

Code Red III - Latest Updated Info on this newly released worm from NTBugTraq

posted on August 5, 2001
by hitbsecnews

Russ over at NTBugTraq has issued more information regarding the specifics of the new Code Red III. Unlike "Code Red", this worm doesn't attack any single target at any point, although its attack strength seems to be much higher (it launches 300 threads right off, although some may only launch 100), so its propagation seems much higher.

The attack only works properly on Windows 2000 systems (preliminary analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and received a standard error message. Reports from subscribers suggest that XP IIS 5.1 RC1 is invulnerable also. It's expected that it works on PWS and OWS equally to IIS (all on W2K).

It's obviously a short-lived attack, at least the process of collecting victims. What would be done with them once collected is another story. No attempt is made by the worm to send anything "home", although detecting compromised boxes is far too easy (very unfortunately) for anyone outside your network.

Cleaning a compromised box should really be done by reformatting. Although logging is left on for the new virtual directories created (meaning you'd see access in your IIS logs), there's really no way to be sure that files haven't been implanted to leave other backdoors (not as part of this worm, but as part of the use of the opening it creates)...

Ok, here's the latest on this new variant.

1. It makes a copy of CMD.EXE called ROOT.EXE in the

\inetpub\scripts

and

\program files\common files\system\msadc

directories. Does this on both drive C: and D: (doesn't fail if D:
doesn't exist).

2. It then runs its attack program code to infect itself upon
numerous other boxes. This is done randomly, although there is a bias
to attack boxes that are part of the same class A as infected
attacker (so it hits your own boxes sooner rather than later). Attack
code runs for 24 hours, 48 hours on Chinese language systems.

3. After attack code runs (and it seems to be based on clock ticks,
not date), it then writes out a Trojan.

File Explorer.exe (8192 bytes or 7K as displayed by Windows) is
dropped (from the code in the original attacking URL) to the root of
drive C: and D: (again, doesn't matter if D: doesn't exist).

4. The system is then rebooted (probably a forced reboot).

5. When the system restarts, it loads the trojan Explorer.exe from
the root directory on the boot drive. This code then does several
things:

a) Launches the real Explorer.exe, so the system looks normal.

b) Sets SFCDisable in hklm\software\microsoft\windows
nt\currentversion\winlogon to some undocumented value. Presumably
this disables Windows File Protection (so critical files could be
overwritten)

c) Creates two virtual directories (via the registry) in
hklm\system\currentcontrolset\services\w3svc\parameters\virtual
roots. Called "C" and "D", they are mapped to the root directories of
the two drives and permissions are established in the virtual
directory to allow script, read, and write access as well as setting
execute permissions to scripts and executables.

d) goes into an endless sleep loop.

The end result of all of this action is to leave your box wide open
to remote connection and total compromise.
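As an added defender-side example (not part of Russ's post or of the original page), here is a small Python parser for IIS W3C extended logs that flags the traces the steps above leave behind: requests for ROOT.EXE under /scripts or /msadc, and any request served through the "C" or "D" virtual roots. This is the kind of access the analysis says you would see in your IIS logs. The log lines are constructed sample data, and the column layout assumes the IIS default W3C fields.

```python
import re
from typing import Dict, List, Optional

# Constructed sample IIS W3C extended log (not real traffic). The paths match
# the analysis above: ROOT.EXE under /scripts and /msadc, and the "C" and "D"
# virtual roots that map to the root of each drive.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 03:12:44 192.0.2.10 GET /default.htm - 200
2001-08-05 03:13:01 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-08-05 03:13:05 198.51.100.7 GET /msadc/root.exe /c+dir+c:\\ 200
2001-08-05 03:13:09 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-05 03:14:20 203.0.113.5 GET /scripts/root.exe /c+dir 404
2001-08-05 03:15:02 192.0.2.11 GET /d/inetpub/wwwroot/index.htm - 200
"""

# ROOT.EXE is the CMD.EXE copy the worm drops; a 404 still shows a probe.
ROOT_EXE = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)
# Anything under /c/ or /d/ is the drive-root virtual directory being used.
DRIVE_ROOT = re.compile(r"^/[cd]/", re.IGNORECASE)

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text using its own #Fields directive."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log itself
        elif line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_backdoor_use(text: str) -> List[Dict[str, str]]:
    """Return the rows that touch the backdoor paths, each with a verdict."""
    hits: List[Dict[str, str]] = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "")
        if ROOT_EXE.match(stem):
            ok = row.get("sc-status") == "200"
            verdict = "root.exe reached" if ok else "root.exe probed"
        elif DRIVE_ROOT.match(stem):
            verdict = "drive-root virtual directory used"
        else:
            continue
        hits.append({**row, "verdict": verdict})
    return hits
```

A "root.exe reached" hit with status 200 means the copy exists and was executed, so the box should be treated as compromised; a 404 shows only that someone is scanning for it.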

Credits:

The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and
friends) and Roger Thompson of TruSecure. Additional help came from
Bruce Hughes of the ICSA Labs.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

From MSNBC is the following update and synopsis of the Code Red III situation:

A new computer worm that acts much like Code Red but has a much nastier payload began spreading around the Internet on Saturday. The worm leaves a "backdoor" in infected systems, making them easy for an intruder to infiltrate. If the worm spreads as quickly as last week's Code Red outbreak, hundreds of thousands of Web sites could be completely unprotected from computer hackers within the next 24-48 hours.

IT WAS NOT IMMEDIATELY clear if the new worm was a variant of Code Red or just a nastier copycat, but security experts have already started calling it Code Red III.

Last week, experts had warned that Code Red's real danger was that it paved the way for creation of a much more destructive worm that employed Code Red's successful tactics. Last week's worm, while a nuisance, generally did nothing more than deface Web sites and attempt to spread itself.

The new worm realizes some of those fears. Upon infection, the worm leaves a backdoor so an attacker, any attacker, could easily enter an infected system and steal data.

"The end result ... is to leave your box wide open to remote connection and total compromise," wrote Russ Cooper in an analysis of the worm posted to TruSecure Corp.'s NTBugtraq. Cooper moderates the popular mailing list.

In his analysis, Cooper said the only way victims can reclaim a compromised system is to reformat it, essentially wiping it clean.

A hastily written message on the SANS Institute Web site indicated that Code Red "probes" had increased on Saturday, suggesting a fresh spurt of activity. SANS, a computer security think-tank, had also discovered the new version installs a backdoor.

"The backdoor makes a command shell available to any attacker," SANS said. A command shell gives an attacker a command line, familiar to users of MS-DOS. From a command line, an attacker can issue any command to the computer.

It was unclear early Sunday morning how fast the worm had spread, but anecdotal reports on computer security mailing lists suggest it is successfully propagating at a rate similar to last week's Code Red outbreak. If that occurs, it would mean hundreds of thousands of Web servers around the Internet would be available to computer criminals for easy break-ins within a few hours.

Bob Sullivan's full article is available at the MSNBC web site.
