New CodeRed variant - CodeRed.d : x-posted intentionally.

From: Pete Sherwood (petersherwoodat_private)
Date: Wed Aug 22 2001 - 11:16:20 PDT

  • Next message: Mads Rasmussen: "Re: New CodeRed variant - CodeRed.d : x-posted intentionally."

    You may want to join AVIEN (Anti-Virus Information Exchange Network) 
    in order to have this type of EWS (Early Warning System) available for your Anti-Virus defenses.
    
    Excerpt:
    
    Hi all,
    
    A couple of weeks ago, I became curious to find out exactly what was 
    knocking on port 80 on my pcs. I figured it was probably a CodeRed, but 
    which one? To answer that question, I wrote a program which I call 
    WormCatcher to listen on port 80 and checksum whatever comes calling. 
    Recognized checksums are logged, and emailed to me every hour, and 
    unrecognized checksums (i.e. possible variations) are emailed to me 
    immediately. It's been live on just a few workstations for just a few days, 
    but it has found several variants which looked like they'd been modified by 
    some routers or repeaters along the way, which changed the code offsets, 
    and therefore rendered the worm sterile.
    
    This evening, WormCatcher found a new, although minor variant of CodeRed. 
    Specifically, the string "CodeRedII" has been replaced by underscores, and 
    the byte at offset 07C5 is changed from a 0 to an FF.
    
    Replacing "CodeRedII" with underscores appears to be an attempt to fool any 
    ids or av lame enough to look for that string as a detection. Changing the 
    byte at offset 07C5 appears to not change the code materially, but is 
    probably intended to throw off any checksummers which checksummed the body 
    of the virus, excluding the "CodeRedII" string.
    
    This is such a minor variation that I wouldn't have bothered mentioning it 
    except that WormCatcher found it once from an IP in Korea, and secondly 
    from a college here in the Eastern United States.
    
    What is noteworthy then is that it is probably a deliberate, if ill-thought 
    out attempt to populate a new variation into the wild.
    
    Functionality has not been changed. The initial "GET " and many "X" strings 
    are identical, so any IDSs looking for that will do fine. Patched servers 
    are still not vulnerable. No one needs to do anything unless they are 
    detecting by lame string or checksum.
    
    Regards
    
    Roger Thompson
    Technical Director of Malicious Code Research
    TruSecure Corporation
    
    -=-=-=-=
    
    Copied by:
    Pete Sherwood 613-260-0612 (home/office) : 613-591-8900 ext. 525 (voice-mail)
    PGP and Thawte digital keys available @ http://members.home.net/petersherwood/
    Founding member of http://AVIEN.org (Anti-Virus Information Exchange Network)
    Scan for malware: http://members.home.net/petersherwood/vulnerability_scanning.htm
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 11:25:27 PDT