Security Incidents mailing list archives

Early Bird: A realtime Code Red attempt reporting utility.


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Thu, 9 Aug 2001 02:34:51 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

TITLE   : EARLY BIRD -- A realtime Code Red attempt reporting utility
AUTHOR  : Jay D. Dyson <jdyson () treachery net>
VERSION : 1.0 (Released 08/09/2001)
REQUIRES: PERL v5.003 or higher, Net::Whois::Raw PERL module 
          (available at http://www.cpan.org/) and a one-line tweak to
          Apache's (v1.3.x) httpd.conf.
RESOURCE: http://www.treachery.net/~jdyson/earlybird/
----------------------------------------------------------------------

---[ DESCRIPTION ]----------------------------------------------------

After seeing close to one thousand Code Red exploit attempts on 
several non-IIS systems I maintain (and after tiring of generating
reports to send off to multiple ISPs regarding multiple breaches on
their networks, only to see the scans continue unabated days later), I
decided to automate the notification process on a transactional basis.
This utility suite is the end product of that goal.

---[ RATIONALE ]------------------------------------------------------

If there is one thing that Code Red has clearly demonstrated, it is
that people who run vulnerable systems on the 'net either do not know
or do not care that their recklessness impacts other people.  As a
consequence, I have come to the conclusion that most people just won't
take care of a problem until it becomes *their* problem.  This
transaction-oriented notification system is not designed to be a
problem, but it *is* designed to make the responsible party *aware*
of the problem and its impact.

This utility has a larger goal in that immediate reporting will also
help circumvent the potential for abuse of already-compromised 
systems.  Let's face it, when a Code Red v2 system scans your box,
that's little more than a great flashing light stating that the box
in question is ripe for takeover by any interested hostile party.
These realtime notices -- at the very least -- may help curtail the
further abuse of non-compromised systems by the already-affected
systems.

Some might argue that this is the wrong way to go about fighting
the Code Red worm.  That's their opinion and they are certainly
entitled to it.  Just don't expect me to share that point of view.
Until a means can be determined to shut the worm down permanently
without engaging in potentially illegal acts of unauthorized intrusion
on already-compromised systems, I'll consider this approach optimal.

---[ DETAILS ]--------------------------------------------------------

Before going much further, I'll state for the record that this utility
is not the most elegant work of code.  Then again, neither is the worm
it was created to combat.

This utility is designed around the notion of setting up a decoy
'default.ida' executable on a UNIX system.  When the worm hits this
decoy script, a quick note is made as to the version of the worm (v1 
or v2), and a lookup is performed via ARIN on the connecting IP
address to determine the parent netblock owner.  An e-mail is then 
composed with those details and sent off to said contact.

The text of the message sent out with each exploit attempt is thus:

-----

You are receiving this notice since your domain is listed as the
primary contact in the American Registry of Internet Numbers (ARIN).

The following Code Red intrusion attempt was made against our system.

        ADDRESS: (IP address of offending system)
        ATTEMPT: (Full URI requested)

Please advise your user that their system has been compromised and is
being actively utilized as an attack launchpoint against other
systems.

Thank you for your prompt attention to this matter.

-----

With this information alone, the recipient admin will be able to not
only identify the offending system on their network, but will have 
sufficient evidence in the quoted URI that an exploit attempt was
indeed made.  In a perfect world, this information should expedite 
action...but I'm not holding my breath.  If the recipient wants to
continue receiving an avalanche of such notices because they either
can't or won't fix the problem, that's no skin off my nose.

Just for grins, this utility also generates a brief HTML reply to the
worm's intrusion attempt.  There isn't much data generated since the
worm *is* an automated intrusion agent and -- no matter how much
artificial intelligence is crammed into the beast -- it isn't likely
to appreciate my wry sense of humor.  ;)

-----[ ACQUISITION, INSTALLATION & CONFIGURATION ]--------------------

You can download the source tarball for this utility at:

        http://www.treachery.net/~jdyson/earlybird/

Setting up this utility is fairly trivial.  The critical files are
as follows:

        FILENAME        FUNCTION
        -----------     ----------------------------------------------
        default.ida     Acts as bait for the worm.
        arin            Two-line external script (used to overcome a
                        minor shortcoming in the Net::Whois::Raw PERL
                        module)

Installation of this worm bait will also require a one-line tweak to
your Apache httpd.conf.  If you're unwilling or uncomfortable in doing
such, you may as well stop reading now.

Still with me?  Cool.  Here's what you'll need to do:

1.      Open 'httpd.conf' with your favorite editor.  (I prefer vi.)

        Search for      : AddHandler cgi-script .cgi
        Add             : AddHandler cgi-script .ida

        Save the changes and restart Apache.

2.      Copy 'default.ida' and 'arin' to your primary/default web
        document root directory.  You need not copy them to every vhost
        directory on your system since the Code Red worm only goes by
        IP addresses rather than domain names.

3.      Open up 'default.ida' with your preferred editor.  (Again, vi
        is preferred.)  You'll want to check (and possibly change) the
        following variables:

        $sendmail                       # Sendmail location
        $username                       # Your contact address
        $domain                         # Your full domain name
        exec'/PATH/TO/arin',$s;         # Change /PATH to suit yours

4.      Once all the variable values are appropriately set, you will
        need to set the execute bits on both 'default.ida' and 'arin'.

        chmod 0555 default.ida
        chmod 0555 arin

That's it.  Your worm bait is now in place and ready to badger the
offending network admins into cleaning house.  To test that the script
is functioning properly, simply open your favorite web browser and
plug in the URL in the form of:

        http://www.your-domain.tld/default.ida

The script will reply with its standard HTML response, but will *NOT*
send out a notice e-mail since the requesting URI does not contain the
worm's typical exploit strings.
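As an added illustration (written for this page, not the author's Perl from the tarball above), here is the decoy's decision logic in Python: classify the request URI, skip the notice for a hand-typed test URL as described in the paragraph above, and fill in the notice template. It assumes the two variants are told apart by an N-filled versus X-filled query string (the editor's assumption; the post does not say how the script does it) and takes a caller-supplied lookup function in place of the ARIN whois step so it runs offline.

```python
import re

# Assumption (editor's, not from the post's script): Code Red probes hit
# /default.ida with a long filler run before %u-encoded data.  The original
# Code Red fills with 'N', CodeRed II with 'X'; this regex keys on that only.
PROBE = re.compile(r"^/default\.ida\?(N{20,}|X{20,})")

NOTICE = """You are receiving this notice since your domain is listed as the
primary contact in the American Registry of Internet Numbers (ARIN).

The following Code Red intrusion attempt was made against our system.

        ADDRESS: {address}
        ATTEMPT: {uri}

Please advise your user that their system has been compromised and is
being actively utilized as an attack launchpoint against other
systems.

Thank you for your prompt attention to this matter.
"""


def classify(uri):
    """Return 'v1' for an N-filled probe, 'v2' for an X-filled one, else None.
    The v1/v2 labels follow the post; mapping them to N/X is an assumption."""
    m = PROBE.match(uri)
    if m is None:
        return None
    return "v1" if m.group(1)[0] == "N" else "v2"


def handle_hit(remote_addr, uri, lookup_contact):
    """Decide what the decoy does for one request.

    lookup_contact(ip) stands in for the ARIN whois step (the post's 'arin'
    helper).  Returns None when no mail should go out, which is what the
    post's browser test (plain /default.ida) must produce.  Otherwise returns
    (variant, contact, notice_text); contact is None when whois gave nothing
    usable, so the caller should log the hit instead of mailing it.
    """
    variant = classify(uri)
    if variant is None:
        return None
    contact = lookup_contact(remote_addr) or None
    return variant, contact, NOTICE.format(address=remote_addr, uri=uri)
```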

-----[ CAVEATS & DISCLAIMER ]-----------------------------------------

This code and related documentation is released under the terms of the
Gnu Public License.  See http://www.gnu.org/copyleft/gpl.html for
details.

By use of this code, you agree to hold me harmless from any and all 
consequences that arise from use or misuse thereof.

As with all files I release, everything is PGP-signed.  If your copy
of this file is *not* PGP-signed, nuke it and grab a copy of this
utility at: http://www.treachery.net/~jdyson/earlybird/.

My PGP keys are at: http://www.treachery.net/~jdyson/jdd_keys.html

-----[ IN CLOSING ]---------------------------------------------------

Thanks for your interest in combatting Code Red.  CR wasn't the first
worm we've encountered, and I'm sure it won't be the last.  Let's just
hope that everyone else is ready for what's next.

                                        -- Jay D. Dyson
                                           08/09/2001



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com