RE: "Code Red" worm questions

From: Marc Maiffret (marcat_private)
Date: Wed Jul 18 2001 - 13:30:41 PDT

    We know the worm can "deface" the website of servers it infects. We are
    still looking into the exact thing that makes it do so. It will be in our
    full analysis.
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    
    |-----Original Message-----
    |From: Johannes B. Ullrich [mailto:jullrichat_private]
    |Sent: Wednesday, July 18, 2001 12:11 PM
    |To: Marc Maiffret
    |Cc: w1re p4ir; incidentsat_private
    |Subject: RE: "Code Red" worm questions
    |
    |
    |
    |I just checked a number of the potential 'Red Alert' victims I got at
    |DShield.org. None of them appear to be defaced. Are there multiple
    |variations? Is there a special url that's used for the defaced page?
    |
    |
    |On Wed, 18 Jul 2001, Marc Maiffret wrote:
    |
    |> It has a jump location that works on all win2k sp versions (have only
    |> tested English, but from other research we think the worm only tries to
    |> attack English anyways). NT4 it just looks to crash it but we are not
    |> done with testing yet.
    |>
    |> It works very well and uses a lot of the new overflow techniques which
    |> allow it to execute code more often than crashing IIS web servers.
    |>
    |> Signed,
    |> Marc Maiffret
    |> Chief Hacking Officer
    |> eEye Digital Security
    |> T.949.349.9062
    |> F.949.349.9538
    |> http://eEye.com/Retina - Network Security Scanner
    |> http://eEye.com/Iris - Network Traffic Analyzer
    |> http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    |>
    |> |-----Original Message-----
    |> |From: w1re p4ir [mailto:w1rep4irat_private]
    |> |Sent: Wednesday, July 18, 2001 8:44 AM
    |> |To: incidentsat_private
    |> |Subject: "Code Red" worm questions
    |> |
    |> |
    |> |I've read practically everything about this worm that has been
    |> |released. But there are a few questions that I have. First off, I
    |> |know the first exploit was written by hsj and it used the offsets
    |> |for the Japanese version of IIS. Now in this new worm, has the
    |> |code been modified with US (or other) offsets to attack English
    |> |versions? I have already had a call regarding a possible "break-in
    |> |attempt" with very little other information. I would like to be
    |> |able to tell them whether they are vulnerable to this worm or not.
    |> |Thank you,
    |> |w1re
    |> |
    |> |____________________________________________________
    |> |FREE Disinformation E-book - http://www.disinfo.com
    |> |
    |> |
    |> |-------------------------------------------------------------------
    |> |---------
    |> |
    |> |
    |> |This list is provided by the SecurityFocus ARIS analyzer service.
    |> |For more information on this free incident handling, management
    |> |and tracking system please see:
    |> |
    |> |http://aris.securityfocus.com
    |> |
    |> |
    |
    |--
    |-------
    |jullrichat_private                    Join http://www.DShield.org
    |                                     Distributed Intrusion Detection System



    This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 20:45:36 PDT