Vulnerability Development mailing list archives
Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)
From: DerHexXer () gmx net
Date: Wed, 5 Sep 2001 15:56:01 +0200 (MEST)
@Markus Kern: Thank you for sharing this great piece of code ... it actually is a great solution (a much better one than mine) for the problem I was addressing. Let me summarize what your code does:

Host [A] is compromised by CodeRedI/II. Host [B] has your CRclean.dll isapi-filter installed (either installed by the user or automated). Host [A] sends out the exploit plus CodeRed to random addresses and hits Host [B]. Host [B] counters this infection attempt by sending its own exploit (CRclean.asm).

* Host [A] downloads CRclean.dll from Host [B]
* Host [A] executes CRclean.dll via rundll32 (func 'run') with system privileges.

This is what happens then (we are now in func 'run' from CRclean.dll):

* determines OS version
* load needed dlls
* download and apply patch (determine lang, dl patch, execute it, terminate hotfix.exe, cleanup tempdir)
* remove CRII (delete explorer.exe, remove root.exe, reenable fileprotection, cleanup registry [mapping backdoors])
* add CRclean.dll isapi-filter (registry)
* restart iis (iisrestart.exe /restart /timeout:30)

After the new filter is installed, Host [A] will join the fight against CodeRed.

Again ... this is a great solution, but I think that there are several problems in your code:

a) rundll32 is called with system privileges. I had some problems while accessing the registry with system privileges. It might be possible that CRclean is not able to install itself as a new filter.

b) If on Host [A] one of the CRII explorer.exe backdoors is running, this file can't be deleted (and can't be terminated via TerminateProcess [GetLastError: 5 (access denied)]).

The main problem (isapi-filter buffer overrun vulnerability) is solved, but there still remain the backdoors CRII injected on many systems. You should test your code under "in-the-wild" conditions.

@Stanley Bubrouski:
> Another worm...lovely...

Do you know how hard it is to write such a worm?

> Why not just flee the country?

Well ... I can't remember when I have committed a crime (did I?). Anyways ... I am enjoying my holidays.

> Great. A lack of responsibility is the cornerstone to microsoft's terms
> of service, why should anyone expect any higher of its users.

Should I go out yelling "hey, I have written a worm that might take bandwidth and could render systems useless. I will take all the responsibility?" ???

> Tell that to the kids who unleash this and eat up ...

There is something you might not have considered: what happens if someone uses this vulnerability plus the backdoors CRII injected to spread code that performs DDoS attacks?

> How about making a tool that patches machines and isn't a worm?

Such a tool already exists ... let me remember ... Microsoft has produced it ... oh yeah, it's called patch -). Sorry ... but you should visit focus-virus if you want to flame some authors.

Bye, Der HexXer.

-- 
GMX - The communication platform on the Internet. http://www.gmx.net
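As an added, defender-side illustration (not code from this thread, from CRclean or from any of the posters): a host audit that checks an IIS box for the CRII leftovers the cleanup step above names (root.exe shell copies, a rogue explorer.exe at a drive root, whole-drive virtual-root mappings, disabled file protection) and flags the case from point b), where a backdoor copy that is still running cannot simply be deleted. The indicator paths and the "path,user,flags" virtual-root value layout are assumptions of the example taken from public CRII write-ups, not from the post; the snapshot is constructed data so it runs offline.

```python
"""Audit a host snapshot for Code Red II leftovers: root.exe shell copies,
a rogue explorer.exe at a drive root, whole-drive virtual roots and
disabled file protection. Marks findings that need a kill/reboot first."""
import re
from dataclasses import dataclass

# ASSUMPTION: indicator paths follow public CRII write-ups, not the post.
ROOT_EXE_PATHS = (
    r"c:\inetpub\scripts\root.exe",
    r"c:\program files\common files\system\msadc\root.exe",
)
DRIVE_ROOT_EXPLORER = re.compile(r"^[a-z]:\\explorer\.exe$")
WHOLE_DRIVE = re.compile(r"^[a-z]:\\?$")


@dataclass
class HostSnapshot:
    files: set          # absolute paths present on disk (any case)
    vroots: dict        # W3SVC "Virtual Roots": name -> "path,user,flags"
    running: set        # image paths of running processes
    sfc_disabled: bool  # Windows File Protection switched off


@dataclass
class Finding:
    kind: str
    detail: str
    removable_now: bool = True  # False: running copy, delete will fail


def audit(snap: HostSnapshot) -> list:
    """Return findings in a stable order so two runs can be diffed."""
    files = {p.lower() for p in snap.files}
    running = {p.lower() for p in snap.running}
    out = []
    for p in sorted(files):
        if p in ROOT_EXE_PATHS:
            out.append(Finding("root.exe backdoor", p))
        elif DRIVE_ROOT_EXPLORER.match(p):
            # Point b) of the post: a running backdoor cannot be deleted.
            out.append(Finding("rogue explorer.exe", p, p not in running))
    for name, value in sorted(snap.vroots.items()):
        phys = value.split(",")[0].strip().lower()  # first field is the path
        if WHOLE_DRIVE.match(phys):
            out.append(Finding("whole-drive virtual root", f"{name} -> {phys}"))
    if snap.sfc_disabled:
        out.append(Finding("file protection disabled", "re-enable before cleanup"))
    return out
```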
Current thread:
- CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Herbert HexXer (Sep 01)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Markus Kern (Sep 01)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Stanley G. Bubrouski (Sep 05)
- RE: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Paige, Randall (Sep 04)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Markus Kern (Sep 04)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) DerHexXer (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Markus Kern (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Meritt James (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Blue Boar (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Blue Boar (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Stanley G. Bubrouski (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Blue Boar (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Jonathan Rickman (Sep 05)
- CodeGreen free? // Re: Re: AW: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Steinhart Alexander (Sep 07)
- RE: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) t. patrick o'hara (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Blue Boar (Sep 05)
- Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) Markus Kern (Sep 05)