Bugtraq mailing list archives

"Code Red" worm - there MUST be at least two versions.


From: Chris Paget <mad.nutter () mindless com>
Date: Fri, 20 Jul 2001 17:30:16 +0100


I have two different webservers, each of which has been logging
infrequent attempts from the Code Red worm to attack it (each box has
so far received around 20 such attacks since 18/07/01).  Both are
immune to it (one has been patched, and the other has the .ida mapping
removed).  The two servers are using completely different addresses on
completely different subnets.

Comparing the logfiles for each server, it is clear that no single IP
address has attacked both servers.

If the only "wild" version of Code Red effectively has a hard-coded
sequence of addresses to attack (due to the fixed randomisation seed),
one server must necessarily be attacked before the other.  Therefore,
it would follow that both logs should contain the same IP addresses,
with some time difference between them (unless one or other server has
had downtime, which they have not).  This is not the case.

The only conclusion is that there is another version of the "Code Red"
worm in the wild, which has a correct randomisation routine (and
possibly other differences).  

The GET request logged by the second worm variant is as follows:

GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Firstly, can someone confirm whether this is the same as the GET
request logged by the hard-coded worm?

Secondly, can someone capture a copy of this second variant and
disassemble it?

I intend to add egress filters to one of my servers and allow it to
become infected; if anyone wants to volunteer to help me pick it apart
afterwards it would be appreciated.

Chris

-- 
Chris Paget
mad.nutter () mindless com
In the battle of Linux Vs Microsoft, remember this:
It's hard to not engage in holy wars when everybody knows everything.
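As an added example (not part of Chris's post), the log check his argument rests on: flag requests matching the probe signature quoted above and report any source IP that shows up in more than one server's log. The log lines, addresses, timestamps and the length of the 'N' run are constructed sample values, and the 100-'N' threshold in the regex is an assumption.

```python
import re
from typing import Dict, List, Set

# Probe shape quoted in the post: GET /default.ida padded with a long run of
# 'N', then %uXXXX-escaped bytes.  Requiring at least 100 'N's (assumption)
# keeps ordinary requests for /default.ida from matching.
CODE_RED_RE = re.compile(r'^GET /default\.ida\??N{100,}(?:%u[0-9a-fA-F]{4})+')

# Common Log Format: ip ident user [timestamp] "request" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def code_red_sources(log_lines: List[str]) -> Set[str]:
    """Return the set of client IPs whose request field matches the probe."""
    hits: Set[str] = set()
    for line in log_lines:
        m = CLF_RE.match(line)
        if m and CODE_RED_RE.match(m.group(3)):
            hits.add(m.group(1))
    return hits


def overlapping_sources(server_logs: Dict[str, List[str]]) -> Set[str]:
    """IPs that probed more than one server.  With a fixed random seed every
    infected host walks the same address list, so hosts reaching both servers
    should appear in both logs; no overlap points to independent seeds."""
    seen: Dict[str, Set[str]] = {}
    for name, lines in server_logs.items():
        for ip in code_red_sources(lines):
            seen.setdefault(ip, set()).add(name)
    return {ip for ip, servers in seen.items() if len(servers) > 1}


# Tail of the request quoted in the post; the 224-'N' run is a constructed value.
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"


def probe_line(ip: str, ts: str) -> str:
    """Constructed CLF line shaped like the logged probe."""
    return f'{ip} - - [{ts}] "GET /default.ida?{"N" * 224}{PAYLOAD} HTTP/1.0" 404 -'


SERVER_A = [  # constructed sample log, server A
    probe_line("198.51.100.7", "20/Jul/2001:09:12:01 +0100"),
    '203.0.113.9 - - [20/Jul/2001:09:13:44 +0100] "GET /index.html HTTP/1.0" 200 1543',
    probe_line("198.51.100.22", "20/Jul/2001:11:02:17 +0100"),
]
SERVER_B = [  # constructed sample log, server B
    probe_line("192.0.2.40", "20/Jul/2001:10:05:33 +0100"),
    probe_line("198.51.100.22", "20/Jul/2001:12:41:09 +0100"),
]

if __name__ == "__main__":
    print("probed both:", overlapping_sources({"A": SERVER_A, "B": SERVER_B}))
```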