Results 1 to 5 of 5

Thread: New version of Code Red

  1. March 12th, 2003, 10:51 AM #1
    SirDice
    SirDice is offline
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    New version of Code Red

    Just a heads up.

    There seems to be a new version of Code Red. The infection vector and payload are the same. The only difference is that the drop-dead date (every 20th of th month) has been removed. It also seems to infect more rapidly.

    http://www.ntbugtraq.com/default.asp...&L=ntbugtraq#2

    Reply With Quote Reply With Quote
  2. March 12th, 2003, 11:06 AM #2
    Phat_Penguin
    Phat_Penguin is offline
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Oh yeah another round with Code Red - great !! .... thankfully it doesn't effect my linux machine but does clutter the logs - I found this to help clear my apache logs of this rubbish;

    # Use a cron job to remove them from logs .
    # Ok maybe a stupid script but it works.

    # Name it clearlogtext and place it in /usr/sbin
    # chown 0.0 clearlogtext
    # chmod 750 clearlogtext

    #!/bin/sh
    #
    # Clears the windows entries from log files.
    #
    if [ $# != 2 ] ; then
    echo "syntax: $0 logfile text"
    else
    awk !/$2/{print} $1 > t;>$1;cat t > $1; rm t
    fi


    Then make a cronjob to run daily or hourly and copy it to
    /etc/cron.daily or /etc/cron.hourly

    #!/bin/bash
    #
    /usr/sbin/clearlogtext /var/log/httpd/access_log \.exe
    /usr/sbin/clearlogtext /var/log/httpd/access_log \.ida
    /usr/sbin/clearlogtext /var/log/httpd/access_log winnt
    /usr/sbin/clearlogtext /var/log/httpd/error_log \.exe
    /usr/sbin/clearlogtext /var/log/httpd/error_log winnt
    Reply With Quote Reply With Quote
  3. March 12th, 2003, 11:48 AM #3
    Amanda
    Amanda is offline
    Banned
    Join Date
    Jan 2003
    Posts
    30
    I remember the older varient and how around the 20th of the month it would do dDoS on govermental targets and displays "hacked" by chineas." Does it still do dDoS only it's not timed on the 20th or does it just replicate only at a higher rate of speed?

    I tried looking around but all I could find was the older versions of the worm.
    Reply With Quote Reply With Quote
  4. March 12th, 2003, 12:05 PM #4
    SirDice
    SirDice is offline
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Amanda
    I remember the older varient and how around the 20th of the month it would do dDoS on govermental targets and displays "hacked" by chineas." Does it still do dDoS only it's not timed on the 20th or does it just replicate only at a higher rate of speed?

    I tried looking around but all I could find was the older versions of the worm.
    I am not sure about the DDoS. I have not seen any analysis of this new version. I based the fact that it replicates faster on my own experiences. I always see about the same number of Code Red attacks every day on my IDS. My IDS is going ballistic the last few days on this new version.

    Just FYI the patch is the same as for the older versions. The patch is nearly 2 years old.

    As soon as I get to catch one I will try to analyse it.
    Reply With Quote Reply With Quote
  5. March 12th, 2003, 03:02 PM #5
    Und3ertak3r
    Und3ertak3r is offline
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Thanks for the Heads Up SD

    Seem that Symantec have finaly caught up with the Code red...

    Cheers

    CodeRed.F
    Discovered on: March 11, 2003
    Last Updated on: March 12, 2003 02:59:25 AM


    As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.

    This variant differs in only two bytes from the original CodeRed II. CodeRed II would reboot the system if the year was greater than 2001. This is no longer the case in this variant.

    Symantec Antivirus definitions will detect this variant as CodeRed Worm if saved to a file. The worm also drops a trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and clean this new variant.

    Please click here for information on how best to leverage Symantec technologies to combat the CodeRed threat.

    The worm scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 web servers and uses a buffer overflow vulnerability to infect remote machines. The worm injects itself directly into memory, rather than copying itself over as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.

    If you are running Microsoft IIS Server, it is strongly recommended that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/sec.../MS01-033.asp.

    A cumulative patch for IIS that includes the four patches released to date is available at http://www.microsoft.com/technet/sec.../MS01-044.asp.

    In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address that problem and to stop the Trojan from reinfecting the computer: http://www.microsoft.com/technet/sec...n/MS00-052.asp


    Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, W32/CodeRed.a.worm [McAfee]
    Type: Trojan Horse, Worm
    Systems Affected: Microsoft IIS
    CVE References: CVE-2001-0500, CVE-2001-0506
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules