
YACRV (Yet Another Code Red Variant)

By chrisqeld in Internet
Mon Aug 06, 2001 at 02:50:56 AM EST
Tags: Internet (all tags)

It looks like there's a new Code Red variant out that is hitting the infected user's local subnet first instead of just striking out randomly. I haven't been able to find any information about this yet, but now I've seen it myself and I'm not the only one.

The difference is quite noticeable. As anyone who's been hit by Code Red knows (and who hasn't been hit 100-200 times by now?), Code Red URLs look something like default.ida?NNNNN... and a bunch of unicode. This new one is essentially the same, except it has XXXXX instead of NNNNNN. Also, everyone I've talked to with log entries of these has noticed that the source IPs are within their own subnet (usually 1.2.x.x). Since I can't find any further information about this, I was wondering if anyone else out there knew anything. Maybe there are other differences in this new strain; it's not exactly my area of expertise.

There are upsides to the new strain. Being at university, it's not too hard to find people responsible and I've already contacted one owner of an infected box. Of course, on a cable network, this is still basically useless and will just lead to a lot more infected cable users.

Just something to look out for.


YACRV (Yet Another Code Red Variant) | 22 comments (19 topical, 3 editorial, 0 hidden)
Wow (3.00 / 2) (#1)
by J'raxis on Sat Aug 04, 2001 at 03:28:44 PM EST

Just as I was reading this story, I checked my packet sniffer to see what's been going on: twelve connect attempts on port 80, since 15:17 (it's now 15:35), all from *.ne.mediaone.net addresses.

I think this is all your fault. :)

-- The %u270145 Raxis

[ J’raxis·Com | Liberty in your lifetime ]

Well (2.75 / 4) (#2)
by spacejack on Sat Aug 04, 2001 at 03:31:27 PM EST

Looks like I might need to patch my sig. Thanks for the heads-up.

Found one! (4.00 / 4) (#6)
by spacejack on Sat Aug 04, 2001 at 04:08:31 PM EST

Just perused my logs today (yup, Code Red is alive and well yet) and spotted the XXXXX variant. 2 occurrences already from different IPs.

What's weird is the NNN version gives me a 400 error, while XXX gives me a 404 (unix/apache). Why's this?

Right... (4.00 / 2) (#7)
by chrisqeld on Sat Aug 04, 2001 at 04:52:04 PM EST

I actually did notice that, too, but forgot to mention it; thanks for pointing it out. It does seem odd to me and contributed to my guess that there might be more to this variant than meets the eye... or it could just be Apache being weird (why was the old one a 400 anyway?)

[ Parent ]
A virus _and_ bad HTTP (3.50 / 2) (#13)
by finite automaton on Sun Aug 05, 2001 at 02:53:43 AM EST

The old (NNNN) version generated malformed HTTP headers in the request. Apache rejects on this (with error code 400) before it rejects on file not found (404).

The new version seems to generate correct HTTP headers, or more precisely, does not generate a Host header at all.

[ Parent ]

Code Red Hits (4.00 / 3) (#8)
by spinfire on Sat Aug 04, 2001 at 06:09:52 PM EST

Yeah, I've noticed in the past day or so I've been getting both NNNNNN and XXXXXX Code Red hits. These XXXXX hits are mostly from my local Speakeasy subnet; however, I just looked and saw one from a Speakeasy customer in Seattle and one from a Southwestern Bell DSL customer.

I've additionally gotten repeated hits from single IPs. See a dynamically updated list of hosts I've compiled.

Freelance Hacker. spinfire on FooNET.

IP ranges (4.00 / 1) (#10)
by J'raxis on Sun Aug 05, 2001 at 01:55:29 AM EST

It appears to just target IPs within the same class A -- not necessarily the same "ISP" or local network. For example, my IP starts with 66.* -- I'm getting a huge amount of hits from MediaOne.net (my ISP, which owns much of 66.*) but also other 66s (including Speakeasy.net amusingly enough).

-- The 66.* Raxis

[ J’raxis·Com | Liberty in your lifetime ]
[ Parent ]

From a comment on /.: (4.50 / 2) (#11)
by ubernostrum on Sun Aug 05, 2001 at 02:25:23 AM EST

Quick and dirty analysis of the "it's hitting its own network" phenomenon:
OK, I know how the scanning works now. The worm starts with the user's IP address, and then changes a variable number of random octets. Let's say that our web server is on
  • One time out of eight, an entirely random IP address is generated
  • Four times out of eight, the lower octet of the IP address is randomized (192.168.1.X)
  • Three times out of eight, the lower two octets are randomized (192.168.X.Y)
This is entirely consistent with the patterns we've been seeing, so if somebody on your local network gets infected, you're gonna get pounded until they fix it.
Another point: if the web server in question is behind a NAT firewall, it will go nuts scanning the internal network. For a large company that has many NT systems internally, they will spend all day trying to infect each other.

Meanwhile, my cable modem is lighting up like a Christmas tree...I just posted a diary about changing the "Activity" light to a "Code Red Attack" light. And if my firewall's logs are any indication, tomorrow morning a lot of other Charter cable users are going to wake up and find they've been own3d...3/4 of the http hits are coming from other people in Charter's swath of IPs...all in that dreaded 24.x.x.x block that is the coaxially-cabled bullseye on the target of script kiddies everywhere.

You cooin' with my bird?
[ Parent ]

ARPs (4.50 / 2) (#14)
by J'raxis on Sun Aug 05, 2001 at 03:45:16 AM EST

If your modem is blinking constantly, it's not just HTTP requests from the worm -- it's also a flood of ARP requests:
arp broadcasts of routers trying to figure out who the f*ck the machine that code red 2 is trying to probe is. if the server doesn't exist, it's broadcasting to your subnet to find out who that IP belongs to..
A.C. on Slashdot

-- The DHCP Raxis

[ J’raxis·Com | Liberty in your lifetime ]
[ Parent ]

Agreed (4.00 / 2) (#17)
by marimba on Sun Aug 05, 2001 at 09:31:09 AM EST

I took my Linksys out of the loop (does anyone know how to get raw logs off a Linksys cable router?) and ran tcpdump on my Linux box. At least ninety-nine percent of the traffic is ARP 'who-has'. My cable modem activity light has been on nearly constantly for the last day and a half.

[ Parent ]
ARP Requests (4.66 / 3) (#19)
by spinfire on Sun Aug 05, 2001 at 03:15:00 PM EST

Since isomerica.net is on a DSL connection, I only see ARP traffic between myself and the gateway. I presume their routing/switching gear (which I know to be a RedBack SMS) caches these requests to avoid broadcast floods.

On a slightly heavier note, all of these compromised boxen in the 2nd generation have a back door in them. Simply telnet to port 80 on an infected machine, and you can enter NT root shell commands in a URL. Wow, that's gotta suck.

Read more about the 2nd generation, and the backdoor.

Freelance Hacker. spinfire on FooNET.
[ Parent ]

Dial-up? (3.50 / 2) (#16)
by John Milton on Sun Aug 05, 2001 at 06:39:27 AM EST

I'm using Windows with ZoneAlarm and my logs show 19 http requests and 2 ftp requests. The old version of ZoneAlarm used to show extra hits all the time, but they fixed that in this version, so I assume these are all actual requests. I don't have a server on my computer anyways.

"When we consider that woman are treated as property, it is degrading to women that we should Treat our children as property to be disposed of as we see fit." -Elizabeth Cady Stanton

[ Parent ]
Just checked my logs (4.00 / 3) (#9)
by infraoctarine on Sat Aug 04, 2001 at 09:06:26 PM EST

I'm on a DSL line, and started getting the X strain requests about 12 hours ago, the first few from foreign subnets, but shortly after, the vast majority from my own subnet.

During these 12 last hours, I got 72 X strain requests and only 14 of the N kind. Seems like this new strain has taken over rapidly...

Serious Problem (4.50 / 4) (#12)
by CheSera on Sun Aug 05, 2001 at 02:42:34 AM EST

So I work for a big cable-modem ISP, and boy, this thing is eating us alive. Already a considerable portion of our customer network is infected and is beating the crap out of every other user in their subnet. Most of the calls today were either "Hey, my bandwidth is crap today", or from the technically knowledgeable, "I'm seeing a ton of hits to port 80 on my firewall". A lot of our customers run web servers (even though it is technically against the TOS) and unfortunately, since they aren't businesses, they don't keep up with the patches as regularly.

So a small minority (those with web servers) are seriously hurting a majority of our users. Of course it's not only internal traffic; a lot of the infected systems are outside our net, but just share a similar IP (i.e., 24.*.*.*). I shudder to think how bad this will get over the next couple of days.


Code Red II (4.40 / 5) (#15)
by Elendur on Sun Aug 05, 2001 at 04:38:44 AM EST

Yes, it's a completely different worm. There is actually the text "Code Red II" inside it, and it appears that it's much more malicious than the previous Code Red worm. It seems to leave an infected system wide open with a cmd shell available to anybody with a telnet client.

Detailed Analysis (4.66 / 3) (#18)
by epsilon0 on Sun Aug 05, 2001 at 02:42:36 PM EST

The best analyses of it are from SecurityFocus and eEye. The SecurityFocus ARIS system has some nice graphs of the worm growth. Discussion about the worm is ongoing in the incidents mailing list.

Log analysis, infection size and growth characteri (5.00 / 2) (#20)
by kmself on Sun Aug 05, 2001 at 04:51:54 PM EST

Some analysis of my own logs, swiped in part from another conversation with someone who's somewhat nonplussed by the attack.

Note that only WinNT/Win2K IIS systems are susceptible. GNU/Linux, *BSD, Unix, and non-IIS platforms cannot be infected. However anyone may feel network impacts.

GNU/Linux bash reporting recipe:

grep -h 'default\.ida?NNN' /var/log/apache/access.log* |
sed -e '/"GET.*/s///' -e '/^.* - - \[/s///' -e '/\/2001.*/s///' |
sort | uniq -c | awk '{print $2 ": " $1}'

Log counts, by attack cycle:

19/Jul: 20
20/Jul: 1

01/Aug: 20
02/Aug: 22
03/Aug: 17
04/Aug: 37
05/Aug: 51

Note that each wave has been building.

I'm on a dialup, but persistent, connection. Scans are essentially random (though the current algorithm targets the local subnet or netblock), meaning I've got about as much a chance as anyone of getting hit. So I'd think my data are going to be more-or-less representative.

As has been pointed out, the longer the infection period of the cycle, the stronger the infection. That seems to be the case for cycle 2. In cycle three, the attack is, as stated, targeted to the proximate netblock, in which the probability of finding a susceptible target is increased. Looking at attacks by type:

Code Red Type I:

01/Aug: 20
02/Aug: 22
03/Aug: 17
04/Aug: 15
05/Aug: 8
Code Red Type II:

04/Aug: 22
05/Aug: 43

The initial ramp-up is more-or-less the same in all three instances: 20, 20, and 22 hits in the first 24 hour period. It's the subsequent period that differs: 1, 22, and 43 hits. Statistically, it's an interesting application of sampling without replacement. The difference is in replacing a random sampling algorithm with a nonrandom one, increasing the *rate* of infection. The black hats are getting smarter, and the story's getting interesting. Note too that a Type-II attack results in a broadcast to arbitrary hosts that the attacking node is administrator-accessible. Any data-sharing among attacked (but non-susceptible) sites will lead to a large database of universally accessible hosts.

Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

Script fixes (5.00 / 1) (#21)
by kmself on Sun Aug 05, 2001 at 05:30:14 PM EST

That script's a bit bungled. It grabs only the newer CRV hits. It also wraps horribly.

To summarize all CRV hits, by worm type:

zgrep -h 'default\.ida' /var/log/apache/access.log* |
sed -e '/^.* - \[\(.*\)\/2001:.*"GET \/default.ida?\(...\).*/s//\2 \1/' |
sort | uniq -c
This generates a report similar to:

20 NNN 01/Aug
22 NNN 02/Aug
17 NNN 03/Aug
15 NNN 04/Aug
 9 NNN 05/Aug
20 NNN 19/Jul
 1 NNN 20/Jul
22 XXX 04/Aug
45 XXX 05/Aug

You may have to adapt above to your logfile location and/or format. It's based on Debian and vanilla Apache log format.

Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.
[ Parent ]
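An added example, not kmself's script or any code from the thread: a Python version of the same per-variant, per-day report that also keeps the Apache status code (400 for the old NNN request, 404 for the new XXX one, as discussed above) and reports what share of each variant's probes came from a chosen local netblock, the "it's hitting its own subnet" pattern several posters describe. The log lines are constructed, and 24.10.0.0/16 is an assumed local netblock.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache common-log line: source IP, day, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3})/\d{4}:[^\]]*\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})')
# Code Red fills the query with N, the new variant with X (as the thread describes).
VARIANT_RE = re.compile(r'GET /default\.ida\?(N+|X+)')

def classify(line):
    """Return (variant, day, ip, status) for a Code Red probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    v = VARIANT_RE.search(m['req'])
    if not v:
        return None
    variant = 'NNN' if v.group(1)[0] == 'N' else 'XXX'
    return variant, m['day'], m['ip'], int(m['status'])

def summarize(lines, local_net):
    """Count probes per (variant, day) and the share of each variant from local_net."""
    net = ip_network(local_net)
    counts, local, total = Counter(), Counter(), Counter()
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        variant, day, ip, _ = rec
        counts[(variant, day)] += 1
        total[variant] += 1
        if ip_address(ip) in net:
            local[variant] += 1
    return counts, {v: local[v] / total[v] for v in total}

# Constructed sample lines (not real log data); statuses follow the thread's Apache report.
SAMPLE = """\
24.10.5.7 - - [04/Aug/2001:10:01:02 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090 HTTP/1.0" 400 326
24.10.9.20 - - [04/Aug/2001:11:15:44 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090 HTTP/1.0" 404 291
24.10.200.3 - - [05/Aug/2001:00:03:11 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090 HTTP/1.0" 404 291
66.31.2.9 - - [05/Aug/2001:01:20:30 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090 HTTP/1.0" 404 291
24.10.5.7 - - [05/Aug/2001:02:00:00 -0400] "GET /index.html HTTP/1.0" 200 1043
""".splitlines()

if __name__ == '__main__':
    counts, share = summarize(SAMPLE, '24.10.0.0/16')  # assumed local netblock
    for (variant, day), n in sorted(counts.items()):
        print(f'{n:3d} {variant} {day}')
    print({v: f'{s:.0%}' for v, s in share.items()})
```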

Microsoft liability... (none / 0) (#22)
by banstyle on Thu Aug 09, 2001 at 05:52:11 AM EST

Hey, I got a good poser for the K5 crowd.

Think about this: Code Red and its variant (and any subsequent variants) are going to cost mucho bucks for everyone hooked to the net in terms of bandwidth. Everyone has to pay for their bandwidth, somehow.

Is it possible that the whole of the Internet could sue Microsoft class-action style for their bandwidth costs? Think about it: if Microsoft had properly QA'd their server, this never would have happened. Exploits like this simply should not fall through the cracks, and damn it, Microsoft should be held liable for this.

Though I am curious whether their EULA might have some clause against this type of thing, but... what if?

Internet traffic has gone up approximately 20-30% when Code Red was unleashed, and that's all because Microsoft left a gaping hole in their software.
"Everything done in weakness fails. Moral: do nothing." -Nietzsche
