Red code virus analysis

zhaozj2021-02-08  282

Code Red uses the IIS web server. IDA buffer overflow vulnerability propagation. If it is infected with a host, it will work as follows on the affected machine: 1, establish the initial worm environment 2, build 100 worm threads 3, the first 99 threads will spread infected other hosts 4, 100th thread If you are running on whether it is running on an English version, if it is, it will replace the host page Welcome to http://www.min.com!, Hacked by Chinese! This information will automatically disappear after 10 hours. Unless it is again being infected again. If it is not an English version, it will also be used as other hosts. 5, each thread checks the local time if the time is between 20:00 UTC and 23:59 UTC, the thread sends 100K byte data to www.whitehouse.gov. If less than 20:00 UTC, it will continue to propagate other hosts in the following detailed analysis, it will be used to use IDA (Interactive Disassembler), which comes from www.datarescue.com. MS VC debugging environment I divide the worm into three parts to study: core function module, Hack web page module, attack www.whitehouse.gov module. First, the core function module 1, the start infection container (hosting that has been infected) is infected, the system memory will present the following information when infected.

4e 00 4e 00 4e 00 4e 00

4e 00 4e 00 4e 00 4e 00

4e 00 4e 00 4e 00 4e 00

92 90 58 68 4e 00 4e 00

4e 00 4e 00 4e 00 4e 00

Fa 00 00 00 90 90 58 68

D3 CB 01 78 90 90 58 68

D3 CB 01 78 90 90 58 68

D3 CB 01 78 90 90 90 90

90 81 C3 00 03 00 00 8B

1B 53 FF 53 78

EIP will be overwritten by 0x7801cbd3. The code at 0x7801CBD3 will be broken down into Call EBX, when EIP is rewritten by Call EBX, the arcs, Jia Lu, 蛄 囟ㄏ蚧囟 囟ㄏ蚧囟 囟ㄏ蚧囟 6 簧 系  涑娲  朐谄 鹗? HTTP request body.

2, establish the starting stack variable

Coderef: seg000: 000001d6 Worm

First, the worm builds a 218H byte stack filled with CCH, then it will turn to activate the jump function.

All variables are referenced as EBP-X values.

3, load function (establish a jump table "jump table")

Coderef: seg000: 00000203 DataSetup

First, the worm refers to the data part of the Exploit code in EBP-198H. Then it needs to create its own internal function jump table.

The worm uses a RVA (Relative Virtual Addresses) query technology, in a nutshell, RAV is used to get the address of getProcAddress. GetProcaddress is then used to get the LoadLibrarya address. It uses these two functions to load the following functions:

> From kernel32.dll:

GetSystemTime

CreateThread

Createfilea

Sleep

Getsystemdefaultlangid

VirtualProtect

> From infocomm.dll:

TCPSOCKSEND

> From ws2_32.dll:

Socket

Connect

Send

RECV

CloseSocket

Finally, the worm stores the base address of W3SVC.DLL, which will be used to change the page. 4. Check the thread that has been created:

Coderef: seg000: 00000512 func_load_done

It runs the WriteClient (part of the Isapi Extension API) to send "GET" back to the attacking machine. This should be telling the attack that it has successfully infected the machine.

Then, it will calculate the cormofworm thread

If the thread is equal to 100, the control will turn to the HACK web page function item.

If the thread is less than 100, it creates a new thread. Each new thread is a simple copy of the worm.

5, check the existing C: / NotWorm

It has a "Lysine Deficiency" feature to keep malicious code further propagate.

If the file exists, it will not make another action; if it does not exist, it will perform the next step.

6, check the affected system time:

Coderef: seg000: 00000803 NotWorm_no

Coderef: seg000: 0000079d do_the_work

If the time is between 20:00 UTC and 23:59 UTC, the thread will send 100K byte data to www.whitehouse.gov.

If less than 20:00 UTC, it will continue to spread other hosts

7, infecting a new host

If you can create an 80-port connection, it will send your own copy to that IP, if the send is successful, it will turn off the socket and go to step 5 to start a new loop.

Second, HACK WebPage module

If 100 threads are generated, the module will be called

1. Check if the system language is English, then go to the core module. Step 5

Coderef: seg000: 000005fe TOO_MANY_THREADS

2, sleep for 2 hours

Coderef: seg000: 00000636 IS_AMERICAN

This should be as possible before changing the page.

3, try to change the web page of the affected system

Coderef: seg000: 0000064f HACK_PAGE

Third, attack www.whitehouse.gov module

Create a socket connection to www.whitehouse.gov 80 port Send 100K byte data:

Coderef: seg000: 000008ad Whitehouse_socket_setup

First, it creates a socket and connects to 198.137.240.91 (www.whitehouse.gov/www1.whitehouse.gov) 80 port,

Coderef: seg000: 0000092f Whitehouse_socket_send

If the connection is successful, it creates a loop: send 18000h single-byte send () 's to the site

CodeRef: seg000: 00000972 Whitehouse_sleep_loop

After 18000H Send () '', it will sleep for 4 and a half, then repeat this attack.

From: marc maiffret

BY NTBUGTRAQ Maillist

CNNS compilation

solution:

1. If the system has been infected, please download the installation patch at Microsoft, and restart the machine, relevant information

http://www.cnns.net/article/db/1720.htm

2. If it is not sure, you can use it in the MS-DOS prompt to see the NetStat -an view, if there are too many external arbitrary IP 80 ports, it may be infected.

Worm, Like The Original Code Red Worm, Will Only Exploit Windows 2000Web Servers Because It Overwrites Eip with a jmp this iS Only Correct Under

Windows 2000. Under NT 4.0 That Offset Is Different, So The Process Will Simply

Crash INSTEAD OF ALOWING The WORM to Infect The System and Spread.

This Analysis is of the newly spreading coderedii.

To See More Information About The Previous Version of Code Red Please See Our

Previous Advisory:

Continued Threat of The "Code Red" WORM

Details

This Analysis is Broken Up Into 3 Sections: Infection, Propagation, Trojan

To check if your system has been infected, look for the existence of the files:

C: /explorer.exe

D: /explorer.exe

Also Check Your Iis S Folder and Msadc Folder To See If The File Root.exe

EXISTS. if it does life you have motone. Note:

An Older Sadmin Unicode Worm Also Would Rename Cmd.exe To Root.exe So you Could

Have a bit of cross over there.

To Download this Analysis and all disassembly files the go to:

http://www.eeye.com/html/advisories/coderedii.zip

Infection:

1st infection:

A. The First Thing the Worm Does Is Setup a Jump Table So That It Can Get To All

OF ITS Needed Functions.

SEG000: 000001D0

B. The Worm The Proceeds To Get Its Local IP Address. This is later used to deal

WITH SUBNET MASKS (PROPAGATION) AND to Make Sure That The Worm Does Not Re-Infect

The Local System.

SEG000: 000001D5

C. Next, THE WORM GETS The Local System Language To See iF The Local System Is Running

Chinese (taiwanese) or Chinese.

SEG000: 000001F9

D. At this Point The Worm Checks IF WE Have Executed Before, Andiff Executed Before, Andiff So, THEN THE

Worm Will Proceed to The Propagation Section. (See The PropAgation Section)

SEG000: 0000021AE. Next, The Worm Will Check To See if a Coderedii Atom Has Been Placed

(GlobalFindatoma). This functionality allows the Worm to make Sure Not to Re-Infect

The local machine. if it sees what atom exissrs the it. ..

Seg000: 00000240

F. The Worm Will Add a Coderedii Atom. This is to allow the Worm The FunctionAlity

To check to see letter a system has already been infread with the Worm.

SEG000: 0000027D

G. The Worm Now Sets ITS Number of Threads to 300 for non-Chinese systems. If The

System is chinese kiln it sets it to 600.seg000: 00000286

H. At this Point The Worm Spawns a Thread Starting Back At Step A. The Worm Will

Spawn Threads According to the Number Set from G. Each New Thread Will Be a Propagation

Thread.

SEG000: 000002BA

I. this is where the Worm Calls the Trojan Functionality. You can Find an Analysis of

The Trojan Mechanism Down Below In The Trojan System Seg000: 000002C4

K. The Worm The Local System Is Not Chinese, 2 Days if IT IS.

SEG000: 000002DA

L. Reboot Windows.

SEG000: 000002E1

Propagation:

This is used to spread the Worm Further.

SEG000: 000002EB

A. Setup local ip_storage variable. This is buy for Wormation functionality and

To make Sure Not to Re-Infect The Local System.

SEG000: 000002EB

B. Sleep for 64h MilliseConds

SEG000: 000002F1

C. Get Local System Time. The Worm Checks To See iF It The Year Is Less Than 2002 OR

If The Month Is Less Than 10. if The date is beyond Either of Those, THEN THE WORM

Reboots The Local System. That Limits The Worm To 10/01 for ITS SPREADING (in a Perfect

World.)

SEG000: 000002FD

D. Setup SockAddr_in. This will reason the get_ip section.

SEG000: 0000031A

E. Setup Socket: This Performs a socket (), Stores The Handle, Then Makes It Anon-Blocking Socket (This Is Important for Speed ​​Dealing with Connect () Calls

Seg000: 00000337

F. Connect To The Remote Host, IF It Returns A Connect Right Away, Go To H.

seg000: 00000357

The Following Is How The Worm Generates The IP Address for The next Host To Connect TO:

Get_ip:; code Xref: SUB_1C4 168 P

Call get_octet; load 4th actet (this is in reverse order Due to byte order)

MOV BH, Al

Call get_octet; get 3rd octet

MOV BL, Al

SHL EBX, 10H; Shift Bx To The Top of EBX

Call get_octet; get 2nd octet

MOV BH, Al

Call get_octet; 1st

MOV BL, Al

Call Gen_OCTET; GET first OCTET

And Eax, 7; And IT by 7

Call Check_addr_mask; ECX HAS EIP

For Each Oclet, Generate A Pseudo Random Byte Between 1 and 254, Next Get A Random

OcTet Between 1 and 254 and mask it by 7 finally, use this last byte to gen a 1st octet.

MOST Pertden Bit Is Check_addr_mask

This specifies the folload:

DD 0FFFFFFFH; 0 - Addr Masks

DD 0FFFFFFFFF00H; 1

DD 0fffffff00h; 2

DD 0FFFFFFFFFFFF00h; 3

DD 0fffffff00h; 4

DD 0FFFF0000H; 5

DD 0FFFF0000H; 6

DD 0FFFFFFFFFFFFFFFFFFFffffFFFFFFFFFFFFFF0000h; 7

THIS Mask is Applied To The Local Systems IP Address, And Matched to The Generated IP

Adject. This Makes a new ip with 0,1 or 2 bytes of data with the local ip.

For Instance, The Worm Will 1 / 8th of The Time Generate A Random IP NOT WITHIN Any

Ranges of the Local IP Address.

1 / 2TH of the Time, IT Will Stay Within The Same Class A Range of The Local IP Address

3 / 8th of the Time, IT Will Stay Wtem, Class B Range of the Local IP Address

Also, Note That if The ip The Worm Generates IS 127.x.x.x, 224.x.x.x, or the Same AS

The Local Systems IP Address THE WORM WILL SKIP That IP Address and Generate Anew IP Address To try to infect.

The Way The Worm Generates IP Addresses Allows It To Find More Possible IIS Web Servers

Quicker the the Other Codeled Worms That Have Previously Been Released. This New Worm

Is Also Going to Cause Cause A Lot More Data To Be Zig Zaged Across NetWorks.

G. Do a select to get the handle. If no handle is return, the go to k.

SEG000: 000003B6

H. Set Socket to Blocking. This is so select is not required after the connection.

SEG000: 000003C5

I. Send a Copy of The Worm.

SEG000: 000003E4

J. DO a RECV (), this is not actually useful anywhere.

SEG000: 000003FC

K. Close the socket and loop to A.

Trojan System:

This Portion of the Worm Is Designed to Dump Root.exe (root.exe is cmd.exe) INTO MSADC

And S, AND Create a Trojan on the local drive.

Seg000: 00000804

A. Get System Directory, This Gets The Native System Directory (i.e., c: / winnt / system32)

SEG000: 00000810

B. append cmd to the system directory string (c: /winnt/system32/cmd.exe)

Seg000: 00000828

C. SET Drive Modifier to C:

SEG000: 0000082D

D. COPY cmd.exe to / s / root.exe (actual path: drivemodifier: / inetpub / s / root.exe)

Seg000: 00000831

E. Copy cmd.exe to /msadc/root.exe (actual path: drivemodifier: /progra ~1/common ~1/system/msadc/root.exe)

Seg000: 00000863

F. Initialize Area for Explorer.exe

SEG000: 000008A2

G. Create Drive / Explorer.exe (Drive is C, Then D)

SEG000: 00000E83

H. The Worm Now Writes Out Explorer.exe. There Is An Embedded Binary Withnin The Worm

That Will Be Written Out To Explorer.exe. It has the property That if an embedded Byte

IS 0xFC, IT Replaced by 20h 0x00 Bytes instead of the regular byte. for more on what

The Trojan Explorer.exe Binary Does Trojan Section. Alsothe Way Nt Works Is That WHEN A User Logs Into The Local System It Has To Load

Explorer.exe (Desktop, Task Bar, ETC.) HOWEVER NT Looks for Explorer.exe First in The

Main Drive Path C: / Which Means The Trojan Explorer.exe Is Going to Be loading the next

Time a user logs in - Therefore the system Trojaned over and reviewly.

SEG000: 00000EC8

I. Close Explorer.exe

SEG000: 00000ED5

J. Change Drive Modifier To D, THE WORM GoES back to the code in step d. after IT

IS DONE THEN IT GoES BACK to Step K of The Infection Process.

SEG000: 00000EDD

Explorer.exe Trojan:

Explorer.exe Quick Overview:

Get Local Systems Windows Directory.

2. Execute Explorer.exe from help The local systems Windows Directory.

3. The Worm Now Goes Into The Following Loop:

While (1)

{

Set Software / Microsoft / Windows NT / CurrentVersion / Winlogon / SFCDISABLE TO

0FFFFFFFF9DH, Which Basical Disables System File Protection.

SET SYSTEM / CURRENTCONTROLSET / Services / W3SVC / Parameters / Virtual Roots / Scripts To, 217

Set System / CurrentControlSet / Services / W3SVC / Parameters / Virtual Roots / Msadc To, 217

SET SYSTEM / CURRENTCONTROLSET / Services / W3SVC / PARAMES / VIRTUAL ROOTS / C to C: /,, 217

Set System / CurrentControlSet / Services / W3SVC / Parameters / Virtual Roots / D to D: / ,, 217

Sleep for 10 minutes

}

The Above Code Creates A Virtual Web Path (/ C and / D) Which Maps / C To C: / And / D

TO D: /. The Writer of this Worm Has Put in this functionality to allow for a Backdoor

To Be Placed on The System So Even if You Remove the root.exe (cmd.exe promot) from Your

/ S Folder An Attacker Can Still Use The / C and / D Virtual Roots To Comze Your

System. The attcks would look like: http: // ipaddress / c / inetpub / s / root.exe? / c dir (if root.exe was still there) OR:

http://ipaddress/c/winnt/system32/cmd.exe? / c Dir Where Dir Could Be Any Command AN

Attacker Want To EXECUTE.

As long as the Trojan Explorer.exe Is Running The An Attacker Will Be Able To Remotely

Access Your Server.

AdditionAl Information

The Information Has Been Provided by Ryan Permeh and Marc MAIFFRET OF EEYE DIGITAL Security

转载请注明原文地址:https://www.9cbs.com/read-1655.html

New Post(0)