Re: code red - some questions

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Mon Jul 23 2001 - 07:16:14 PDT

    robintonat_private (Soeren Ziehe) wrote:
    
    > I've got a few questions concerning the "Code Red" worm.
    > 
    > "Code Red" exploits the IIS vulnerability referenced in
    > http://www.eeye.com/html/Research/Advisories/AD20010618.html
    > and CA-2001-13. OK. But how can one exactly determine, if a system has  
    > been compromised?
    
    Good question -- right now, "with difficulty" would be the answer.  
    An advanced process viewer may do it -- if you know what the typical 
    number of IIS child threads is, you may be able to spot it from this 
    number being elevated by 100 (or more -- multiple infestations are 
    reputedly possible)...  To date, I'd not thought to look into this.
    
    > In the full analysis (http://www.eeye.com/html/advisories/codered.zip)  
    > it is said that the worm sets up 100 threads. But in what context are  
    > they running?  ...
    
    In the same context as IIS or the index server/service.
    
    > ...  How, if, can they be seen in Task Manager or another  
    > tool? I would guess IIS.exe taking up more memory and processing power  
    > than normal may be an indication?
    
    Yes -- anything that can tell you how many threads or other resources 
    are allocated to what processes and a refined sense of what is 
    "normal".  Right now that may not help much (apart from the thread 
    count) as the threads should all be sleeping for 20-something days...
    
    > During the sleeping period indications like spreading attempts or attack
    > attempts on www1.whitehouse.gov cannot be observed to weed out infected  
    > systems.
    > So how to find dormant "code red" instances?
    
    Another good question -- I have no good answer though.
    
    > If I'm not mistaken a reboot would clear "code red".
    > So should anybody reboot and patch? What would be the generic "safe"  
    > answer to customers?
    
    I'd suggest patch then reboot would be the slightly more efficient 
    approach.    8-)
    
    If someone has not applied the patches from MS01-033, or is not sure, 
    they should apply the patch and reboot.  They should do this sooner, 
    rather than later as the longer they leave it the greater (by some 
    completely unknown amount) the threat of their machines being 
    hi-jacked by something else via the exact same exploit.  Just because 
    someone has been hit by Code Red does not make them magically immune 
    to the vulnerability...
    
    > BTW does anyone know a working security contact for Hotmail?
    > securityat_private came back as "account disabled". Other obvious  
    > addresses did not result in any reaction.
    
    Sorry (but I can't say I'm entirely surprised).
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
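
One way to make the thread-count heuristic discussed above repeatable, as an added example that is not part of the original post or of any named product: it compares a process snapshot against a clean baseline and estimates how many 100-thread blocks sit above it, since the thread notes that multiple infestations are reputedly possible. The snapshot line format, the process names (including inetinfo.exe standing in for the "IIS.exe" mentioned above), the baseline numbers and the 20-thread slack are all constructed assumptions.

```python
import re

# Constructed process-viewer snapshot (not real tool output); one process per line.
SNAPSHOT = """\
inetinfo.exe 1092 threads=245
lsass.exe 228 threads=19
svchost.exe 404 threads=33
"""

# Assumed baseline: thread counts measured on a known-clean server with the same workload.
BASELINE = {"inetinfo.exe": 42, "lsass.exe": 19, "svchost.exe": 30}

THREADS_PER_INSTANCE = 100   # the analysis quoted above: 100 threads per infestation
SLACK = 20                   # assumed normal jitter tolerated before flagging anything

LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+threads=(?P<threads>\d+)$")


def parse_snapshot(text):
    """Return {process name: thread count} from the constructed snapshot lines."""
    counts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[m.group("name")] = int(m.group("threads"))
    return counts


def estimate_infestations(baseline, observed,
                          per_instance=THREADS_PER_INSTANCE, slack=SLACK):
    """For each baselined process, report the thread excess and how many
    per_instance-sized blocks it most closely matches."""
    findings = {}
    for name, threads in observed.items():
        if name not in baseline:
            continue  # no reference point, so nothing to compare against
        delta = threads - baseline[name]
        if delta <= slack:
            continue  # within normal variation
        findings[name] = {"delta": delta,
                          "estimated_instances": round(delta / per_instance)}
    return findings


if __name__ == "__main__":
    for name, f in estimate_infestations(BASELINE, parse_snapshot(SNAPSHOT)).items():
        print(f"{name}: +{f['delta']} threads, ~{f['estimated_instances']} instance(s)")
```

As the reply above notes, the baseline matters more than the arithmetic: without a known-clean thread count for the same workload, an elevated number proves nothing.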
    