----- Forwarded message from Marc Maiffret <marcat_private> ----- From: "Marc Maiffret" <marcat_private> To: "BUGTRAQ" <BUGTRAQat_private> Subject: Initial analysis of the .ida "Code Red" Worm Date: Tue, 17 Jul 2001 11:20:49 -0700 Message-ID: <EIEOJCKGEPCLJHGCNNOPIEHNDPAA.marcat_private> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) The following information was researched by Ryan Permeh (ryanat_private and Marc Maiffret (marcat_private of eEye Digital Security. We would like to specially thank Matthew Asham of Left Coast Systems Corp and Ken Eichman of Chemical Abstracts Service for providing us with logs and needed data to make this analysis possible. Introduction ------------ On Friday July 13th we received packet logs and information from 2 network administrators that were experiencing large amounts of attacks targeting the recent .ida vulnerability that eEye Digital Security discovered (http://www.eeye.com/html/Research/Advisories/AD20010618.html) on June 18, 2001. >From the first analysis of the logs that were sent to us we were able to deduce that in fact it looked as if someone had released a worm for the .ida vulnerability. Within the logs we could see connection attempts from over 5 thousand IIS 5 web servers targeting various other IIS web server and sending a .ida exploit to each of them. Evidence also showed that compromised hosts were being used to attack other hosts. We've designated this the .ida "Code Red" worm, because part of the worm is designed to deface webpages with the text "Hacked by Chinese" and also because code red mountain dew was the only thing that kept us awake all last night to be able to disassemble this exploit. Details ------- Note: Details are going to be short for now. We plan on releasing a full analysis of the worm but felt that it was important to get this message out ASAP as this worm is starting to affect a lot of people. The standard injection vector is a exploit that uses the .ida buffer overflow to execute code (as SYSTEM) on vulnerable remote systems. The worm performs the following on infected systems: * Spawns 100 threads which are used to scan for new IIS web servers to infect * Checks for the existence of c:\notworm and if it is found then it does not try to propagate itself to other hosts. * Defaces web pages with the message: <html><head><meta http-equiv="Content-Type" content="text/html; charset=English"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html> Analysis -------- Note: Again this is a quick brief analysis, more detail will follow. Upon infection the infected host will spawn 100 threads in a loop. This loop checks for the existence of c:\notworm and if the file does not exist then the worm will proceed to start scanning for vulnerable servers to infect. The worm does scan for random IP addresses. However, the worm uses the same seed for "randomization" of IP addresses. This means that each new infected host will start at the same IP and continue scanning further down the same track of IP's as every other infected host. The ramifications of this are severe because this means that hosts early in this "randomized" IP sequence will be hit over and over as new hosts are infected. This creates the potential for a denial of service against early IP addresses in the sequence. Also, evidence has proved that hosts can be infected multiple times therefore creating a drain on system resources. However, normal worm operation seems to have a cut off point as to how many times a host will be re-infected. Early analysis seems to suggest that the worm has a limit of 3 reinfections however that may have just been "by chance" in our test scenario. Other in house tests of the infections have shown that internal thread rate limiting seems to be broken in certain situations. Which means that some infected systems will continue to spawn new threads until system resources become so low that the entire web server computer crashes or becomes unusable. Summary ------- We will be releasing a full detailed analysis, complete with disassembled worm code and comments within the code. We have had reports from a few network administrators that their IDS systems have seen this .ida attack originating from over 5 thousand unique source addresses within a 3 day time span. Hosts early in the IP sequence will be hit with a traffic based denial of service and those hosts vulnerable to this worm will most likely grind to a halt. How to secure your system from this .ida attack ----------------------------------------------- Microsof patch for this .ida vulnerability http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-033.asp eEye Digital Security Advisory http://www.eeye.com/html/Research/Advisories/AD20010618.html The following is part of the packet data that is sent for this .ida "Code Red" worm attack: /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0 You can set your IDS to monitor for this to be able to see if your being hit with this worm or not. Also any IDS capable of detecting the .ida overflow should be able to detect this as an attack. Signed, eEye Digital Security T.949.349.9062 F.949.349.9538 http://eEye.com/Retina - Network Security Scanner http://eEye.com/Iris - Network Traffic Analyzer http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities ----- End forwarded message ----- -- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 12:37:05 PDT