Security Incidents mailing list archives

Re: scans for root.exe


From: Daniel Harrison <danielh () loudcloud com>
Date: Thu, 16 Aug 2001 10:51:35 -0700

Confirming from the outside whether it's Code Red or some other variant could be tough.
I am not sure off the top of my head what would be the best method. Scanning for
root.exe is obviously going to show machines that are infected by both
sadmind/unicode and Code Red. Although the sadmind one defaces index.htm/.asp and
default.htm/.asp, so you could search for multiple things. I also think that CR
v1 included a specific defacement that could help you determine which worm is the
culprit.

If my reading of the packet traces from the eEye scanner is correct, they are
looking for the server to puke back an error code that matches "0xc0000005"; this
error is seen on both NT and W2k machines. A patched machine will spit back
"Error 0x80040e14 caught while processing query."


-dan


Christian Kuhtz wrote:

Jacek Lipkowski wrote:

So, how the heck do you positively confirm CR (v1 & v2) infection then?  Seems
all the eEye scanner does is check the response of GET /scripts/root.exe which
according to what you just wrote isn't necessarily indicative of CR.

Around here, we've had at least one case of suspected false positive (by eEye)
that would confirm that.  It had the root.exe backdoor, but it didn't have any
of the other signs of CRv2 (registry, no explorer.exe trojan etc).

So, how do you positively confirm CRv2 infection from the outside?  I haven't
been able to find any conclusive documentation.  If I missed it, please give
me a point with a fence post.

Thanks,
Chris

--
Christian Kuhtz <ck () arch bellsouth net> -wk, <ck () gnu org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

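The two checks Dan describes (the root.exe probe and the defacement search) can be combined into one small triage script. What follows is an added example written for this archive page; it is not code from the thread, from eEye's scanner, or from any of the posters. The two response markers come from Dan's message. The four page names come from his description of the sadmind/IIS defacement. The "Hacked By Chinese!" string is Code Red v1's defacement text as documented in CERT CA-2001-19 and is not quoted anywhere in this thread; the sadmind/IIS defacement text is not in the thread either, so the caller supplies it. All sample response bodies are constructed, not captured.

```python
"""Triage a host for the root.exe backdoor and worm defacements (added example)."""
import http.client

# Response markers quoted in Dan's message for GET /scripts/root.exe.
UNPATCHED_MARKER = "0xc0000005"
PATCHED_MARKER = "Error 0x80040e14 caught while processing query."

# Pages the message says the sadmind/IIS worm defaces.
DEFACED_PAGES = ("/index.htm", "/index.asp", "/default.htm", "/default.asp")

# Defacement strings to look for on those pages. "Hacked By Chinese!" is Code
# Red v1's text per CERT CA-2001-19 and is NOT quoted in this thread. The
# sadmind/IIS text is not in the thread either, so the caller passes it in
# (assumption: the caller knows what that worm wrote on their hosts).
KNOWN_DEFACEMENTS = {"Code Red v1": "Hacked By Chinese!"}


def classify_root_exe(body):
    """Map the body of a /scripts/root.exe reply to one of three verdicts."""
    if UNPATCHED_MARKER in body:
        # The backdoor answered. Both Code Red v2 and sadmind/IIS leave
        # root.exe behind, so this alone does not say which worm did it.
        return "root.exe-present"
    if PATCHED_MARKER in body:
        return "patched"          # the reply the thread attributes to a patched host
    return "unknown"              # 404, non-IIS server, empty reply, ...


def find_defacements(pages, markers):
    """Return {worm_name: [paths whose body contains that worm's marker]}."""
    hits = {}
    for worm, marker in markers.items():
        paths = [path for path, body in pages.items() if marker in body]
        if paths:
            hits[worm] = paths
    return hits


def assess_host(root_exe_body, pages, extra_markers=None):
    """Combine the root.exe verdict with defacement evidence into one record.

    pages maps a path (e.g. "/index.htm") to the body fetched from it.
    extra_markers adds caller-supplied {worm: text} pairs, e.g. the
    sadmind/IIS defacement string.
    """
    markers = dict(KNOWN_DEFACEMENTS)
    if extra_markers:
        markers.update(extra_markers)
    return {
        "root_exe": classify_root_exe(root_exe_body),
        "defacements": find_defacements(pages, markers),
    }


def fetch(host, path, port=80, timeout=5):
    """GET one path; returns the body as text, or "" if the host does not answer."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().read().decode("latin-1", "replace")
    except (OSError, http.client.HTTPException):
        return ""


def assess_remote_host(host, extra_markers=None):
    """Live version: probe root.exe and the four pages named in the thread."""
    root = fetch(host, "/scripts/root.exe")
    pages = {path: fetch(host, path) for path in DEFACED_PAGES}
    return assess_host(root, pages, extra_markers)


if __name__ == "__main__":
    # Constructed sample bodies (not captured traffic) showing each verdict.
    samples = {
        "backdoor answers": "<html>exception 0xc0000005 in root.exe</html>",
        "patched host": "Error 0x80040e14 caught while processing query.",
        "no IIS at all": "<title>404 Not Found</title>",
    }
    for label, body in samples.items():
        print(f"{label:16s} -> {classify_root_exe(body)}")
    pages = {"/index.htm": "Hacked By Chinese!", "/default.asp": "<h1>Welcome</h1>"}
    print(assess_host(samples["backdoor answers"], pages))
```

Read the record as evidence, not a verdict: "root.exe-present" with no defacement hit is exactly the false-positive case Chris describes, and the string matching only tells you the backdoor answered and which defacement text, if any, is being served.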
