New CodeRed variant - CodeRed.d

From: David Kennedy CISSP (david.kennedyat_private)
Date: Tue Aug 21 2001 - 21:24:51 PDT


    Forwarded by request:
    
    >Date: Wed, 22 Aug 2001 00:26:23 -0400
    >To: tsmalcodeat_private
    >From: Roger Thompson <rogertat_private>
    >Subject: New CodeRed variant - CodeRed.d
    >Cc: david Kennedy CISSP <david.kennedyat_private>, Russ <Russ.Cooperat_private>
    >
    >Hi all,
    >
    >A couple of weeks ago, I became curious to find out exactly what was 
    >knocking on port 80 on my PCs. I figured it was probably a CodeRed, but 
    >which one? To answer that question, I wrote a program which I call 
    >WormCatcher to listen on port 80 and checksum whatever comes calling. 
    >Recognized checksums are logged and emailed to me every hour, and 
    >unrecognized checksums (i.e. possible variations) are emailed to me 
    >immediately. It's been live on just a few workstations for just a few days, 
    >but it has found several variants which looked like they'd been modified by 
    >some routers or repeaters along the way, which changed the code offsets 
    >and therefore rendered the worm sterile.
    >
    >This evening, WormCatcher found a new, although minor variant of CodeRed. 
    >Specifically, the string "CodeRedII" has been replaced by underscores, and 
    >the byte at offset 07C5 is changed from a 0 to an FF.
    >
    >Replacing "CodeRedII" with underscores appears to be an attempt to fool any 
    >IDS or AV lame enough to look for that string as a detection. Changing the 
    >byte at offset 07C5 appears not to change the code materially, but is 
    >probably intended to throw off any checksummers which checksummed the body 
    >of the virus, excluding the "CodeRedII" string.
    >
    >This is such a minor variation that I wouldn't have bothered mentioning it 
    >except that WormCatcher found it once from an IP in Korea, and secondly 
    >from a college here in the Eastern United States.
    >
    >What is noteworthy then is that it is probably a deliberate, if ill-thought-out, 
    >attempt to populate a new variation into the wild.
    >
    >Functionality has not been changed. The initial "GET " and many "X" strings 
    >are identical, so any IDSs looking for that will do fine. Patched servers 
    >are still not vulnerable. No one needs to do anything unless they are 
    >detecting by lame string or checksum.
    >
    >Roger
    >
    >
    >
    >Regards
    >
    >Roger Thompson
    >Technical Director of Malicious Code Research
    >TruSecure Corporation
    >
    >
    
    
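As an added illustration of the detection point made in the forwarded message (this is not code from the post, nor from WormCatcher), the Python below compares three ways of recognising a CodeRed-II-style request on a constructed sample: a literal "CodeRedII" string match, a whole-body checksum, and a structural signature on the "GET " line with its long run of "X" characters. The sample bytes, the `make_variant` helper and the byte it flips are constructed stand-ins, not the real worm body or its offset 07C5.

```python
import hashlib
import re

# Constructed sample (not real worm code): a "GET " request line followed by
# a long run of "X", then filler bytes containing the literal name string.
ORIGINAL = (b"GET /default.ida?" + b"X" * 224 + b" HTTP/1.0\r\n\r\n"
            + b"\x00" * 64 + b"CodeRedII" + b"\x00" * 64)


def make_variant(sample: bytes) -> bytes:
    """Mimic the CodeRed.d edits from the post: replace "CodeRedII" with
    underscores and flip one body byte from 0x00 to 0xFF. The flipped byte
    here is an arbitrary filler byte (assumption), not the real offset 07C5."""
    body = bytearray(sample.replace(b"CodeRedII", b"_" * len(b"CodeRedII")))
    body[-10] = 0xFF
    return bytes(body)


VARIANT = make_variant(ORIGINAL)

# Detection 1: literal name string ("lame string" in the post's words).
def by_name_string(sample: bytes) -> bool:
    return b"CodeRedII" in sample


# Detection 2: checksum of the whole request, compared against known hashes.
KNOWN_SUMS = {hashlib.sha256(ORIGINAL).hexdigest()}

def by_whole_checksum(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in KNOWN_SUMS


# Detection 3: structural signature on the request line, which the post notes
# is unchanged across variants: a GET with a query made of a long run of X's.
GET_X_RUN = re.compile(rb"^GET /[^ ]*\?X{100,}")

def by_structure(sample: bytes) -> bool:
    return GET_X_RUN.search(sample) is not None


def classify(sample: bytes) -> dict:
    """Return which of the three detections fire for a captured request."""
    return {"name": by_name_string(sample),
            "checksum": by_whole_checksum(sample),
            "structure": by_structure(sample)}
```

Running `classify` on `ORIGINAL` fires all three checks; on `VARIANT` only the structural check still fires, which is the post's point that string and checksum matching are evaded while a "GET " plus many "X" signature is not.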
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:31:28 PDT