Security Incidents mailing list archives

more Code Red analysis


From: "robert_david_graham" <robert_david_graham () yahoo com>
Date: Mon, 6 Aug 2001 16:57:30 -0700

Maybe these items have been discussed already:

First, connecting back to systems attacking me, I notice that most now are
returning "403 Access Forbidden: Too many users are connected". I'm thinking
that every time CodeRedII re-infects a system, it uses up another connection
resource until nobody else can connect. This prevents people from exploiting
the /scripts/root.exe backdoor -- the worm is DoSing its own backdoor. This
likewise makes it hard to create defensive measures, such as a
counterattacking worm or a counterattack of the form
"/scripts/root.exe?/c+net+stop+w3svc".

Code Red has a design flaw: it uses blocking sockets. This can be exploited in
a couple of ways to stop scans. I've tweaked a webserver so that upon
detecting an .ida attack, it sets aside the TCP connection in a special
list. When the worm does a recv(), it will block until it either gets a
response from the server, or the server closes the connection. By doing
neither, my webserver holds onto the thread INDEFINITELY. I've got over a
hundred now, many more than a day old. At any time, I could stop the
webserver, which would release the worms caught in my snare to continue
scanning other people.

I created another program (<http://robertgraham.com/deredoc>) that sniffs
the wire looking for SYNs to port 80 and responds with SYN-ACK. This also
causes the worm to halt (in the send() function I think). Putting this on a
/8 Class A subnet that is dark (either firewalled or unused) could almost
completely halt the original Code Red (because every thread will eventually
hit the /8 within a few hours). However, since pretty much all the
vulnerable systems are now infected, I'm not sure that's useful.

I've noticed that a lot of the scans that wedge themselves on my server are
coming from NATted connections. When you ask sockets for a random port,
Microsoft gives you one between 1024 and 5000. However, I see inbound
attacks where the client's port is 38000. The only way this can occur is if a
NAT has translated the port. I estimate about 20% of my non-local-subnet
probes used a high port number. This indicates to me that the worm has
successfully managed to penetrate behind a LOT of firewalls on the Internet.
Talking with various large corporations, I'm finding that Code Red has
successfully penetrated deep within their corporations. This demonstrates
that there are clear infection paths around firewalls, which means that
hackers can likely also bypass firewalls.

The CodeRedII method of scanning nearby machines is much better than
randomizing across the entire Internet space. First of all, it spreads
better behind firewalls. Second, it causes dramatically less traffic across
backbones - the less you annoy people, the longer you'll have a chance to
spread. I think this will become an important algorithm for future worms.
Third, it builds a larger base locally before people remotely detect that
there is a worm.

Code Red is certainly a wake up call showing how easily a few hundred
thousand machines can be hacked in a day. However, I get several exploit
attempts from Linux worms on my machine every day. (About half of all port
111 attempts are from Linux worms according to my measurements).

Whether you are a Linux distro supplier or Microsoft, the single most
important thing you can do is to ship boxes in a relatively locked down
mode. Virtually everyone that got hit by the worm today doesn't care to run
Microsoft's Index Server (remember, it is an Index Server exploit, not an
IIS exploit). Why was that installed by default? Microsoft is removing
default features in IIS 6/WinXP, and the latest RedHat installs less. If we
want to stop worms in the future, this has to be a higher concern for
vendors. The same applies to samples and demo features likewise supplied
with software.

The biggest danger the net now faces is the next IIS exploit. I saw
something similar back in 1988 - the Morris Worm injected the community with
a lot of knowledge about worms. We saw that with the ADMworm that spawned
numerous similar Linux worms that compromised other vulnerabilities. There
are thousands of hackers out there studying the details of the two Code Red
worms. When the next IIS exploit is announced, we've got two weeks to patch
a million systems before that next worm takes down the Internet. There is
even a danger that a worm will be written first, then the next exploit added
to it later. Thus, the worm may appear on the first day the next
vulnerability is announced, even though the writer didn't have 0-day
knowledge.

I'm sure people have fully grasped the situation. We read a lot about
website defacements and DDoS zombie networks with a few thousand machines
under the control of a single hacker. However, when you consider that
hundreds of thousands of machines are vulnerable, we are seeing a
surprisingly small amount of hacking. My own measurements of ISP backbone
traffic show that potentially hundreds of thousands of desktop machines have
been compromised with remote admin Trojans. There are DoS attacks looming on
the horizon that make the current ones look like child's toys. The hacking
culture within our school systems has risen to levels where it might become
a cultural force similar in scope to the hippies in the 1960s, preaching
"free information" instead of "free love". This isn't an alarmist diatribe -
it's just in the past we thought of hacking/infosec as specialty areas, but
now these areas are defining the big picture.

If anybody has a large dark subnet to play with, I'd love to install my
deredoc program mentioned above. It not only plays with the current worms,
it can be used to encourage 0-day worms to reveal themselves. Does anybody
know how I can apply for a large address range simply for this purpose (and
backscatter monitoring)? (E.g. rather than leaving unassigned Class As dark,
put them in a pool somewhere off an interexchange point to sniff packets
until they are removed and assigned for actual use).

Robert Graham
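The blocking-socket snare described in the post, as an added example written
for this page; it is not Robert Graham's modified webserver or deredoc. A
worm thread that has sent its request sits in recv() until the server answers
or closes, so this server does neither for requests that look like the .ida
overflow and answers everything else normally. Assumptions not in the post:
a probe is recognised by a path containing ".ida?" with an oversized query
(the real worms sent "GET /default.ida?" followed by a long run of N or X
characters), and non-probe requests get a minimal 404.

```python
import selectors
import socket

# Assumptions of this example (not from the post): a probe is any request
# whose path carries ".ida?" followed by an oversized query.
IDA_MARKER = b".ida?"
OVERSIZE = 200          # longer than any legitimate Index Server query


def classify_request(data: bytes) -> str:
    """'ida' for a Code Red-style probe, 'other' for any other request,
    'partial' while the request line has not fully arrived."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return "partial"
    parts = line.split(b" ")
    if len(parts) < 2:
        return "other"
    path = parts[1]
    return "ida" if IDA_MARKER in path and len(path) > OVERSIZE else "other"


class Tarpit:
    """Single-threaded server that parks .ida probes and answers the rest."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((host, port))
        self.listener.listen(128)
        self.listener.setblocking(False)
        self.sel.register(self.listener, selectors.EVENT_READ, self._accept)
        self.buffers = {}   # socket -> bytes received so far
        self.held = {}      # fd -> (socket, peer); never answered, never closed

    @property
    def port(self):
        return self.listener.getsockname()[1]

    def _accept(self, listener):
        conn, _ = listener.accept()
        conn.setblocking(False)
        self.buffers[conn] = b""
        self.sel.register(conn, selectors.EVENT_READ, self._read)

    def _read(self, conn):
        try:
            chunk = conn.recv(4096)
        except ConnectionError:
            chunk = b""
        if not chunk:                       # peer went away before we decided
            self.sel.unregister(conn)
            del self.buffers[conn]
            conn.close()
            return
        self.buffers[conn] += chunk
        kind = classify_request(self.buffers[conn])
        if kind == "partial":
            return
        self.sel.unregister(conn)           # we will not read from it again
        del self.buffers[conn]
        if kind == "ida":
            # Neither respond nor close: the worm's blocking recv() never
            # returns, so that scanning thread is out of action until we let go.
            self.held[conn.fileno()] = (conn, conn.getpeername())
        else:
            conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")
            conn.close()

    def serve_once(self, timeout=0.1):
        """Process whatever events are ready; returns how many were handled."""
        events = self.sel.select(timeout)
        for key, _ in events:
            key.data(key.fileobj)
        return len(events)

    def release_all(self):
        """Closing the parked sockets frees every snared thread at once."""
        for conn, _ in self.held.values():
            conn.close()
        self.held.clear()


def probe(tarpit, request, wait=0.3):
    """Play the worm side against `tarpit`: connect, send `request`, pump the
    server, then wait `wait` seconds for a reply.  Returns 'held' when nothing
    comes back (a blocking recv() would sit here forever), else 'replied'
    or 'closed'."""
    client = socket.create_connection(("127.0.0.1", tarpit.port))
    client.sendall(request)
    for _ in range(10):
        tarpit.serve_once(0.02)
    client.settimeout(wait)
    try:
        data = client.recv(1024)
    except socket.timeout:
        return "held"
    client.close()
    return "replied" if data else "closed"


if __name__ == "__main__":
    tp = Tarpit(port=8080)
    print("tarpit listening on port", tp.port)
    while True:
        if tp.serve_once(1.0):
            print("held connections:", len(tp.held))
```

Each held connection costs the worm one thread but costs this side only a
socket, and release_all() is the "stop the webserver" step from the post: every
snared thread resumes scanning the moment the sockets close.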
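The source-port argument from the post (Windows picks ephemeral ports in
1024-5000, so a probe from port 38000 must have passed through a NAT), run
over a small set of constructed flow records. This is an added example, not
the author's measurement code or data; the record format, the local prefix and
the sample values are assumptions, and the reasoning only holds because Code
Red runs on Windows alone.

```python
import ipaddress
from collections import Counter

# Windows NT/2000 hand out ephemeral source ports from this range.  The
# example assumes the scanning hosts are stock Windows, which is what the
# worm requires.
WINDOWS_EPHEMERAL = range(1024, 5001)

# Constructed records, not captured traffic: "src_ip src_port dst_ip dst_port"
# for SYNs that carried an .ida probe.  Prefixes are documentation ranges.
SAMPLE_PROBES = """\
198.51.100.20 1055 198.51.100.7 80
198.51.100.31 2310 198.51.100.7 80
192.0.2.15 1037 198.51.100.7 80
192.0.2.77 4999 198.51.100.7 80
203.0.113.9 38000 198.51.100.7 80
203.0.113.44 1210 198.51.100.7 80
203.0.113.45 3333 198.51.100.7 80
198.18.0.5 61234 198.51.100.7 80
198.18.0.6 2048 198.51.100.7 80
192.0.2.200 1500 198.51.100.7 80
203.0.113.100 4000 198.51.100.7 80
198.18.4.4 1024 198.51.100.7 80
"""


def parse_records(text):
    """Yield (src, sport, dst, dport) tuples from the whitespace format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport = line.split()
        yield (ipaddress.ip_address(src), int(sport),
               ipaddress.ip_address(dst), int(dport))


def port_looks_translated(src_port):
    """True if a Windows host could not have chosen this source port itself,
    so a NAT/PAT gateway between it and us must have rewritten it."""
    return src_port not in WINDOWS_EPHEMERAL


def summarise(text, local_net):
    """Share of non-local port-80 probes whose source port implies NAT.
    Probes from the local subnet are excluded, as the post does, since they
    are not behind any firewall relative to the observer."""
    local_net = ipaddress.ip_network(local_net)
    counts = Counter()
    translated = []
    for src, sport, _, dport in parse_records(text):
        if dport != 80:
            continue
        if src in local_net:
            counts["local"] += 1
            continue
        counts["remote"] += 1
        if port_looks_translated(sport):
            counts["remote_nat"] += 1
            translated.append((str(src), sport))
    share = counts["remote_nat"] / counts["remote"] if counts["remote"] else 0.0
    return {"local": counts["local"], "remote": counts["remote"],
            "remote_nat": counts["remote_nat"], "nat_share": share,
            "translated": translated}


if __name__ == "__main__":
    print(summarise(SAMPLE_PROBES, "198.51.100.0/24"))
```

The heuristic cannot tell a NAT from a non-Windows sender: a Linux box of the
same era used ephemeral ports from 32768 upwards, so applied to traffic from
a worm that ran on more than one platform the same test would over-count.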
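A simulation of the two scanning strategies the post compares (uniform random
across the whole address space versus CodeRedII's preference for nearby
addresses), and of the dark-/8 argument for deredoc. This is an added example,
not worm code and not the author's program. The locality mix used here (1/8
fully random, 1/2 within the scanner's own /8, 3/8 within its own /16) is the
split widely reported for CodeRedII and is treated as an assumption of the
example, as are the scanner address and the dark /8 chosen.

```python
import random

# Target-selection mix reported for CodeRedII; an assumption of this example.
P_RANDOM, P_SAME_8 = 1 / 8, 1 / 2          # the remaining 3/8 stays in the /16


def _rand_host(rng):
    return rng.randint(1, 254)


def next_target(rng, own, mode="local"):
    """Pick one target.  'uniform' is how the original Code Red scanned;
    'local' is the CodeRedII-style mix.  First octet 1-223 keeps uniform
    draws out of multicast and reserved space."""
    a, b, _, _ = own
    if mode == "uniform":
        return (rng.randint(1, 223), rng.randint(0, 255),
                rng.randint(0, 255), _rand_host(rng))
    r = rng.random()
    if r < P_RANDOM:
        return next_target(rng, own, "uniform")
    if r < P_RANDOM + P_SAME_8:
        return (a, rng.randint(0, 255), rng.randint(0, 255), _rand_host(rng))
    return (a, b, rng.randint(0, 255), _rand_host(rng))


def measure(mode, n=20000, seed=7, own=(10, 20, 30, 40)):
    """Fraction of probes that stay inside the scanner's own /8 and /16.
    Those probes never cross a backbone, and if the scanner sits behind a
    perimeter firewall they reach hosts the firewall never sees."""
    rng = random.Random(seed)
    same8 = same16 = 0
    for _ in range(n):
        t = next_target(rng, own, mode)
        if t[0] == own[0]:
            same8 += 1
            if t[1] == own[1]:
                same16 += 1
    return {"same_slash8": same8 / n, "same_slash16": same16 / n}


def mean_probes_to_reach(first_octet, mode, trials=300, seed=11,
                         own=(10, 20, 30, 40)):
    """Average number of probes one scanning thread sends before it lands in
    the given /8.  A dark /8 running a SYN-ACK responder catches the thread
    at that point, so this is the expected lifetime of a thread facing it."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        count = 0
        while True:
            count += 1
            if next_target(rng, own, mode)[0] == first_octet:
                break
        total += count
    return total / trials


if __name__ == "__main__":
    for mode in ("uniform", "local"):
        print(mode, measure(mode),
              "probes until dark /8 (first octet 5):",
              round(mean_probes_to_reach(5, mode)))
```

With uniform scanning a thread reaches any given /8 after roughly 223 probes
on average, which is the "every thread will eventually hit the /8 within a
few hours" point; the locality-biased scanner only sends one probe in eight
at random, so it takes about eight times longer to stumble into the trap
while keeping most of its traffic inside its own /8.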





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

