__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
ADVISORY NOTICE
The Code Red Worm
July 19, 2001 24:00 GMT Number L-117
______________________________________________________________________________
PROBLEM: The Code Red worm is spreading on the Internet utilizing the
.ida (indexing service) vulnerability in the Microsoft Internet
Information Server IIS. After infection the worm attacks other
systems and does a denial of service attack on
www.whitehouse.gov.
PLATFORM: Web servers utilizing the IIS server on Windows NT and Windows
2000 with the index server or indexing service enabled.
DAMAGE: Infected machines will randomly attack other web servers and
perform a denial of service attack on www.whitehouse.gov. The
home page of infected machines will be defaced.
SOLUTION: Disable the indexing server or apply the patches as recommended
in Microsoft Security Bulletin MS01-033 or CIAC Bulletin L-098,
"Microsoft Index Server ISAPI Extension Buffer Overflow".
Reboot the system to eliminate the worm from memory.
______________________________________________________________________________
VULNERABILITY The risk is HIGH. The worm is spreading rapidly around the
ASSESSMENT: Internet.
______________________________________________________________________________
[Update to L-120 on July 29, 2001 with additional tool information]
A tool has been released for the detection of the Code Red Worm.
You may download this tool from the following location:
http://www.eeye.com/html/Research/Tools/codered.html
The Code Red Worm
=================
The Code Red Worm has been detected spreading to systems throughout the
Internet. From the number of different hosts detected performing attacks,
it is apparent that many thousands of systems worldwide are infected by
this worm. A disassembly and analysis of this worm was performed by Marc
Maiffret of eEye Digital Security and friends. This bulletin is based on
that analysis. The complete analysis including an annotated disassembly
listing is available at
http://www.eeye.com/html/advisories/codered.zip
Worm Operation
==============
The worm exploits the Index Server (.ida) buffer overflow vulnerability
reported in CIAC Bulletin L-098, Microsoft Index Server ISAPI Extension
Buffer Overflow and Microsoft Security Bulletin MS01-033, Unchecked Buffer
in Index Server ISAPI Extension Could Enable Web Server Compromise. The
buffer overflow allows the worm to execute code within the IIS server to
spread itself, to deface the server's home page, and to run a denial of
service attack on www.whitehouse.gov.
The worm arrives at the web server as a Get /default.ida request. That
request exploits the .ida vulnerability and starts the worm code executing.
The worm code executes only in memory and is not written to disk so no
residue of the worm will be found by examining the disk.
The worm first starts 100 worm threads in memory. That is, there are 100
copies of the worm running at the same time. Next, it checks for the
existence of c:\notworm. If that file exists, the worm goes dormant. This
is apparently to prevent the worm from spreading on the developer's system.
Next, the worm gets the current date from the system clock and if the date
is before the 20th of the month the worm starts infecting new systems.
If the date is between the 20th and 27th of the month the worm starts a
denial of service attack on www.whitehouse.gov.
The worm attacks other systems by randomly generating an IP address and
then probing that address to see if it can connect to port 80. If it can,
it sends a copy of the buffer overflow attack to that machine. The random
IP address generator appears to always start with the same random seed
so the list of machines attacked by the worm is identical for every copy
of the worm. The result is that machines whose IP addresses are low on
the list of random IP addresses will be probed over and over again by
each thread of the worm in every infected machine, creating an effective
denial of service attack. Also, vulnerable systems can be compromised
multiple times, resulting in multiple copies of the worm running in them
each with 100 separate threads. After each attack, the worm again checks
the date and decides to either attack another machine or attack
www.whitehouse.gov.
The denial of service attack on www.whitehouse.gov is performed by
sending 98,304 (18,000h) packets to the www.whitehouse.gov server.
After sending these packets, the worm goes to sleep for 4 1/2 hours
and then does it again. All 100 threads of the worm code participate
in the denial of service attacks which continue until the system is
rebooted. Note that a system can sustain multiple infections so a single
system may be responsible for many times the 100 * 98,304 packets every
4 1/2 hours.
The 100th thread of the worm code defaces the web server's home page. It
only does this if the operating system's code page is U.S. English. The
100th thread first sleeps for 2 hours, apparently to let the attacking
threads to spread the worm before it shows a visible presence by changing
the home page. After 2 hours, the worm replaces a link in the executing
code in memory that returns data to a web client. That link is then pointed
to worm code that produces the web page below, which indicates that the web
page was hacked by the Chinese.
HELLO!
Welcome to http://www.worm.com !
Hacked By Chinese!
The change remains in effect for ten hours and then the web server is
returned to normal operation. Note that the change in the home page is not
done by changing the home page disk files, but is done by hacking the code
in memory that returns data to a user to return the html codes for the
defaced web page instead. The result is that the defaced web page is returned
to anyone who makes any request to the web server.
Detecting the Worm
==================
As the worm runs only in memory, you will not be able to find a file or
other tell-tale evidence on the disk that indicates the worms presence.
If the worm is active in a server, the server will show a heavy load and
will show a lot of external connections to port 80 on other machines.
Execute the following command in a command window to see what external
connections a system currently has open.
netstat -a
If you are using an intrusion detection system, it should be able to detect
the worm's attacks. The beginning of the worm's attack packet looks like the
following:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3
Removing the Worm and Patching a System
=======================================
This worm is only in memory on a system and is not written to disk, so
simply rebooting a system removes the worm and restores the system.
However, due to the large number of infected systems and the fact that
they attack the same list of IP addresses, the odds are that a system
will be reinfected as soon as it reboots. To protect a system you have
two options: 1) disable .ida processing or 2) patch the .ida processor.
If you are not using the index server, you should disable .ida
processing otherwise you must patch your system. After disabling .ida
processing or patching a system, be sure to reboot the system to insure
that the worm is removed from memory.
See the following bulletins for information on disabling and patching
systems for this vulnerability.
CIAC Bulletin L-098, Microsoft Index Server ISAPI Extension Buffer
Overflow
Microsoft Security Bulletin MS01-033, Unchecked Buffer in Index
Server ISAPI Extension Could Enable Web Server Compromise
Note: You can remotely test a server to see if .ida processing is
enabled or not by making a request to the server for an ida file that
does not exist. Type the following request in a web browser with your
server replacing the one in the request.
http://www.yourwebserver.gov/default.ida
if it returns the following text, .ida processing is enabled.
The IDQ file default.ida could not be found.
On the other hand, if .ida processing has been disabled, the server
will return a 404 file not found error.
HTTP Error 404
404 Not Found
Realize that this does not tell you if you have the patched version
of the .ida processor only if .ida processing is disabled or not.
_______________________________________________________________________________
CIAC wishes to thank Marc Maiffret of eEye Digital Security and his friends
for the hours they spent disassembling and analyzing this worm which provided
the information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-108: Oracle 8i TNS Listener Vulnerability
L-110: HP Open View Event Correlation Services Vulnerability
L-111: FreeBSD Signal Handling Flaw
l-109: VPN-1/FireWall-1 RDP Communication Vulnerability
L-112: Cisco SN 5420 Storage Routers Vulnerabilities
L-113: Microsoft Outlook View Control Exposes Unsafe Functionality
L-115: Hewlett-Packard login Vulnerability
L-116: Lightweight Directory Access Protocol (LDAP) Vulnerabilities
L-118: Hewlett-Packard ftpd and ftp Vulnerability
L-119: Hewlett-Packard mkacct Program Vulnerability