[ISN] Early Bird: A realtime Code Red attempt reporting utility.

From: InfoSec News (isnat_private)
Date: Thu Aug 09 2001 - 04:32:20 PDT

    [Pinched from another list...  :)   - WK]
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    TITLE	: EARLY BIRD -- A realtime Code Red attempt reporting utility
    AUTHOR	: Jay D. Dyson <jdysonat_private>
    VERSION	: 1.0 (Released 08/09/2001)
    REQUIRES: PERL v5.003 or higher, Net::Whois::Raw PERL module 
    	  (available at http://www.cpan.org/) and a one-line tweak to
    	  Apache's (v1.3.x) httpd.conf.
    RESOURCE: http://www.treachery.net/~jdyson/earlybird/
    ----------------------------------------------------------------------
    
    ---[ DESCRIPTION ]----------------------------------------------------
    
    After seeing close to one thousand Code Red exploit attempts on 
    several non-IIS systems I maintain (and after tiring of generating
    reports to send off to multiple ISPs regarding multiple breaches on
    their networks, only to see the scans continue unabated days later), I
    decided to automate the notification process on a transactional basis.
    This utility suite is the end product of that goal.
    
    ---[ RATIONALE ]------------------------------------------------------
    
    If there is one thing that Code Red has clearly demonstrated, it is
    that people who run vulnerable systems on the 'net either do not know
    or do not care that their recklessness impacts other people.  As a
    consequence, I have come to the conclusion that most people just won't
    take care of a problem until it becomes *their* problem.  This
    transaction-oriented notification system is not designed to be a
    problem, but it *is* designed to make the responsible party *aware*
    of the problem and its impact.
    
    This utility has a larger goal in that immediate reporting will also
    help circumvent the potential for abuse of already-compromised 
    systems.  Let's face it, when a Code Red v2 system scans your box,
    that's little more than a great flashing light stating that the box
    in question is ripe for takeover by any interested hostile party.
    These realtime notices -- at the very least -- may help curtail the
    further abuse of non-compromised systems by the already-affected
    systems.
    
    Some might argue that this is the wrong way to go about fighting
    the Code Red worm.  That's their opinion and they are certainly
    entitled to it.  Just don't expect me to share that point of view.
    Until a means can be determined to shut the worm down permanently
    without engaging in potentially illegal acts of unauthorized intrusion
    on already-compromised systems, I'll consider this approach optimal.
    
    ---[ DETAILS ]--------------------------------------------------------
    
    Before going much further, I'll state for the record that this utility
    is not the most elegant work of code.  Then again, neither is the worm
    it was created to combat.
    
    This utility is designed around the notion of setting up a decoy
    'default.ida' executable on a UNIX system.  When the worm hits this
    decoy script, a quick note is made as to the version of the worm (v1 
    or v2), and a lookup is performed via ARIN on the connecting IP
    address to determine the parent netblock owner.  An e-mail is then 
    composed with those details and sent off to said contact.
    
    The text of the message sent out with each exploit attempt is thus:
    
    -----
    
    You are receiving this notice since your domain is listed as the
    primary contact in the American Registry of Internet Numbers (ARIN).
    
    The following Code Red intrusion attempt was made against our system.
    
    	ADDRESS: (IP address of offending system)
    	ATTEMPT: (Full URI requested)
    
    Please advise your user that their system has been compromised and is
    being actively utilized as an attack launchpoint against other
    systems.
    
    Thank you for your prompt attention to this matter.
    
    -----
    
    With this information alone, the recipient admin will be able to not
    only identify the offending system on their network, but will have 
    sufficient evidence in the quoted URI that an exploit attempt was
    indeed made.  In a perfect world, this information should expedite 
    action...but I'm not holding my breath.  If the recipient wants to
    continue receiving an avalanche of such notices because they either
    can't or won't fix the problem, that's no skin off my nose.
    
    Just for grins, this utility also generates a brief HTML reply to the
    worm's intrusion attempt.  There isn't much data generated since the
    worm *is* an automated intrusion agent and -- no matter how much
    artificial intelligence is crammed into the beast -- it isn't likely
    to appreciate my wry sense of humor.  ;)
    
    -----[ ACQUISITION, INSTALLATION & CONFIGURATION ]--------------------
    
    You can download the source tarball for this utility at:
    
    	http://www.treachery.net/~jdyson/earlybird/
    
    Setting up this utility is fairly trivial.  The critical files are
    as follows:
    
    	FILENAME	FUNCTION
    	-----------	----------------------------------------------
    	default.ida	Acts as bait for the worm.
    	arin		Two-line external script (used to overcome a
    			minor shortcoming in the Net::Whois::Raw PERL
    			module)
    
    Installation of this worm bait will also require a one-line tweak to
    your Apache httpd.conf.  If you're unwilling or uncomfortable in doing
    such, you may as well stop reading now.
    
    Still with me?  Cool.  Here's what you'll need to do:
    
    1.	Open 'httpd.conf' with your favorite editor.  (I prefer vi.)
    
    	Search for	: AddHandler cgi-script .cgi
    	Add		: AddHandler cgi-script .ida
    
    	Save the changes and restart Apache.
    
    2.	Copy 'default.ida' and 'arin' to your primary/default web
    	document root directory.  You need not copy it to every vhost
    	directory on your system since the Code Red worm only goes by
    	IP addresses rather than domain names.
    
    3.	Open up 'default.ida' with your preferred editor.  (Again, vi
    	is preferred.)  You'll want to check (and possibly change) the
    	following variables:
    
    	$sendmail			# Sendmail location
    	$username			# Your contact address
    	$domain				# Your full domain name
    	exec'/PATH/TO/arin',$s;		# Change /PATH to suit yours
    
    4.	Once all the variable values are appropriately set, you will
    	need to set the execute bits on both 'default.ida' and 'arin'.
    
    	chmod 0555 default.ida
    	chmod 0555 arin
    
    That's it.  Your worm bait is now in place and ready to badger the
    offending network admins into cleaning house.  To test that the script
    is functioning properly, simply open your favorite web browser and
    plug in the URL in the form of:
    
    	http://www.your-domain.tld/default.ida
    
    The script will reply with its standard HTML response, but will *NOT*
    send out a notice e-mail since the requesting URI does not contain the
    worm's typical exploit strings.
    
    -----[ CAVEATS & DISCLAIMER ]-----------------------------------------
    
    This code and related documentation is released under the terms of the
    GNU Public License.  See http://www.gnu.org/copyleft/gpl.html for
    details.
    
    By use of this code, you agree to hold me harmless from any and all 
    consequences that arise from use or misuse thereof.
    
    As with all files I release, everything is PGP-signed.  If your copy
    of this file is *not* PGP-signed, nuke it and grab a copy of this
    utility at: http://www.treachery.net/~jdyson/earlybird/.
    
    My PGP keys are at: http://www.treachery.net/~jdyson/jdd_keys.html
    
    -----[ IN CLOSING ]---------------------------------------------------
    
    Thanks for your interest in combatting Code Red.  CR wasn't the first
    worm we've encountered, and I'm sure it won't be the last.  Let's just
    hope that everyone else is ready for what's next.
    
    					-- Jay D. Dyson
    					   08/09/2001
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iQCVAwUBO3JKCLlDRyqRQ2a9AQHIDgP/aVX+kZctzhfjGwVXYGnrZ7N43XzWGWrD
    riH02NyT0YpVi9LdTk8rmQ3MIH9ch0lkt33pS8DHenZDbUtrqoSTdBkg6Q1vEFFy
    Hjw/0fS6HU7AKDtQblrjvx8R6Ed6svv4Wh+MF/H4ibcuFeCYQw2ekc8K4lZ09XXD
    YSkQBFDb2B8=
    =040v
    -----END PGP SIGNATURE-----
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
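The message above describes the decoy's logic in prose only: a request for the bait script is classified as a worm hit or not by its URI, and a notice quoting the offending address and URI is built for the netblock owner. The following is an added example that reconstructs that detection and notice-building logic in Python; it is not Jay Dyson's Early Bird code (which is Perl) and it performs no ARIN lookup or mail delivery. It assumes that the page's "v1" and "v2" correspond to the two worm families distinguishable by their padding byte, 'N' for the original Code Red and 'X' for Code Red II. The log lines, IP addresses and the truncated shellcode string are constructed for the example.

```python
"""Classify Code Red probes and compose owner notices (constructed example).

Not Early Bird's code.  No whois lookup or mail is performed; the caller is
expected to obtain the contact address and send the text returned by
compose_notice() (the page uses Net::Whois::Raw and sendmail for that)."""
import re
from typing import List, Optional, Tuple

# Code Red padded its overflow with 'N' bytes; Code Red II used 'X' bytes.
# Both follow the padding with %u-encoded shellcode words.  Assumption: the
# page's "v1" and "v2" map onto these two families.
_WORM_URI = re.compile(
    r"^/default\.ida\?(?P<pad>N{20,}|X{20,})(?P<payload>(?:%u[0-9a-fA-F]{4})+)"
)

# Apache common/combined log format: client IP first, request line in quotes.
_LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)"')

# Constructed, truncated shellcode prefix in the %uXXXX form both worms use.
_SHELLCODE = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"


def classify(request_line: str) -> Optional[str]:
    """Return 'v1' (N padding), 'v2' (X padding) or None.

    A plain GET /default.ida -- the browser self-test the page describes --
    carries no padding or payload and therefore yields None, so no notice
    would be generated for it."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    m = _WORM_URI.match(parts[1])
    if not m:
        return None
    return "v1" if m.group("pad")[0] == "N" else "v2"


def compose_notice(ip: str, variant: str, uri: str, registry: str = "ARIN") -> str:
    """Build the notice text following the template quoted in the message."""
    return (
        "You are receiving this notice since your domain is listed as the\n"
        f"primary contact in {registry} for the address below.\n\n"
        f"The following Code Red ({variant}) intrusion attempt was made against our system.\n\n"
        f"\tADDRESS: {ip}\n"
        f"\tATTEMPT: {uri}\n\n"
        "Please advise your user that their system has been compromised and is\n"
        "being actively utilized as an attack launchpoint against other\n"
        "systems.\n"
    )


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, variant, uri) for every worm probe in Apache log lines.

    Lines that do not parse, benign hits on the bait URL and ordinary
    requests are skipped."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        variant = classify(m.group("request"))
        if variant:
            hits.append((m.group("ip"), variant, m.group("request").split()[1]))
    return hits


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Aug/2001:04:32:20 -0700] "GET /default.ida?'
    + "N" * 224 + _SHELLCODE + ' HTTP/1.0" 200 321',            # Code Red
    '198.51.100.7 - - [09/Aug/2001:04:33:01 -0700] "GET /default.ida?'
    + "X" * 224 + _SHELLCODE + ' HTTP/1.0" 200 321',            # Code Red II
    '203.0.113.5 - - [09/Aug/2001:04:35:44 -0700] '
    '"GET /default.ida HTTP/1.0" 200 321',                       # self-test
    '203.0.113.5 - - [09/Aug/2001:04:36:02 -0700] '
    '"GET /index.html HTTP/1.1" 200 1024',                       # normal
]

if __name__ == "__main__":
    for ip, variant, uri in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {variant}")
        print(compose_notice(ip, variant, uri[:60] + "..."))
```

Running the block on the constructed log reports the two worm probes and prints a notice for each, while the self-test and the ordinary page request produce nothing, which is the behaviour the message describes for its browser check.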
    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 06:38:15 PDT