North American Network Operators Group
Re: Code Red II
There is a useful document at http://www.incidents.org/diary/diary.php which offers an explanation of what CRII does and some useful ways on how we can stop it, e.g. by filtering at transparent caches etc. - worth a read.

Basically the new variant slaps a huge backdoor in infected machines. Here's what I got connecting to one of the hosts that had tried to attack me with CRII:

    # telnet !!! 80
    Trying !!!...
    Connected to !!!.
    Escape character is '^]'.
    GET /scripts/root.exe
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Aug 2001 11:42:19 GMT
    Content-Type: application/octet-stream

    Microsoft Windows 2000 [Verze 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.

    c:\inetpub\scripts>

Not good!

I've copied below some of the details from a UNIRAS message which gives you an outline of why CRII is nasty:

This variant uses the identifier "CodeRedII" for self-recognition and thus does not reinfect systems it has already infected. It checks whether Chinese (either Traditional or Simplified) is the language installed on the system. If it is Chinese, it creates 600 threads and spreads for 48 hours. On a non-Chinese system it creates 300 threads and spreads for 24 hours. After that, it reboots the system. At 12am Oct 1, 2001 GMT it goes to sleep for good.

The worm tends to probe nearby systems with probability:

    50%   (4/8) - same Class A net (255.0.0.0)
    37.5% (3/8) - same Class B subnet (255.255.0.0)
    12.5% (1/8) - random

This variant also creates a backdoor. It tries to copy %windir%\CMD.EXE to c:\inetpub\scripts\root.exe, c:\progra~1\common~1\system\MSADC\root.exe, d:\inetpub\scripts\root.exe, and d:\progra~1\common~1\system\MSADC\root.exe. It also tries to create the files c:\explorer.exe and d:\explorer.exe, which it carries within itself.

Explorer.exe trojan: Windows looks for c:\explorer.exe before looking for %windir%\explorer.exe. On the next reboot, the trojan calls the original explorer.exe. The trojan adds the value SFCDisable to SOFTWARE\Microsoft\Windows NT\CurrentVariant\Winlogon and modifies the keys under SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots. It then goes to sleep and re-modifies the registry keys every 10 minutes.

An infected system is automatically rebooted 24 hours from infection and will load the first copy of explorer.exe it comes across - in this case the modified one in the root directory. The system then appears to boot normally, but in reality there is now an open door to the outside world to be exploited as necessary. An old Microsoft vulnerability (notified in MS00-052) (UNIRAS Briefing Notice - No. E111/00 dated 31.07.00) allows the system to load the first explorer.exe (or any file for that matter) that it comes across in the directory structure. In this case the first one will be the modified version of explorer.exe in the root directory, which is a Trojan.

UNIRAS Assessment

This new Code Red variant has the ability to infect systems originally infected with the first two variants. Variant three will overwrite the other variants. As this new variant does not have a flooding capability, it will not flood the former Whitehouse IP address on the 20th of the month. The increased number of threads executed by the new variant, and its feature of searching thoroughly within a subnet, means there is a much greater risk than before of localised Denial of Service. By 6 August there should be no non-Chinese systems infected with Code Red, only thousands of systems that contain a back door.
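The hand-typed telnet check in the post above, turned into a repeatable probe, as an added example that is not part of the original message or of the UNIRAS text. It sends the same GET for root.exe, then classifies the raw reply offline by looking for the cmd.exe banner and a drive-letter prompt in the body rather than trusting the 200 status alone. Assumptions not stated on the page: the two root.exe copies are reachable at the default IIS 5.0 virtual roots /scripts/ and /msadc/, the request is sent as HTTP/1.0 with a Host header, and the sample replies below are constructed from the transcript in the post.

```python
"""Probe a host for the Code Red II root.exe backdoor and classify the reply.

Added example, not code from the NANOG post or from UNIRAS. It reproduces the
poster's manual telnet check as a function and parses the answer offline.
"""
import re
import socket
from typing import Dict

# root.exe (a copy of cmd.exe) lands in c:\inetpub\scripts and
# ...\common~1\system\MSADC per the UNIRAS text. Assumption: those directories
# are exposed at the default IIS 5.0 virtual roots /scripts/ and /msadc/.
BACKDOOR_PATHS = ("/scripts/root.exe", "/msadc/root.exe")

# Stable fragments of the cmd.exe banner. The banner is localised (the reply
# quoted in the post is Czech: "Verze"), so only language-neutral parts are used.
BANNER_MARKERS = (b"Microsoft Windows", b"Copyright 1985-")

# A drive-letter prompt such as "c:\inetpub\scripts>" at the very end of the
# body. "<" and ">" are excluded inside the path so an HTML page cannot match.
PROMPT_RE = re.compile(rb"[A-Za-z]:\\[^\r\n<>]*>\s*$")


def build_request(host: str, path: str) -> bytes:
    """The request the poster typed by hand, as HTTP/1.0 with a Host header."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_status(reply: bytes) -> int:
    """Status code from the reply's first line, or 0 if it is not an HTTP reply."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return 0
    return int(parts[1]) if parts[1].isdigit() else 0


def is_backdoor_reply(reply: bytes) -> bool:
    """True only when root.exe actually ran: 200 plus cmd.exe banner and prompt."""
    if parse_status(reply) != 200:
        return False
    _headers, _sep, body = reply.partition(b"\r\n\r\n")
    has_banner = any(marker in body for marker in BANNER_MARKERS)
    return has_banner and PROMPT_RE.search(body) is not None


def probe_host(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, bool]:
    """Send the backdoor GET for each path; map path -> whether a shell answered."""
    results: Dict[str, bool] = {}
    for path in BACKDOOR_PATHS:
        reply = b""
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_request(host, path))
                # cmd.exe with no stdin prints its banner and exits, so read
                # until the server closes the connection or the timeout fires.
                while len(reply) < 4096:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    reply += chunk
        except OSError:
            pass  # refused, unreachable or timed out: treated as "no shell"
        results[path] = is_backdoor_reply(reply)
    return results


# Constructed sample: the reply quoted in the post, re-typed with CRLF line ends.
SAMPLE_BACKDOOR_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Sun, 05 Aug 2001 11:42:19 GMT\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"Microsoft Windows 2000 [Verze 5.00.2195]\r\n"
    b"(C) Copyright 1985-1999 Microsoft Corp.\r\n"
    b"\r\n"
    b"c:\\inetpub\\scripts>"
)

# Constructed sample: a clean IIS 5.0 server that has no root.exe to run.
SAMPLE_CLEAN_REPLY = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>404 Object Not Found</title></head></html>"
)

# Constructed sample: a 200 page that merely mentions Windows must not match.
SAMPLE_DECOY_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Microsoft Windows 2000 Server, Copyright 1985-1999</body></html>"
)

if __name__ == "__main__":
    print("backdoor reply:", is_backdoor_reply(SAMPLE_BACKDOOR_REPLY))
    print("clean reply:   ", is_backdoor_reply(SAMPLE_CLEAN_REPLY))
    print("decoy reply:   ", is_backdoor_reply(SAMPLE_DECOY_REPLY))
```

probe_host() is the only function that touches the network; run it only against hosts you are authorised to test. The classifier deliberately refuses a bare 200 and a banner alone, since a web page served from a script directory can contain the word "Windows" without any shell having run.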