Forwarded by request:

>Date: Wed, 22 Aug 2001 00:26:23 -0400
>To: tsmalcodeat_private
>From: Roger Thompson <rogertat_private>
>Subject: New CodeRed variant - CodeRed.d
>Cc: david Kennedy CISSP <david.kennedyat_private>, Russ <Russ.Cooperat_private>
>
>Hi all,
>
>A couple of weeks ago, I became curious to find out exactly what was knocking on port 80 on my PCs. I figured it was probably a CodeRed, but which one? To answer that question, I wrote a program which I call WormCatcher to listen on port 80 and checksum whatever comes calling. Recognized checksums are logged and emailed to me every hour, and unrecognized checksums (i.e. possible variations) are emailed to me immediately. It's been live on just a few workstations for just a few days, but it has found several variants which looked like they'd been modified by some routers or repeaters along the way, which changed the code offsets and therefore rendered the worm sterile.
>
>This evening, WormCatcher found a new, although minor, variant of CodeRed. Specifically, the string "CodeRedII" has been replaced by underscores, and the byte at offset 07C5 is changed from a 0 to an FF.
>
>Replacing "CodeRedII" with underscores appears to be an attempt to fool any IDS or AV lame enough to look for that string as a detection. Changing the byte at offset 07C5 appears not to change the code materially, but is probably intended to throw off any checksummers which checksummed the body of the virus, excluding the "CodeRedII" string.
>
>This is such a minor variation that I wouldn't have bothered mentioning it except that WormCatcher found it once from an IP in Korea, and a second time from a college here in the Eastern United States.
>
>What is noteworthy, then, is that it is probably a deliberate, if ill-thought-out, attempt to populate a new variation into the wild.
>
>Functionality has not been changed. The initial "GET " and many "X" strings are identical, so any IDSs looking for that will do fine. Patched servers are still not vulnerable. No one needs to do anything unless they are detecting by lame string or checksum.
>
>Roger
>
>
>
>Regards
>
>Roger Thompson
>Technical Director of Malicious Code Research
>TruSecure Corporation
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
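The post describes three ways of recognising a worm hit on port 80: an exact checksum of the whole request (what WormCatcher does), a checksum that skips the "CodeRedII" string, and a plain string match, and it explains why the last two are the ones the underscore/0x07C5 edits defeat. The Python below is an added example illustrating that reasoning; it is not Roger Thompson's WormCatcher (his code is not on the page). The sample requests are constructed, not captured CodeRed traffic: a "GET " line followed by a long run of "X" characters and a filler body, with a "CodeRedII" marker and a byte at offset 0x07C5 placed where the post says they differ. The 0x200 marker offset, the 2048-byte request size, the 200-"X" run threshold used by the structural check, and the use of SHA-256 as the checksum are all assumptions of this example.

```python
"""WormCatcher-style classifier: hash each incoming HTTP request, log the
ones whose fingerprint is known, and flag unknown variants for a human.
Added example; not the original WormCatcher. All sample requests are
constructed here and are NOT real CodeRed bytes."""
import hashlib
import re
import socket

MARKER = b"CodeRedII"
MARKER_AT = 0x0200        # assumption: where the marker sits in the sample request
ODD_OFFSET = 0x07C5       # the offset the post says was flipped from 0x00 to 0xFF
REQ_LEN = 0x0800          # assumption: 2048-byte sample request
X_RUN = re.compile(rb"X{200,}")  # assumption: >= 200 consecutive 'X' is "many X's"


def build_sample(marker=MARKER, odd_byte=0x00):
    """Construct a CodeRed-shaped request: 'GET ', a long X run, filler body."""
    req = bytearray(b"GET /" + b"X" * 224 + b" HTTP/1.0\r\nHost: wormcatcher\r\n\r\n")
    req += b"\x90" * (REQ_LEN - len(req))          # filler body, not worm code
    req[MARKER_AT:MARKER_AT + len(marker)] = marker
    req[ODD_OFFSET] = odd_byte
    return bytes(req)


ORIGINAL = build_sample()                                       # "CodeRedII", 0x00 at 0x7C5
UNDERSCORE_ONLY = build_sample(marker=b"_" * len(MARKER))       # string swapped, byte untouched
VARIANT_D = build_sample(marker=b"_" * len(MARKER), odd_byte=0xFF)  # both edits from the post


def fingerprint(req):
    """Whole-request checksum: the key WormCatcher logs and compares."""
    return hashlib.sha256(req).hexdigest()


def string_detect(req):
    """The 'lame string' detection: look for the literal marker."""
    return MARKER in req


def marker_agnostic_checksum(req):
    """Checksum of the body with the marker slot cut out, i.e. the checksummers
    the post says the 0x07C5 flip was meant to throw off."""
    return hashlib.sha256(req[:MARKER_AT] + req[MARKER_AT + len(MARKER):]).hexdigest()


def structural_detect(req):
    """Key on the invariant shape the post says IDSs should use:
    a 'GET ' request line carrying a long run of 'X'."""
    return req.startswith(b"GET ") and X_RUN.search(req[:4096]) is not None


class WormCatcher:
    """Classify requests by exact fingerprint; unknown worm-shaped ones are
    the 'possible variations' that would be emailed immediately."""

    def __init__(self, known):
        self.known = dict(known)   # fingerprint hex -> worm name
        self.counts = {}           # name or fingerprint -> hits since last report

    def observe(self, req):
        digest = fingerprint(req)
        if digest in self.known:
            name = self.known[digest]
            self.counts[name] = self.counts.get(name, 0) + 1
            return ("recognized", name)          # logged, reported hourly
        if structural_detect(req):               # assumption: pre-filter by shape
            self.counts[digest] = self.counts.get(digest, 0) + 1
            return ("unknown-variant", digest)   # alert right away
        return ("not-a-worm", digest)


def serve(catcher, port=80, bind="0.0.0.0", limit=8192):
    """Listen like WormCatcher and classify the first `limit` bytes of each connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(5)
                chunks, total = [], 0
                try:
                    while total < limit:
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        chunks.append(chunk)
                        total += len(chunk)
                except socket.timeout:
                    pass
                print(peer[0], catcher.observe(b"".join(chunks)))


if __name__ == "__main__":
    catcher = WormCatcher({fingerprint(ORIGINAL): "CodeRedII"})
    for label, req in (("original", ORIGINAL), ("variant.d", VARIANT_D)):
        print(label, catcher.observe(req), "string:", string_detect(req),
              "structural:", structural_detect(req))
```

Run without arguments it only exercises the constructed samples; `serve(catcher)` needs a privileged port 80 bind (or pass `port=8080`). The point of the three checks is the one the post makes: the whole-request fingerprint and the marker-skipping checksum both fail on variant.d, the string match fails as soon as the marker becomes underscores, and only the structural "GET " plus X-run check keeps matching, which is why patched servers and signature-based IDSs keyed on the request shape need no change.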
This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:31:28 PDT