Security Incidents mailing list archives

CodeRed II (fwd)


From: Ryan Russell <ryan () securityfocus com>
Date: Sat, 4 Aug 2001 23:56:20 -0600 (MDT)

Marc Maiffret and Ryan Permeh from eEye Digital Security are in the
process of preparing a disassembly, like they did with CRv1.  This should
be posted here to the incidents list tonight (Pacific Time.)

I wanted to provide some initial details while we're waiting for the
disassembly.  My initial analysis is based mostly on my inspection of the
strings in the binary, so I can't guarantee all details quite yet.
However, some of them are pretty self-evident, so I'm not too worried.

First off, this isn't a variant of Code Red per se.  It does use the exact
same exploit, using even the exact same URL, except it uses X's instead of
N's.  It also does not include the HOST:www.worm.com portion, and the
Content-length is smaller, since the worm is shorter.

IDSs will see the same attack signatures as with Code Red.  In addition,
some IDSs include a rule to react to any use of "cmd.exe" in a web request,
and we've seen a huge jump in ARIS for that activity, as well as an
overall increase in the original .ida overflow activity.  There are now
two worms contributing to the traffic at the same time, so it is overall
larger.  You can differentiate the two in web logs by the N's vs. X's.

The new worm contains the string "CodeRedII", so presumably its creator
drew inspiration from the original Code Red.  However, his intentions are
a bit more mischievous.  Other strings that leap out include:

CMD.EXE
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon   SFCDisable
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
/Scripts    /MSADC  /C  /D  c:\,,217    d:\,,217

It is apparent that a copy of cmd.exe is being made called root.exe.  It
appears that it is being placed in two spots on a d: drive, and that
virtual roots are being set to enable their use.  The SFCDisable key is
used to disable Windows File Protection, documentation here:
http://www.microsoft.com/hwdev/sfp/wfp.htm

The root.exe backdoor matches activities from the Chinese Hackers (or
"Honkers") during the week-long "Cyberwar", and later with the sadmind
worm.

Reference is made to:
d:\explorer.exe
EXPLORER.EXE

Possibly indicating either a copy of, or a trojan for, explorer.exe.

Other function calls referenced are as follows:

LoadLibraryA CreateThread GetTickCount Sleep GetSystemDefaultLangID
GetSystemDirectoryA CopyFileA GlobalFindAtomA GlobalAddAtomA CloseHandle
_lcreat _lwrite _lclose GetSystemTime WS2_32.DLL socket closesocket
ioctlsocket connect select send recv gethostname gethostbyname
WSAGetLastError USER32.DLL ExitWindowsEx KERNEL32.dll ADVAPI32.dll Sleep
GetWindowsDirectoryA WinExec RegQueryValueExA RegSetValueExA RegOpenKeyExA
RegCloseKey

Note that there are calls for time functions, sockets, and DNS.  The
socket calls are explained at a minimum by the spreading mechanism.
Recall that Code Red failed to have an impact on the www.whitehouse.gov
site because it used hardcoded addresses.  It is possible that this has
been switched to a DNS lookup, if this worm is from the original
Code Red authors.

There are calls for the NT atomic functions, which is probably a way for
the worm to ensure that only one copy runs on a given victim.

A note about the spreading mechanism: My home machine is in the
64.167.x.x Pacbell.net address space.  Almost every single attempt I've
had for this worm is from 64.x.x.x.  I'm pretty sure that this worm favors
neighboring networks.  I've had way too many attempts for this to be a
coincidence.

Like the previous Code Red, this worm appears to be designed to exist in
memory, though with all of the file functions, it is possible that it will
make it to disk at some point.  We won't know that for certain until the
disassembly is available.

Finally, there is no apparent HTML in this worm, which would represent a
defacement.

Side note:  a test attempt to access the root.exe file on a victim machine
resulted in the display of the Code Red defacement, rather than the
expected command results.  It appears that these two worms may be
interfering with each other.  Note that this just appears to prevent the
output from being retrieved; the command will still likely execute as
expected.

More info as we get it.

                                        Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
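The log-based telling-apart the post describes (N's for Code Red, X's for CodeRed II, plus any request for root.exe or cmd.exe) as a small classifier, added here as an example and not part of the original post. The log lines are constructed in IIS W3C style, not captured traffic; the /c/ path assumes the /C virtual root maps to c:\ as the strings suggest, and the 16-character padding threshold is an assumption.

```python
"""Sort IIS web-log lines into Code Red v1, CodeRed II and root.exe/cmd.exe
requests.  Added example; constructed log lines in W3C style
(date time c-ip method cs-uri-stem cs-uri-query sc-status)."""
import re
from collections import Counter

SAMPLE_LOG = """\
2001-08-04 23:50:01 64.167.1.2 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u9090 200
2001-08-04 23:50:07 64.12.9.8 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u9090 200
2001-08-04 23:50:09 64.40.2.3 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u9090 200
2001-08-04 23:51:13 64.33.4.4 GET /scripts/root.exe /c+dir 200
2001-08-04 23:51:20 10.0.0.7 GET /msadc/root.exe /c+dir 404
2001-08-04 23:52:02 10.0.0.9 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-04 23:53:44 192.0.2.5 GET /index.html - 200
"""

# A run of one padding character (N for Code Red, X for CodeRed II) opens the
# .ida overflow query; 16+ repeats is an assumed threshold, not a spec value.
PAD_RUN = re.compile(r"^([NX])\1{15,}")

def classify(uri_stem, uri_query):
    """Label one request using only the strings discussed in the post."""
    stem = uri_stem.lower()
    if stem.endswith(".ida"):
        m = PAD_RUN.match(uri_query)
        if m is None:
            return "ida-request"      # .ida hit without the worm padding
        return "code-red-v1" if m.group(1) == "N" else "code-red-ii"
    if "root.exe" in stem or "cmd.exe" in stem:
        return "backdoor-cmd"         # root.exe (copied cmd.exe) or cmd.exe itself
    return "other"

def summarize(log_text):
    """Count labels, and the /8 prefixes of worm sources (neighbour-net bias)."""
    labels, worm_src = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                  # skip blank or malformed lines
        client_ip, stem, query = fields[2], fields[4], fields[5]
        label = classify(stem, query)
        labels[label] += 1
        if label.startswith("code-red"):
            worm_src[client_ip.split(".")[0] + ".x.x.x"] += 1
    return labels, worm_src

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    print(dict(counts), dict(sources))
```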
