Most folks have probably seen this, but this analysis is very good and should help to alleviate ambiguities. ---------- Date: Thu, 19 Jul 2001 00:17:51 -0600 From: aleph1@securityfocus.com To: incidents@securityfocus.com, focus-virus@securityfocus.com Subject: Full analysis of the .ida "Code Red" worm. Message-ID: <20010719001751.N2190@securityfocus.com> ----- Forwarded message from Marc Maiffret <marc@eeye.com> ----- From: "Marc Maiffret" <marc@eeye.com> To: "BUGTRAQ" <BUGTRAQ@SECURITYFOCUS.COM> Subject: Full analysis of the .ida "Code Red" worm. Date: Wed, 18 Jul 2001 22:40:11 -0700 Message-ID: <EIEOJCKGEPCLJHGCNNOPGEFGEAAA.marc@eeye.com> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) The following is a detailed analysis of the "Code Red" .ida worm that we reported on July 17th 2001. This analysis was performed by Ryan Permeh and Marc Maiffret of eEye Digital Security. The disassembly (complete with comments) was done by Ryan "Shellcode Ninja" Permeh. Table of Contents ================= 1. Introduction 2. Explanation 3. Commentary 4. Deep Analysis 5. Conclusion 6. Appendix 7. Credits You can get a copy of this analysis, commented disassembly, full IDA database, and binary of worm from http://www.eeye.com/html/advisories/codered.zip Introduction ============ On Friday July 13th we received packet logs and information from 2 network administrators that were experiencing large amounts of attacks targeting the recent .ida vulnerability that eEye Digital Security discovered (http://www.eeye.com/html/Research/Advisories/AD20010618.html) on June 18, 2001. After reviewing the logs sent to us we determined that in fact someone had released a worm into the Internet that was spreading rapidly through IIS web servers. The full analysis of the .ida "Code Red" worm has provided numerous new details as to the functionality and method of propagation of this worm. For instance this worms purpose ultimately seems to be to perform a denial of service attack against www.whitehouse.gov. Also it has been found that only US English Windows NT/2000 systems will show the defaced ("Hacked by Chinese !") web page. We've designated this the .ida "Code Red" worm, because part of the worm is designed to deface web pages with the text "Hacked by Chinese" and also because code red mountain dew was the only thing that kept us awake all last night to be able to disassemble this exploit even further. Explanation =========== As stated earlier the .ida "Code Red" worm is spreading throughout IIS web servers on the Internet via the .ida buffer overflow attack that was published weeks ago. The following are the steps that the worm takes once it has infected a vulnerable web server. 1. Setup initial worm environment on infected system. 2. Setup a 100 threads of the worm 3. The first 99 threads are used to spread the worm (infect other web servers). -The worm spreads itself by creating a sequence of random IP addresses. However, the worm's randomization of IP addresses to attack is not all together random. In fact there seems to be a static seed that the worm uses when generating new IP addresses to try to attack. Therefore every computer infected by this worm is going to go through the same list of random IP addresses to try to infect. The "problem" with that is that the worm is going to end up reinfecting systems and also end up crossing traffic back and forth between hosts to end up creating a denial of service type affect because of the amount of data that will be transferred between all the IP addresses in the sequence of random IP addresses. The worm could have done truly random IP generation and that would have allowed it to infect a lot more systems a lot faster. We are not sure why that was not done but a friend of ours did pose an interesting idea... If the person who wrote this worm owned an IP address that was one of the first hundred or thousand etc... to be scanned then they could setup a sniffer and anytime and IP address tried to connect to port 80 on their IP address they would know that the IP address that connected to them was infected with the worm and they would therefore be able to create a list of the majority of systems that were infected by this worm. 4. The 100th thread checks to see if it is running on a English (US) Windows NT/2000 system. -If the infected system is found to be a English (US) system then the worm will proceed to deface the infected systems website. That means... the local web servers web page will be changed to a message that says Welcome to http://www.worm.com !, Hacked By Chinese!. This hacked web page message will stay "live" on the web server for 10 hours and then disappear and never appear again unless the infected system is re-infected by another host. -If the system is not a English (US) Windows NT/2000 system then the 100th worm thread is also used to infect other systems. 5. Each worm thread checks for c:\notworm -If the file c:\notworm is found, the worm goes dormant. -If the file is not found then each thread will continue to attempt to infect more systems. 6. Each worm thread will now check the infected computers time. -If the time is between 20:00 UTC and 23:59 UTC then the worm will proceed to use this thread to attack www.whitehouse.gov. The attack consists of the infected system sending 100k bytes of data to port 80 of www.whitehouse.gov therefore potentially performing a denial of service attack against www.whitehouse.gov. -If the time is below 20:00 UTC then this worm thread will try to find and infect new web servers. In testing we have calculated that the worm can attempt to infect roughly half a million IP addresses a day and that was a ruff estimate made from using a very slow network. As of writing this document (July 18 6:49pm) we have had reports from administrators that have been probed by over 12 thousand unique hosts. That basically means at least 12 thousand hosts have been infected by this worm. In testing we have seen that sometimes the worm does not execute correctly and will continue to spawn new threads until the infected machine crashes and has to be rebooted. We have not been able to isolate the cause of this behavior. Commentary ========== As we sat and watched this worm spread itself through the Internet we were somewhat dumbfounded as to the number of reported systems being infected. The main reason for that is that this worm is using a, what we thought to be, very well known vulnerability. A patch for this vulnerability has been available for over a month now and at the time of the release of the vulnerability many news agencies ran stories about it therefore trying to spread awareness. Even with all of that though there have still been, at the very least, 12 thousand web servers infected by this worm. So we once again encourage administrators to pay attention to security issues and patch their systems as soon as patches are available for holes. All of this research would not be available if we were not a Full Disclosure company and if the many people who helped us research this worm were against full disclosure. Although we did not release any exploit code for the .ida vulnerability, the computer underground still had no problem creating a devastating worm. In the past we have seen a much higher percentage of patched systems when example exploit code was provided. System administrators do not believe vulnerabilities exist without a public exploit, or until something like this worm happens forcing them to patch their systems. We feel that if the security community moves away from Full Disclosure more incidents like this will happen and everyone will be left in the dark as to what is going on. An example of why full disclosure is so important would be this worm itself. Chances are this worm would have not been discovered if we had not fully disclosed details about the .ida vulnerability, allowing Intrusion Detection System vendors to create signatures for the .ida buffer overflow attack. Because of the way that IIS performs logging (logging a request after processing it), servers hit with this worm will actually have no traces of information left in the IIS log files making tracking this worm (via IIS logs) virtually impossible. The first instances of _anyone_ learning anything useful about this worm was via Intrusion Detection Systems that had signatures based on our .ida vulnerability research which would not have been there if not for full disclosure. The computer underground continues to find vulnerabilities everyday. If full disclosure goes away, then the general security community is left in the dark, and therefore so are administrators. More and more we are seeing an increase in worms attacking the Internet. There have been about 2 or 3 worms in as many months. Worms force computer security to become a global issue. With the rise of the Internet, not only do you have to worry about securing your own systems, you must also be careful of your "neighbors" systems. For instance with this worm even if you have done everything right (installed the .ida patch etc...) your network connection could still be taken down because of the amount of data flooding you from all of the "other guys" who hadn't applied patches and were infected by this worm. It is important to not only maintain your own security but make sure that other people you come in contact with secure their sites. Only with global cooperation to maintain security will the threat of worms start disappear. We received information from "friends" that leads us to believe that this worm is actually a derivative of another worm which was written to exploit the first ever remote IIS buffer overflow (also discovered by eEye Digital Security), the .htr buffer overflow. From reports, the .htr worm had a much smaller infection base and seemed to go under the radar probably because the .htr vulnerability was/is very old. Deep Analysis ============= The following is a very detailed analysis of what the worm is doing at each step of its infection. Full disassembled and commented worm code is available at our website at http://www.eeye.com/html/advisories/codered.zip. It will be provided as both a assembly text dump and as a IDA (Interactive Disassembler) database file. We have chosen not distribute the worm code in this eMail as to not clog up your bandwidth anymore then we already are >:-] Note: We will use CODEREF comments in the analysis to reference where we are in the disassembled code so you can "follow along" with us. The tools that we used to perform this detailed analysis were: IDA (Interactive Disassembler) from www.datarescue.com. IDA is an advanced disassembler that made this analysis possible. MS VC++ debugging environment. We used this to monitor modified pieces of the worm as they interacted with IIS. Ryan's brain + Marc's brain + private eEye tools. No... you cant have any of those. We will be heavily referencing the disassembled worm code in the following analysis. In an attempt to make this easier to understand we have broken the functionality of the worm into 3 parts. The core worm functionality, the worm hack web page functionality and the attack www.whitehouse.gov functionality. Core worm functionality ----------------------- 1. Initial infection vector (i.e. host is vulnerable to the .ida attack and gets hit with this worm). The initial infection starts to take place when a web server, vulnerable to the .ida attack, is hit with a HTTP get request that contains the necessary code to exploit the .ida attack and uses this worm as its payload. At the time of the .ida overflow a systems stack memory will look like the following: <MORE 4E 00> 4E 00 4E 00 4E 00 4E 00 4E 00 4E 00 4E 00 4E 00 4E 00 4E 00 4E 00 4E 00 92 90 58 68 4E 00 4E 00 4E 00 4E 00 4E 00 4E 00 FA 00 00 00 90 90 58 68 D3 CB 01 78 90 90 58 68 D3 CB 01 78 90 90 58 68 D3 CB 01 78 90 90 90 90 90 81 C3 00 03 00 00 8B 1B 53 FF 53 78 EIP is overwritten with 0x7801CBD3 which an address within msvcrt.dll. The code at 0x7801CBD3 disassembles to: call ebx When EIP is overwritten with call ebx it then causes program flow to divert back to the stack. The code on the stack jumps into the worm code that's held in the body of the initial HTTP request. 2. Sets up some initial stack variables CODEREF: seg000:000001D6 WORM At this point we are executing the initial code of the worm. The first thing to happen is that the worm sets up a new stack for its own use. The new stack is 218h bytes, filled with CCh. The worm code then moves on to initialize its function jump table. The entire worm heavily uses an EBP stack based memory offset system. This means that all variables are referenced as EBP-X values. On our website we have a document called worm-ebp.txt that attempts to track stack usage throughout the course of the worm code. 3. Load functions (create the "jump table") CODEREF: seg000:00000203 DataSetup The first thing the worm code does is reference the data portion of the exploit code at EBP-198h. The worm then needs to setup its internal function jump table. A function jump table is a stack based table used to store function addresses. It allows the worm to generate the function addresses at run time (This makes the worm have a better chance of executing cleanly on more systems). The technique used by this worm is what is called an RVA (Relative Virtual Addresses) lookup. Basically this means that all functions, or specifically GetProcAddress, are found within IIS itself. For more details on RVA please consult any good PE (Portable Executable, the executable file format for Microsoft platforms) documentation, or read through the assembly code of this worm. In a nutshell, RVA techniques are used to get the address of GetProcAddress. GetProcAddress is then used to get the address of LoadLibraryA. Between these two functions all other functions that the worm may need can be easily found. The worm uses these two functions to load the following functions:

From kernel32.dll: GetSystemTime CreateThread CreateFileA Sleep GetSystemDefaultLangID VirtualProtect

From infocomm.dll: TcpSockSend

From WS2_32.dll: socket connect send recv closesocket

Finally the worm stores the base address of w3svc.dll which it will later use to potentially deface the infected website. 4. Check the number of threads the worm has created. CODEREF: seg000:00000512 FUNC_LOAD_DONE Here the worm seems to perform a WriteClient (Part of the ISAPI Extension API), sending "GET" back to the attacking worm. This possibly could be a way of telling attacking worms that they have successfully infected a new host. Next the worm code will count the number of worm threads already in action. If the number of threads is 100 then control is shifted to the Worm hack web page functionality. If the number of threads is below 100 then the worm creates a new thread. Each new thread is an exact replica of the worm (Using the same code base). The worm now continues its path of execution. 6. Checks for the existence of c:\notworm CODEREF: seg000:0000079D DO_THE_WORK There seems to be a to be built in "lysine deficiency" (See Jurassic Park, or Caesar's paper on this at www.rootkit.com). A "lysine deficiency" is a built in check to keep malicious code from spreading further. In this case the "lysine deficiency" is a check for the existence of the file c:\notworm. If this file exists then the worm will become dormant. This means it will not attempt to make connections out to other IP addresses to try to infect. If this file does not exist then the worm continues onto the next step. 7. Check the infected systems time (computer clock) CODEREF: seg000:00000803 NOTWORM_NO The worm will now check the infected systems local time (in UTC). If the hour is greater then 20:00 UTC then the worm will proceed to goto the first step of the attack www.whitehouse.gov functionality. If the time is less than 20:00 UTC then the worm will attempt to continue to try to infect new systems. 8. Infect a new host (send .ida worm to a "random" IP address on port 80). At this point the worm will resend itself to any IP addresses which it can connect to port 80 on. It uses multiple send()'s so packet traffic may be broken up. On a successful completion of send, it closes the socket and goes to step 6... therefore repeating this loop infinitely. Worm hack webpage functionality ------------------------------- This functionality is called after a hundred threads are spawned within the worm. 1. Check if local system default language is English us then goto step 6 of core worm functionality. CODEREF: seg000:000005FE TOO_MANY_THREADS The first thing the worm does is get the local codepage. A codepage specifies the local operating system language (I.E. English (US), Chinese, German etc...). It then compares the local codepage against 0x409. 0x409 is the codepage for English (US) systems. If the infected system is an English (US) system then the worm will proceed to deface the local systems webpage. If the local codepage is not English (US) then this worm thread will goto step 6 of core worm functionality. 2. Sleep for 2 hours. CODEREF: seg000:00000636 IS_AMERICAN This worm thread now sleeps for 2 hours. We anticipate that this is to allow the other worm threads to attempt to spread the infection before making a presence known via defacing the infected systems webpage. 3. Attempt to modify infected systems webpages in memory. CODEREF: seg000:0000064F HACK_PAGE This worm uses an interesting technique called "hooking" to effectively deface (alter) an infected systems webpages. Hooking is modifying code in memory to point to code that the worm provides. In this case the worm is modifying w3svc.dll to change the normal operation of a function called TcpSockSend. TcpSockSend is what w3svc.dll (IIS core engine) uses to send information back to the client. By modifying this, the worm is able to change data being written back to clients who request web pages of an infected server. To perform hooking, first the worm makes the first 4000h bytes of w3svc.dll's memory writable. In a normal situation the memory for w3svc.dll (and basically all mapped dll's) is read-only. It uses the function VirtualProtect to change the memory of w3svc.dll to be writable, saving the old state to a stack variable. It then uses the saved codebase of w3svc.dll (from step 3 of core worm functionality) as a start point to search the import table (again see PE header documentation) for the address of TcpSockSend. Once the address for TcpSockSend is located the worm then replaces TcpSockSend's actual address with an address within the worm. The address that TcpSockSend now points to is a function within the worm that will return the "Hacked by Chinese !" webpage. The CODEREF for this function is seg000:00000C9A FAKE_TCPSOCKSEND. This thread of the worm now sleeps for 10 hours. During this 10 hours all web requests to the infected server will return the "Hacked by chinese !" webpage. After the 10 hours is up this thread will return w3svc.dll to its original state, including re-protecting memory. Execution after this proceeds to step 6 of the core worm functionality. Attack www.whitehouse.gov functionality --------------------------------------- Sooner or later every thread within the worm seems to shift its attacking focus to www.whitehouse.gov. 1. create socket and connect to www.whitehouse.gov on port 80 and send 100k byes of data CODEREF: seg000:000008AD WHITEHOUSE_SOCKET_SETUP Initially the worm will create a socket and connect to 198.137.240.91 (www.whitehouse.gov/www1.whitehouse.gov) on port 80. CODEREF: seg000:0000092F WHITEHOUSE_SOCKET_SEND If this connection is made then the worm will create a loop that performs 18000h single byte send()'s to www.whitehouse.gov. CODEREF: seg000:00000972 WHITEHOUSE_SLEEP_LOOP After 18000h send()'s the worm will sleep for about 4 and a half hours. It will then repeat the attack against www.whitehouse.gov (goto step one of Attack www.whitehouse.gov functionality). Appendix ======== This is associated information about the "Code Red" worm including how to stop the worm, commentary on the worm, and dispelling common misconceptions about this worm. How to secure your system from this .ida "Code Red" worm? --------------------------------------------------------- Microsoft patch for this .ida vulnerability http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-033.asp The worm spreads itself to new vulnerable systems via the .ida vulnerability. Applying this patch will keep your server from being infected. However, as stated earlier, because of the way the worm creates its list of "random" IP addresses to attack, you could still be affected by a high traffic overload denial of service. eEye Digital Security Advisory for .ida vulnerability http://www.eeye.com/html/Research/Advisories/AD20010618.html We initially discovered the .ida vulnerability which is being used by this worm as its infection vector. The above advisory details our research of that specific vulnerability. We worked with Microsoft to help them create a patch for the .ida vulnerability. SecureIIS - Application firewall, stops known and unknown IIS vulnerabilities. http://wwww.eeye.com/secureiis We do produce a product that protects IIS web servers from attack which is one of the reasons that we were so quick to research this worm. Funny enough in our initial testing we couldn't get the worm to work because we forgot we had SecureIIS enabled on the lab web server. heh. I have been infected by this worm what can I do? ------------------------------------------------ The first thing you must do is goto the Microsoft security site, as referenced above, and install the .ida patch ASAP. The worm will remain in memory until you reboot your server so make sure to reboot after installing the .ida patch. I think I am infected, how can I tell? -------------------------------------- An infected system will show an increase in load (processor/network). It will also show a number of external connections (or attempts) to port 80 of random IP addresses. You can see this by doing a "netstat -an" from a MS-DOS prompt. Either way do not take any chances... if your system is missing the .ida patch then install it ASAP and reboot. How to setup your IDS to detect this specific worm? --------------------------------------------------- The following is part of the packet data that is sent for this .ida "Code Red" worm attack: GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0 Just add that to your IDS signature database. What are some common misconceptions about the "Code Red" worm? -------------------------------------------------------------- 1. It connects to worm.com. This worm only specifies www.worm.com in the initial HTTP GET request HOST: header and in the defaced page show on English (US) systems. This worm does _not_ connect to www.worm.com. This worm operates completely independent and can spread and infect systems without having a single point of failure. What that means is that this worm will be wild on the Internet until there is a _VERY_ high degree of systems that go and install the .ida patch. 2. This worm is based off of hsj's "proof of concept" .ida exploit. This worm is _NOT_ based off of hsj's "proof of concept" .ida exploit. His exploit code had no worm functionality. It was a simple exploit shell that had little to no implicit functionality. It was designed to prove to administrators the seriousness of this vulnerability so that they would install patches ASAP. Credits ======= Ken Eichman of Chemical Abstracts Service Matthew Asham of Left Coast Systems Corp and a large handful of administrators who gave us much needed data to piece this together. Signed, eEye Digital Security T.949.349.9062 F.949.349.9538 http://eEye.com/Retina - Network Security Scanner http://eEye.com/Iris - Network Traffic Analyzer http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities "Its not a virus! Its a worm!" - z3r0 c00l "Whats this one eat?" - l0rd n1k0n "th1s 0n3 34ts 11S s3rv3rs!" - ch4m3l30n h4ck3rs ----- End forwarded message ----- -- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Thus spake Mike Najarian (miken@fast.net) on or about Fri, Jul 20, 2001 at 10:04:04AM -0400:

Has anyone gutted an infected box to determine whether it's going to go for whitehouse.gov www.whitehouse.gov or a hardcoded IP?

mnaj

Best regards,

Mike Najarian - FASTNET Corporation miken@fast.net (610)266-6700 http://www.fast.net FASTNET(r) - Business and Personal Internet Solutions

...

Knowing that some of the colocated boxes in our network *might* be infected; I have placed a nullroute for 198.137.240.92 (the IP www.whitehouse.gov resolves to).