[pchelpers] CodeRed alert
- From: Tonia <ltonwannabe@xxxxxxxxxxx>
- To: PCHelpers <pchelpers@xxxxxxxxxxxxx>
- Date: Sat, 21 Jul 2001 03:39:35 +0100 (BST)
Hi all
Thought this would be timely info for all.
Take a look also at the hacked Microsoft Windows
Update website...a screen shot at
http://www.sunbeltsoftware.com/stu/graphics/windowsupdate.gif
Here's an extract from a newsletter W2Knews:
TECH BRIEFING
Code Red Worm - How does it look? What do I do?
Here is the short technical backgrounder by a few of
the developers of eEye, a security software developer
that has a few products Sunbelt carries (SecureIIS and
Retina). Credit: Ryan Permeh and Marc Maiffret.
--------------------------------------------------------------------------------
Explanation
As stated earlier the .ida "Code Red" worm is
spreading throughout IIS Web servers on the Internet
via the .ida buffer-overflow attack that was published
last month.
The following are the steps that the worm takes once
it has infected a vulnerable Web server:
Set up initial worm environment on infected system.
Set up 100 threads of the worm.
Use the first 99 threads to spread the worm (infect
other Web servers).
The worm spreads itself by creating a sequence of
random IP addresses. However, the worm's list of IP
addresses to attack is not altogether random. In
fact, there seems to be a static seed (a beginning IP
address that is always the same) that the worm uses
when generating new IP addresses. Therefore every
computer infected by this worm is going to go through
the same list of "random" IP addresses.
Because of this feature, the worm will end up
re-infecting the same systems multiple times, and
traffic will cross back and forth between
hosts, ultimately creating a denial-of-service type
effect. The denial-of-service will be due to the
amount of data being transferred between all of the IP
addresses in the sequence of random IP addresses.
The worm could have done truly random IP generation
and that would have allowed it to infect many more
systems much faster. We are not sure why this was not
done, but a friend of ours did pose an interesting
idea: If the person who wrote this worm owned an IP
address that was one of the first hundred or thousand
to be scanned, then they could set up a "sniffer" and
any time an IP address tried to connect to port 80 on
their server they would get confirmation that the IP
address that connected to them was infected with the
worm.
With this knowledge, they would be able to create a
list of the majority of systems that were infected by
this worm.
The 100th thread checks to see if it is running on an
English (US) Windows NT/2000 system.
If the infected system is found to be an English (US)
system, the worm will proceed to deface the infected
system's website. The local Web server's Web page will
be changed to a message that says: "Welcome to
http://www.worm.com!, Hacked By Chinese!". This hacked
Web page message will stay "live" on the Web server
for 10 hours and then disappear. The message will not
appear again unless the system is re-infected by
another computer.
If the system is not an English (US) Windows NT/2000
system, the 100th worm thread is also used to infect
other systems.
Each worm thread checks for c:\notworm.
If the file c:\notworm is found, the worm goes
dormant.
If the file is not found, each thread will continue to
attempt to infect more systems.
Each worm thread checks the infected computer's system
time.
If the date is past the 20th of the month (GMT), the
thread will stop searching for systems to infect and
will instead attack www.whitehouse.gov. The attack
consists of the infected system sending 100k bytes of
data (1 byte at a time + 40 bytes overhead for the
actual TCP/IP packet) to port 80 of
www.whitehouse.gov.
This flood of data (410 megabytes of data every 4 and
a half hours per instance of the worm) would
potentially amount to a denial-of-service attack
against www.whitehouse.gov.
If the date is between the 1st and the 19th of the
month, this worm thread will not attack
www.whitehouse.gov and will continue to try to find
and infect new Web servers.
We have calculated that the worm can attempt to infect
roughly half a million IP addresses a day. This is a
rough estimate generated by testing on a very slow
network.
At the time of writing this document (July 19th,
3:00pm), we have had reports from administrators that
have been probed by over 196 thousand unique hosts.
This leads us to believe that this worm has infected
at least 196 thousand computers.
During testing we noticed that sometimes the worm does
not execute "normally" and will continue to spawn new
threads until the infected machine crashes and has to
be rebooted, effectively killing itself. We have not
been able to isolate the cause of this behavior.
--------------------------------------------------------------------------------
I have been infected by this worm, what can I do?
The first thing you must do is go to the Microsoft
security site, as referenced below, and install the
.ida patch as soon as possible. The worm will remain
in memory until you reboot your server so make sure to
reboot after installing the .ida patch.
I think I am infected, how can I tell?
An infected system will show an increase in load
(processor/network). It will also show a number of
external connections (or attempts) to port 80 from
random IP addresses. You can see this by doing a
"netstat -an" from a MS-DOS prompt. Either way, do not
take any chances; if your system is missing the .ida
patch, install it and reboot.
Microsoft's bulletin on the ida vulnerability is here:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
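The two checks the backgrounder describes (oversized .ida requests in the Web server log, and outbound port-80 connections in "netstat -an") as an added detection example; this is not code from the post or from eEye. The IIS log lines and netstat output are constructed samples, and the query-length threshold is an assumption standing in for the overflow payload.

```python
import re
from collections import Counter

# Constructed IIS W3C extended log lines (not from the original post).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
IIS_LOG = """\
2001-07-19 14:58:01 10.1.2.3 GET /index.htm - 200
2001-07-19 14:58:07 192.0.2.44 GET /default.ida {pad} 200
2001-07-19 14:58:09 198.51.100.7 GET /default.ida {pad} 200
2001-07-19 14:58:12 192.0.2.44 GET /default.ida {pad} 200
2001-07-19 14:59:30 10.1.2.9 GET /images/logo.gif - 200
""".format(pad="N" * 230)  # constructed filler standing in for the overflow data

# Constructed `netstat -an` output from a Windows host (not from the original post).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.1.2.5:80            192.0.2.44:3211        ESTABLISHED
  TCP    10.1.2.5:1034          203.0.113.9:80         SYN_SENT
  TCP    10.1.2.5:1035          203.0.113.10:80        SYN_SENT
  TCP    10.1.2.5:1036          203.0.113.11:80        SYN_SENT
"""

# Match a GET for any .ida resource and capture the client IP and query string.
IDA_RE = re.compile(r"^\S+ \S+ (?P<ip>\S+) GET \S+\.ida (?P<query>\S+)")


def ida_probes(log, min_query_len=200):
    """Count, per client IP, requests to an .ida resource whose query string is
    long enough to be an overflow attempt rather than a normal request.
    The 200-byte threshold is an assumption for this example."""
    hits = Counter()
    for line in log.splitlines():
        m = IDA_RE.match(line)
        if m and len(m.group("query")) >= min_query_len:
            hits[m.group("ip")] += 1
    return hits


def outbound_port80(netstat):
    """Return the foreign hosts this machine is connecting (or trying to
    connect) to on port 80; an infected host shows many of these."""
    targets = []
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[2].endswith(":80"):
            targets.append(parts[2].rsplit(":", 1)[0])
    return targets
```

The number of keys in the Counter is the count of unique probing hosts the backgrounder refers to; a large outbound list on a server that should only accept connections is the netstat symptom it describes.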