Security Incidents mailing list archives

Re: code red - some questions


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Tue, 24 Jul 2001 02:16:14 +1200

robinton () GMX de (Soeren Ziehe) wrote:

> I've got a few questions concerning the "Code Red" worm.
> 
> "Code Red" exploits the IIS vulnerability referenced in
> http://www.eeye.com/html/Research/Advisories/AD20010618.html
> and CA-2001-13. OK. But how can one exactly determine if a system has
> been compromised?

Good question -- right now, "with difficulty" would be the answer.  
An advanced process viewer may do it -- if you know what the typical 
number of IIS child threads is, you may be able to spot it from this 
number being elevated by 100 (or more -- multiple infestations are 
reputedly possible)...  To date, I'd not thought to look into this.

> In the full analysis (http://www.eeye.com/html/advisories/codered.zip)
> it is said that the worm sets up 100 threads. But in what context are
> they running?  ...

In the same context as IIS or the index server/service.

> ...  How, if, can they be seen in Task Manager or another
> tool? I would guess IIS.exe taking up more memory and processing power
> than normal may be an indication?

Yes -- anything that can tell you how many threads or other resources 
are allocated to what processes and a refined sense of what is 
"normal".  Right now that may not help much (apart from the thread 
count) as the threads should all be sleeping for 20-something days...

> During the sleeping period indications like spreading attempts or attack
> attempts on www1.whitehouse.gov cannot be observed to weed out infected
> systems.
> So how to find dormant "code red" instances?

Another good question -- I have no good answer though.

> If I'm not mistaken a reboot would clear "code red".
> So should anybody reboot and patch? What would be the generic "safe"
> answer to customers?

I'd suggest patch then reboot would be the slightly more efficient 
approach.    8-)

If someone has not applied the patches from MS01-033, or is not sure, 
they should apply the patch and reboot.  They should do this sooner, 
rather than later as the longer they leave it the greater (by some 
completely unknown amount) the threat of their machines being 
hijacked by something else via the exact same exploit.  Just because 
someone has been hit by Code Red does not make them magically immune 
to the vulnerability...

> BTW does anyone know a working security contact for Hotmail?
> security () hotmail com came back as "account disabled". Other obvious
> addresses did not result in any reaction.

Sorry (but I can't say I'm entirely surprised).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
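As an added example (not code from this thread or from eEye), here is the thread-count check Nick sketches above, written in Python: record a per-process baseline of thread counts on a healthy server, then flag any process whose count is elevated by roughly 100 (the worm sets up 100 threads per infestation, so an elevation near a multiple of 100 suggests multiple infestations). The process snapshot is constructed sample data in the shape a process viewer would report, and the IIS host process name "inetinfo.exe" is an assumption; substitute whatever your viewer shows. Because the worm's threads are sleeping, CPU and memory figures are not consulted at all.

```python
"""Flag processes whose thread count is elevated by ~100 over a known baseline.

Added example for the Code Red discussion; the snapshot and baseline below
are constructed, and "inetinfo.exe" as the IIS host process is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WORM_THREADS = 100   # threads Code Red sets up per infestation (eEye analysis)
TOLERANCE = 10       # ordinary jitter in a server's thread count that we ignore


@dataclass
class ProcessInfo:
    """One row as a process viewer would report it: name, pid, thread count."""
    name: str
    pid: int
    threads: int


# Constructed baseline: typical thread counts recorded on a known-good server.
BASELINE: Dict[str, int] = {
    "inetinfo.exe": 35,   # assumed IIS host process
    "cidaemon.exe": 8,    # assumed Index Server daemon
    "lsass.exe": 20,
}

# Constructed snapshot from a suspect server. inetinfo.exe sits ~200 threads
# above baseline, consistent with two dormant infestations.
SNAPSHOT: List[ProcessInfo] = [
    ProcessInfo("inetinfo.exe", 1024, 237),
    ProcessInfo("cidaemon.exe", 1100, 9),
    ProcessInfo("lsass.exe", 240, 20),
    ProcessInfo("explorer.exe", 1300, 14),   # no baseline recorded
]


def estimate_infestations(
    name: str,
    threads: int,
    baseline: Dict[str, int],
    worm_threads: int = WORM_THREADS,
    tolerance: int = TOLERANCE,
) -> Optional[Tuple[int, int]]:
    """Return (elevation, suspected_infestations) for one process.

    Returns None when no baseline is known for the process, since an
    unknown process cannot be judged by this method. An elevation that is
    more than `tolerance` short of one worm's worth of threads counts as 0.
    """
    if name not in baseline:
        return None
    elevation = threads - baseline[name]
    if elevation < worm_threads - tolerance:
        return (elevation, 0)
    return (elevation, round(elevation / worm_threads))


def find_suspects(
    snapshot: List[ProcessInfo], baseline: Dict[str, int]
) -> Dict[str, Tuple[int, int]]:
    """Map process name -> (elevation, suspected count) for flagged processes."""
    suspects: Dict[str, Tuple[int, int]] = {}
    for proc in snapshot:
        result = estimate_infestations(proc.name, proc.threads, baseline)
        if result is not None and result[1] > 0:
            suspects[proc.name] = result
    return suspects


def unbaselined(snapshot: List[ProcessInfo], baseline: Dict[str, int]) -> List[str]:
    """Processes the check cannot judge because no baseline was recorded."""
    return [p.name for p in snapshot if p.name not in baseline]


if __name__ == "__main__":
    for name, (elev, count) in find_suspects(SNAPSHOT, BASELINE).items():
        print(f"{name}: +{elev} threads over baseline, ~{count} suspected infestation(s)")
    for name in unbaselined(SNAPSHOT, BASELINE):
        print(f"{name}: no baseline recorded, cannot judge")
```

The baseline is the part that needs care: it must come from the same server class, at a comparable load, before any exposure, or the elevation figure is meaningless. A process with no recorded baseline is reported separately rather than silently passed.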

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
