From: Sherry M. Rogers (smrogers@socrates.berkeley.edu)
Date: Mon Aug 06 2001 - 15:17:36 PDT
A new worm is infecting vulnerable machines running IIS web servers on the
Internet and has already infected many hosts on campus.
It is called the Code Red II worm, though it has little in common with the
original Code Red worm beyond using the same buffer overflow in the
Indexing Service ISAPI extension of Microsoft IIS (idq.dll, reached through
requests for .ida files) to infect the victim.
Code Red II can infect unpatched Windows 2000 servers running IIS 4.0 or
5.0 with the Indexing Service installed. It can cause unpatched Windows NT
servers to crash.
The Code Red II worm is far more malicious than its predecessor:
1) It spreads more quickly by preferring targets on the local network
(addresses close to the infected host's own), so much of its scanning
traffic never crosses the campus border, where network monitoring takes
place, and is difficult to catch there.
2) It leaves the infected system open to *any* kind of attack by copying
CMD.EXE to root.exe in a web-accessible scripts directory. Anyone who can
reach the web server can then execute arbitrary commands on the
compromised machine with a single HTTP request.
3) It drops a Trojan horse copy of explorer.exe which, when run, makes
registry changes that leave "backdoors" for future access to the system.
These changes create virtual web paths (/c and /d) with read and write
access to all files on the C: and D: drives.
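The three behaviours above show up in the IIS logs of both the infected
host and the hosts it attacks. The following is an added example, not part
of the original advisory or of any vendor tool: it classifies IIS W3C
extended log lines into the infection attempt (the oversized .ida request,
padded with 'X' by Code Red II and with 'N' by the original Code Red),
use of the root.exe command backdoor, and use of the /c and /d virtual
drive paths. The field order, the 200-character padding threshold, the
/scripts directory name and all sample log lines are assumptions
constructed for the example.

```python
# Added example (not part of the original advisory): classify IIS W3C
# extended log lines for Code Red II infection attempts and for use of the
# backdoors the worm leaves behind. Field order, sample lines and the
# /scripts directory name are assumptions made for this example.
import re

# Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<ip>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<stem>\S+)\s+(?P<query>\S+)\s+(?P<status>\d{3})\s*$"
)

# Code Red II pads its .ida request with 'X'; the original Code Red used 'N'.
FILL_CHARS = {"X": "Code Red II", "N": "Code Red"}
MIN_FILL = 200  # assumed threshold; legitimate .ida queries are far shorter


def classify(line):
    """Return a list of (tag, detail) findings for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return [("unparsed", line.strip())]
    stem = m["stem"].lower()
    query = m["query"]
    findings = []

    # 1. The infection vector: an oversized query to the Indexing Service
    #    ISAPI extension. The run of identical fill characters before the
    #    first %-encoded byte identifies the variant.
    if stem.endswith(".ida") or stem.endswith(".idq"):
        fill = query.split("%", 1)[0]
        if len(fill) >= MIN_FILL and len(set(fill)) == 1:
            variant = FILL_CHARS.get(fill[0], f"unknown fill {fill[0]!r}")
            findings.append(("ida-overflow", f"{variant} from {m['ip']}"))

    # 2. The command backdoor: CMD.EXE copied to root.exe in a web-reachable
    #    scripts directory. Any request for it is a command execution.
    if stem.endswith("/root.exe") or stem.endswith("/cmd.exe"):
        findings.append(("cmd-backdoor", f"{m['ip']} ran {query.replace('+', ' ')}"))

    # 3. The virtual-path backdoor: /c and /d mapped to the whole C: and D: drives.
    if stem.startswith("/c/") or stem.startswith("/d/") or stem in ("/c", "/d"):
        findings.append(("drive-backdoor", f"{m['ip']} {m['method']} {m['stem']}"))

    return findings


def scan(lines):
    """Scan an iterable of log lines; return all findings with line numbers."""
    out = []
    for n, line in enumerate(lines, 1):
        for tag, detail in classify(line):
            if tag != "unparsed":
                out.append((n, tag, detail))
    return out


# Constructed sample log (not real traffic); hosts and status codes are made up.
SAMPLE_LOG = [
    "2001-08-06 14:02:11 10.0.0.7 GET /default.htm - 200",
    "2001-08-06 14:02:13 10.0.0.7 GET /default.ida " + "X" * 224 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-08-06 14:03:40 10.0.0.9 GET /default.ida " + "N" * 224 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-08-06 14:05:02 10.0.0.7 GET /scripts/root.exe /c+dir+c:\\ 200",
    "2001-08-06 14:05:09 10.0.0.7 GET /c/winnt/win.ini - 200",
    "2001-08-06 14:06:00 10.0.0.3 GET /search.ida CiRestriction=test 200",
]

if __name__ == "__main__":
    for n, tag, detail in scan(SAMPLE_LOG):
        print(f"line {n}: {tag}: {detail}")
```

Run against the infected host's own logs, the ida-overflow hits with a 200
status show the inbound infection and the root.exe and /c, /d hits show
who used the backdoors afterwards; that second list is what makes the
rebuild-from-media advice below unavoidable, since any of those requests
could have installed something unrelated to the worm.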
Note: deleting the registry settings, removing the copies of root.exe, and
removing the Trojan explorer.exe is NOT sufficient to clean the system.
While the system was backdoored, any attacker could have installed code
unrelated to this worm.
Any system infected with Code Red II will need to be rebuilt from secure
media, such as CD, to ensure that it is clean and that no backdoors have
been left on the system. Applying all service packs and hotfixes, in
particular all IIS patches, will also be essential.
This worm spreads so fast that it is also essential not to connect any new
system to the network unless you are sure IIS is disabled. Apply the IIS
patches immediately once the system is on the network, whether or not you
plan to run the service: IIS is often turned on later by other software
packages without the administrator noticing.
References:
http://www.cert.org/incident_notes/IN-2001-09.html
http://www.incidents.org/react/code_redII.php
Resources:
Securing IIS:
http://securityfocus.com/focus/microsoft/iis/iissecure.html
Free Code Red scanner from eEye:
http://www.eeye.com/html/Research/Tools/
------------------------------------------------------------------------
Sherry M. Rogers University of California, Berkeley
System & Network Security phone (510)642-7157
-------------------------------------------------------------------------