Bugtraq mailing list archives

Re: "Code Red" worm - there MUST be at least two versions.


From: Ethan Butterfield <primus () veris org>
Date: Fri, 20 Jul 2001 11:24:23 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jul 20, 2001 at 05:30:16PM +0100, Chris Paget wrote:

> The only conclusion is that there is another version of the "Code Red"
> worm in the wild, which has a correct randomisation routine (and
> possibly other differences).  


As I posted yesterday, and followed up by more log parsing done this
morning, all the evidence I have points to this conclusion as well. Logs
at three sites show two different types of attacks:

1) A large netblock port scan, followed up by a targeted attack to open
HTTP ports along the scan.

2) Random attacks, by a single host against a single host, with no
follow-up or hint of an impending attack.

The attacks on my home netblock (a /28 on a DSL connection) were skewed
about 60/40 in favor of the scanning variant, and there were 65 total
attacks through the six-hour period between 1000 PDT and 1600 PDT (1800 -
0000 GMT). Attacks on my corporate and production networks (discontiguous
netblocks through a colo) were not only stacked about 90/10 in favor of
the random directed variant, but were also over 100x greater in frequency
during the same time period. Also, the frequency of the scanning variant
attacks dropped off during the time period, while the frequency of the
random directed version increased. I saw no scanning attacks after about
1445 PDT.

This suggests that the random directed variant is more virulent, and also
(unless I'm just lucky) has some sort of logic which puts a lesser weight
on known cable/DSL/dial-up netblocks, and a higher one on netblocks with
more legitimate targets.
 
> The GET request logged by the second worm variant is as follows:
> 
> GET /default.ida
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> 
> Firstly, can someone confirm whether this is the same as the GET
> request logged by the hard-coded worm?


The first request was from a scanning attack:

12.39.137.80 - - [19/Jul/2001:10:32:27 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u
6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53
1b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 322

The second request is from a random directed attack:

203.127.71.178 - - [19/Jul/2001:16:31:47 -0700] "GET
/default.ida?NNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090
%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u
531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 322

Both were taken from my home Apache 1.3.19 webserver. They are identical.

I intend to add egress filters to one of my servers and allow it to
become infected; if anyone wants to volunteer to help me pick it apart
afterwards it would be appreciated.

My disassembly skills are non-existent, but I, and I'm sure the community,
would love to hear the results.

- -- 

 "A true friend stabs you in the front."
     - Oscar Wilde

-----BEGIN PGP SIGNATURE-----
Comment: For info see http://www.gnupg.org

iD8DBQE7WHdV36NTGsm+2Z4RAthEAKCAxikWj/r+dfdPDgmq+34+SYimOgCfdA1Y
31GnTACEgLrtcaXFgRaMVQw=
=yrl1
-----END PGP SIGNATURE-----
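The log comparison in the message above can be automated. The following is an added example written for this archive page, not code from Ethan Butterfield or anyone else in the thread. It matches the `/default.ida?NNN...%uXXXX...=a` probe shape shown in the two log excerpts, decodes the `%uXXXX` words into the bytes idq.dll would have laid out in memory (each word is a 16-bit value stored little-endian, which is why `%u6858` comes back as `58 68`), and sorts sources into "scanning" (one source seen on more than one of our hosts) versus "directed" (one source, one host). That scanning/directed split is an approximation assumed here for a pure web-log view, since the port sweep itself never appears in an Apache access_log. The log lines, the `www1`/`www2`/`www3` server tags and the RFC 5737 addresses are all constructed for the example; the filler length and the `%u` words are copied from the excerpts in the message.

```python
"""Spot Code Red .ida probes in Apache access logs and separate sources that
swept several hosts from sources that hit a single host.

Added example for this thread, not code from the original post.  The log
lines below are constructed (RFC 5737 addresses); the "server" tag stands
in for the host whose access_log the line came from.
"""
import re
import struct
from collections import defaultdict

# Apache common log format: src ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The probe seen in the thread: GET /default.ida?<N filler><%u words>=a  HTTP/1.0
# The last unit is the truncated "%u00", so units of 1-4 hex digits are accepted.
PROBE_RE = re.compile(
    r'^GET /default\.ida\?(?P<filler>N+)(?P<rest>(?:%u[0-9a-fA-F]{1,4})+)=a(?:\s+HTTP/\d\.\d)?$'
)


def parse_probe(request):
    """Return (filler_len, payload_bytes) for a Code Red probe, else None.

    Each full %uXXXX is one 16-bit value written little-endian, so the
    sequence %u9090%u6858%ucbd3%u7801 becomes 90 90 58 68 d3 cb 01 78.
    """
    m = PROBE_RE.match(request)
    if not m:
        return None
    words = re.findall(r'%u([0-9a-fA-F]{4})', m.group('rest'))
    payload = b''.join(struct.pack('<H', int(w, 16)) for w in words)
    return len(m.group('filler')), payload


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_sources(tagged_lines):
    """tagged_lines: iterable of (server_tag, access_log_line).

    Proxy assumed here: a source that probed more than one of our hosts is
    'scanning'; a source that hit exactly one host is 'directed'.
    Returns {src: (kind, probe_count, sorted_server_tags)}.
    """
    servers_hit = defaultdict(set)
    hits = defaultdict(int)
    for server, line in tagged_lines:
        rec = parse_log_line(line)
        if rec is None or parse_probe(rec['req']) is None:
            continue
        servers_hit[rec['src']].add(server)
        hits[rec['src']] += 1
    return {
        src: ('scanning' if len(srv) > 1 else 'directed', hits[src], sorted(srv))
        for src, srv in servers_hit.items()
    }


# Filler length (224) and %u words as they appear in the message's log excerpts.
FILLER = 'N' * 224
WORDS = ('%u9090%u6858%ucbd3%u7801' * 3
         + '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00')
PROBE_REQ = f'GET /default.ida?{FILLER}{WORDS}=a  HTTP/1.0'


def _line(src, ts, req, status='400', size='322'):
    return f'{src} - - [{ts}] "{req}" {status} {size}'


# Constructed sample: one sweeping source, one single-shot source, two benign requests.
SAMPLE_LOGS = [
    ('www1', _line('192.0.2.10', '19/Jul/2001:10:32:27 -0700', PROBE_REQ)),
    ('www2', _line('192.0.2.10', '19/Jul/2001:10:32:41 -0700', PROBE_REQ)),
    ('www3', _line('192.0.2.10', '19/Jul/2001:10:33:05 -0700', PROBE_REQ)),
    ('www2', _line('198.51.100.7', '19/Jul/2001:16:31:47 -0700', PROBE_REQ)),
    ('www1', _line('203.0.113.5', '19/Jul/2001:12:00:00 -0700',
                   'GET /index.html HTTP/1.0', '200', '1532')),
    ('www1', _line('203.0.113.9', '19/Jul/2001:12:00:01 -0700',
                   'GET /default.ida?foo=bar HTTP/1.0', '404', '200')),
]

if __name__ == '__main__':
    for src, (kind, n, servers) in sorted(classify_sources(SAMPLE_LOGS).items()):
        print(f'{src:16} {kind:9} {n} probe(s) on {",".join(servers)}')
    filler_len, payload = parse_probe(PROBE_REQ)
    print(f'filler={filler_len} N, decoded payload={payload.hex()}')
```

Run against real logs, feed `classify_sources` one `(hostname, line)` pair per access_log line from every host on the netblock; a source that lands in the "scanning" bucket on a /28 while only ever showing up once on a colo host is the pattern the message describes.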

