Internet Security Systems Security Alert
July 30, 2001

X-Force Response to Concern About the "Code Red" Worm

Synopsis:

The Internet has recently been faced with the threat of a worm, dubbed "Code Red". The worm exploits a vulnerability in unpatched versions of Microsoft IIS (Internet Information Server). This vulnerability was previously discussed in an ISS Security Alert dated June 19, 2001 (http://xforce.iss.net/alerts/advise79.php). IIS Web servers without the patch for the Index Server ISAPI Extension buffer overflow can be compromised by the worm, and then used to attack other vulnerable Web servers. The worm may pose a threat as a denial of service attack against the Internet as a whole, caused by the extra traffic generated as the worm spreads.

The worm has already been cleared from a large number of infected Web servers, and the vulnerability has been patched. On servers that are still infected, the worm is in a pre-programmed "sleep" mode. There are concerns that these infected servers will awake from this sleep mode and begin propagating again on August 1, 2001. While these reports are largely inaccurate, there is a definite threat that the Code Red worm, or a variant of the worm, will be launched and begin spreading on or after August 1st.

Description:

The Code Red worm is a malicious worm that attacks Microsoft IIS Web servers that are missing an important security patch. The worm was first discovered on July 13, 2001, although the full impact of the worm was not felt until July 19th, when it spread to thousands of computer systems in a period of several hours. The outbreak of the Code Red worm in the last two weeks was initiated by the original version of the worm.
Since then, two variants have been discovered, which were likely responsible for the rapid spread of the worm on July 19th. The new variants include changes to the code that make them more efficient at propagating, and therefore they pose a much greater threat to the Internet. The two variants, versions 2a and 2b, include many changes from the original version, although the variants are very similar to each other.

All three versions of the Code Red worm reside only in memory -- there is no file associated with the worm. As a result, the worm can be removed from a Web server simply by rebooting the system. To protect the server against future infection, however, the IIS vulnerability must be patched on the server.

The three known versions of the worm also share a characteristic schedule. Based on the system clock on the infected computer, the worm behaves differently according to the day of the month (as described below).

1st - 19th: Scanning/Propagating Phase

The worm propagates by scanning IP addresses on the Internet and attempting to connect to the HTTP port (TCP port 80). When the IP address of a vulnerable IIS Web server is found, the worm infects the system. The newly infected system begins to scan IP addresses, and the other system continues searching for additional servers to infect.

20th - 27th: Flooding (DDoS) Phase

The worm initiates a distributed denial of service attack by flooding a pre-configured IP address with large amounts of traffic. The IP address configured in all known versions of the worm is an IP address that previously belonged to www.whitehouse.gov. To counteract the attack, the White House Web site was moved to a different IP address, so the flooding portion of the first wave of the Code Red worm was unsuccessful. Future variants of the worm, however, could be configured with different addresses or Web sites to flood.

Beginning on the 28th: "Sleep" Phase

The worm goes into an infinite sleep phase.
While the worm will remain in the computer's memory until the system is rebooted, the worm will not attempt to propagate or initiate any packet flooding attacks once it enters the sleep phase.

In the initial version of the worm, infected Web sites would appear to be defaced for a period of ten (10) hours after infection. The worm would cause IIS to respond to requests with a Web page that displayed the following message:

    Welcome to http://www.worm.com! Hacked by Chinese!

At the same time, the worm used up all the remaining threads on the system, scanning for other vulnerable IIS Web servers. It would start by scanning a pseudo-random list of IP addresses in the same order. This allowed individuals with IP addresses in the beginning of that list to track how many systems were infected. It also prevented the first version of the worm from spreading very quickly, because the newly infected systems were scanning addresses that had already been scanned by previously infected servers.

The new variants of the Code Red worm include updated propagation methods that could potentially make them far more dangerous than the initial version. Each infected system chooses random IP addresses to scan, instead of initially scanning a predictable set of systems as the initial version did. The traffic caused by the increased propagation of the newer variants could be enough to degrade Internet speeds for home users, businesses, and government agencies. Some users may experience very slow connections to the Internet, and others may experience intermittent outages during the propagation and flooding phases of the worm.

The newer variants also do not deface the infected Web servers, as the initial version did. As a result, system administrators may not notice infected servers immediately, because the Web site will not be defaced. This allows the worm to propagate for longer periods before the infected system is detected and the worm is removed.
For these reasons, the new variants may spread more quickly and affect more servers in a short period of time.

Frequently Asked Questions:

Q: How many systems has the worm already infected?

A: Several published reports indicate that over 300,000 systems were infected in a very short time since it was first discovered on July 13, 2001. Many reports indicate that over 250,000 systems were infected in less than 24 hours at its peak level of propagation. However, it is extremely difficult to determine the exact number of infected systems, because the worm is designed only to scan and reinfect systems, and not to report which systems were infected to any outside source. The changes that were made in the new variants make it even more difficult to estimate the total number of infected systems.

Q: What is the significance of August 1st? Will the currently infected systems begin propagating the worm again?

A: Various teams of security and virus experts, including the ISS X-Force, have independently captured and disassembled the Code Red worm to analyze the worm's functionality. The worm goes through three phases: propagation, flooding, and finally sleep. The sleep phase is infinite. Once the worm has entered this phase on a system, it sleeps forever and does not "wake up" to scan and infect new targets. However, the worm can be re-initiated between the 1st and 20th of any month by any malicious attacker who has a copy of the initial worm or any of its variants. Even if the worm is launched again on August 1st, it is unknown at what point it will reach critical mass and begin affecting Internet speeds. As system administrators apply the patch to more and more IIS Web servers, the threat of the Code Red worm or any future variants of it will be reduced, because there will be fewer and fewer vulnerable targets.

Q: What is the concern about systems with their dates set incorrectly? How does this affect the behavior of the Code Red worm?
A: The worm is triggered by the date on the system clock of the infected computer, not by any external source. For systems that have their clocks set incorrectly, the worm may be in a different phase than the actual date would indicate. As a result, the worm could continue propagating from such systems outside what should be the normal propagating period. For example, after the 28th of the month, when the worm should be in the sleep phase, a worm on a system that had the date set as the 15th would still be in the propagating phase. However, most Web servers have the system clock set to the correct date, so only a small percentage of systems should continue propagating outside the normal scanning phase. The impact caused by a limited number of infected systems attempting to propagate is much less than during the normal propagation phase, when a large number of infected hosts are scanning for other vulnerable servers.

Q: How fast does this worm spread?

A: The worm's strength is that it is small, and it can infect vulnerable servers very easily. However, the scanning logic is not the most efficient for maximum propagation, even in the new variants of the worm, which include improved scanning logic. The updated code allows the new variants to scan almost the entire Internet address space, which includes around 4 billion IP addresses, but there is still a delay in the scanning portion of the code that limits the worm's propagation speed. The scanning engine within the worm will attempt to query a random address to see if it is vulnerable. If that address is not valid, or is inaccessible, there is a 21 second timeout before the worm attempts to scan another IP address. In the worm's worst-case scenario, each infected system can scan 17,100 IP addresses per hour, or 411,408 IP addresses per day. (This is based on calculations in which every attempt times out.) Many of the attempts will time out, because they will be made to invalid IP addresses.
Of those attempts that reach valid IP addresses, only a small number will have IIS installed on the server, and even fewer will be vulnerable to the ISAPI Extension buffer overflow. When the worm is launched, propagation begins very slowly at first, as only a few systems are scanning for other vulnerable servers. As more and more systems are infected, the worm begins to spread more and more quickly, because the scanning power increases exponentially as the worm propagates.

Q: Can a malicious attacker manually restart the worm at any time?

A: The Code Red worm will remain a threat to vulnerable machines across the Internet until all vulnerable IIS Web servers are patched, although the cycle will be stopped on the 20th of every month, when the worm stops propagating. However, future variants of the worm could be written that do not include this sleep phase. As fewer and fewer vulnerable systems exist, there will be fewer targets for the worm to infect, and thus fewer infected machines to continue scanning for new systems. As a result, the threat from the Code Red worm will be reduced as more systems are patched.

Q: What is the threat to Web servers on my internal network?

A: It is possible that the Code Red worm could infect Web servers on internal, corporate networks, even if the Web server is not connected to the Internet. This risk can be minimized if certain security precautions have been taken. First, ensure that all externally facing IIS Web servers on the network have been patched. In addition, verify that network traffic from externally facing Web servers is prevented from reaching any internal address.

Q: What will the worm look like if it attempts to attack my server?
A: The Code Red worm will send the following GET request to scanned Web servers (shown wrapped here; the worm sends it as a single request line):

    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090
    %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
    %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Affected Versions:

Microsoft Internet Information Server 4.0 and 5.0 without the patch for the "Unchecked Buffer in Index Server ISAPI Extension" vulnerability

Cisco products that run affected versions of Microsoft IIS

Recommendations:

Due to the continued threat of this worm, ISS X-Force strongly urges all administrators to download and apply the following patches made available by Microsoft.

For Microsoft Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

For Microsoft Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

For Microsoft Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.

For information on the IIS ISAPI Extension buffer overflow, please refer to the Microsoft Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

For information on how Cisco products are affected by the Code Red worm, please refer to the Cisco Security Advisory at:
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

ISS Internet Scanner X-Press Update version 4.10 provides assessment capability for the ISAPI extension vulnerability. The check included in XPU 4.10 requires the user running Internet Scanner to have administrative rights on the systems being scanned to properly detect this vulnerability.
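The GET request above is what an administrator would look for in Web server logs or on the wire. As an added example, not part of the ISS alert, the following Python check classifies HTTP request lines, separating the worm's padded, %u-encoded request from ordinary requests and from any other request for the .ida extension; the request lines it runs over are constructed samples, not captured traffic.

```python
import re

# Constructed sample request lines (not captured traffic). The first mirrors the
# shape of the worm's request: a long run of 'N' padding, then %uXXXX-encoded bytes.
SAMPLE_REQUESTS = [
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    + "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
    + " HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET /DEFAULT.IDA?q=1 HTTP/1.0",
    "POST /scripts/upload.asp HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")
# Path component ending in default.ida (the same idea as a URL-data signature
# on "default\.ida$"); IIS maps .ida to the Index Server ISAPI extension.
IDA_PATH = re.compile(r"/default\.ida$", re.IGNORECASE)
# Query string of the worm's request: 100+ padding characters, then %u-encoding.
CODE_RED_QUERY = re.compile(r"^N{100,}(%u[0-9a-f]{4})+", re.IGNORECASE)


def classify_request(line):
    """Return 'code-red', 'ida-probe', 'benign' or 'malformed' for one request line.

    Any request for default.ida is worth noting on a server that does not use
    Index Server; the padding plus %u-encoded tail is the worm's own request.
    """
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return "malformed"
    path, _, query = m.group("target").partition("?")
    if not IDA_PATH.search(path):
        return "benign"
    if CODE_RED_QUERY.match(query):
        return "code-red"
    return "ida-probe"


def scan_log(lines):
    """Count request lines by classification; returns a dict of label -> count."""
    counts = {}
    for line in lines:
        label = classify_request(line)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify_request(line), line[:50])
    print(scan_log(SAMPLE_REQUESTS))
```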
To supplement the existing check, Internet Scanner users who do not have administrator rights may use the following Flex Check to detect vulnerable IIS installations. The Flex Check will be available at the following URL:
https://www.iss.net/cgi-bin/download/customer/download_product.cgi

ISS RealSecure intrusion detection customers may use the following user-defined signature to detect access attempts by the Code Red worm. Follow the instructions below to apply the user-defined signature to your policy.

From the Sensor window:

1. Right-click on the sensor and select 'Properties'.
2. Choose a policy you want to use, and click 'Customize'.
3. Select the 'User Defined Events' tab.
4. Click 'Add' on the right hand side of the dialog box.
5. Create a User Defined Event.
6. Type in a name for the event, such as 'Code Red access attempt'.
7. In the 'Context' field for each event, select 'URL_Data'. In the 'String' field, type the following string:

       default\.ida$

8. Click 'Save', and then 'Close'.
9. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version of RealSecure you are using.

The next X-Press Update for ISS RealSecure Network Sensor will contain a signature to detect this vulnerability.

NetworkICE provides an update for BlackICE products to detect the ISAPI Extension Overflow vulnerability (issue ID 2002608). Refer to the following URL for information regarding the detection and auto-blocking capabilities for this attack:
http://www.networkice.com/downloads/agent_detection_update.html

______

About Internet Security Systems (ISS)

Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business.
With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 8,000 customers worldwide including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. telecommunications companies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force [EMAIL PROTECTED] of Internet Security Systems, Inc.
