Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Jul 23, 2001 (Vol. 6, #54 - Issue #289)
Urgent Alert! Code Red Worm
This issue of W2Knews contains:
- EDITORS CORNER
- Urgent Alert! Code Red Worm
- TECH BRIEFING
- Code Red Worm - How does it look? What do I do?
- PRODUCT OF THE WEEK
- Incident Response - You've been hacked. What now?
SecureIIS protects Microsoft IIS Web servers from known and unknown
attacks. It wraps around IIS and works within it, verifying and
analyzing incoming and outgoing Web server data for any possible
security breaches. SecureIIS combines the best features of Intrusion
Detection Systems and Conventional Network Firewalls all into one,
with very low overhead. Cost? Just $495. This would have stopped
the Code Red Worm from compromising your servers! Download here:
Visit SecureIIS for more information.
Urgent Alert! Code Red Worm
This is a Security Special Flash that takes the space of the Monday
issue. We're sending this early and I hope you are getting it on
time, but if you don't, here are some hints to protect yourself and/or
fix this nasty little critter.
In the last issue (#288) you just got, the Tech Briefing described a
new malicious worm. It replicated like a firestorm, and the estimates
are that now hundreds of thousands of IIS webservers are compromised.
I even have a picture of a Microsoft Windows Update server that was
hit by this one. You can see it here; this is how it looks, and
check the URL, that's a real one!
In short, what is it? www.incidents.org describes it as follows,
but the numbers they give in this piece of copy are already old:
"The CODE RED worm is a malicious piece of software that replicates
and propagates to unpatched Microsoft IIS webservers running on
Windows NT or 2000. Once the worm has infected a machine it begins
scanning random IP addresses looking for other IIS servers to
infect. The worm is currently estimated to have infected at least
50,000 servers and is spreading fast. The scanning traffic generated
by the worm is now causing denial of service effects on many networks.
An analysis of the worm's programs indicates that all infected
machines will begin waging a flooding attack against www.whitehouse.gov
sometime tomorrow (July 20th). The effect of this many machines
operating in concert in a DDoS attack could possibly be devastating
to the Internet infrastructure".
The White House system admins were warned by Marc Maiffret and changed
their IPs, so that attack was foiled, but this thing will re-infect
your servers, so here is my urgent suggestion:
GET YOUR IIS WEBSERVERS PATCHED - NOW!
(email me with feedback: [email protected])
SPONSOR: NEED TO MIGRATE YOUR DATA?
Moving from NT to W2K? Consolidating Servers? Implementing a new
Storage Architecture like a SAN? Sunbelt Software Services can help
you get the job done. Our experienced System Engineers can come to your
site, and migrate all your data to your new platform in a SECURE way.
Check out this page, and then get in touch with Julie, our Services
Coordinator for a quote. Want to see her million dollar smile? Click:
Visit NEED TO MIGRATE YOUR DATA? for more information.
Code Red Worm - How does it look? What do I do?
Here is the short technical backgrounder by a few of the developers
of eEye, a security software developer that has a few products Sunbelt
carries (SecureIIS and Retina). Credit: Ryan Permeh and Marc Maiffret.
As stated earlier the .ida "Code Red" worm is spreading throughout
IIS Web servers on the Internet via the .ida buffer-overflow attack
that was published last month.
We have calculated that the worm can attempt to infect roughly half
a million IP addresses a day. This is a rough estimate generated
by testing on a very slow network.
The following are the steps that the worm takes once it has infected
a vulnerable Web server:
- Setup initial worm environment on infected system.
- Setup 100 threads of the worm.
- Use the first 99 threads to spread the worm (infect other Web
- The worm spreads itself by creating a sequence of random IP
addresses. However, the worm's list of IP addresses to attack is
not altogether random. In fact, there seems to be a static seed
(a beginning IP address that is always the same) that the worm uses
when generating new IP addresses. Therefore every computer infected
by this worm is going to go through the same list of "random" IP
Because of this feature, the worm will end up re-infecting the
same systems multiple times, and traffic will cross back and forth
between hosts, ultimately creating a denial-of-service type effect.
The denial-of-service will be due to the amount of data being
transferred between all of the IP addresses in the sequence of
random IP addresses.
The worm could have done truly random IP generation, and that would
have allowed it to infect many more systems much faster. We are not
sure why this was not done, but a friend of ours did pose an
interesting idea: if the person who wrote this worm owned an IP
address that was one of the first hundred or thousand to be scanned,
then they could set up a "sniffer", and any time an IP address tried
to connect to port 80 on their server they would get confirmation
that the IP address that connected to them was infected with the worm.
With this knowledge, they would be able to create a list of the
majority of systems that were infected by this worm.
- The 100th thread checks to see if it is running on an English
(US) Windows NT/2000 system.
- If the infected system is found to be an English (US) system,
the worm will proceed to deface the infected system's website.
The local Web server's Web page will be changed to a message
that says: "Welcome to http://www.worm.com!, Hacked By Chinese!".
This hacked Web page message will stay "live" on the Web server
for 10 hours and then disappear. The message will not appear again
unless the system is re-infected by another computer.
- If the system is not an English (US) Windows NT/2000 system,
the 100th worm thread is also used to infect other systems.
- Each worm thread checks for c:\notworm.
- If the file c:\notworm is found, the worm goes dormant.
- If the file is not found, each thread will continue to attempt
to infect more systems.
- Each worm thread checks the infected computer's system time.
- If the date is past the 20th of the month (GMT), the thread
will stop searching for systems to infect and will instead attack
www.whitehouse.gov. The attack consists of the infected system
sending 100k bytes of data (1 byte at a time + 40 bytes of overhead
for the actual TCP/IP packet) to port 80 of www.whitehouse.gov.
This flood of data (410 megabytes of data every 4 and a half hours
per instance of the worm) would potentially amount to a denial-of-
service attack against www.whitehouse.gov.
- If the date is between the 1st and the 19th of the month, this
worm thread will not attack www.whitehouse.gov and will continue
to try to find and infect new Web servers.
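To put numbers on the re-infection effect described in the "random" IP sequence item above, here is an added simulation (not eEye's or Sunbelt's code): a seeded PRNG stands in for the worm's generator, which is not reproduced, and the host and probe counts are constructed.

```python
import random
from collections import Counter


def scan_sequence(seed, count):
    """Targets one worm instance would walk, modelled as 32-bit values from a
    seeded PRNG. Hypothetical stand-in for the generator described above;
    the worm's actual code is not reproduced here."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def coverage(seeds, per_host):
    """Given one seed per infected host, return (distinct addresses touched,
    hits on the most-scanned address). A shared seed makes every host walk
    the identical list, so all the scanning effort piles onto the same targets."""
    hits = Counter()
    for seed in seeds:
        hits.update(scan_sequence(seed, per_host))
    return len(hits), max(hits.values())


# Static seed, as described in the analysis: 1000 infected hosts, 500 probes each.
SHARED = coverage([20010719] * 1000, 500)        # (500, 1000)
# Independent seeds: the same probe budget spreads over ~500,000 addresses.
INDEPENDENT = coverage(range(1000), 500)

if __name__ == "__main__":
    print("shared seed: distinct=%d, max hits on one address=%d" % SHARED)
    print("independent seeds: distinct=%d, max hits on one address=%d" % INDEPENDENT)
```

With the shared seed, the 500 addresses on the list each receive a probe from every one of the 1000 hosts, which is the traffic concentration the analysis describes as a denial-of-service type effect.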
At the time of writing this document (July 19th, 3:00pm), we have
had reports from administrators that have been probed by over 196
thousand unique hosts. This leads us to believe that this worm
has infected at least 196 thousand computers.
During testing we noticed that sometimes the worm does not execute
"normally" and will continue to spawn new threads until the infected
machine crashes and has to be rebooted, effectively killing itself.
We have not been able to isolate the cause of this behavior.
I have been infected by this worm, what can I do?
The first thing you must do is go to the Microsoft security site,
as referenced below, and install the .ida patch as soon as possible.
The worm will remain in memory until you reboot your server so make
sure to reboot after installing the .ida patch.
I think I am infected, how can I tell?
An infected system will show an increase in load (processor/network).
It will also show a number of external connections (or attempts)
to port 80 from random IP addresses. You can see this by doing a
"netstat -an" from an MS-DOS prompt. Either way, do not take any
chances; if your system is missing the .ida patch, install it and
Microsoft's bulletin on the ida vulnerability is here:
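Two checks for the symptoms described above, as an added example that is not eEye's or Sunbelt's code: the IIS log lines and the "netstat -an" output are constructed samples, and the 200-byte query-length threshold for an .ida request is an assumption.

```python
import re

# Constructed IIS W3C log lines (date time c-ip method uri-stem uri-query status).
# The last two lines mimic an oversized query to an .ida resource; all values are made up.
IIS_LOG = "\n".join([
    "2001-07-19 14:02:11 10.0.0.7 GET /default.htm - 200",
    "2001-07-19 14:02:13 198.51.100.23 GET /query.ida q=printers 200",
    "2001-07-19 14:02:19 192.0.2.44 GET /query.ida " + "X" * 240 + " 200",
    "2001-07-19 14:02:20 192.0.2.44 GET /query.ida " + "X" * 240 + " 200",
])

# Constructed "netstat -an" output in the Windows layout.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:80            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1031          192.0.2.10:80          SYN_SENT
  TCP    10.0.0.5:1032          203.0.113.77:80        SYN_SENT
  TCP    10.0.0.5:1033          198.51.100.200:80      SYN_SENT
  TCP    10.0.0.5:1034          192.0.2.10:80          SYN_SENT
  TCP    10.0.0.5:80            198.51.100.9:3341      ESTABLISHED
  UDP    10.0.0.5:137           *:*
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
CONN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def ida_overflow_requests(log_text, min_query_len=200):
    """(client_ip, uri_stem) for .ida requests with an implausibly long query.
    The overflow rides in the query string, so a short legitimate Index Server
    search is not flagged; the 200-byte cut-off is an assumed threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(5).lower().endswith(".ida") and len(m.group(6)) >= min_query_len:
            hits.append((m.group(3), m.group(5)))
    return hits


def port80_fanout(netstat_text):
    """(distinct foreign hosts this machine is trying to reach on port 80 in
    SYN_SENT, distinct foreign hosts connected to its own port 80). A web server
    normally has few of the former; a host scanning for IIS servers has many."""
    outbound, inbound = set(), set()
    for line in netstat_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        local_port, foreign_ip, foreign_port, state = m.group(2), m.group(3), m.group(4), m.group(5)
        if foreign_port == "80" and state == "SYN_SENT":
            outbound.add(foreign_ip)
        elif local_port == "80" and state == "ESTABLISHED":
            inbound.add(foreign_ip)
    return len(outbound), len(inbound)
```

On the constructed data the log check flags the two oversized .ida requests from 192.0.2.44 and not the short Index Server query, and the netstat check reports three distinct outbound port-80 targets, the pattern the backgrounder says to look for on an infected server.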
And if you want to protect your IIS boxes against all these kinds of
attacks in one fell swoop, I suggest you check out this tool in the new
"application firewall" category. It's called SecureIIS and is just $500 per
server. This Code Red worm is a good example you can use to justify
a small insurance policy like this. Here's the eval:
PRODUCT OF THE WEEK
Incident Response - You've been hacked. What now?
This is one of the first books available that explains what to
do after you've been hacked. Written by FBI insiders, this book
reveals the computer forensics process and offers authoritative
solutions designed to counteract and conquer hacker attacks.
You will learn strategies for recovering from computer crime
incidents and how to respond to security breaches and hacker attacks
the right way, with help from this insightful and practical guide.
You'll get details on the entire computer forensic process and
learn the importance of following specific procedures immediately
after a computer crime incident occurs. It covers investigations on
various platforms, including UNIX, Windows NT, Windows 2000, and
application servers.