New version of Code Red

Printable View

March 12th, 2003, 10:51 AM
SirDice

New version of Code Red

Just a heads up.

There seems to be a new version of Code Red. The infection vector and payload are the same. The only difference is that the drop-dead date (every 20th of th month) has been removed. It also seems to infect more rapidly.

http://www.ntbugtraq.com/default.asp...&L=ntbugtraq#2
March 12th, 2003, 11:06 AM
Phat_Penguin

Oh yeah another round with Code Red - great !! .... thankfully it doesn't effect my linux machine but does clutter the logs - I found this to help clear my apache logs of this rubbish;

# Use a cron job to remove them from logs .
# Ok maybe a stupid script but it works.

# Name it clearlogtext and place it in /usr/sbin
# chown 0.0 clearlogtext
# chmod 750 clearlogtext

#!/bin/sh
#
# Clears the windows entries from log files.
#
if [ $# != 2 ] ; then
echo "syntax: $0 logfile text"
else
awk !/$2/{print} $1 > t;>$1;cat t > $1; rm t
fi

Then make a cronjob to run daily or hourly and copy it to
/etc/cron.daily or /etc/cron.hourly

#!/bin/bash
#
/usr/sbin/clearlogtext /var/log/httpd/access_log \.exe
/usr/sbin/clearlogtext /var/log/httpd/access_log \.ida
/usr/sbin/clearlogtext /var/log/httpd/access_log winnt
/usr/sbin/clearlogtext /var/log/httpd/error_log \.exe
/usr/sbin/clearlogtext /var/log/httpd/error_log winnt
March 12th, 2003, 11:48 AM
Amanda

I remember the older varient and how around the 20th of the month it would do dDoS on govermental targets and displays "hacked" by chineas." Does it still do dDoS only it's not timed on the 20th or does it just replicate only at a higher rate of speed?

I tried looking around but all I could find was the older versions of the worm.
March 12th, 2003, 12:05 PM
SirDice

Quote:

Originally posted here by Amanda
I remember the older varient and how around the 20th of the month it would do dDoS on govermental targets and displays "hacked" by chineas." Does it still do dDoS only it's not timed on the 20th or does it just replicate only at a higher rate of speed?

I tried looking around but all I could find was the older versions of the worm.

I am not sure about the DDoS. I have not seen any analysis of this new version. I based the fact that it replicates faster on my own experiences. I always see about the same number of Code Red attacks every day on my IDS. My IDS is going ballistic the last few days on this new version.

Just FYI the patch is the same as for the older versions. The patch is nearly 2 years old.

As soon as I get to catch one I will try to analyse it.
March 12th, 2003, 03:02 PM
Und3ertak3r

Thanks for the Heads Up SD

Seem that Symantec have finaly caught up with the Code red...

Cheers

Quote:

CodeRed.F
Discovered on: March 11, 2003
Last Updated on: March 12, 2003 02:59:25 AM

As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.

This variant differs in only two bytes from the original CodeRed II. CodeRed II would reboot the system if the year was greater than 2001. This is no longer the case in this variant.

Symantec Antivirus definitions will detect this variant as CodeRed Worm if saved to a file. The worm also drops a trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and clean this new variant.

Please click here for information on how best to leverage Symantec technologies to combat the CodeRed threat.

The worm scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 web servers and uses a buffer overflow vulnerability to infect remote machines. The worm injects itself directly into memory, rather than copying itself over as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.

If you are running Microsoft IIS Server, it is strongly recommended that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/sec.../MS01-033.asp.

A cumulative patch for IIS that includes the four patches released to date is available at http://www.microsoft.com/technet/sec.../MS01-044.asp.

In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address that problem and to stop the Trojan from reinfecting the computer: http://www.microsoft.com/technet/sec...n/MS00-052.asp

Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, W32/CodeRed.a.worm [McAfee]
Type: Trojan Horse, Worm
Systems Affected: Microsoft IIS
CVE References: CVE-2001-0500, CVE-2001-0506