"Code Red" worm - there MUST be at least two versions.

From: Chris Paget (mad.nutterat_private)
Date: Fri Jul 20 2001 - 09:30:16 PDT


    I have two different webservers, each of which has been logging
    infrequent attempts from the Code Red worm to attack it (each box has
    so far received around 20 such attacks since 18/07/01).  Both are
    immune to it (one has been patched, and the other has the .ida mapping
    removed).  The two servers are using completely different addresses on
    completely different subnets.
    
    Comparing the logfiles for each server, it is clear that no single IP
    address has attacked both servers.
    
    If the only "wild" version of Code Red effectively has a hard-coded
    sequence of addresses to attack (due to the fixed randomisation seed),
    one server must necessarily be attacked before the other.  Therefore,
    it would follow that both logs should contain the same IP addresses,
    with some time difference between them (unless one or other server has
    had downtime, which they have not).  This is not the case.
    
    The only conclusion is that there is another version of the "Code Red"
    worm in the wild, which has a correct randomisation routine (and
    possibly other differences).  
    
    The GET request logged by the second worm variant is as follows:
    
    GET /default.ida
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    
    Firstly, can someone confirm whether this is the same as the GET
    request logged by the hard-coded worm?
    
    Secondly, can someone capture a copy of this second variant and
    disassemble it?
    
    I intend to add egress filters to one of my servers and allow it to
    become infected; if anyone wants to volunteer to help me pick it apart
    afterwards it would be appreciated.
    
    Chris
    
    -- 
    Chris Paget
    mad.nutterat_private
    In the battle of Linux Vs Microsoft, remember this:
    It's hard to not engage in holy wars when everybody knows everything.
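
The argument above (a fixed PRNG seed means every infected host walks the same target list, so two observation points should log the same attackers in the same relative order) can be checked with a toy simulation. This is an added example, not code from the original post or from the worm; the address-space size, seed constant, host population and scan budgets are all constructed, and `host_id` stands in for whatever per-host entropy a correctly seeded variant would use.

```python
"""Toy model of the post's reasoning about a fixed randomisation seed.

Added example, not part of the original post.  All numbers (address space
size, seed constant, host counts, scan budgets) are constructed.
"""
import random

ADDRESS_SPACE = 4096      # constructed toy "Internet": addresses 0..4095
FIXED_SEED = 0xC0DE       # assumption: the hard-coded variant's constant seed
MAX_SCANS = 40000         # scan budget of the longest-lived hosts (constructed)
SERVER_A, SERVER_B = 17, 2900   # constructed: the two servers whose logs we compare


def target_sequence(host_id, scans, fixed_seed):
    """Addresses one infected host probes, in order.

    fixed_seed=True  -> every host seeds the PRNG with the same constant,
                        so all hosts produce prefixes of one shared list.
    fixed_seed=False -> each host seeds from something host-specific
                        (host_id here stands in for clock/tick-count entropy).
    """
    seed = FIXED_SEED if fixed_seed else host_id * 7919 + 1   # 7919: arbitrary prime
    rng = random.Random(seed)
    return [rng.randrange(ADDRESS_SPACE) for _ in range(scans)]


def first_hit(sequence, server):
    """Index of the first probe against `server`, or None if never probed."""
    try:
        return sequence.index(server)
    except ValueError:
        return None


def simulate(hosts, servers, fixed_seed):
    """hosts: list of (host_id, scan_budget); servers: addresses we keep logs on.

    Returns {server: {host_id: probe_index}}, i.e. each server's "logfile":
    which hosts attacked it and how far into their scan they did so.
    """
    logs = {s: {} for s in servers}
    for host_id, scans in hosts:
        seq = target_sequence(host_id, scans, fixed_seed)
        for s in servers:
            idx = first_hit(seq, s)
            if idx is not None:
                logs[s][host_id] = idx
    return logs


def consistent_with_hardcoded_list(logs, server_a, server_b):
    """The post's test, made explicit.

    With one shared list, server A sits at one fixed position in it and
    server B at another, so:
      (1) whichever server is reached later is only ever hit by hosts that
          also hit the earlier one (the attacker sets are nested), and
      (2) every host hits a given server at the same offset into its scan.
    A variant with per-host seeding breaks (2) immediately and (1) almost always.
    """
    a, b = set(logs[server_a]), set(logs[server_b])
    nested = a <= b or b <= a
    same_offset = all(len(set(hits.values())) <= 1 for hits in logs.values())
    return nested and same_offset


def constructed_hosts(n=40):
    """Constructed population: scan budgets vary so that some hosts are
    cleaned up early and never reach the later part of the list."""
    budgets = [100, 500, 2000, MAX_SCANS]
    return [(i, budgets[i % len(budgets)]) for i in range(n)]


if __name__ == "__main__":
    hosts = constructed_hosts()
    for fixed in (True, False):
        logs = simulate(hosts, (SERVER_A, SERVER_B), fixed_seed=fixed)
        shared = set(logs[SERVER_A]) & set(logs[SERVER_B])
        print("fixed seed" if fixed else "per-host seed",
              "| attackers of A:", len(logs[SERVER_A]),
              "| attackers of B:", len(logs[SERVER_B]),
              "| seen by both:", len(shared),
              "| looks hard-coded:", consistent_with_hardcoded_list(logs, SERVER_A, SERVER_B))
```

The same comparison can be run on real logs by replacing `simulate` with a parser that collects the source IP of every `GET /default.ida` request per server: the hard-coded-list hypothesis predicts that one server's attacker set is a subset of the other's, which is exactly what the post reports not seeing.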
    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 11:05:43 PDT