Forums » Up and Running » Security » Security » Code Red II worm analysis


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Code Red II worm analysis

I (and probably others) am in a mad dash to decode this worm and provide initial analysis. So far it clearly looks different than the other one, and I'll post tidbits on what I find. These will be exceptionally brief and frantic, and much of it may prove to be wrong. But you might find this interesting.

First, this for sure writes to the filesystem and actually appears to disable System File Protection. This is what keeps you from walking on your system files, and this is bad news. Info on SFC can be found at http://www.microsoft.com/hwdev/sfp/wfp.htm .

I haven't gotten very far, but it also appears from reports here that it scans in a different pattern than the other ones (favoring "local") networks.

More as I find it.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Bucko9

join:2001-04-24
Portland, OR
You rule. Thanks!


bzar1

join:2001-05-15
Tucson, AZ

reply to Steve
Well Steve, here's a little, probably useless, information for you, but I'll post it anyway.
Today the scans to my computer increased to about 40 per hour, and 80% of them are from computers on the @HOME network, which coincidentally is the same network I'm on. Just thought it was odd because it is the first time I've seen any kind of pattern.
--
Silly rider TRX are for kids.

astirusty
Premium
join:2000-12-23
Henderson, NV
·AT&T Southwest

 reply to Steve
said by SJFriedl:
I haven't gotten very far, but it also appears from reports here that it scans in a different pattern than the other ones (favoring "local") networks.

Very interesting. After reading several posts here, I was noticing the same thing.
--
My other computer writes/reads data @ 1GigaByte/sec.


Occasu$

join:2001-07-20
North Vancouver, BC

 reply to Steve
Steve, what more can I say... you are the man!! You have just answered a whole lot of questions (including mine) related to same-ISP scanning by Code Red. Keep up the good work, and here is another vote for you.
--
Those who do not remember the past, are condemned to repeat it.


Rocktagon
Slightly Bent
Premium
join:2000-11-04
Chattaroy, WA

 reply to bzar1
I too am on @home. Over 200 HTTP scans today, with most being from @home IPs.
Check this page out to see a log of my activity today.
This pattern seems to be consistent with what others from other ISP's are seeing.
You go Steve, BTW, nice write up:
»www.unixwiz.net/techtips/CodeRedII.html
--
The only time success comes before work is in the dictionary


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
I'm confident this is an entirely new effort, bearing nearly no resemblance to the original Code Red worm.

1) The original main analyzers of the worm were the folks at eEye, and they published a detailed analysis of the worm that can be found at http://www.eeye.com/html/Research/Advisories/AL20010717.html . This contains a detailed disassembly of the worm with comments and the like. This worm doesn't look at all like theirs, so it doesn't look to me like somebody started with their work and tweaked it.

2) This worm contains the string "CodeRedII", but this name wasn't attached to the worm until after it had been released. This must have been created after the first one hit the fan. As such we should have no assumption that it behaves any way like the first one.

Sadly, I'm really lousy with disassembly, and the horrible piece-of-crap disassembler that I'm using (Sourcer) is not helping. I may poke a bit longer at it, but I think I'm not going to be the one that cracks the code on this one.

For what it's worth, I sent a copy to Steve Gibson this morning. This guy knows assembler so well that you could probably read him the hex bytes over the phone and he could tell you what it does.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Brainless
Premium
join:2000-12-15
Sedalia, MO
·AT&T DSL Service

reply to Steve
Good luck at finding a pattern on the scans. Most scans I'm getting are from other machines on my ISP, but nothing else makes sense as far as a pattern is concerned. Some scan one IP and move on, some are scanning blocks of IPs. I have even seen some scan an IP, then come back 10-15 minutes later to scan the same IP another time. Like last time, they are scanning in 2s or 3s, mostly 3 attempts at a time. I'm up to 44 per hour at this time.

Because the worm scans mostly on its own ISP, it would be a good guess that people with small ISPs will get fewer scans than those on bigger ISPs.

Its all interesting to say the least.
--
Life = Just Learning


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Just heard from Marc at eEye: apparently they have gotten lots of these submitted to them, so it's looking like I wasn't the first to capture one. In the security biz, being first with something matters a lot, and I just so happen to be in the security biz. But I think I'm the first to publish the captured version.

We'll see...

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Rxdoxx
Premium,Mod
join:2000-11-03
Middle River, MD
·Verizon FIOS
·Comcast

reply to Rocktagon
Rocktagon, your link gives me this->
Your session timed out, or you never logged in.

You must login to access the function you requested:

And I have had 186 hits in the past 4 hours, mostly from @home (which I am). I'm here watching the RD light blink nonstop for hours, but nothing is getting through.

SJFriedl, thanks, you are definitely keeping this Chimp posted
--
Voting link gone. Dot doomed while rating doomed sites should have rated itself. They got doomed


guyver01
In Brightest Day

join:2001-01-04
Littleton, CO

 reply to Steve
On the RR/NYC network here... my firewall has been going crazy the last day or two with port 80 hits. So much so that I disabled popup notification. I was closing out literally dozens a minute.

When will this thing go away?
--
One only appreciates the beauty of the mountain top when one has experienced the agony of the climb
Said by DSLR member HAZE in the RoadRunner forum.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

I'm still trying to wade through the IP address calculations, but I have a pretty good idea that the whole process starts with the current IP address of the machine. Depending on the munging that goes on, this could easily explain the scanning of "near" machines (which I'm of course seeing in my logs also).

It also excludes all IP addresses ending in .0 or .255 -- no surprise here.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Steve
Is anybody else working on the disassembly of this thing? If so, I can start posting some intermediate tidbits that might be helpful. For instance, the code references a special data area that contains the Win32 API functions it's calling, plus a few local temporaries. My list so far is:
DWORD PTR [EBP-8]         FindLibrary
DWORD PTR [EBP-0CH]       LoadLibraryA
DWORD PTR [EBP-10H]       CreateThread
DWORD PTR [EBP-14H]       GetTickCount
DWORD PTR [EBP-18H]       Sleep
DWORD PTR [EBP-1CH]       GetSystemDefaultLangID
DWORD PTR [EBP-20H]       GetSystemDirectoryA
DWORD PTR [EBP-24H]       CopyFileA
DWORD PTR [EBP-28H]       GlobalFindAtomA
DWORD PTR [EBP-2CH]       GlobalAddAtomA
DWORD PTR [EBP-30H]       CloseHandle
DWORD PTR [EBP-34H]       _lcreat
DWORD PTR [EBP-38H]       _lwrite
DWORD PTR [EBP-3CH]       _lclose
DWORD PTR [EBP-40H]       GetSystemTime
DWORD PTR [EBP-44H]       WS2_32.DLL
DWORD PTR [EBP-48H]       socket
DWORD PTR [EBP-4CH]       closesocket
DWORD PTR [EBP-50H]       ioctlsocket
DWORD PTR [EBP-54H]       connect
DWORD PTR [EBP-58H]       select
DWORD PTR [EBP-5CH]       send
DWORD PTR [EBP-60H]       recv
DWORD PTR [EBP-64H]       gethostname
DWORD PTR [EBP-68H]       gethostbyname
DWORD PTR [EBP-6CH]       WSAGetLastError
DWORD PTR [EBP-70H]       USER32.DLL
DWORD PTR [EBP-74H]       ExitWindowsEx
DWORD PTR [EBP-7CH]       RandomSeed
DWORD PTR [EBP-80H]       socketFD
DWORD PTR DS:[0FFFFFE58]  my IP address


Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net


rrlover

join:2001-03-25
Marlborough, CT
 reply to Steve
Great info. Does this mean that the ISP is infected, or that actual personal machines are infected and sending out probes? I'm not that good of a techie.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

These are clearly individual machines, and the "same ISP" note is an oversimplification that should really be "with numerically-close IP addresses".

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
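As an added illustration of what "numerically close" means in practice (this is example code added here, not anything from the thread or from Steve's analysis): the script below reads a constructed firewall log of port-80 probes, buckets each source by the longest of /24, /16 or /8 it shares with the victim's own address, and compares the fraction that share the victim's /8 with the 1/256 a uniformly random scanner would produce. The log lines, their "date time src_ip dst_port" layout and the victim address 24.18.77.130 are all made up for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log (not from the thread): inbound probes in
# a simple "date time src_ip dst_port" layout. One line is a port-25 hit
# so the port filter has something to drop.
SAMPLE_LOG = """\
2001-08-04 21:02:11 24.18.77.3 80
2001-08-04 21:02:40 24.18.99.250 80
2001-08-04 21:03:05 24.7.140.21 80
2001-08-04 21:03:51 24.18.77.3 80
2001-08-04 21:04:17 65.0.12.9 80
2001-08-04 21:05:02 24.18.5.66 80
2001-08-04 21:05:48 24.130.2.7 80
2001-08-04 21:06:30 24.18.77.3 80
2001-08-04 21:07:12 198.51.100.17 25
2001-08-04 21:07:40 198.51.100.17 80
2001-08-04 21:08:01 24.18.200.1 80
"""

# Assumed address of the machine whose log this is (constructed).
MY_IP = "24.18.77.130"


def parse_probe_sources(log_text, port="80"):
    """Source address of every probe to `port`, one entry per log line.

    Repeats are kept on purpose: the per-source count is itself a signal
    (posters above see the same source coming back in twos and threes).
    """
    sources = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != port:
            continue
        try:
            sources.append(ipaddress.IPv4Address(fields[2]))
        except ValueError:
            continue  # skip a malformed line rather than abort the run
    return sources


def shared_prefix(my_ip, src):
    """Longest of /24, /16, /8 that `src` shares with `my_ip` (0 if none)."""
    me = int(ipaddress.IPv4Address(my_ip))
    other = int(src)
    for bits in (24, 16, 8):
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        if (me & mask) == (other & mask):
            return bits
    return 0


def locality_profile(my_ip, sources):
    """Summarise how numerically close the probing hosts are to my_ip.

    A uniformly random scanner lands in my /8 with probability 1/256 and
    in my /16 with probability 1/65536; a share far above that is the
    locality bias the thread is observing.
    """
    per_source = Counter(sources)
    buckets = Counter(shared_prefix(my_ip, s) for s in per_source)
    n = len(per_source)
    share8 = buckets[24] + buckets[16] + buckets[8]
    share16 = buckets[24] + buckets[16]
    return {
        "probes": len(sources),
        "unique_sources": n,
        "share_slash8": share8,
        "share_slash16": share16,
        "share_slash24": buckets[24],
        "frac_slash8": share8 / n if n else 0.0,
        # how many times more /8 neighbours than uniform scanning predicts
        "bias_vs_uniform_slash8": (share8 / n) * 256 if n else 0.0,
        "repeat_probers": sum(1 for c in per_source.values() if c > 1),
    }


if __name__ == "__main__":
    profile = locality_profile(MY_IP, parse_probe_sources(SAMPLE_LOG))
    for key, value in profile.items():
        print(f"{key:>24}: {value}")
```

To run it against your own log, replace SAMPLE_LOG with the file contents (adjusting the field positions in parse_probe_sources if your firewall writes a different layout) and MY_IP with your address. A bias factor in the tens or hundreds is the pattern the posters above are describing; a factor near 1 means the sources are not clustered around you at all and the "same ISP" impression is coincidence.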


928GTS

join:2000-10-09
Troy, NY
reply to Steve
Sorry for being dumb, but could you sum up in English what this means?


RR Dude6

join:2000-12-23
<-N-Y-C->
reply to Steve
Well, from my mouth it seems that this virus is using, for example, me: I use RR, and it's using RR customers to scan their own kind.

All the attacks I've gotten are from 66.65.x.x, which are RR in NYC.


rrlover

join:2001-03-25
Marlborough, CT
reply to Steve
But does that mean the virus is running on Win9x as well as Win NT/2K???


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA


said by rrlover:
But does that mean the virus is running on Win9x as well as Win NT/2K???
I think this is doubtful, but I'm not ruling it out completely (simply because I don't know).

Homework Assignment for DSLR members

Look through your logs of "attacks" and try to visit the various web sites. Most of the time you won't see anything -- the site will be down -- but sometimes you may see the default IIS page (must be NT). But if you see a default Personal Web Server page -- and I don't know what those look like -- then we may have an answer.

Edit - this homework only applies if you have actual web logs that show positive "new strain" probes. If all you have is firewall logs, you'll waste your time with a lot of old (and uninteresting) machines. In particular, if you see a page with black background and red text that says "We don't care much for USA Government" -- or words to that effect -- then you found an old worm machine. Ignore it.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net

[text was edited by author 2001-08-04 22:42:17]
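For anyone doing the homework, here is an added example (not from the thread, and not Steve's code) that automates the check he describes: fetch / from each probing host, set aside any page carrying the old-worm defacement text, and tally the Server banners of the rest. The defacement markers (Steve's recalled wording plus the "Hacked By Chinese!" text of the original Code Red defacement page), the assumed "Microsoft-PWS" banner prefix for Personal Web Server, and the canned pages in SAMPLE_PAGES are assumptions made for the example. As the edit above says, only feed it addresses taken from web-server logs that show the new-strain request.

```python
import http.client
import sys

# Body markers meaning "original Code Red defacement, not the new strain".
# The first is the wording recalled in the post ("or words to that effect");
# the second is the text of the original Code Red defacement page. Both are
# assumptions for this example and are matched case-insensitively.
DEFACEMENT_MARKERS = (
    "we don't care much for usa government",
    "hacked by chinese",
)

# Constructed offline stand-ins for hosts found in a web log (not real).
SAMPLE_PAGES = {
    "192.0.2.10": (200, {"Server": "Microsoft-IIS/5.0"},
                   "<html><title>Under Construction</title></html>"),
    "192.0.2.11": (200, {"Server": "Microsoft-IIS/4.0"},
                   "<body bgcolor=black><font color=red>"
                   "We don't care much for USA Government</font></body>"),
    "192.0.2.12": (200, {"Server": "Microsoft-PWS/4.0"}, "<html></html>"),
    "192.0.2.13": (200, {"server": "Apache/1.3.20"}, "<html></html>"),
    # 192.0.2.14 is deliberately absent: it stands for a host that is down
}


def classify_http_response(headers, body):
    """Label one fetched front page for the homework tally.

    "old-worm-defacement"  original Code Red host; ignore it
    "iis"                  Microsoft IIS banner (NT/2000 class host)
    "pws"                  banner starting "Microsoft-PWS" (assumed to be
                           what Personal Web Server sends; unverified)
    "unknown"              anything else
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    server = lowered.get("server", "").lower()
    text = body.lower()
    if any(marker in text for marker in DEFACEMENT_MARKERS):
        return "old-worm-defacement"
    if server.startswith("microsoft-iis"):
        return "iis"
    if server.startswith("microsoft-pws"):
        return "pws"
    return "unknown"


def fetch_front_page(host, timeout=5.0, max_body=8192):
    """GET / from `host` on port 80; None if it does not answer."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(max_body).decode("latin-1", "replace")
        return resp.status, dict(resp.getheaders()), body
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def fetch_from_samples(host):
    """Offline fetcher that answers from SAMPLE_PAGES."""
    return SAMPLE_PAGES.get(host)


def survey(hosts, fetch=fetch_front_page):
    """Classify each host; `fetch` is injectable so the run can be offline."""
    tally = {}
    for host in hosts:
        result = fetch(host)
        if result is None:
            tally[host] = "down"
            continue
        _status, headers, body = result
        tally[host] = classify_http_response(headers, body)
    return tally


def summarize(tally):
    """Count hosts per label, which is the number the homework is after."""
    counts = {}
    for label in tally.values():
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = survey(sys.argv[1:])          # real hosts from the log
    else:
        result = survey(sorted(SAMPLE_PAGES) + ["192.0.2.14"],
                        fetch=fetch_from_samples)
    for host, label in result.items():
        print(f"{host:<16} {label}")
    print(summarize(result))
```

Run with the probing addresses as arguments to hit the real hosts (each gets one GET / with a five-second timeout), or with no arguments to see the classifier on the canned pages. Any "pws" result is the thing worth posting back, since that is the Win9x question the thread cannot yet answer; "old-worm-defacement" hosts are the ones Steve says to ignore.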


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Tidbit: the worm seems to exit if the current month is 10/2001 or later -- so it's finished in October (assuming your clock is right).

Steve
[text was edited by author 2001-08-04 22:01:44]
Friday, 27-Nov 10:27:37 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.