Code Red II

Update, 20010909
If you're running Microsoft IIS and want to secure it quickly, check out Microsoft's IIS Lockdown tool.

Code Red Vigilante detects incoming probes and uses the worm in the probing machine to display a warning message on that machine.

Security Focus accepts IP address/date reports of infected machines and says they will attempt to inform the machine's administrator.

There are scripts which work with Apache to automatically send reports to Security Focus: Apache::CodeRed.pm and a shell script (use wget or the like to retrieve it): code-red-ii-mail.

Dshield is collecting web server log files containing Code Red probes, in order to backtrack the infection.

-- Peter Kaminski, 20010909

Code Red II is a nasty little thing.

First, if you've got Windows and a Linksys BEFSR41 firewall/router or one of its siblings, let me make a (qualified) recommendation for Wall Watcher, a freeware logging and analysis tool that works with the Linksys to let you review what your firewall's been doing. The qualification is that it's written in Visual Basic; if you've got a prejudice about that, don't use it.

Anyway, it's nice software, the author is incredibly responsive to comments, and it's an interesting toy for an afternoon or two.

Which brings me back to Code Red II. WallWatcher was logging a good deal of incoming HTTP probes to my @Home connection. I figured it would be interesting to let the requests through to my Linux box to log them to see what different things people were groping for. It turns out they're all CR2; 135 requests from 74 unique hosts over the 27 hours I've been logging. Remember, this isn't to an advertised web server IP address, just a random @Home address.

If you know someone who's running Windows NT4/2000 and IIS (which they may or may not realize is running), you'll do them and the rest of the Internet a favor by confirming they've applied the appropriate patches:

 * http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

 * http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

CR2 jumps into the same hole as CR1, but carries a different payload: a back door with full Administrator privileges. Once installed, it's fairly sneaky about hiding itself, and its propagation algorithms are *much* more effective than CR1 at pseudorandom-walking the IP address space to find new victims. (Because of the way CR2 propagates, most of the hosts trying to infect me are at IP addresses related to mine, which for me are other random cable modem users across North America.)

Consider then that CR2 announces that its victim is compromised to a whole random slew of sites by doing propagation probes, and pretty soon you've got the scenario described in "How to anonymously get root access on a quarter million machines overnight". That's a lot of root access.

Other CR articles:

 * Symantec Anti-virus Center summary:: http://www.symantec.com/avcenter/venc/data/codered.ii.html

 * Steve Gibson's "Code Red Advisory":: http://grc.com/codered/codered.htm

 * A LinuxPlanet editorial on Microsoft software as "the weakest link" in Internet security:: http://www.linuxplanet.com/linuxplanet/opinions/3647/1/

More about home firewall/routers:

 * Hardware reviews at Practically Networked:: http://www.practicallynetworked.com/pg/router_guide_index.asp?Rvw=1

 * Hardware discussion at Gibson Research (you can use NNTP also):: http://grc.com/x/talk.exe?cmd=xover&group=grc.security.hardware

A list of home firewall log tools, including WallWatcher:

 * http://www.gpick.net/lists/Firewall_Log_Tools.htm

-- Peter Kaminski, 20010804
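An added example, not part of Kaminski's post or of any of the tools listed above: a small log filter that produces the "requests from N unique hosts" tally described in the logging paragraph from an Apache access log. It relies on the well-known Code Red probe signature (a GET for /default.ida with a long padded query string, 'N' padding for CR1 and 'X' padding for CR2); the log lines embedded below are constructed, not real captures.

```python
import re
from collections import Counter

# Apache common/combined log prefix: client IP ... [timestamp] "request line" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3}')

# Code Red I and II both request /default.ida with a long padded query string that
# overflows the Index Server ISAPI filter (MS01-033): CR1 pads with 'N', CR2 with 'X'.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<pad>[NX])', re.IGNORECASE)


def classify(line):
    """Return (source_ip, 'CR1' or 'CR2') for a Code Red probe line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    p = PROBE_RE.match(m.group('req'))
    if p is None:
        return None
    return m.group('ip'), 'CR2' if p.group('pad').upper() == 'X' else 'CR1'


def summarize(lines):
    """Per variant: total probes and unique probing hosts (the two numbers the post reports)."""
    per_host = {'CR1': Counter(), 'CR2': Counter()}
    for line in lines:
        hit = classify(line)
        if hit is not None:
            ip, variant = hit
            per_host[variant][ip] += 1
    return {v: {'requests': sum(c.values()), 'unique_hosts': len(c)}
            for v, c in per_host.items()}


# Constructed sample log lines (not real captures); real probe query strings run to hundreds of bytes.
SAMPLE_LOG = """\
24.0.0.1 - - [04/Aug/2001:10:12:01 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
10.0.0.5 - - [04/Aug/2001:10:13:44 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
24.0.0.1 - - [04/Aug/2001:11:02:19 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
24.1.2.3 - - [04/Aug/2001:12:40:05 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.168.1.9 - - [04/Aug/2001:12:41:00 -0700] "GET /index.html HTTP/1.0" 200 1043
""".splitlines()

if __name__ == '__main__':
    for variant, stats in summarize(SAMPLE_LOG).items():
        print(f"{variant}: {stats['requests']} requests from {stats['unique_hosts']} unique hosts")
```

Point it at a real access_log (`summarize(open('/var/log/httpd/access_log'))`) and the per-host counters are what you would feed into a report to Security Focus or Dshield.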