Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Malware :: in200108.htm

Code Red Worm exploits buffer overflow



CERT Incident Note IN-2001-08: "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL

"Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL

Release Date: July 19, 2001

Systems Affected

  • Systems running Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled
  • Systems running Microsoft Windows 2000 (Professional, Server, Advanced Server, Datacenter Server)
  • Systems running beta versions of Microsoft Windows XP

Overview

The CERT/CC has received reports of new self-propagating malicious code exploiting the vulnerability described in CERT Advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the "Code Red" worm has already affected more than 13,000 hosts.

Description

In examples we have seen, the "Code Red" worm attack sequence proceeds as follows:

Additional detailed analysis of this worm has been published by eEye Digital Security at http://www.eeye.com.

Impact

In addition to web site defacement, affected systems may experience performance degradation as a result of this worm.

Each instance of the "Code Red" worm uses the same random number generator seed to create the list of IP addresses it scans. Therefore, each victim host begins scanning the same IP addresses that previous instances have scanned, which could result in a denial of service against the IP addresses earliest in the list.

Furthermore, it is important to note that while the "Code Red" worm appears to merely deface web pages on affected systems and attack other systems, the IIS indexing vulnerability it exploits can be used to execute arbitrary code in the Local System security context, effectively giving an attacker complete control of the victim system. It is therefore imperative to apply the remedies described in the Solutions section of this document.

System Footprint

The "Code Red" worm can be identified on victim machines by the presence of the following string in IIS log files:

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a 

Additionally, web pages on victim machines may be defaced with the following message:

HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

Network Footprint

A host running an active instance of the "Code Red" worm will scan random IP addresses on port 80/TCP looking for other hosts to infect.

Solutions

The CERT/CC encourages all Internet sites to review CERT Advisory CA-2001-13 and ensure workarounds or patches have been applied on all affected hosts on your network.

If you believe a host under your control has been compromised, you may wish to refer to

Steps for Recovering from a UNIX or NT System Compromise

Reporting

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org.


Author(s): Allen Householder


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH