FC: More on voracious, nasty new "Code Red"-esque worm

From: Declan McCullagh (declanat_private)
Date: Tue Sep 18 2001 - 13:21:01 PDT


    We have an article by Michelle Delio here:
    http://www.wired.com/news/technology/0,1282,46944,00.html
    
    **********
    
    From: "Magdalena Donea" <maggyat_private>
    To: <declanat_private>
    Subject: RE: Voracious, nasty new "Code Red" worm may be spreading quickly
    Date: Tue, 18 Sep 2001 15:57:16 -0400
    In-Reply-To: <5.0.2.1.0.20010918114801.01ff1040at_private>
    
    Declan,
    
    The best description of Nimda I've seen so far is here:
    http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert
    
    Yes, only Windows systems are affected, but this time this includes Windows
    desktops, servers, etc., whether running IIS or not (unlike Code Red).
    Viewing a page from an infected IIS server may be enough to infect a desktop
    system, because of the applet the virus launches. The "swiss army knife"
    analogy in the article above is really good. Of course, regardless of O/S
    brand you use, the collateral damage is still high, in terms of the high
    level of traffic this thing is producing.
    
    Among all our client servers, the earliest instance of a hit came at 6:10am
    EDT today from Belgium:
    
    XXXX.uunet.be - - [18/Sep/2001:06:10:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\ HTTP/1.0" 404 2550 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
    
    ... thought I'd pass it on, hope it's useful.
    
    --Maggy
               _________________________
    
               KIA.NET Technical Support
               helpat_private
               _________________________
    
    
    **********
    
    To: declanat_private
    Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly
    From: pb@e-scribe.com (Paul Bissex)
    Date: Tue, 18 Sep 2001 16:19:18 -0400
    
    A few URLs on this worm ("Nimda"):
    
       http://www.newsbytes.com/news/01/170225.html
    
       http://www.sarc.com/avcenter/venc/data/w32.nimda.aat_private
    
       http://slashdot.org/articles/01/09/18/151203.shtml
    
    Newsbytes calls it "Code Rainbow," but I don't see anybody else using
    that name.
    
    Apparently the 16 holes it attempts to exploit are all well-known, and
    anybody with a properly patched IIS should be fine. (However, I Am Not
    A Security Expert.)
    
    best
    
    pb
    
    **********
    
    Date: Tue, 18 Sep 2001 15:54:10 -0400
    From: Ken Deutsch <deutschat_private>
    To: declanat_private
    Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly
    
    Declan McCullagh wrote:
    
    >[BTW I'm seeing similar attempts on Politech's website. Remember, folks, 
    >Code Red and its progeny only infect Windows systems. --Declan]
    
    
    Declan -
    
    While it only "infects" Windows systems, unlike Code Red this one is having 
    an impact on other systems. Rather than a couple of accesses to a site, 
    the speed of accesses to servers is much greater. We run web servers on Sun 
    with Apache and have had over 50 sites being attacked since 9:06 am with 
    tens of thousands of hits looking for files that only exist on unpatched NT 
    servers.  I concur with the message below that the accesses come at a 
    ferocious rate.
    
    
            - Ken
    
    **********
    
    From: "Glen L. Roberts" <glrat_private>
    To: <declanat_private>
    Subject: Re: Voracious, nasty new "Code Red" worm may be spreading quickly
    Date: Tue, 18 Sep 2001 15:55:21 -0400
    
    So far, I've seen 15,000+ hits in my Apache log files for accesses to .exe
    files (no normal traffic would request a .exe file)... that is definitely
    much heavier traffic than Code Red had.
    
    **********
    
    Date: Tue, 18 Sep 2001 20:53:12 +0100
    To: declanat_private
    From: John Sullivan <listsat_private>
    Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly
    
    At 04:48 PM 18/09/2001, you wrote:
    >[BTW I'm seeing similar attempts on Politech's website. Remember, folks, 
    >Code Red and its progeny only infect Windows systems. --Declan]
    
    >Here's a snippet from the Apache error log; this appears to constitute
    >the signature of this worm:
    >
    >A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir 
    >HTTP/1.0" 404 270
    
    >So far, all hits have come in groups of 16 and appear to be directed at
    >exploiting a vulnerability that's presumably found on Windows systems
    >running IIS.  They also *seem* to be largely localized, that is, the
    >IP addresses of the incoming probes are related to the IP addresses of
    >the systems being targeted.
    
    Declan,
    
    Looking at this log excerpt, what the new worm is attempting to do is 
    contact the backdoor left by CodeRed II. This, of course, doesn't imply 
    that the same author wrote both viruses - it was a fairly well publicised 
    backdoor after all - but it's interesting (from an academic point of view) 
    that this virus takes a leg-up from a previous infection.
    
    This does, of course, mean that this virus not only affects Windows 
    systems as you said, but also only affects Windows systems previously 
    infected by CodeRed II.
    
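The two probe lines quoted above (Maggy's `cmd.exe` request through a `%c1%1c` traversal path and Declan's `/scripts/root.exe` request, which John reads as a call to the Code Red II backdoor) are the signature Ken and Glen are counting in their Apache logs. What follows is an added example, not code from the thread or from any of its authors: a small Python script that parses the common and combined log formats shown in the messages, classifies each request by which of those two probe patterns it matches, and totals probes per source host so the worm noise can be separated from real traffic. The sample log lines are constructed from the ones quoted above; the host names and the extra lines are placeholders, and the `%c1%1c` encoding is the one in Maggy's line.

```python
"""Flag Nimda-style IIS probes in Apache access logs.

Added example for the Politech thread above, not code from the thread.
It parses the common/combined log lines quoted in the messages, labels
each request as a root.exe probe (the file Code Red II leaves behind) or
a cmd.exe probe reached by directory traversal, and summarises hits per
source host.  Sample data below is constructed; hosts are placeholders.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Leading fields shared by the common and combined log formats.  The quoted
# request is taken as a whole because a probe may contain backslashes (the
# "c:\" in Maggy's line); trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Labels applied to the percent-decoded, lowercased, slash-normalised path.
PROBE_SIGNATURES = [
    # cmd.exe copied to /scripts and /MSADC as root.exe by Code Red II
    ("root.exe (Code Red II backdoor)", re.compile(r"/root\.exe$")),
    # cmd.exe reached by climbing out of the scripts tree
    ("cmd.exe via directory traversal", re.compile(r"/cmd\.exe$")),
]


def parse_line(line):
    """Return a dict with host, time, method, target and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    method = parts[0]
    # The protocol token is last; anything between it and the method is the
    # request target, even if the probe managed to smuggle a space into it.
    if len(parts) > 1 and parts[-1].startswith("HTTP/"):
        target = " ".join(parts[1:-1])
    else:
        target = " ".join(parts[1:])
    return {"host": m.group("host"), "time": m.group("time"),
            "method": method, "target": target, "status": int(m.group("status"))}


def classify(target):
    """Label a request target as a known probe, or return None for normal traffic."""
    path = target.split("?", 1)[0]
    # unquote() turns %c1%1c-style bytes into replacement characters rather
    # than raising, so the literal ".." and the file name are exposed either way.
    decoded = unquote(path).replace("\\", "/").lower()
    for label, rx in PROBE_SIGNATURES:
        if rx.search(decoded):
            return label
    if "/.." in decoded:
        return "directory traversal (other target)"
    return None


def summarise(lines):
    """Count probes per source host and how many lines were normal traffic."""
    per_host = defaultdict(Counter)
    normal = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line; skip it
        label = classify(rec["target"])
        if label is None:
            normal += 1
        else:
            per_host[rec["host"]][label] += 1
    return {"hosts": {h: dict(c) for h, c in per_host.items()}, "normal": normal}


# Constructed sample: the first two lines follow the ones quoted in the
# thread (placeholder hosts kept); the rest are illustrative.
SAMPLE_LOG = [
    'XXXX.uunet.be - - [18/Sep/2001:06:10:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0" 404 2550 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    'A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270',
    'A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 270',
    'reader.example.net - - [18/Sep/2001:11:31:00 -0400] "GET /index.html HTTP/1.0" 200 4821',
]

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for host, labels in result["hosts"].items():
        print(host, labels)
    print("normal requests:", result["normal"])
```

Run against a real access log with `summarise(open("access_log"))`; the per-host counters make the "groups of 16" Declan mentions visible as a burst of distinct probe labels from one source, and the `normal` counter shows how much of the log is left once the worm traffic is set aside.
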
    **********
    
    From: "Glen L. Roberts" <glrat_private>
    To: <declanat_private>
    References: <5.0.2.1.0.20010918114801.01ff1040at_private>
    Subject: Re: Voracious, nasty new "Code Red" worm may be spreading quickly
    Date: Tue, 18 Sep 2001 16:03:39 -0400
    MIME-Version: 1.0
    Content-Type: text/plain;
             charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    
    You don't suppose it's smart enough to follow a redirect, ie:
    in .htaccess
    
    redirect /scripts http://www.microsoft.com
    redirect /c http://www.microsoft.com
    redirect /d http://www.microsoft.com
    redirect /MSACD http://www.microsoft.com
    redirect /msacd http://www.microsoft.com
    
    **********
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    
    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 14:08:22 PDT