[21730] in bugtraq
Re: 'Code Red' does not seem to be scanning for IIS
daemon@ATHENA.MIT.EDU (George William Herbert)
Fri Jul 20 14:05:12 2001
Message-Id: <200107201813.LAA25977@gw.retro.com>
To: Ryan Russell <ryan@securityfocus.com>, bugtraq@securityfocus.com
Cc: gherbert@gw.retro.com
Date: Fri, 20 Jul 2001 11:13:10 -0700
From: George William Herbert <gherbert@retro.com>
Ryan wrote:
>Mike Brockman wrote:
>> From what I read about the 'Code Red' worm, it was supposed to be scanning
>> for IIS servers. It obviously isn't; I believe it tries to infect
>> everything it finds on port 80, or something as simple as that.
>
>Run nc -l -p 80 > worm, and you'll get a copy. It's not scanning
>in any sense, it just tries a connect, and sends the string.
An anonymous chat room contact yesterday told me they'd had
success linking default.ida to their kernel; the worm always
seemed to abort its attack after something like 32k of stuff
was shoved down the pipe from their Linux/Apache server.
They hypothesized it was causing a buffer overrun in the
worm code.
After hearing that, I dropped a copy of Shakespeare's
"Much Ado About Nothing" into htdocs/default.ida on
my system and snooped the net a while. I got one more
connect attempt from the worm and it seemed to have dropped
its connection after something like 30k of data flowed back,
but I was unable to tell what happened at the far end.
I was only able to watch one event happen.
I've reviewed the eEye analysis and concluded I don't know
enough assembly to tell whether it appears to work that way,
and I don't have an IIS system to use as a testbed. Can someone
who's got a better handle on how the virus' internals are
behaving take a look and confirm or deny that this is an
effective prophylactic measure?
-george william herbert
gherbert@retro.com
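As an added example that is not part of this thread (written here, not by any of its participants), the following Python does in code what Ryan's `nc -l -p 80 > worm` does by hand: accept one connection, record what the peer sends, and classify the captured request; it then applies the same check to Apache access-log lines so an administrator can count how many default.ida probes a server like George's has received and from where. The request bytes, log lines, addresses and host names are all constructed. The only property taken from the thread is that the worm connects to port 80 and asks for default.ida; the long query string in the sample is an assumption about the request's shape, not the worm's real payload.

```python
import re
import socket
import threading
from urllib.parse import urlsplit

# Constructed sample traffic (not the worm's real bytes). The only property relied on is
# the one the thread states: one connect to port 80, then a request for default.ida.
SAMPLE_WORM_REQUEST = (
    b"GET /default.ida?" + b"X" * 200 + b" HTTP/1.0\r\n"   # long query is an assumption
    b"Host: www.example.invalid\r\n\r\n"
)
SAMPLE_NORMAL_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.invalid\r\n\r\n"

# Constructed Apache combined-format log lines, using reserved documentation addresses.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [19/Jul/2001:13:01:02 -0700] "GET /default.ida?' + "X" * 40 + ' HTTP/1.0" 200 30517 "-" "-"',
    '192.0.2.11 - - [19/Jul/2001:13:02:15 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [19/Jul/2001:13:09:44 -0700] "GET /default.ida?' + "X" * 40 + ' HTTP/1.0" 200 30517 "-" "-"',
    "not a combined-format line at all",
]

def parse_request_line(raw):
    """Split the first line of an HTTP request into (method, path, query, version); None if malformed."""
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first_line.split(" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    url = urlsplit(target)
    return method, url.path, url.query, version

def classify_request(raw):
    """Return a verdict dict; 'default_ida_probe' marks any request whose path is /default.ida."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return {"verdict": "malformed", "path": None, "query_len": 0}
    method, path, query, version = parsed
    is_probe = path.lower().endswith("/default.ida")
    return {"verdict": "default_ida_probe" if is_probe else "other",
            "method": method, "path": path, "query_len": len(query), "version": version}

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')   # source address and quoted request line

def scan_access_log(lines):
    """Count default.ida probes per source address; unparseable lines are counted, not dropped."""
    probes_by_source, skipped = {}, 0
    for line in lines:
        m = _LOG_RE.match(line)
        if m is None:
            skipped += 1
            continue
        source, request_line = m.groups()
        verdict = classify_request(request_line.encode("latin-1") + b"\r\n")["verdict"]
        if verdict == "default_ida_probe":
            probes_by_source[source] = probes_by_source.get(source, 0) + 1
    return {"probes_by_source": probes_by_source, "skipped_lines": skipped}

def capture_one_request(listener, max_bytes=65536, timeout=5.0):
    """Accept one connection on a listening socket and return what the peer sent (the nc step),
    with a timeout and a byte cap so a chatty or silent peer cannot hold the listener open."""
    listener.settimeout(timeout)
    try:
        conn, _ = listener.accept()
    except socket.timeout:
        return b""
    captured = b""
    with conn:
        conn.settimeout(timeout)
        while len(captured) < max_bytes:
            try:
                chunk = conn.recv(4096)
            except socket.timeout:
                break
            if not chunk:          # peer closed: the whole request has arrived
                break
            captured += chunk
    return captured

def replay_and_classify(raw, host="127.0.0.1"):
    """Send `raw` to a fresh loopback listener and classify what it recorded."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))       # port 0: OS picks a free port; bind 80 to mirror nc -l -p 80
    listener.listen(1)
    result = []
    t = threading.Thread(target=lambda: result.append(capture_one_request(listener)), daemon=True)
    t.start()
    with socket.create_connection(listener.getsockname(), timeout=5.0) as client:
        client.sendall(raw)
    t.join(10)
    listener.close()
    return classify_request(result[0] if result else b"")

if __name__ == "__main__":
    print(replay_and_classify(SAMPLE_WORM_REQUEST))
    print(scan_access_log(SAMPLE_ACCESS_LOG))
```

Run stand-alone it replays the constructed request over loopback and prints the verdict, then the per-source probe counts from the sample log (192.0.2.10 twice, one unparseable line). Listening on port 80 for real traffic needs the usual privilege and should replace the loopback bind. Note that this only records and recognises the probe; it says nothing about whether serving 30k of data back to the worm aborts it, which is exactly the question the post leaves open.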