Security Incidents mailing list archives

Re: Initial analysis of the .ida "Code Red" Worm


From: Matt Power <mhpower () bos bindview com>
Date: Wed, 18 Jul 2001 14:23:15 -0400

We've injected a copy of the Code Red worm onto one of our lab systems
(Windows 2000 Server with SP1; IIS 5.0 with no content additions or
configuration changes, e.g., the "The site you were trying to reach
does not currently have a default page" home page; idq.dll from prior
to the MS01-033/Q300972 patch). A few preliminary notes:

  -- Within about 10 seconds after the worm data was sent, the victim
     machine began generating port-80 SYN packets to many random IP
     addresses, as described in the other reports of this worm.
     However, there was no "Hacked By Chinese!" home page created on
     this machine. Also, in a similar attack on a Windows 2000 Server
     machine that had a brief c:\inetpub\wwwroot\default.htm file, the
     attack did not result in that home page being changed or
     replaced. I have also heard other reports of Code Red activity on
     machines that did not have a home-page defacement.

     This suggests that scanning your own networks for machines with
     a "Hacked By Chinese!" home page might not be an especially
     comprehensive way to identify machines compromised by Code Red.

  -- The victim machine sends the string "GET " to the attacking
     machine over the TCP connection that was used for the attack.

     It's possible that looking for short outgoing packets ending with
     the application data "GET ", with TCP source port 80, may be a
     useful way to detect break-ins in some environments.

  -- fport (http://www.foundstone.com/rdlabs/proddesc/fport.html)
     listed about 100 TCP ports for inetinfo.exe on the victim
     machine. This may be useful in a rough first pass at assessing
     whether a suspected machine was compromised by Code Red.

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com
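The two detection heuristics described in the post above (short outgoing packets from TCP source port 80 ending in the application data "GET ", and a single process holding an unusually large number of TCP ports as fport reported) written up as an added Python example; this is not code from the original message or from BindView. The packet records, the fport-style lines, and the "short packet" and port-count thresholds are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample outbound packet records from the suspected host:
# (src_ip, src_port, dst_ip, dst_port, payload). Not real captures.
SAMPLE_PACKETS = [
    ("10.0.0.5", 80, "192.0.2.10", 3344, b"GET "),                              # matches
    ("10.0.0.5", 80, "192.0.2.11", 4012, b"HTTP/1.1 200 OK\r\n" + b"x" * 300),  # normal reply
    ("10.0.0.5", 1035, "192.0.2.12", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),  # client side
    ("10.0.0.5", 80, "192.0.2.13", 5000, b"y" * 100 + b"GET "),                 # not short
]

MAX_SHORT_PAYLOAD = 64  # assumed cut-off for a "short" packet; not from the post


def flag_get_from_port80(packets, max_len=MAX_SHORT_PAYLOAD):
    """Return (src_ip, dst_ip, dst_port) for short packets sent from TCP
    source port 80 whose application data ends with "GET "."""
    return [(s_ip, d_ip, d_port)
            for s_ip, s_port, d_ip, d_port, data in packets
            if s_port == 80 and len(data) <= max_len and data.endswith(b"GET ")]


def constructed_fport_output():
    """Build fport-style lines (constructed, not a real run): one inetinfo
    process holding 100 TCP ports, plus two ordinary entries."""
    path = "C:\\WINNT\\system32\\inetsrv\\inetinfo.exe"
    lines = ["Pid   Process            Port  Proto Path",
             f"1036  inetinfo       ->  80    TCP   {path}"]
    lines += [f"1036  inetinfo       ->  {p}  TCP   {path}" for p in range(1100, 1199)]
    lines.append("420   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe")
    lines.append("8     System         ->  445   TCP   ")
    return lines


def count_tcp_ports_per_process(fport_lines):
    """Count TCP port entries per process name in fport-style output."""
    counts = Counter()
    for line in fport_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Pid":
            continue  # header or malformed line
        _pid, process, arrow, _port, proto = fields[:5]
        if arrow == "->" and proto == "TCP":
            counts[process.lower()] += 1
    return counts


def flag_port_heavy_processes(fport_lines, threshold=50):
    """Processes holding at least `threshold` TCP ports (threshold assumed)."""
    return {proc: n for proc, n in count_tcp_ports_per_process(fport_lines).items()
            if n >= threshold}


if __name__ == "__main__":
    print(flag_get_from_port80(SAMPLE_PACKETS))
    print(flag_port_heavy_processes(constructed_fport_output()))
```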


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
