Steve (Consultant, Yorba Linda, CA) | reply to rrlover
Re: Code Red II worm analysis
These are clearly individual machines, and the "same ISP" note is an oversimplification that should really be "with numerically-close IP addresses".
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
rrlover (Marlborough, CT) | but does that mean the virus is running on win9x as well as win nt/2k???
Steve (Consultant, Yorba Linda, CA)
said by rrlover: but does that mean the virus is running on win9x as well as win nt/2k???
I think this is doubtful, but I'm not ruling it out completely (simply because I don't know).
Homework Assignment for DSLR members
Look through your logs of "attacks" and try to visit the various web sites. Most of the time you won't see anything -- the site will be down -- but sometimes you may see the default IIS page (must be NT). But if you see a default Personal Web Server page -- and I don't know what those look like -- then we may have an answer.
Edit - this homework only applies if you have actual web logs that show positive "new strain" probes. If all you have is firewall logs, you'll waste your time with a lot of old (and uninteresting) machines. In particular, if you see a page with black background and red text that says "We don't care much for USA Government" -- or words to that effect -- then you found an old worm machine. Ignore it.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net [text was edited by author 2001-08-04 22:42:17]
Steve (Consultant, Yorba Linda, CA)
Tidbit: the worm seems to exit if the current month is 10/2001 or later -- so it's finished in October (assuming your clock is right).
Steve [text was edited by author 2001-08-04 22:01:44]
Publius | I keep getting this server busy message.
I'm going to start probing these hits to see if I can find a common denominator.
Page I get:
The page cannot be displayed There are too many people accessing the Web site at this time.
--------------------------------------------------------------------------------
Please try the following:
Click the Refresh button, or try again later.
Open the adsl-61-4-56.mia.bellsouth.net home page, and then look for links to the information you want.
HTTP 403.9 - Access Forbidden: Too many users are connected
Internet Information Services
--------------------------------------------------------------------------------
Technical Information (for support personnel)
Background: This error can occur if the Web server is busy and cannot process your request due to heavy traffic.
More information: Microsoft Support
Steve (Consultant, Yorba Linda, CA)
said by Publius: I keep getting this server busy message.
This is not a surprise, because I think the worm actually disables the server. But some of them have inevitably been rebooted since they hit your logs, so if you go through enough (dozens, perhaps), you may find some that are up. I would start with the older entries in your logs and work to newer.
If this sounds tedious, "welcome to the world of security research" 
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
Kesh | reply to Steve
Steve, you've hooked my curiosity
I'll have a look at that wormie thing (thanks for posting it btw). My tools: Hackers View (HIEWxxx) DOS on-the-fly disassembly file browser, and W32DASM - code file creator and debugger. Perfect - small and fast - disassembly environment.
But due to a disk-crash I'll have to work on a 486. Only machine left with a Win system.
This variant is now the main one in my log file. Concluded by the neighbourhood preference...
Steve (Consultant, Yorba Linda, CA)
said by Kesh: I'll have a look at that wormie thing (thanks for posting it btw). My tools: Hackers View (HIEWxxx) DOS on-the-fly disassembly file browser, and W32DASM - code file creator and debugger. Perfect - small and fast - disassembly environment.
Well it's nice to have more eyes on the project besides eEye 
I'm using Sourcer, which is just a horrid piece of software under NT (limit of 8-char labels, for instance). I'm also hampered by not being very good with the whole world of segment registers.
More tidbits for the assembler dudes: there is a chunk of data referenced by DWORD PTR DS:[0FFFFFE58H][EBP] where the hex is replaced by some other offset. I am fuzzy on the addressing (though I know these are ultimately negative numbers), but I've found some correspondences to real variables:
0FFFFFE58H  my IP address
0FFFFFE5CH  generic 260-byte string buffer
0FFFFFE3CH  buffer for SYSTEMTIME
0FFFFFE38H  0 for new infections, 1 for second visits by new worms
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
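As an added example (not Steve's code or eEye's), the displacements he lists can be decoded into signed EBP-relative offsets and laid out as a stack frame to check that the identified variables are mutually consistent. SYSTEMTIME is a 16-byte Win32 struct; treating the IP address and the flag as 4-byte DWORDs is an assumption.

```python
# Added example: decode the EBP-relative displacements quoted in the post and
# lay out the worm's stack frame to check that the variables do not overlap.
# Sizes: SYSTEMTIME is 16 bytes (Win32 struct); the IP address and the flag are
# ASSUMED to be 4-byte DWORDs.
from typing import Dict, List, Tuple

def signed32(hexword: str) -> int:
    """Interpret an assembler literal such as '0FFFFFE58H' as a signed 32-bit displacement."""
    v = int(hexword.rstrip("Hh"), 16) & 0xFFFFFFFF
    return v - 0x100000000 if v & 0x80000000 else v

# Offsets quoted in the post, with sizes in bytes (IP and flag sizes are assumptions).
FRAME_VARS: Dict[str, Tuple[str, int]] = {
    "0FFFFFE58H": ("my IP address", 4),
    "0FFFFFE5CH": ("generic 260-byte string buffer", 260),
    "0FFFFFE3CH": ("buffer for SYSTEMTIME", 16),
    "0FFFFFE38H": ("infection flag (0 new, 1 revisit)", 4),
}

def frame_layout(vars_: Dict[str, Tuple[str, int]]) -> List[Tuple[int, int, str]]:
    """Return (start, end_exclusive, name) byte ranges relative to EBP, lowest address first."""
    rows = []
    for lit, (name, size) in vars_.items():
        start = signed32(lit)
        rows.append((start, start + size, name))
    return sorted(rows)

def overlaps(layout: List[Tuple[int, int, str]]) -> List[Tuple[str, str]]:
    """Pairs of variables whose byte ranges collide; a collision means an offset
    or size guess is wrong. Tracks the highest end seen so far, so a long range
    enclosing several later ones is reported against each of them."""
    bad = []
    high_end, high_name = layout[0][1], layout[0][2]
    for start, end, name in layout[1:]:
        if start < high_end:
            bad.append((high_name, name))
        if end > high_end:
            high_end, high_name = end, name
    return bad

if __name__ == "__main__":
    lay = frame_layout(FRAME_VARS)
    for start, end, name in lay:
        print(f"[ebp{start:+d} .. ebp{end:+d})  {name}")
    print("overlaps:", overlaps(lay) or "none")
```

With the quoted offsets, the IP address at ebp-424 sits immediately below the 260-byte buffer at ebp-420, and nothing collides.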
Steve (Consultant, Yorba Linda, CA)
By the way: if you're going to dig at the assembler, you must have the analysis done by the eEye folks -- it's a fantastic starting point, and I'm pretty sure I'd not have even tried this without their outstanding initial research. The web page is at http://www.eeye.com/html/Research/Advisories/AL20010717.html , but you have to download a ZIP file that has the detailed analysis and disassembler.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
reply to Kesh
I got a total of 114 probes from the first CodeRed. So far I've gotten 160 from this one from 105 distinct IPs. The common thing about the new one appears to be that they're all from 24.x.y.z where my current IP is a 24.159.a.b address. It must just vary the last 3 octets of the IP. Not just from my ISP but rather all other addresses in the same Class A subnet sort of.
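The "neighbourhood preference" that several posters describe can be checked against one's own logs by counting how many leading octets each probe source shares with the local address. This is an added example, not code from the thread; the log format, the local address and the log lines are constructed for it.

```python
# Added example: bucket port-80 probe sources by the number of leading octets
# they share with the local address. A pile-up at 1 or 2 shared octets is the
# "same Class A / Class B" preference described in the thread.
# The log format and all sample lines below are CONSTRUCTED for this example;
# adapt LINE_RE to your own firewall or web server log.
import re
from collections import Counter
from typing import Dict, List

LOCAL_IP = "24.159.10.20"  # constructed stand-in for the poster's 24.159.a.b address

# Constructed sample: one line per probe, as a simple firewall log might write them.
SAMPLE_LOG = """\
2001-08-04 21:01:03 DROP TCP 24.159.44.7:1034 -> 24.159.10.20:80
2001-08-04 21:01:09 DROP TCP 24.159.44.7:1035 -> 24.159.10.20:80
2001-08-04 21:03:44 DROP TCP 24.3.200.15:2210 -> 24.159.10.20:80
2001-08-04 21:05:12 DROP TCP 24.91.8.133:4412 -> 24.159.10.20:80
2001-08-04 21:06:58 DROP TCP 65.12.33.9:1122 -> 24.159.10.20:80
2001-08-04 21:07:30 DROP TCP 24.159.200.3:1040 -> 24.159.10.20:80
"""

LINE_RE = re.compile(r"TCP (\d+\.\d+\.\d+\.\d+):\d+ -> [\d.]+:80\b")

def probe_sources(log: str) -> List[str]:
    """Distinct source addresses that hit port 80, in first-seen order."""
    seen: List[str] = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def shared_octets(a: str, b: str) -> int:
    """Number of leading dotted octets two IPv4 addresses have in common (0-4)."""
    n = 0
    for x, y in zip(a.split("."), b.split(".")):
        if x != y:
            break
        n += 1
    return n

def neighbourhood_histogram(log: str, local_ip: str) -> Dict[int, int]:
    """Map shared-octet count -> number of distinct sources with that count."""
    return dict(Counter(shared_octets(src, local_ip) for src in probe_sources(log)))

if __name__ == "__main__":
    for k, v in sorted(neighbourhood_histogram(SAMPLE_LOG, LOCAL_IP).items(), reverse=True):
        print(f"{v} source(s) share {k} leading octet(s) with {LOCAL_IP}")
```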
stev32k (Mobile, AL) | reply to Steve
Check out this. It's one of the addresses that probed me today:
cmc3075849-b.toney1.al.home.com/
I would post a screen shot if I knew how. It's kinda spooky
Steve (Consultant, Yorba Linda, CA)
This is an infection of the first version of the worm, and let's just say that it expresses a certain amount of distaste for the US Government.
I should note that my "homework assignment" really only applies to people who have actual web logs that show the XXXXX infection attempts. If all you have is firewall logs, you'll waste a lot of time on machines that aren't interesting.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
smoylan5 (Ridgefield Park, NJ) | reply to Steve
I took a look through IE at several of the IP addresses that the port 80 attacks are coming from, and so far most of them seem to be running IIS. On some of the sites my Norton informed me that the web site was infected with the sandmind.backdoor.dr worm and when the web site came up, all it said was **** USA Government.
stev32k (Mobile, AL) | reply to Steve
I apologize for wasting your precious time. I promise it won't happen again.
btw; be careful not to trip over your ego.
Steve (Consultant, Yorba Linda, CA)
said by stev32k: I apologize for wasting your precious time.
Folks, in my frantic haste to attend to 57 things at once, I was much too short with our DSLR member from Mobile and easily appeared to publicly dismiss him. Though the "F*CK US Government" web sites are the Code Red version #1 and do not apply here, my saying "not interesting" sounds like a personal dismissal.
It was a poor choice of words brought on by not previewing enough, and I very much appreciate anybody who's trying to help in here.
Steve in Alabama: I'm sorry.
Steve in California -- Stephen J. Friedl / Software Consultant / Tustin, California USA / www.unixwiz.net
mole2 (Longs, SC) | reply to stev32k
said by stev32k: Check out this. It's one of the addresses that probed me today:
cmc3075849-b.toney1.al.home.com/
I would post a screen shot if I knew how. It's kinda spooky
Ok..I've been reading this thread. When I went to this site, Norton's AntiVirus immediately told me I just received an infection from a virus. It then attempted to clean the file and, being unable to do so, quarantined it. The virus is: Backdoor.Sadmind.Dr
Don't know if this was a bogus warning or not but the temporary internet file was quarantined.
Just a warning to others. You will/may get infected visiting this site.
Edited:
OK..SORRY FOLKS: Reading further in the thread I'm assured that the warning is bogus; it's an infection of the site and not the local machine. Phew...got scared there.
[text was edited by author 2001-08-05 02:35:21]