Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve

Code Red II worm analysis

I (and probably others) am in a mad dash to decode this worm and provide initial analysis. So far it clearly looks different than the other one, and I'll post tidbits on what I find. These will be exceptionally brief and frantic, and much of it may prove to be wrong. But you might find this interesting.

First, this for sure writes to the filesystem and actually appears to disable System File Protection. This is what keeps you from walking on your system files, and this is bad news. Info on SFC can be found at http://www.microsoft.com/hwdev/sfp/wfp.htm .

I haven't gotten very far, but it also appears from reports here that it scans in a different pattern than the other ones (favoring "local") networks.

More as I find it.

Steve

Bucko9
join:2001-04-24
Portland, OR

Bucko9

Member

You rule. Thanks!

bzar1
join:2001-05-15
Tucson, AZ

bzar1 to Steve

Member

to Steve
Well Steve, here's a little, probably useless, information for you, but I'll post it anyway.
Today the scans to my computer increased to about 40 per hour, and 80% of them are from computers on the @HOME network, which coincidentally is the same network I'm on. Just thought it was odd because it is the first time I've seen any kind of pattern.
astirusty
Premium Member
join:2000-12-23
Henderson, NV

astirusty to Steve

Premium Member

to Steve
said by SJFriedl:
I haven't gotten very far, but it also appears from reports here that it scans in a different pattern than the other ones (favoring "local") networks.

Very interesting. After reading several posts here, I was noticing the same thing.

Occasu$
join:2001-07-20
North Vancouver, BC

Occasu$ to Steve

Member

to Steve
Steve, what more can I say... u are da man!! U have just answered a whole lot of questions (including mine) related to same-ISP scanning by Code Red. Keep up the good work, and here is another vote for u.

Rocktagon
Slightly Bent
Premium Member
join:2000-11-04
Chattaroy, WA

Rocktagon to bzar1

Premium Member

to bzar1
I too am on @home. Over 200 HTTP scans today, with the most being from @home IPs.
Check this page out to see a log of my activity today.
This pattern seems to be consistent with what others from other ISPs are seeing.
You go Steve, BTW, nice write up:
»www.unixwiz.net/techtips ··· dII.html

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve

I'm confident this is an entirely new effort, bearing nearly no resemblance to the original Code Red worm.

1) The original main analyzers of the worm were the folks at eEye, and they published a detailed analysis of the worm that can be found at http://www.eeye.com/html/Research/Advisories/AL20010717.html . This contains a detailed disassembly of the worm with comments and the like. This worm doesn't look at all like theirs, so it doesn't look to me like somebody started with their work and tweaked it.

2) This worm contains the string "CodeRedII", but this name wasn't attached to the worm until after it had been released. This must have been created after the first one hit the fan. As such we should have no assumption that it behaves any way like the first one.

Sadly, I'm really lousy with disassembly, and the horrible piece-of-crap disassembler that I'm using (Sourcer) is not helping. I may poke a bit longer at it, but I think I'm not going to be the one that cracks the code on this one.

For what it's worth, I sent a copy to Steve Gibson this morning. This guy knows assembler so well that you could probably read him the hex bytes over the phone and he could tell you what it does.

Steve

Brainless
Premium Member
join:2000-12-15
Nicholasville, KY

Brainless to Steve

Premium Member

to Steve
Good luck at finding a pattern on the scans. Most scans I'm getting are from other machines on my ISP, but nothing else makes sense as far as a pattern is concerned. Some scan one IP and move on, some are scanning blocks of IPs. I have even seen some scan an IP then come back 10-15 mins later to scan another time on the same IP. Like last time they are scanning in 2s or 3s, mostly 3 attempts at a time. I'm up to 44 per hour at this time.

Because of the worm scanning mostly on its own ISP, it would be a good guess that people with small ISPs will get fewer scans than those on bigger ISPs.

Its all interesting to say the least.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve

Just heard from Marc at eEye: apparently they have gotten lots of these submitted to them, so it's looking like I wasn't the first to capture one. In the security biz, being first with something matters a lot, and I just so happen to be in the security biz. But I think I'm the first to publish the captured version.

We'll see...

Steve

Rxdoxx

join:2000-11-03
Middle River, MD

Rxdoxx to Rocktagon

to Rocktagon
Rocktagon, your link gives me this->
Your session timed out, or you never logged in.

You must login to access the function you requested:

And I have had 186 hits in the past 4 hours, mostly from @home (which I am). I'm here watching the RD light blink nonstop for hours, but nothing is getting through.

SJFriedl, thanks, you are definitely keeping this Chimp posted

guyver01
In Brightest Day
join:2001-01-04
Littleton, CO

guyver01 to Steve

Member

to Steve
On the RR/NYC network here... my firewall has been going crazy the last day or two with port 80 hits. So much so that I disabled popup notification. I was closing out literally dozens a minute.

When will this thing go away?

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve

I'm still trying to wade through the IP address calculations, but I have a pretty good idea that the whole process starts with the current IP address of the machine. Depending on the munging that goes on, this could easily explain the scanning of "near" machines (which I'm of course seeing in my logs also).

It also excludes all IP addresses ending in .0 or .255 -- no surprise here

Steve
Steve

Steve

Is anybody else working on the disassembly of this thing? If so, I can start posting some intermediate tidbits that might be helpful. For instance, the code references a special data area that contains the Win32 API functions it's calling, plus a few local temporaries. My list so far is:
DWORD PTR [EBP-8]             FindLibrary
DWORD PTR [EBP-0CH]           LoadLibraryA
DWORD PTR [EBP-10H]           CreateThread
DWORD PTR [EBP-14H]           GetTickCount
DWORD PTR [EBP-18H]           Sleep
DWORD PTR [EBP-1CH]           GetSystemDefaultLangID
DWORD PTR [EBP-20H]           GetSystemDirectoryA
DWORD PTR [EBP-24H]           CopyFileA
DWORD PTR [EBP-28H]           GlobalFindAtomA
DWORD PTR [EBP-2CH]           GlobalAddAtomA
DWORD PTR [EBP-30H]           CloseHandle
DWORD PTR [EBP-34H]           _lcreat
DWORD PTR [EBP-38H]           _lwrite
DWORD PTR [EBP-3CH]           _lclose
DWORD PTR [EBP-40H]           GetSystemTime
DWORD PTR [EBP-44H]           WS2_32.DLL
DWORD PTR [EBP-48H]           socket
DWORD PTR [EBP-4CH]           closesocket
DWORD PTR [EBP-50H]           ioctlsocket
DWORD PTR [EBP-54H]           connect
DWORD PTR [EBP-58H]           select
DWORD PTR [EBP-5CH]           send
DWORD PTR [EBP-60H]           recv
DWORD PTR [EBP-64H]           gethostname
DWORD PTR [EBP-68H]           gethostbyname
DWORD PTR [EBP-6CH]           WSAGetLastError
DWORD PTR [EBP-70H]           USER32.DLL
DWORD PTR [EBP-74H]           ExitWindowsEx
DWORD PTR [EBP-7CH]           RandomSeed
DWORD PTR [EBP-80H]           socketFD
DWORD PTR DS:[0FFFFFE58H]     my IP address


Steve
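The API list above is exactly the kind of thing a defender can turn into a quick static triage: pull the printable strings out of a captured sample and bucket the Win32 names it references into capabilities (file writes, sockets, atom-based single-instance markers, forced shutdown). The script below is an added example, not code from Steve or from eEye; the capability buckets are built from the names in the post, and the sample bytes are constructed here to stand in for a real file, which a practitioner would read with open(path, "rb").

```python
import re

# Capability buckets keyed on the Win32 API names listed in the post above.
# The grouping is this example's own assumption, not something the worm's author documented.
CAPABILITIES = {
    "file-system write": {"CopyFileA", "_lcreat", "_lwrite", "_lclose", "GetSystemDirectoryA"},
    "dynamic API resolution": {"LoadLibraryA"},
    "single-instance marker (atoms)": {"GlobalFindAtomA", "GlobalAddAtomA"},
    "network client": {"socket", "connect", "send", "recv", "select",
                       "ioctlsocket", "closesocket", "gethostname", "gethostbyname"},
    "threading": {"CreateThread"},
    "date/locale checks": {"GetSystemTime", "GetSystemDefaultLangID", "GetTickCount"},
    "forced reboot/shutdown": {"ExitWindowsEx"},
}

# Runs of 4 or more printable ASCII bytes, the same heuristic the Unix `strings` tool uses.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> list[str]:
    """Return every printable ASCII run of at least 4 bytes, decoded as text."""
    return [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(data)]


def triage(data: bytes) -> dict[str, list[str]]:
    """Map each capability bucket to the API names from that bucket found in the blob.

    Only buckets with at least one hit are returned, so an empty dict means
    none of the listed names appear as whole strings.
    """
    found = set(extract_strings(data))
    return {cap: sorted(found & names)
            for cap, names in CAPABILITIES.items()
            if found & names}


def summarize(data: bytes) -> str:
    """One line per capability, suitable for a quick analyst note."""
    report = triage(data)
    if not report:
        return "no listed Win32 API names found"
    return "\n".join(f"{cap}: {', '.join(names)}" for cap, names in report.items())


# Constructed stand-in for a captured sample: null-separated import names as they
# would sit in an import table or in the worm's own string area. Not real worm bytes.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"KERNEL32.DLL\x00LoadLibraryA\x00GetSystemDirectoryA\x00CopyFileA\x00"
          + b"GlobalFindAtomA\x00GlobalAddAtomA\x00GetSystemTime\x00"
          + b"WS2_32.DLL\x00socket\x00closesocket\x00connect\x00send\x00recv\x00"
          + b"USER32.DLL\x00ExitWindowsEx\x00")

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because the match is on whole null-separated strings, "closesocket" does not count as a hit for "socket"; packed or obfuscated samples will of course hide their import names from this kind of scan, so an empty report is a prompt to unpack, not a clean bill of health.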

rrlover
join:2001-03-25
Marlborough, CT

rrlover to Steve

Member

to Steve
Great info. Does this mean that the ISP is infected or that actual personal machines are infected and sending out probes? I'm not that good of a techie.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve

These are clearly individual machines, and the "same ISP" note is an oversimplification that should really be "with numerically-close IP addresses".

Steve

928GTS0
join:2000-10-09
Troy, NY

928GTS0 to Steve

Member

to Steve
Sorry for being dumb, but could you sum it up in English what this means?

RR Dude6
join:2000-12-23
<-N-Y-C->

RR Dude6 to Steve

Member

to Steve
Well, from my mouth it seems that this virus is using, for example, me: I use RR and it's using RR customers to scan their own kind.

All the attacks I've gotten are from 66.65.x.x which are RR in NYC.

rrlover
join:2001-03-25
Marlborough, CT

rrlover to Steve

Member

to Steve
but does that mean the virus is running on win9x as well as win nt/2k???

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve

said by rrlover:
but does that mean the virus is running on win9x as well as win nt/2k???
I think this is doubtful, but I'm not ruling it out completely (simply because I don't know).

Homework Assignment for DSLR members

Look through your logs of "attacks" and try to visit the various web sites. Most of the time you won't see anything -- the site will be down -- but sometimes you may see the default IIS page (must be NT). But if you see a default Personal Web Server page -- and I don't know what those look like -- then we may have an answer.

Edit - this homework only applies if you have actual web logs that show positive "new strain" probes. If all you have is firewall logs, you'll waste your time with a lot of old (and uninteresting) machines. In particular, if you see a page with black background and red text that says "We don't care much for USA Government" -- or words to that effect -- then you found an old worm machine. Ignore it.

Steve
Steve

Steve

Tidbit: the worm seems to exit if the current month is 10/2001 or later -- so it's finished in October (assuming your clock is right).

Steve
[text was edited by author 2001-08-04 22:01:44]

Publius5
join:2001-06-08
Mandeville, LA

Publius5

Member

I keep getting this server busy message.

I'm going to start probing these hits to see if I can find a common denominator.

Page I get:

The page cannot be displayed
There are too many people accessing the Web site at this time.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

Open the adsl-61-4-56.mia.bellsouth.net home page, and then look for links to the information you want.
HTTP 403.9 - Access Forbidden: Too many users are connected
Internet Information Services

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Background:
This error can occur if the Web server is busy and cannot process your request due to heavy traffic.

More information:
Microsoft Support

RenHoek
You Eeeediot
Premium Member
join:2000-10-02
Peyton, CO

RenHoek to Steve

Premium Member

to Steve
It (the server you are trying to access) is probably too busy trying to probe other machines to try to infect. I've seen multiple (8+) attempts from the same machine, so I'm sure it just will sit there and bang away on a range of IPs trying to find a new host to infect.

It looks like for whatever reason, this thing even retries IP's at some interval.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve to Publius5

to Publius5
said by Publius:
I keep getting this server busy message.
This is not a surprise, because I think the worm actually disables the server. But some of them have inevitably been rebooted since they hit your logs, so if you go through enough (dozens, perhaps), you may find some that are up. I would start with the older entries in your logs and work to newer.

If this sounds tedious, "welcome to the world of security research"

Steve

Kesh
@telia.com

Kesh to Steve

Anon

to Steve
Steve, you've hooked my curiosity

I'll have a look at that wormie thing (thanks for posting it btw). My tools: Hackers View (HIEWxxx) DOS on-the-fly disassembly file browser, and W32DASM - code file creator and debugger. Perfect - small and fast - disassembly environment.

But due to a disk-crash I'll have to work on a 486. Only machine left with a Win system.

This variant is now the main one in my log file. Concluded by the neighbourhood preference...

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve

said by Kesh:
I'll have a look at that wormie thing (thanks for posting it btw). My tools: Hackers View (HIEWxxx) DOS on-the-fly disassembly file browser, and W32DASM - code file creator and debugger. Perfect - small and fast - disassembly environment.
Well, it's nice to have more eyes on the project besides eEye.

I'm using Sourcer, which is just a horrid piece of software under NT (limit of 8-char labels, for instance). I'm also hampered by not being very good with the whole world of segment registers.

More tidbits for the assembler dudes: there is a chunk of data referenced by
DWORD PTR DS:[0FFFFFE58H][EBP]
where the hex is replaced by some other offset. I am fuzzy on the addressing (though I know these are ultimately negative numbers), but I've found some correspondences to real variables:

0FFFFFE58H    my IP address
0FFFFFE5CH    generic 260-byte string buffer
0FFFFFE3CH    buffer for SYSTEMTIME
0FFFFFE38H    0 for new infections, 1 for second visits by new worms

Steve
Steve

Steve

By the way: if you're going to dig at the assembler, you must have the analysis done by the eEye folks -- it's a fantastic starting point, and I'm pretty sure I'd not have even tried this without their outstanding initial research. The web page is at http://www.eeye.com/html/Research/Advisories/AL20010717.html , but you have to download a ZIP file that has the detailed analysis and disassembler.

Steve
ArkiMage
join:2001-06-30
Kingsport, TN

ArkiMage to Kesh

Member

to Kesh
I got a total of 114 probes from the first CodeRed. So far I've gotten 160 from this one from 105 distinct IPs. The common thing about the new one appears to be that they're all from 24.x.y.z where my current IP is a 24.159.a.b address. It must just vary the last 3 octets of the IP. Not just from my ISP but rather all other addresses in the same Class A subnet sort of.
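Several posters in this thread (Steve's "numerically-close IP addresses" note, and ArkiMage's count of 160 probes from 105 distinct IPs all in 24.x.y.z) are doing the same analysis by hand: how many probe sources share a prefix with the local address. The script below is an added example, not code from any poster, that automates that check over firewall log lines. The log format, the local address and the sample lines are all constructed for the example; adapt LINE_RE to whatever your firewall actually writes.

```python
import ipaddress
import re
from collections import Counter

# Constructed log format (not any real firewall's): "<date> <time> TCP <src>:<sport> -> <dst>:80"
LINE_RE = re.compile(r"TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):80\b")

# Constructed local address and sample lines; the source addresses are made up for the example.
LOCAL_IP = "24.159.40.10"
SAMPLE_LOG = """\
2001-08-04 21:02:11 TCP 24.159.17.200:3021 -> 24.159.40.10:80
2001-08-04 21:03:48 TCP 24.159.40.77:1187 -> 24.159.40.10:80
2001-08-04 21:05:02 TCP 24.3.100.9:4410 -> 24.159.40.10:80
2001-08-04 21:06:19 TCP 24.159.17.200:3022 -> 24.159.40.10:80
2001-08-04 21:07:55 TCP 66.65.12.34:2056 -> 24.159.40.10:80
2001-08-04 21:09:30 TCP 24.201.55.1:3301 -> 24.159.40.10:80
2001-08-04 21:11:04 TCP 24.159.40.77:1188 -> 24.159.40.10:80
2001-08-04 21:12:41 TCP 209.86.4.3:1090 -> 24.159.40.10:80
2001-08-04 21:14:07 TCP 24.159.88.5:2211 -> 24.159.40.10:80
2001-08-04 21:15:29 TCP 24.7.9.10:3998 -> 24.159.40.10:80
"""


def parse_sources(log_text: str) -> list[str]:
    """Return the source IP of every port-80 probe line, in log order (duplicates kept)."""
    return [m.group(1) for line in log_text.splitlines() if (m := LINE_RE.search(line))]


def distinct_sources(sources: list[str]) -> set[str]:
    """The set of distinct probing hosts (what ArkiMage calls 'distinct IPs')."""
    return set(sources)


def neighborhood_profile(local_ip: str, sources: list[str]) -> dict[str, int]:
    """Bucket each probe by the longest prefix it shares with the local address.

    A source lands in exactly one bucket: same /24, else same /16, else same /8,
    else 'other'. Counting probes rather than hosts keeps repeat visits visible.
    """
    local = ipaddress.IPv4Address(local_ip)
    nets = [(label, ipaddress.ip_network(f"{local}/{bits}", strict=False))
            for label, bits in (("same /24", 24), ("same /16", 16), ("same /8", 8))]
    profile = Counter({label: 0 for label, _ in nets})
    profile["other"] = 0
    for src in sources:
        addr = ipaddress.IPv4Address(src)
        for label, net in nets:
            if addr in net:
                profile[label] += 1
                break
        else:
            profile["other"] += 1
    return dict(profile)


def looks_like_neighborhood_scan(profile: dict[str, int], threshold: float = 0.5) -> bool:
    """True when at least `threshold` of probes come from the local /8 or closer.

    Random-target scanning would put roughly 1/256 of probes in the local /8, so a
    share above one half is a strong sign of the 'near' preference described in the thread.
    """
    total = sum(profile.values())
    if total == 0:
        return False
    return (total - profile.get("other", 0)) / total >= threshold


if __name__ == "__main__":
    srcs = parse_sources(SAMPLE_LOG)
    print(f"{len(srcs)} probes from {len(distinct_sources(srcs))} distinct hosts")
    prof = neighborhood_profile(LOCAL_IP, srcs)
    print(prof, "neighborhood scan" if looks_like_neighborhood_scan(prof) else "no local bias")
```

On the constructed sample, 8 of 10 probes fall inside the local /8, which is the pattern the thread describes; running the same profile against a sample of old-strain probes should show a near-uniform spread, which is one way to separate the two strains in firewall logs alone.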

stev32k
Premium Member
join:2000-04-27
Mobile, AL

stev32k to Steve

Premium Member

to Steve
Check out this. It's one of the addresses that probed me today:

»cmc3075849-b.toney1.al.home.com/

I would post a screenshot if I knew how. It's kinda spooky.

Ryan
Premium Member
join:2001-03-03
Boston, MA

Ryan to Steve

Premium Member

to Steve
This site will give you a scare!
[text was edited by author 2001-08-04 23:07:06]

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve to stev32k

to stev32k
This is an infection of the first version of the worm, and let's just say that it expresses a certain amount of distaste for the US Government.

I should note that my "homework assignment" really only applies to people who have actual web logs that show the XXXXX infection attempts. If all you have is firewall logs, you'll waste a lot of time on machines that aren't interesting.

Steve