Bugtraq mailing list archives
"Code Red" worm - there MUST be at least two versions.
From: Chris Paget <mad.nutter () mindless com>
Date: Fri, 20 Jul 2001 17:30:16 +0100
I have two different webservers, each of which has been logging infrequent attempts from the Code Red worm to attack it (each box has so far received around 20 such attacks since 18/07/01). Both are immune to it (one has been patched, and the other has the .ida mapping removed). The two servers are using completely different addresses on completely different subnets.

Comparing the logfiles for each server, it is clear that no single IP address has attacked both servers. If the only "wild" version of Code Red effectively has a hard-coded sequence of addresses to attack (due to the fixed randomisation seed), one server must necessarily be attacked before the other. Therefore, it would follow that both logs should contain the same IP Addresses, with some time difference between them (unless one or other server has had downtime, which they have not). This is not the case.

The only conclusion is that there is another version of the "Code Red" worm in the wild, which has a correct randomisation routine (and possibly other differences).

The GET request logged by the second worm variant is as follows:

GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Firstly, can someone confirm whether this is the same as the GET request logged by the hard-coded worm?

Secondly, can someone capture a copy of this second variant and dis-assemble it? I intend to add egress filters to one of my servers and allow it to become infected; if anyone wants to volunteer to help me pick it apart afterwards it would be appreciated.
Chris

--
Chris Paget
mad.nutter () mindless com
In the battle of Linux Vs Microsoft, remember this: It's hard to not engage in holy wars when everybody knows everything.
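The log comparison the post reasons from, as an added example (not code from the post or its author): it picks out /default.ida requests of the shape quoted above from two servers' IIS logs, then reports the attacker-IP sets, their overlap, and for any shared IP the time offset between its first hit on each server. The IIS W3C field order and the sample log lines are constructed assumptions, not real data.

```python
import re
from datetime import datetime

# Request shape quoted in the post: /default.ida with a long 'N' pad followed by
# %uXXXX-encoded words. The minimum pad length is loose on purpose.
CODE_RED_QUERY = re.compile(r"^N{50,}(?:%u[0-9a-fA-F]{4})+")

def parse_hits(log_text):
    """(timestamp, client_ip) per Code Red-shaped request. Assumed (constructed)
    IIS W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query ..."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or line.startswith("#"):   # blanks, #Fields directives
            continue
        date, time, c_ip, method, stem, query = parts[:6]
        if method == "GET" and stem.lower() == "/default.ida" and CODE_RED_QUERY.match(query):
            hits.append((datetime.fromisoformat(f"{date} {time}"), c_ip))
    return hits

def first_seen(log_text):
    """Earliest hit time per attacking IP on one server."""
    seen = {}
    for ts, ip in parse_hits(log_text):
        if ip not in seen or ts < seen[ip]:
            seen[ip] = ts
    return seen

def compare_servers(log_a, log_b):
    """Attacker IP sets for both servers plus, for every IP seen on both, the
    offset in seconds (B minus A) between its first hit on each server. An empty
    overlap despite many hits on each side is the post's evidence for a second,
    differently seeded variant."""
    a, b = first_seen(log_a), first_seen(log_b)
    deltas = {ip: (b[ip] - a[ip]).total_seconds() for ip in set(a) & set(b)}
    return set(a), set(b), deltas

# Constructed sample logs (not real data); 192.0.2.20 appears on both servers.
PAD = "N" * 60 + "%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u00=a"
LOG_A = f"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:15:02 192.0.2.10 GET /default.ida {PAD} 200
2001-07-19 11:40:51 198.51.100.7 GET /index.html - 200
2001-07-19 12:03:17 192.0.2.20 GET /default.ida {PAD} 200
"""
LOG_B = f"""2001-07-19 12:33:17 192.0.2.20 GET /default.ida {PAD} 200
2001-07-20 08:12:44 203.0.113.5 GET /default.ida {PAD} 200
"""
```

Run `compare_servers(LOG_A, LOG_B)` on the constructed logs to see one shared source 30 minutes apart; on real logs with no overlap at all, the deltas dict comes back empty.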