Marc Maiffret and Ryan Permeh from eEye Digital Security are in the process of preparing a disassembly, like they did with CRv1. This should be posted here to the incidents list tonight (Pacific Time.) I wanted to provide some initial details while we're waiting for the disassembly. My initial analysis is based mostly on my inspection of the strings in the binary, so I can't guarantee all details quite yet. However, some of them are pretty self-evident, so I'm not too worried.

First off, this isn't a variant of Code Red per se. It does use the exact same exploit, using even the exact same URL, except it uses X's instead of N's. It also does not include the HOST:www.worm.com portion, and the Content-length is smaller, since the worm is shorter. IDS' will see the same attack signatures as with Code Red. In addition, some IDS' include a rule to react to any use of "cmd.exe" in a web request, and we've seen a huge jump in ARIS for that activity, as well as an overall increase in the original .ida overflow activity. There are now two worms contributing to the traffic at the same time, so it is overall larger. You can differentiate the two in web logs by the N's vs. X's.

The new worm contains the string "CodeRedII", so presumably its creator drew inspiration from the original Code Red. However, his intentions are a bit more mischievous. Other strings that leap out include:

CMD.EXE
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
/Scripts
/MSADC
/C
/D
c:\,,217
d:\,,217

It is apparent that a copy of cmd.exe is being made called root.exe. It appears that it is being placed in two spots on a d: drive, and that virtual roots are being set to enable their use.
The SFCDisable key is used to disable Windows File Protection, documentation here: http://www.microsoft.com/hwdev/sfp/wfp.htm

The root.exe backdoor matches activities from the Chinese Hackers (or "Honkers") during the week-long "Cyberwar", and later with the sadmind worm.

Reference is made to:

d:\explorer.exe
EXPLORER.EXE

Possibly indicating either a copy of, or a trojan for, explorer.exe.

Other function calls referenced are as follows:

LoadLibraryA
CreateThread
GetTickCount
Sleep
GetSystemDefaultLangID
GetSystemDirectoryA
CopyFileA
GlobalFindAtomA
GlobalAddAtomA
CloseHandle
_lcreat
_lwrite
_lclose
GetSystemTime
WS2_32.DLL
socket
closesocket
ioctlsocket
connect
select
send
recv
gethostname
gethostbyname
WSAGetLastError
USER32.DLL
ExitWindowsEx
KERNEL32.dll
ADVAPI32.dll
Sleep
GetWindowsDirectoryA
WinExec
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
RegCloseKey

Note that there are calls for time functions, sockets, and DNS. The socket calls are explained at a minimum by the spreading mechanism. Recall that Code Red failed to have an impact on the www.whitehouse.gov site because it used hardcoded addresses. It is possible that this has been switched to a DNS lookup, if this worm is from the original Code Red authors. There are calls for the NT atomic functions, which is probably a way for the worm to ensure that only one copy runs on a given victim.

A note about the spreading mechanism: My home machine is in the 64.167.x.x Pacbell.net address space. Almost every single attempt I've had for this worm is from 64.x.x.x. I'm pretty sure that this worm favors neighboring networks. I've had way too many attempts for this to be a coincidence.

Like the previous Code Red, this worm appears to be designed to exist in memory, though with all of the file functions, it is possible that it will make it to disk at some point. We won't know that for certain until the disassembly is available. Finally, there is no apparent HTML in this worm, which would represent a defacement.
Side note: a test attempt to access the root.exe file on a victim machine resulted in the display of the Code Red defacement, rather than the expected command results. It appears that these two worms may be interfering with each other. Note that this just appears to prevent the output from being retrieved; the command will still likely execute as expected.

More info as we get it.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
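As an added example (not part of Ryan's post), a small Python classifier that separates Code Red from CodeRedII requests in web logs by the run of N's vs. X's in the .ida request, flags root.exe/cmd.exe requests under the /Scripts and /MSADC roots, and checks the post's observation that CodeRedII probes come mostly from the victim's own /8. The log lines are constructed, and the `/default.ida` file name and the field layout are assumptions rather than details quoted in the post.

```python
import re
from collections import Counter

# Constructed IIS-style log lines: date time client-ip method uri query status.
# Only the post's distinguishing features are kept: a run of N's (Code Red) or
# X's (CodeRedII) in the .ida request, and root.exe / cmd.exe under /scripts
# or /msadc. The .ida file name is an assumption, not taken from the post.
SAMPLE_LOG = """\
2001-08-04 10:01:12 64.167.1.2 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX 200
2001-08-04 10:01:40 10.9.8.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 200
2001-08-04 10:01:55 203.0.113.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX 200
2001-08-04 10:02:05 64.167.1.2 GET /scripts/root.exe /c+dir 200
2001-08-04 10:02:09 203.0.113.9 GET /msadc/root.exe /c+dir 404
2001-08-04 10:02:30 203.0.113.9 GET /scripts/cmd.exe /c+dir 404
2001-08-04 10:03:00 192.0.2.8 GET /index.html - 200
"""

# A run of at least 20 identical N's or X's somewhere after the .ida request.
IDA_RUN = re.compile(r"\.ida[?\s].*?([NX])\1{19,}", re.IGNORECASE)
# cmd.exe, or its root.exe copy, requested through the worm's two virtual roots.
BACKDOOR = re.compile(r"/(?:scripts|msadc)/(?:root|cmd)\.exe", re.IGNORECASE)

def classify(line):
    """Label one log line, or return None if it matches neither signature."""
    m = IDA_RUN.search(line)
    if m:
        return "CodeRed" if m.group(1).upper() == "N" else "CodeRedII"
    if BACKDOOR.search(line):
        return "backdoor request"
    return None

def summarize(log_text):
    """Count hits per label and collect the source IP (third field) of each."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            counts[label] += 1
            sources.setdefault(label, []).append(line.split()[2])
    return counts, sources

def neighbour_share(log_text, victim_ip, label="CodeRedII"):
    """Fraction of `label` probes sent from the victim's own /8 (the post's
    64.x.x.x observation); None when the log holds no such probes."""
    srcs = summarize(log_text)[1].get(label, [])
    if not srcs:
        return None
    octet = victim_ip.split(".")[0]
    return sum(s.split(".")[0] == octet for s in srcs) / len(srcs)
```

Run `summarize(SAMPLE_LOG)` against a real IIS log to get the N-vs-X split the post describes, and `neighbour_share(log, your_server_ip)` to see how strongly the probes cluster in your own /8.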
This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 22:58:18 PDT