New CodeRed variant - CodeRed.d

[David Kennedy CISSP <david.kennedy () acm org>]

Forwarded by request:

> Date: Wed, 22 Aug 2001 00:26:23 -0400
> To: tsmalcode () postal trusecure com
> From: Roger Thompson <rogert () mindspring com>
> Subject: New CodeRed variant - CodeRed.d
> Cc: david Kennedy CISSP <david.kennedy () acm org>, Russ <Russ.Cooper () rc on ca>
>
> Hi all,
>
> A couple of weeks ago, I became curious to find out exactly what was 
> knocking on port 80 on my pcs. I figured it was probably a CodeRed, but 
> which one? To answer that question, I wrote a program which I call 
> WormCatcher to listen on port 80 and checksum whatever comes calling. 
> Recognized checksums are logged, and emailed to me every hour, and 
> unrecognized checksums (ie possible variations) are emailed to me 
> immediately. It's been live on just a few workstations for just a few days, 
> but it has found several variants which looked like they'd been modified by 
> some routers or repeaters along the way, which changed the code offsets, 
> and therefore rendered the worm sterile.
>
> This evening, WormCatcher found a new, although minor variant of CodeRed. 
> Specifically, the string "CodeRedII" has been replaced by underscores, and 
> the byte at offset 07C5 is changed from a 0 to an FF.
>
> Replacing "CodeRedII" with underscores appears to be an attempt to fool any 
> ids or av lame enough to look for that string as a detection. Changing the 
> byte at offset 07C5 appears to not change the code materially, but is 
> probably intended to throw off any checksummers which checksummed the body 
> of the virus, excluding the "CodeRedII" string.
>
> This is such a minor variation that I wouldn't have bothered mentioning it 
> except that WormCatcher found it once from an IP in Korea, and secondly 
> from a college here in the Eastern United States.
>
> What is noteworthy then is that it is probably a deliberate, if ill-thought 
> out attempt to populate a new variation into the wild.
>
> Functionality has not been changed. The initial "GET " and many "X" strings 
> are identical, so any IDSs looking for that will do fine. Patched servers 
> are still not vulnerable. No one needs to do anything unless they are 
> detecting by lame string or checksum.
>
> Roger
>
>
>
> Regards
>
> Roger Thompson
> Technical Director of Malicious Code Research
> TruSecure Corporation


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com