because I don't know).
Homework Assignment for DSLR members
Look through your logs of "attacks" and try to visit the various web sites. Most of the time you won't see anything -- the site will be down -- but sometimes you may see the default IIS page (must be NT). But if you see a default Personal Web Server page -- and I don't know what those look like -- then we may have an answer.
Edit - this homework only applies if you have actual web logs that show positive "new strain" probes. If all you have is firewall logs, you'll waste your time with a lot of old (and uninteresting) machines. In particular, if you see a page with black background and red text that says "We don't care much for USA Government" -- or words to that effect -- then you found an old worm machine. Ignore it.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net [text was edited by author 2001-08-04 22:42:17]
Steve (I know your IP address, Consultant) join:2001-03-10 Yorba Linda, CA kudos:5 | Tidbit: the worm seems to exit if the current month is 10/2001 or later -- so it's finished in October (assuming your clock is right).
Steve [text was edited by author 2001-08-04 22:01:44]