Security Incidents mailing list archives
New CodeRed variant - CodeRed.d
From: David Kennedy CISSP <david.kennedy () acm org>
Date: Wed, 22 Aug 2001 00:24:51 -0400
Forwarded by request:
Date: Wed, 22 Aug 2001 00:26:23 -0400
To: tsmalcode () postal trusecure com
From: Roger Thompson <rogert () mindspring com>
Subject: New CodeRed variant - CodeRed.d
Cc: david Kennedy CISSP <david.kennedy () acm org>, Russ <Russ.Cooper () rc on ca>

Hi all,

A couple of weeks ago, I became curious to find out exactly what was knocking on port 80 on my PCs. I figured it was probably a CodeRed, but which one? To answer that question, I wrote a program which I call WormCatcher to listen on port 80 and checksum whatever comes calling. Recognized checksums are logged and emailed to me every hour, and unrecognized checksums (i.e. possible variations) are emailed to me immediately.

It's been live on just a few workstations for just a few days, but it has found several variants which looked like they'd been modified by some routers or repeaters along the way, which changed the code offsets and therefore rendered the worm sterile.

This evening, WormCatcher found a new, although minor, variant of CodeRed. Specifically, the string "CodeRedII" has been replaced by underscores, and the byte at offset 07C5 is changed from a 0 to an FF. Replacing "CodeRedII" with underscores appears to be an attempt to fool any IDS or AV lame enough to look for that string as a detection. Changing the byte at offset 07C5 appears to not change the code materially, but is probably intended to throw off any checksummers which checksummed the body of the virus, excluding the "CodeRedII" string.

This is such a minor variation that I wouldn't have bothered mentioning it except that WormCatcher found it once from an IP in Korea, and secondly from a college here in the Eastern United States. What is noteworthy, then, is that it is probably a deliberate, if ill-thought-out, attempt to populate a new variation into the wild.

Functionality has not been changed. The initial "GET " and many "X" strings are identical, so any IDSs looking for that will do fine. Patched servers are still not vulnerable.

No one needs to do anything unless they are detecting by lame string or checksum.

Roger

Regards
Roger Thompson
Technical Director of Malicious Code Research
TruSecure Corporation
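The message contrasts three ways of recognising a probe: a whole-request checksum (what WormCatcher does, which flags the variant as unknown), a match on the literal "CodeRedII" string (which the variant defeats), and a match on the unchanged "GET " plus long run of "X" characters (which still works). The following Python script is an added illustration of those three checks side by side; it is not WormCatcher or any code from the message. The probe bodies are constructed stand-ins, much shorter than a real worm body, so the flipped byte is simply the last byte of the constructed body rather than offset 07C5, and the `/default.ida` path comes from public CodeRed write-ups rather than from this message. The `catch` listener is a minimal stand-in for the port-80 listener described and defaults to port 8080 so it runs unprivileged.

```python
import hashlib
import re
import socket
from typing import Dict, List, Tuple

# "GET " followed by a long run of X: the part of the probe the message says is unchanged.
X_RUN = re.compile(rb"^GET /\S*?X{100,}")


def make_probe(marker: bytes, flipped_byte: int) -> bytes:
    """Constructed probe: request line with a run of X, then a body carrying a marker
    string and one trailing byte standing in for the byte the variant flips (0 -> FF)."""
    return (b"GET /default.ida?" + b"X" * 224 + b" HTTP/1.0\r\n\r\n"
            + b"\x00" * 32 + marker + b"\x00" * 32 + bytes([flipped_byte]))


PROBE_ORIGINAL = make_probe(b"CodeRedII", 0x00)          # constructed "known" sample
PROBE_VARIANT = make_probe(b"_" * len(b"CodeRedII"), 0xFF)  # constructed "CodeRed.d"-style sample


def checksum(payload: bytes) -> str:
    """Checksum of the whole request, as WormCatcher does for whatever comes calling."""
    return hashlib.sha256(payload).hexdigest()


# Hypothetical table of recognised checksums -> name; a real deployment would load this
# from a file the operator maintains as new samples are confirmed.
KNOWN: Dict[str, str] = {checksum(PROBE_ORIGINAL): "CodeRedII"}


def classify(payload: bytes, known: Dict[str, str] = KNOWN) -> Tuple[str, str]:
    """Recognised checksums are ("known", name); anything else is ("unknown", digest)
    and is what the message says gets emailed immediately as a possible variant."""
    digest = checksum(payload)
    if digest in known:
        return ("known", known[digest])
    return ("unknown", digest)


def string_detector(payload: bytes) -> bool:
    """The 'lame string' check: matches the literal marker, so underscores defeat it."""
    return b"CodeRedII" in payload


def structural_detector(payload: bytes) -> bool:
    """Match on the request shape ("GET " + many X), which the variant did not change."""
    return X_RUN.match(payload) is not None


def catch(port: int = 8080, max_requests: int = 1) -> List[Tuple[str, Tuple[str, str], bool]]:
    """Accept a few connections, checksum the first 8 KiB of each request and return
    (peer address, checksum verdict, structural-match flag) per request."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        for _ in range(max_requests):
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    data = conn.recv(8192)
                except socket.timeout:
                    data = b""
            results.append((peer[0], classify(data), structural_detector(data)))
    return results


if __name__ == "__main__":
    for name, probe in (("original", PROBE_ORIGINAL), ("variant", PROBE_VARIANT)):
        print(name, classify(probe)[0], "string:", string_detector(probe),
              "structural:", structural_detector(probe))
```

Run offline, the original sample is reported as a known checksum and matched by both detectors, while the variant is an unknown checksum, is missed by the literal-string check, and is still caught by the structural check, which is the point the message makes about which detections need no change.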
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com