Initial analysis of the .ida "Code Red" Worm

From: aleph1at_private
Date: Tue Jul 17 2001 - 11:43:12 PDT


    ----- Forwarded message from Marc Maiffret <marcat_private> -----
    
    From: "Marc Maiffret" <marcat_private>
    To: "BUGTRAQ" <BUGTRAQat_private>
    Subject: Initial analysis of the .ida "Code Red" Worm
    Date: Tue, 17 Jul 2001 11:20:49 -0700
    Message-ID: <EIEOJCKGEPCLJHGCNNOPIEHNDPAA.marcat_private>
    X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
    
    The following information was researched by Ryan Permeh (ryanat_private) and
    Marc Maiffret (marcat_private) of eEye Digital Security.
    We would like to specially thank Matthew Asham of Left Coast Systems Corp
    and Ken Eichman of Chemical Abstracts Service for providing us with logs and
    needed data to make this analysis possible.
    
    Introduction
    ------------
    
    On Friday July 13th we received packet logs and information from 2 network
    administrators that were experiencing large amounts of attacks targeting the
    recent .ida vulnerability that eEye Digital Security discovered
    (http://www.eeye.com/html/Research/Advisories/AD20010618.html) on June 18,
    2001.
    
    From the first analysis of the logs that were sent to us we were able to
    deduce that in fact it looked as if someone had released a worm for the .ida
    vulnerability. Within the logs we could see connection attempts from over 5
    thousand IIS 5 web servers targeting various other IIS web servers and
    sending a .ida exploit to each of them. Evidence also showed that
    compromised hosts were being used to attack other hosts.
    
    We've designated this the .ida "Code Red" worm, because part of the worm is
    designed to deface webpages with the text "Hacked by Chinese" and also
    because code red mountain dew was the only thing that kept us awake all last
    night to be able to disassemble this exploit.
    
    Details
    -------
    Note: Details are going to be short for now. We plan on releasing a full
    analysis of the worm but felt that it was important to get this message out
    ASAP as this worm is starting to affect a lot of people.
    
    The standard injection vector is an exploit that uses the .ida buffer
    overflow to execute code (as SYSTEM) on vulnerable remote systems.
    
    The worm performs the following on infected systems:
    * Spawns 100 threads which are used to scan for new IIS web servers to
    infect
    * Checks for the existence of c:\notworm and if it is found then it does not
    try to propagate itself to other hosts.
    * Defaces web pages with the message:
    <html><head><meta http-equiv="Content-Type" content="text/html;
    charset=English"><title>HELLO!</title></head><bady><hr size=5><font
    color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked
    By Chinese!</font></hr></bady></html>
    
    Analysis
    --------
    Note: Again this is a quick brief analysis, more detail will follow.
    
    Upon infection the infected host will spawn 100 threads in a loop. This loop
    checks for the existence of c:\notworm and if the file does not exist then
    the worm will proceed to start scanning for vulnerable servers to infect.
    
    The worm does scan for random IP addresses. However, the worm uses the same
    seed for "randomization" of IP addresses. This means that each new infected
    host will start at the same IP and continue scanning further down the same
    track of IP's as every other infected host. The ramifications of this are
    severe because this means that hosts early in this "randomized" IP sequence
    will be hit over and over as new hosts are infected. This creates the
    potential for a denial of service against early IP addresses in the
    sequence. Also, evidence has proved that hosts can be infected multiple
    times therefore creating a drain on system resources. However, normal worm
    operation seems to have a cut off point as to how many times a host will be
    re-infected. Early analysis seems to suggest that the worm has a limit of 3
    reinfections however that may have just been "by chance" in our test
    scenario.
    
    Other in-house tests of the infections have shown that internal thread rate
    limiting seems to be broken in certain situations, which means that some
    infected systems will continue to spawn new threads until system resources
    become so low that the entire web server computer crashes or becomes
    unusable.
    
    Summary
    -------
    We will be releasing a full detailed analysis, complete with disassembled
    worm code and comments within the code.
    
    We have had reports from a few network administrators that their IDS systems
    have seen this .ida attack originating from over 5 thousand unique source
    addresses within a 3 day time span.
    
    Hosts early in the IP sequence will be hit with a traffic based denial of
    service and those hosts vulnerable to this worm will most likely grind to a
    halt.
    
    How to secure your system from this .ida attack
    -----------------------------------------------
    Microsoft patch for this .ida vulnerability
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
    
    eEye Digital Security Advisory
    http://www.eeye.com/html/Research/Advisories/AD20010618.html
    
    The following is part of the packet data that is sent for this .ida "Code
    Red" worm attack:
    /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
    u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    HTTP/1.0
    
    You can set your IDS to monitor for this to be able to see if you're being hit
    with this worm or not. Also any IDS capable of detecting the .ida overflow
    should be able to detect this as an attack.
    
    Signed,
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    
    
    ----- End forwarded message -----
    
    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
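The fixed-seed scanning problem described in the forwarded analysis, as an added illustration that is not part of the original message or of eEye's work: a small Python model in which every infected host walks a target list drawn from a generator seeded the same way, compared with one seed per host. Python's random.Random is a stand-in for the worm's own generator, which the advisory does not describe; the seed values, host counts and scan counts are arbitrary assumptions.

```python
import random
import ipaddress
from collections import Counter


def target_sequence(seed: int, count: int) -> list:
    """Targets one infected host would probe, in order: `count` IPv4 addresses
    drawn from a generator seeded with `seed`. random.Random is only a stand-in
    for the worm's generator (assumption; the advisory gives no details)."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(count)]


def scan_load(seeds, scans_per_host: int) -> Counter:
    """Probes received per address when each host in `seeds` walks its own
    target sequence for `scans_per_host` steps."""
    load = Counter()
    for seed in seeds:
        load.update(target_sequence(seed, scans_per_host))
    return load


def compare(hosts: int, scans_per_host: int, shared_seed: int = 0x1234) -> dict:
    """Shared seed on every host (the behaviour the advisory describes) versus a
    distinct seed per host (stand-in for seeding from per-host entropy)."""
    shared = scan_load([shared_seed] * hosts, scans_per_host)
    distinct = scan_load(range(1, hosts + 1), scans_per_host)
    first_target = target_sequence(shared_seed, 1)[0]
    return {
        # every host produces the identical list, so only scans_per_host
        # distinct addresses are ever probed ...
        "shared_targets": len(shared),
        # ... and each of them is hit once per infected host
        "shared_max_hits": max(shared.values()),
        "shared_first_target": first_target,
        "shared_first_hits": shared[first_target],
        # with per-host seeds the same probe budget spreads over the address space
        "distinct_targets": len(distinct),
        "distinct_max_hits": max(distinct.values()),
    }


if __name__ == "__main__":
    for key, value in compare(hosts=5000, scans_per_host=100).items():
        print(f"{key}: {value}")
```

With the shared seed the first address in the sequence receives one probe from every infected host, which is the traffic-based denial of service the analysis warns about; with distinct seeds the same number of probes lands on nearly hosts times scans_per_host different addresses.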
    
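The IDS check suggested at the end of the forwarded message, as an added example that is not part of the original message or of eEye's tools: a Python inspector for HTTP request lines that flags the quoted .ida request. The marker string and the 224-character N padding are taken from the packet data quoted above; the sample request lines are constructed, not captured traffic, and the length and NOP-count thresholds are assumptions to be tuned.

```python
import re

# First %u run after the padding, copied from the packet data in the advisory.
# %u9090 is two 0x90 bytes (x86 NOP) once the 16-bit unit is laid out little-endian.
CODE_RED_MARKER = "%u9090%u6858%ucbd3%u7801"
PAD_THRESHOLD = 200   # assumption: a run this long in an .ida query is an overflow attempt
NOP_THRESHOLD = 4     # assumption: this many 0x90 bytes never occur in a legitimate .ida query

U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
HEX_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")


def query_to_code_units(query: str) -> list:
    """Model of how the query reaches a wide-character handler: each %uXXXX is
    one 16-bit code unit, each %XX one byte value, anything else its own code."""
    units, i = [], 0
    while i < len(query):
        m = U_ESCAPE.match(query, i)
        if m:
            units.append(int(m.group(1), 16))
            i = m.end()
            continue
        m = HEX_ESCAPE.match(query, i)
        if m:
            units.append(int(m.group(1), 16))
            i = m.end()
            continue
        units.append(ord(query[i]))
        i += 1
    return units


def longest_run(units) -> int:
    """Length of the longest run of one repeated code unit (the N padding)."""
    best = run = 0
    prev = None
    for u in units:
        run = run + 1 if u == prev else 1
        prev = u
        best = max(best, run)
    return best


def inspect_request(request_line: str) -> dict:
    """Classify one HTTP request line ("GET /path?query HTTP/1.0")."""
    parts = request_line.split()
    if len(parts) < 2:
        return {"verdict": "malformed", "path": "", "u_escapes": 0, "pad_run": 0, "nops": 0}
    path, _, query = parts[1].partition("?")
    units = query_to_code_units(query)
    # 16-bit units little-endian, as they would sit in a wide-character buffer
    as_bytes = b"".join(u.to_bytes(2, "little") for u in units)
    info = {
        "path": path,
        "u_escapes": len(U_ESCAPE.findall(query)),
        "pad_run": longest_run(units),
        "nops": as_bytes.count(0x90),
    }
    is_ida = path.lower().endswith(".ida")
    if is_ida and CODE_RED_MARKER in query:
        info["verdict"] = "code-red-ida-worm"          # the quoted worm request
    elif is_ida and (info["pad_run"] >= PAD_THRESHOLD or info["nops"] >= NOP_THRESHOLD):
        info["verdict"] = "ida-overflow-attempt"        # .ida overflow, other payload
    elif is_ida:
        info["verdict"] = "ida-request"                 # .ida hit, nothing oversized
    else:
        info["verdict"] = "other"
    return info


def scan_log(lines) -> list:
    return [inspect_request(line)["verdict"] for line in lines]


# Constructed sample request lines (not captured traffic). The first follows the
# packet data quoted in the advisory: 224 'N's, then the %u-encoded payload.
SAMPLE_REQUESTS = [
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0",
    "GET /default.ida?" + "A" * 300 + " HTTP/1.0",   # oversized .ida query, no worm marker
    "GET /default.ida?name=test HTTP/1.0",           # ordinary .ida query
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(inspect_request(line))
```

The marker match catches the worm exactly as quoted; the two generic checks (padding run, NOP bytes after %u decoding) also flag an .ida overflow with a different payload, which is what the message means by any IDS "capable of detecting the .ida overflow".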
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 12:37:05 PDT