Feeds

Son of Code Red is born

And Junior's a little scary

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

A new IIS worm similar to the dreaded Code Red worm (which was supposed to break the Internet last week and didn't -- damn) has emerged over the weekend.

This one's a little scary. Not a lot, just a little. It's not going to break the Internet. It's not going to cause a run on the banks and crash the stock market. It won't be necessary to stockpile groceries and ammunition or purchase a gas-powered electric generator.

It will, however, be a fabulous idea to patch your IIS machine(s) if you haven't already, because sonny-boy installs a command shell (\inetpub\scripts\root.exe) which will enable even the most clueless intruder to Telnet in effortlessly and make your system his own.

The new worm also installs virtual roots such that clearing root.exe from \scripts will leave the system still vulnerable, security outfit eEye claims.

So what?
One of the most under-reported aspects of the Code Red worm was the fact that the IIS Indexing Service ISAPI filter vulnerability, which it exploits to do its dirty work, can yield system-level access to an intruder.

While the mainstream press was hopping and hooting about the DDoS potential (probably because it's all they can understand), few bothered to mention that all Code-Red-infected machines are easy pickings for any journeyman cracker using a handy-dandy attack script graciously provided by Japanese computer enthusiast HighSpeed Junkie, which was released more than a week before Code Red made its debut.

Now things have in fact got a bit worse. The door gets propped open and milk and cookies laid out so that even a complete imbecile can wander in and play hell with an IIS machine infected by the latest worm.

All we need now is something like a Telnet client with Socks support so that even the totally clueless can skate in anonymously.

Ooops.

Cyberwar with China (yawn)
The new IIS worm spawns its propagation threads in a most intriguing fashion. It spawns 300 on systems where the default language is not Chinese; but 600 where the default language is Chinese, thus:

bool is_Chinese = (GetSystemDefaultLangID() matches CHINESE)

nthreads = is_Chinese ? 600 : 300;
sleeptime = is_Chinese ? 2 Days : 1 Day;

while ( nthreads-- > 0 )
spawn_thread;

Sleep(sleeptime);

ExitWindowsEx(EWX_FORCEIFHUNG | EWX_REBOOT | EWX_FORCE, 0 );

It looks like someone wants to cause a bit more trouble in China than elsewhere. Let's have a guess, shall we? Some moronic twit in the USA or Europe has persuaded himself that the 'hacked by Chinese' defacement red herring in the original Code Red was proof that that a Chinese hacker created it, and this is payback.

We're reminded of Wired News' little self-fullfilling cyberwar with China. Their Michele Delio announced, on ludicrously shaky evidence, that Chinese hackers were poised to mass-deface US sites over the spy-plane incident. Unfortunately, a heap of American kiddiots actually took her seriously, and began patriotically 'retaliating' against the non-outrage. Naturally, it wouldn't take long for the Chinese kiddiots to begin 'retaliating' in turn, and thus was cyberwar history made -- until an embarrassed Delio denied the entire incident.

As you may recall, Code Red The First defaced default Web pages on infected systems where the language was not Chinese, with the ludicrous motto "Hacked by Chinese!" It would seem to us that the author meant to give a heads-up to non-Chinese admins. It's pretty hard to ignore the fact that your Web site is spouting nonsense slogans, after all. As for Chinese-language servers, these would not receive the benefit of this obvious warning, leading us to the inference that the original author meant to cause more trouble in China than elsewhere.

Sure, a Chinese worm scripter might be that stupid; but then again not. We'll never know if the original author was a retarded Chinese hacker or a slick Westerner trying to lay the blame elsewhere. But the original worm was well-written, we have to admit, and the likelihood of its author being a retard is reciprocally diminished. ®

Related Stories

Code Red hysteria - $8.7bn in damage estimated
Code Red Tribulation is nigh, Steve Gibson warns
Washington mobilises against Code Red resurgence
Internet survives Code Red
IIS worm made to packet Whitehouse.gov

Related Links

The relevant MS security bulletin
The Win-NT 4.0 patch
The Win-2K Pro and Advanced Server patch

Beginner's guide to SSL certificates

More from The Register

next story
ONE MILLION people already running Windows 10
A third of them are doing it in VMs, but early feedback focuses on frippery
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Torvalds CONFESSES: 'I'm pretty good at alienating devs'
Admits to 'a metric ****load' of mistakes during work with Linux collaborators
Sway: Microsoft's new Office app doesn't have an Undo function
Content aggregation, meet the workplace ... oh
Do Moan! MONSTER 6-day EMAIL OUTAGE hits Domain Monster
Customers freaked out by frightful service
Ploppr: The #VultureTRENDING App of the Now
This organic crowd sourced viro- social fertiliser just got REAL
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
NetWare sales revive in China thanks to that man Snowden
If it ain't Microsoft, it's in fashion behind the Great Firewall
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.