Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to TheGiant

Re: Code Red II worm analysis

said by rooster69:
Do web surfers need to worry about this worm?
Not at all, other than if your favorite site has been hacked.
quote:
What can we do to help?
Vote up my posts?
quote:
actual web logs
Believe me, everybody has more web logs than they know what to do with. SecurityFocus.com and dshield.org are both running services that will take your logs and coordinate them to notify the owners. I'd use them instead of trying to do it myself.

ARIS is at http://aris.securityfocus.com/ , and DShield.org is at http://www.dshield.org .

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Rocktagon
Slightly Bent
Premium
join:2000-11-04
Chattaroy, WA

reply to Steve

said by SJFriedl:
said by mr sean:
I have been watching developments here and elsewhere
If anybody runs across detailed technical analysis of this worm other than here and at my web site, I'd like to know about it. Not so interested in the spread (just now) but in analysis of the worm itself.

Pointers welcome!

Steve

From Bugtraq:
quote:


---------- Forwarded message ----------
Date: Sat, 4 Aug 2001 23:00:39 -0600 (MDT)
From: Alfred Huger
To: incidents@securityfocus.com
Subject: Code Red Revision

Evening all,

I had planned on sending out a thanks this evening to all of the
contributors (in terms of logs) who came through on the Code Red (revision
2) surge last week. Regrettably it looks like I will have to wait due to a
new variant or rather new worm on the loose.

As some of you know a new worm has been released into the wild which uses
the same exploit - the Microsoft Indexing Server/Indexing Services ISAPI
Buffer Overflow Attack (»www.securityfocus.com/bid/2880). However,
this is most likely not a revision of the initial Code Red worm but a new
worm which simply uses the same entry point. It carries an actual
malicious payload and has a number of other very interesting features. The
SecurityFocus ARIS Team and eEye Digital Security will be releasing an
in-depth writeup in the next hour or two with technical details as well as
information about its spread to date.

As opposed to filling the list with logs of attacks I will reserve the
list for discussion of the worm's payload and features - after we post an
analysis. So very shortly. Until then, it would be fantastic if you can
send your log files to:

aris-report@securityfocus.com

Because we have caught this very early we plan on starting the
notification process tonight. We sent close to 400,000 notifications
against Code Red 1 & 2 previously - hopefully because we are on top of
this our notifications now will help address the situation much, much
faster.

If you would like to send offending IP data - Please send it in the
following format:

IP ADDRESS DATE/TIME

Or something similar to this. Please ensure the information is contained
to IP address and date per line as we do our notification automatically
and our system needs to be able to understand the logs you send us.

We will be posting more shortly.

-Al

VP Engineering
SecurityFocus.com
"Vae Victis"

I guess we wait and see what's new.
--
The only time success comes before work is in the dictionary


Kesh

@telia.com

reply to Anon
What makes you think worm writers are a Happy Bunch?

Anyway, they are few. Takes some real skill. Just look at how this version II begins:

enter 001C8,000

With that s/he's setting up a 456 byte stack frame to store local variables. And it's an 80186 instruction to boot! The code is much slicker than version I.

To me it looks like one of the old school virus writers (pre Win95) who really knew their assembler.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by Kesh:
Takes some real skill.
Gosh yes, this code is a work of art, and there is no way that somebody started with a C program and diddled with the output. This thing uses techniques that only somebody who thinks assembler like I think C would use, and I'm learning an unbelievable amount from it. What an education.

I only know one person who has that kind of skill: anybody know if Steve Gibson can account for his whereabouts lately?

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


mole2

join:2000-12-08
Longs, SC

reply to stev32k

said by stev32k:
Check out this. It's one of the addresses that probed me today:

»cmc3075849-b.toney1.al.home.com/

I would post a screenshot if I knew how. It's kinda spooky
Ok..I've been reading this thread. When I went to this site, Norton AntiVirus immediately told me I just received an infection from a virus. It then attempted to clean the file and, being unable to do so, quarantined it. The virus is: Backdoor.Sadmind.Dr

Don't know if this was a bogus warning or not but the temporary internet file was quarantined.

Just a warning to others. You will/may get infected visiting this site.

Edited:

OK..SORRY FOLKS: Reading further in the thread I'm assured that the warning is bogus; it's an infection of the site and not the local machine. Phew...got scared there.

[text was edited by author 2001-08-05 02:35:21]


Gigantopithi

join:2000-08-08
Homewood, IL

reply to Steve

Re: Found the scanning pattern!

LOLOLOL... I think that is what happened to our university. But they don't listen to me cos they think I'm a hack. Serves them right.
--
***your friendly neighborhood linux dood***


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Steve
I'm pretty sure I got the scanning pattern backward, so it's not half the time scanning the local network, but I still have to do more checking. Don't bet the farm on this being right...

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Anon

reply to Steve

Re: Code Red II worm idea?

OK, from what I see no malicious code has been put into the virus yet. My question is: can we send code to the program to go to microsoft.com and patch itself automatically?


bzar1

join:2001-05-15
Tucson, AZ

reply to Steve

Re: Code Red II worm analysis

BTW Steve, I noticed they mention your site and app when reading here: »www.incidents.org/diary/diary.php . So I'm assuming your little tool is receiving positive feedback from users of it?

congrats on the recognition.
--
Silly rider TRX are for kids.


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by bzar1:
BTW steve i noticed they mention your site and app when reading here
Yes, incidents picked up my websnarf tool -- I'm so glad I wrote it before this infestation came around -- and they'll be pointing to my ongoing analysis on my web site shortly. Much of this will become uninteresting once the Big Boys post their real analysis, but as far as I know, I've had the most complete ongoing commentary all day (even though I didn't originally find the thing).

They also picked this up on slashdot, which has kept my web server and spare DSL circuit hopping.

It's been a good day, though very tiring.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


PapaDos
Cum Grano Salis
Premium,MVM
join:2001-02-08
Lasalle, QC
kudos:2

reply to Steve

Re: Found the scanning pattern!

Steve,
What is the status of the disassembling force right now ?
I am willing to take a look at that code.
So anyone, where can I find the actual code ?
--
Nunc est bibendum...


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by PapaDos:
What is the status of the disassembling force right now ?
At this point it's probably too late to jump fresh, because The Big Boys at eEye have been on this all day, and they are the best around. Their full (but preliminary) analysis is due in a couple of hours, and I only kept this up all day to provide ongoing minor-league commentary while the trained professionals did their thing.

You can find everything on my ongoing web page that I subtly drop in here all the time: http://www.unixwiz.net/techtips/CodeRedII.html It includes a link to download the actual binary.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


PapaDos
Cum Grano Salis
Premium,MVM
join:2001-02-08
Lasalle, QC
kudos:2

Thanks.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Steve

Updated (and correct) pattern scanning algorithm

OK, I got the pattern wrong before -- it's been a long day and I'm not great with assembler. I forgot that "Intel" and "network" byte ordering was different, and I got confused.
  • 1 out of 8: entirely random IP
  • 4 out of 8: stay in same class A
  • 3 out of 8: stay in same class B
and I have the algorithm on my Code Red page on my web site.

Ugh :-(
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
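Two things in this thread lend themselves to a worked example: Al's request that submitted logs be reduced to one "IP ADDRESS DATE/TIME" per line, and Steve's corrected 1/8 random, 4/8 same class A, 3/8 same class B target split. The Python below is an added example and is not Steve's websnarf, nor code from eEye or SecurityFocus. It assumes a simplified IIS-style log layout (date, time, client IP, method, URI, status), uses `/default.ida` as the probe path (the Indexing Service ISAPI request the thread refers to; the "X" padding is a placeholder, not the worm's payload), and uses a made-up server address `LOCAL_ADDRESS`. The log lines are constructed, not real. It extracts the probe lines into Al's format, buckets each source relative to the local address, and computes, from Steve's split, where a single infected host's probes are expected to land so the observed mix can be compared against it. It also skips malformed lines rather than crashing on them.

```python
import ipaddress
import re
from collections import Counter
from fractions import Fraction

# Constructed sample log lines (not real data). Layout assumed to be:
# date time client-ip method uri status. One line is deliberately malformed.
SAMPLE_LOG = """\
2001-08-05 02:10:11 10.20.30.40 GET /default.ida?XXXXXXXXXXXX 200
2001-08-05 02:10:15 10.20.99.7 GET /default.ida?XXXXXXXXXXXX 200
2001-08-05 02:10:19 10.55.1.2 GET /default.ida?XXXXXXXXXXXX 200
2001-08-05 02:10:22 192.0.2.44 GET /default.ida?XXXXXXXXXXXX 200
2001-08-05 02:10:30 10.20.30.41 GET /index.html 200
this line is garbage and must be skipped
"""

LOCAL_ADDRESS = "10.20.30.1"  # assumed address of the server that kept the log

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) GET (?P<uri>\S+)"
)


def parse_probes(log_text, probe_path="/default.ida"):
    """Return (ip, 'DATE TIME') pairs for lines requesting the probe path.

    Lines that do not match the layout, or carry an unparsable address,
    are skipped so one bad line cannot abort a large log.
    """
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("uri").startswith(probe_path):
            continue
        try:
            ipaddress.IPv4Address(m.group("ip"))
        except ValueError:
            continue
        probes.append((m.group("ip"), f"{m.group('date')} {m.group('time')}"))
    return probes


def report_lines(probes):
    """One 'IP ADDRESS DATE/TIME' line per probe, the shape Al asked for."""
    return [f"{ip} {when}" for ip, when in probes]


def bucket(src, local):
    """Classify a source relative to the local address: same /16, same /8, or other."""
    s, l = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(local))
    if s >> 16 == l >> 16:
        return "same /16"
    if s >> 24 == l >> 24:
        return "same /8"
    return "other"


def observed_shares(probes, local):
    """Fraction of observed probe sources in each bucket."""
    counts = Counter(bucket(ip, local) for ip, _ in probes)
    total = sum(counts.values())
    if not total:
        return {}
    return {k: counts[k] / total for k in ("same /16", "same /8", "other")}


def expected_shares():
    """Where one infected host's probes land relative to its own address,
    from the 1/8 random, 4/8 same class A, 3/8 same class B split.

    A "same class A" draw still hits the local /16 with probability 1/256,
    and a fully random draw hits the local /8 with probability 1/256 and the
    local /16 with probability 1/65536, so those terms are folded in.
    """
    rnd, same_a, same_b = Fraction(1, 8), Fraction(4, 8), Fraction(3, 8)
    p16 = same_b + same_a * Fraction(1, 256) + rnd * Fraction(1, 65536)
    p8 = same_a * Fraction(255, 256) + rnd * Fraction(255, 65536)
    other = rnd * Fraction(255, 256)
    return {"same /16": float(p16), "same /8": float(p8), "other": float(other)}


if __name__ == "__main__":
    found = parse_probes(SAMPLE_LOG)
    print("\n".join(report_lines(found)))
    print("observed:", observed_shares(found, LOCAL_ADDRESS))
    print("expected:", expected_shares())
```

With the constructed sample, four of the six lines are probes; two sources share the server's /16, one shares only its /8, and one is unrelated. The expected split for a single infected host works out to roughly 37.7% same /16, 49.9% same /8 (but not /16), and 12.5% elsewhere, which is why a site whose logs show the same /8 dominating should suspect infected hosts inside its own provider's space, while a mix like The Doctor describes (ranges not local to the ISP) points at infections elsewhere whose 1/8 random draws happen to land on you.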


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Steve

Automatic reboots!

It seems that the worm will automatically reboot the machine a day after it's been infected (or two days if Chinese)! After the worker threads are all spun off, the worm goes to sleep: 2 days for Chinese, 1 day for everybody else, and then it forces a hard reboot.

I suspect that this has something to do with the Windows File Protection business: changing the setting may require a reboot, and by doing so the worm ensures that the setting will "stick" and be available soon.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Steve

I'm Done

At this point I have exhausted my limited disassembler skills (especially with this miserable piece of crap Sourcer), and I will now step aside and let the Big Boys post their thing. I'm sure that Ryan and Marc are still dosing out on the Code Red in order to finalize their disassembly and analysis, but I hope my play-by-play throughout the day was helpful. It sure was an entertaining day...

Good night,

Steve Zzzzzzzzzzzzzzzzzzzzzzzzz
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


The Doctor
Vivaciti Broadband
Premium
join:2001-05-21
UK

reply to Steve

Re: Code Red II worm analysis

Just to add my bit.

I don't think it is limited to your local ISP.

My firewall exception report (normally about 10k) has just come to me at over 250k with scans from IP ranges not local to my ISP. (Fortunately it has not been able to get anywhere yet.)
--
Processing power?
NASA would be impressed!


sydney078$
From Beneath You, It Devours

join:2001-06-10
Hurley, SD

reply to Steve
just the news about this from msnbc.com

»www.msnbc.com/news/606910.asp?0si=-
--
Whatever part of you touches me, you won't be getting back!



RR Dude6

join:2000-12-23
<-N-Y-C->

reply to Steve
9:20 AM, still being scanned. when is the scanning gonna stop?



Kesh

@telia.com

reply to Steve

Re: Automatic reboots!

I'd reboot in order to get rid of Code Red I. To ensure a nice playing ground you don't want all those other threads bogging down the system.

The shutting down of the web server would also be a priority.
© 1999-2012 dslreports.com.