Re: Initial analysis of the .ida "Code Red" Worm

From: Matt Power (mhpowerat_private)
Date: Wed Jul 18 2001 - 11:23:15 PDT


    We've injected a copy of the Code Red worm onto one of our lab systems
    (Windows 2000 Server with SP1; IIS 5.0 with no content additions or
    configuration changes, e.g., the "The site you were trying to reach
    does not currently have a default page" home page; idq.dll from prior
    to the MS01-033/Q300972 patch). A few preliminary notes:
    
      -- Within about 10 seconds after the worm data was sent, the victim
         machine began generating port-80 SYN packets to many random IP
         addresses, as described in the other reports of this worm.
         However, there was no "Hacked By Chinese!" home page created on
         this machine. Also, in a similar attack on a Windows 2000 Server
         machine that had a brief c:\inetpub\wwwroot\default.htm file, the
         attack did not result in that home page being changed or
         replaced. I have also heard other reports of Code Red activity on
         machines that did not have a home-page defacement.
    
         This suggests that scanning your own networks for machines with
         a "Hacked By Chinese!" home page might not be an especially
         comprehensive way to identify machines compromised by Code Red.
    
      -- The victim machine sends the string "GET " to the attacking
         machine over the TCP connection that was used for the attack.
    
         It's possible that looking for short outgoing packets ending with
         the application data "GET ", with TCP source port 80, may be a
         useful way to detect break-ins in some environments.
    
      -- fport (http://www.foundstone.com/rdlabs/proddesc/fport.html)
         listed about 100 TCP ports for inetinfo.exe on the victim
         machine. This may be useful in a rough first pass at assessing
         whether a suspected machine was compromised by Code Red.
    
    Matt Power
    BindView Corporation, RAZOR Team
    mhpowerat_private
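
    The two network-side indicators in the message above (a short packet
    from TCP source port 80 whose data ends in "GET ", and a burst of
    port-80 SYNs to many distinct addresses), turned into detection logic
    run over constructed packet records. This is an added example, not
    code from the original message or from BindView/RAZOR. The packet
    record layout, the sample addresses and the thresholds (60-second
    window, 20 distinct targets, 8-byte maximum payload for the "GET "
    check) are this example's own assumptions, chosen to illustrate the
    heuristics rather than taken from the report.

```python
"""
Heuristic detection of the two host-side Code Red indicators described in
the post:
  1. a short packet with TCP source port 80 whose application data ends in
     b"GET " (the victim sending "GET " back over the attack connection), and
  2. a burst of outbound SYNs to TCP port 80 at many distinct destinations.

The packet records below are constructed for illustration; they are not
captures from the author's lab.  The record layout (ts, src, sport, dst,
dport, flags, payload) and the thresholds are assumptions of this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    ts: float        # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags, e.g. "S" (SYN) or "PA" (PSH+ACK)
    payload: bytes


# Constructed sample traffic (hypothetical addresses, not from the report).
# 10.0.0.5 plays the infected IIS host, 192.0.2.7 the attacking host.
SAMPLE: List[Packet] = [
    # The attacker's exploit request to the victim's web server
    Packet(0.00, "192.0.2.7", 4021, "10.0.0.5", 80, "PA",
           b"GET /default.ida?NNNN... HTTP/1.0\r\n\r\n"),
    # The victim answers on the same connection with a bare "GET " (indicator 1)
    Packet(0.30, "10.0.0.5", 80, "192.0.2.7", 4021, "PA", b"GET "),
    # A normal HTTP response from the same server; must not be flagged
    Packet(0.50, "10.0.0.5", 80, "198.51.100.9", 5123, "PA",
           b"HTTP/1.1 200 OK\r\n\r\n<html>"),
] + [
    # About 10 seconds later the victim starts SYN-scanning port 80 (indicator 2)
    Packet(10.0 + i * 0.01, "10.0.0.5", 1025 + i, f"203.0.113.{i}", 80, "S", b"")
    for i in range(1, 61)
] + [
    # A normal client opening a few port-80 connections; below the threshold
    Packet(12.0 + i, "10.0.0.9", 2000 + i, f"198.51.100.{i}", 80, "S", b"")
    for i in range(1, 4)
]


def find_get_echo(packets: Iterable[Packet],
                  max_len: int = 8) -> List[Tuple[float, str, str]]:
    """Indicator 1: short packets from TCP source port 80 whose data ends
    in b'GET '.  Returns (ts, src, dst) for each hit."""
    hits = []
    for p in packets:
        if (p.sport == 80 and 0 < len(p.payload) <= max_len
                and p.payload.endswith(b"GET ")):
            hits.append((p.ts, p.src, p.dst))
    return hits


def find_syn_scanners(packets: Iterable[Packet], window: float = 60.0,
                      min_targets: int = 20) -> Dict[str, int]:
    """Indicator 2: sources that send SYNs to port 80 at >= min_targets
    distinct hosts within any `window` seconds.
    Returns {src: most distinct destinations seen in one window}."""
    syns: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for p in packets:
        if p.dport == 80 and p.flags == "S":
            syns[p.src].append((p.ts, p.dst))
    result: Dict[str, int] = {}
    for src, events in syns.items():
        events.sort()  # by timestamp, so each window is a contiguous slice
        best = 0
        for i, (t0, _) in enumerate(events):
            targets: Set[str] = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            result[src] = best
    return result


def suspected_hosts(packets: List[Packet]) -> Dict[str, List[str]]:
    """Combine both indicators into {host: [reasons]}."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    for ts, src, dst in find_get_echo(packets):
        reasons[src].append(f"sent 'GET ' from port 80 to {dst} at t={ts:.2f}s")
    for src, n in find_syn_scanners(packets).items():
        reasons[src].append(f"SYNs to port 80 at {n} distinct hosts within 60s")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in suspected_hosts(SAMPLE).items():
        print(host)
        for r in why:
            print("  -", r)
```

    The "GET " check is kept narrow on purpose (source port 80, payload of
    at most a few bytes, ending in the literal "GET "), so that ordinary
    HTTP responses from the same server are not matched; the SYN fan-out
    check is independent of payload, so it still fires on an infected
    host whose "GET " packet was not captured.  Both thresholds are
    environment-dependent and should be tuned against known-good traffic
    before being trusted.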
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    