From: Russ (Russ.Cooper@RC.ON.CA)
Date: Mon Jul 30 2001 - 16:56:51 CDT


    FYI...

    >Date: Mon, 30 Jul 2001 15:16:36 -0400
    >To: alert@iss.net
    >From: X-Force <xforce@iss.net>
    >Subject: ISSalert: ISS Alert: X-Force Response to Concern About the "Code Red" Worm
    >
    >Internet Security Systems Security Alert
    >July 30, 2001
    >
    >X-Force Response to Concern About the "Code Red" Worm
    >
    >Synopsis:
    >
    >The Internet has recently been faced with the threat of a worm, dubbed
    >"Code Red". The worm exploits a vulnerability in unpatched versions of
    >Microsoft IIS (Internet Information Server). This vulnerability was
    >previously discussed in an ISS Security Alert dated June 19, 2001
    >(http://xforce.iss.net/alerts/advise79.php). IIS Web servers without
    >the patch for the Index Server ISAPI Extension buffer overflow can be
    >compromised by the worm, and then used to attack other vulnerable Web
    >servers. The worm may pose a threat as a denial of service attack
    >against the Internet as a whole, caused by the extra traffic generated
    >as the worm spreads.
    >
    >The worm has already been cleared from a large number of infected Web
    >servers, and the vulnerability has been patched. On servers that are
    >still infected, the worm is in a pre-programmed "sleep" mode. There are
    >concerns that these infected servers will awake from this sleep mode
    >and begin propagating again on August 1, 2001. While these reports are
    >largely inaccurate, there is a definite threat that the Code Red worm,
    >or a variant of the worm, will be launched and begin spreading on or
    >after August 1st.
    >
    >Description:
    >
    >The Code Red worm is a malicious worm that attacks Microsoft IIS Web
    >servers that are missing an important security patch. The worm was first
    >discovered on July 13, 2001, although the full impact of the worm was
    >not felt until July 19th, when it spread to thousands of computer
    >systems in a period of several hours. The outbreak of the Code Red worm
    >in the last two weeks was initiated by the original version of the
    >worm. Since then, two variants have been discovered, which were likely
    >responsible for the rapid spread of the worm on July 19th. The new
    >variants include changes to the code that make them more efficient at
    >propagating, and therefore, they pose a much greater threat to the
    >Internet. The two variants, versions 2a and 2b, include many changes
    >from the original version, although the variants are very similar to
    >each other.
    >
    >All three versions of the Code Red worm reside only in memory -- there
    >is no file associated with the worm. As a result, the worm can be
    >removed from a Web server simply by rebooting the system. To protect
    >the server against future infection, however, the IIS vulnerability
    >must be patched on the server. The three known versions of the worm
    >also share a characteristic schedule. Based on the system clock on the
    >infected computer, the worm behaves differently according to the day of
    >the month (as described below).
    >
    >1st - 19th: Scanning/Propagating Phase
    >The worm propagates by scanning IP addresses on the Internet and
    >attempting to connect to the HTTP port (TCP port 80). When the IP
    >address of a vulnerable IIS Web server is found, the worm infects the
    >system. The newly infected system begins to scan IP addresses, and the
    >other system continues searching for additional servers to infect.
    >
    >20th - 27th: Flooding (DDoS) Phase
    >The worm initiates a distributed denial of service attack by flooding a
    >pre-configured IP address with large amounts of traffic. The IP address
    >configured in all known versions of the worm is an IP address that
    >previously belonged to www.whitehouse.gov. To counteract the attack,
    >the White House Web site was moved to a different IP address, so the
    >flooding portion of the first wave of the Code Red worm was
    >unsuccessful. Future variants of the worm, however, could be configured
    >with different addresses or Web sites to flood.
    >
    >Beginning on the 28th: "Sleep" Phase
    >The worm goes into an infinite sleep phase. While the worm will remain
    >in the computer's memory until the system is rebooted, the worm will not
    >attempt to propagate or initiate any packet flooding attacks once it
    >enters the sleep phase.
    >
    >
    >In the initial version of the worm, infected Web sites would appear to
    >be defaced for a period of ten (10) hours after infection. The worm
    >would cause IIS to respond to requests with a Web page that displayed
    >the following message:
    > Welcome to http://www.worm.com!
    > Hacked by Chinese!
    >At the same time, the worm used up all the remaining threads on the
    >system, scanning for other vulnerable IIS Web servers. It would start by
    >scanning a pseudo-random list of IP addresses in the same order. This
    >allowed individuals with IP addresses in the beginning of that list to
    >track how many systems were infected. It also prevented the first
    >version of the worm from spreading very quickly, because the newly
    >infected systems were scanning addresses that had already been scanned
    >by previously infected servers.
    >
    >The new variants of the Code Red worm include updated propagation
    >methods that could potentially make them far more dangerous than the
    >initial version. Each infected system chooses random IP addresses to
    >scan, instead of initially scanning a predictable set of systems as the
    >initial version did. The traffic caused by the increased propagation of
    >the newer variants could be enough to degrade Internet speeds to home
    >users, businesses, and government agencies. Some users may experience
    >very slow connections to the Internet, and others may experience
    >intermittent outages during the propagation and flooding phase of the
    >worm.
    >
    >The newer variants also do not deface the infected Web servers, as the
    >initial version did. As a result, system administrators may not notice
    >infected servers immediately, because the Web site will not be defaced.
    >This allows the worm to propagate for longer periods before the infected
    >system is detected and the worm is removed. For these reasons, the
    >propagation of the new variants may spread more quickly and affect more
    >servers in a short period of time.
    >
    >Frequently Asked Questions:
    >
    >Q: How many systems has the worm already infected?
    >A: Several published reports indicate that over 300,000 systems were
    > infected in a very short time since it was first discovered on
    > July 13, 2001. Many reports indicate that over 250,000 systems were
    > infected in less than 24 hours at its peak level of propagation.
    > However, it is extremely difficult to determine the exact number of
    > infected systems, because the worm is designed only to scan and
    > reinfect systems, and not to report which systems were infected to
    > any outside source. The changes that were made in the new variants
    > make it even more difficult to estimate the total number of
    > infected systems.
    >
    >
    >Q: What is the significance of August 1st? Will the currently infected
    > systems begin propagating the worm again?
    >A: Various teams of security and virus experts, including the ISS
    > X-Force, have independently captured and disassembled the Code Red
    > worm to analyze the worm's functionality. The worm goes through
    > three phases: propagation, flooding, and finally sleep. The sleep
    > phase is infinite. Once the worm has entered this phase on a system,
    > it sleeps forever and does not "wake up" to scan and infect new
    > targets.
    >
    > However, the worm can be re-initiated between the 1st and 20th of
    > any month by any malicious attacker who has a copy of the initial
    > worm or any of its variants. Even if the worm is launched again on
    > August 1st, it is unknown at what point it will reach critical mass
    > and begin affecting Internet speeds. As system administrators apply
    > the patch to more and more IIS Web servers, the threat of the Code
    > Red worm or any future variants of it will be reduced, because there
    > will be fewer and fewer vulnerable targets.
    >
    >
    >Q: What is the concern about systems with their dates set incorrectly?
    > How does this affect the behavior of the Code Red worm?
    >A: The worm is triggered by the date on the system clock of the
    > infected computer, not from any external source. For systems that
    > have their clocks set incorrectly, the worm may be in a different
    > phase than the actual date would indicate. As a result, the worm
    > could continue propagating by systems outside what should be the
    > normal propagating period. For example, after the 28th of the month,
    > when the worm should be in the sleep phase, a worm on a system that
    > had the date set as the 15th would still be in the propagating phase.
    >
    > However, most Web servers have the system clock set to the correct
    > date, so only a small percentage of systems should continue
    > propagating outside the normal scanning phase. The impact caused by
    > a limited number of infected systems attempting to propagate is much
    > less than during the normal propagation phase, when a large number of
    > infected hosts are scanning for other vulnerable servers.
    >
    >
    >Q: How fast does this worm spread?
    >A: The worm's strength is that it is small, and it can infect vulnerable
    > servers very easily. However, the scanning logic is not the most
    > efficient for maximum propagation, even in the new variants of the
    > worm, which include improved scanning logic. The updated code allows
    > the new variants to scan almost the entire Internet address space,
    > which includes around 4 billion IP addresses, but there is still a
    > delay in the scanning portion of the code that limits the worm's
    > propagation speed. The scanning engine within the worm will attempt
    > to query a random address to see if it is vulnerable. If that
    > address is not valid, or inaccessible, there is a 21 second timeout
    > before the worm attempts to scan another IP address. In the worm's
    > worst-case scenario, each infected system can scan 17,100 IP
    > addresses per hour, or 411,408 IP addresses per day. (This is based on
    > calculations if every attempt times out.)
    >
    > Many of the attempts will time out, because they will be made to
    > invalid IP addresses. Of those attempts that reach valid IP addresses,
    > only a small number will have IIS installed on the server, and
    > even fewer will be vulnerable to the ISAPI Extension buffer overflow.
    > When the worm is launched, propagation begins very slowly at first,
    > as only a few systems are scanning for other vulnerable servers. As
    > more and more systems are infected, the worm begins to spread more
    > and more quickly, because the scanning power is increased
    > exponentially as the worm propagates.
    >
    >
    >Q: Can a malicious attacker manually restart the worm at any time?
    >A: The Code Red worm will remain a threat to vulnerable machines across
    > the Internet until all vulnerable IIS Web servers are patched,
    > although the cycle will be stopped on the 20th of every month, when
    > the worm stops propagating. However, future variants of the worm
    > could be written that do not include this sleep phase. As fewer and
    > fewer vulnerable systems exist, there will be fewer targets for the
    > worm to infect, and thus fewer infected machines to continue scanning
    > for new systems. As a result, the threat from the Code Red worm will
    > be reduced as more systems are patched.
    >
    >
    >Q: What is the threat to Web servers on my internal network?
    >A: It is possible that the Code Red worm could infect Web servers on
    > internal, corporate networks, even if the Web server was not
    > connected to the Internet. This risk can be minimized if certain
    > security precautions have been taken. First, ensure that all
    > externally facing IIS Web servers on the network have been patched.
    > In addition, verify that network traffic from externally facing Web
    > servers is prevented from reaching any internal address.
    >
    >
    >Q: What will the worm look like if it attempts to attack my server?
    >A: The Code Red worm will send the following GET request to scanned Web
    > servers:
    > GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%
    > u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0
    > 003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    >
    >Affected Versions:
    >
    >Microsoft Internet Information Server 4.0 and 5.0 without the patch for
    >the "Unchecked Buffer in Index Server ISAPI Extension" vulnerability
    >
    >Cisco products that run affected versions of Microsoft IIS
    >
    >Recommendations:
    >
    >Due to the continued threat of this worm, ISS X-Force strongly urges all
    >administrators to download and apply the following patches made
    >available by Microsoft.
    >
    >For Microsoft Windows NT version 4.0:
    >http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
    >
    >For Microsoft Windows 2000 Professional, Server and Advanced Server:
    >http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
    >
    >For Microsoft Windows 2000 Datacenter Server:
    >Patches for Windows 2000 Datacenter Server are hardware-specific and
    >available from the original equipment manufacturer.
    >
    >For information on the IIS ISAPI Extension buffer overflow, please refer
    >to the Microsoft Security Bulletin at:
    >http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
    >
    >For information on how Cisco products are affected by the Code Red worm,
    >please refer to the Cisco Security Advisory at:
    >http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
    >
    >ISS Internet Scanner X-Press Update version 4.10 provides assessment
    >capability for the ISAPI extension vulnerability. The check included
    >in XPU 4.10 requires the user running Internet Scanner to have
    >administrative rights on the systems being scanned to properly detect
    >this vulnerability. To supplement the existing check, Internet Scanner
    >users who do not have administrator rights may use the following Flex
    >Check to detect vulnerable IIS installations. The Flex Check will be
    >available at the following URL:
    >
    >https://www.iss.net/cgi-bin/download/customer/download_product.cgi
    >
    >ISS RealSecure intrusion detection customers may use the following
    >user-defined signature to detect access attempts by the Code Red worm.
    >Follow the instructions below to apply the user-defined signature to
    >your policy.
    >
    >- From the Sensor window:
    >1. Right-click on the sensor and select 'Properties'.
    >2. Choose a policy you want to use, and click 'Customize'.
    >3. Select the 'User Defined Events' tab.
    >4. Click 'Add' on the right hand side of the dialog box.
    >5. Create a User Defined Event.
    >6. Type in a name of the event, such as 'Code Red access attempt'.
    >7. In the 'Context' field for each event, select 'URL_Data'.
    > In the 'String' field, type the following string:
    > default\.ida$
    >8. Click 'Save', and then 'Close'.
    >9. Click 'Apply to Sensor' or 'Apply to Engine', depending on the
    > version of RealSecure you are using.
    >
    >The next X-Press Update for ISS RealSecure Network Sensor will contain a
    >signature to detect this vulnerability.
    >
    >NetworkICE provides an update for BlackICE products to detect the ISAPI
    >Extension Overflow vulnerability (issue ID 2002608). Refer to the
    >following URL for information regarding the detection and auto-blocking
    >capabilities for this attack:
    >http://www.networkice.com/downloads/agent_detection_update.html
    >
    >
    >______
    >
    >About Internet Security Systems (ISS)
    >Internet Security Systems is a leading global provider of security
    >management solutions for the Internet, protecting digital assets and
    >ensuring safe and uninterrupted e-business. With its industry-leading
    >intrusion detection and vulnerability assessment, remote managed
    >security services, and strategic consulting and education offerings, ISS
    >is a trusted security provider to more than 8,000 customers worldwide
    >including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
    >telecommunications companies. Founded in 1994, ISS is headquartered in
    >Atlanta, GA, with additional offices throughout North America and
    >international operations in Asia, Australia, Europe, Latin America and
    >the Middle East. For more information, visit the Internet Security
    >Systems web site at www.iss.net or call 888-901-7477.
    >
    >
    >Copyright (c) 2001 Internet Security Systems, Inc.
    >
    >Permission is hereby granted for the redistribution of this Alert
    >electronically. It is not to be edited in any way without express
    >consent of the X-Force. If you wish to reprint the whole or any part of
    >this Alert in any other medium excluding electronic medium, please
    >e-mail xforce@iss.net for permission.
    >
    >Disclaimer
    >
    >The information within this paper may change without notice. Use of this
    >information constitutes acceptance for use in an AS IS condition. There
    >are NO warranties with regard to this information. In no event shall the
    >author be liable for any damages whatsoever arising out of or in
    >connection with the use or spread of this information. Any use of this
    >information is at the user's own risk.
    >
    >X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
    >as well as on MIT's PGP key server and PGP.com's key server.
    >
    >Please send suggestions, updates, and comments to: X-Force
    >xforce@iss.net of Internet Security Systems, Inc.
    >
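Added example, not code from the ISS alert or from any ISS product: Python detection logic that applies the alert's RealSecure string `default\.ida$` to the request path of IIS W3C extended log lines and, as a tighter second tier, flags query strings shaped like the overflow request quoted in the alert (a long run of one filler letter followed by %u-encoded words). The log lines, the filler length of 224 and the function names are constructed assumptions.

```python
import re

# Broad rule taken from the alert: the RealSecure user-defined event matches the
# string default\.ida$ in the URL_Data context. Applied here to the URI stem (path
# without the query), so any request for /default.ida is flagged, payload or not.
BROAD_RE = re.compile(r"default\.ida$", re.IGNORECASE)

# Tighter rule (an assumption added here, derived from the request quoted in the
# alert): at least 100 copies of one filler letter, then %uXXXX-encoded words.
PAYLOAD_RE = re.compile(r"^(?P<fill>[A-Za-z])(?P=fill){99,}(?:%u[0-9a-fA-F]{4})+")

# Constructed sample query: filler length is assumed; the %u tail is from the alert.
CODE_RED_QUERY = "N" * 224 + (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090"
    "%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed IIS W3C extended log excerpt (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-07-19 10:02:11 192.0.2.10 GET /default.ida {CODE_RED_QUERY} 200",
    "2001-07-19 10:02:12 192.0.2.11 GET /index.html - 200",
    "2001-07-19 10:02:13 192.0.2.12 GET /default.ida - 404",
    "2001-07-19 10:02:14 192.0.2.13 GET /scripts/default.idax foo=1 200",
])


def classify_request(uri_stem, uri_query):
    """Return None, 'default.ida-access' (broad IDS rule) or 'code-red-overflow'."""
    if not BROAD_RE.search(uri_stem):
        return None
    if uri_query not in ("", "-") and PAYLOAD_RE.match(uri_query):
        return "code-red-overflow"
    return "default.ida-access"


def scan_log(text):
    """Return a list of (client_ip, verdict, status) for every flagged W3C log line."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip directives and blank lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, client, _method, stem, query, status = fields[:7]
        verdict = classify_request(stem, query)
        if verdict is not None:
            hits.append((client, verdict, status))
    return hits


if __name__ == "__main__":
    for client, verdict, status in scan_log(SAMPLE_LOG):
        print(f"{client}: {verdict} (HTTP {status})")
```

A 404 on a bare /default.ida request is still worth keeping in the broad tier: it shows a scanner reached the host even when the ISAPI mapping is absent.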
