Feeds

Son of Code Red is born

And Junior's a little scary

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

A new IIS worm similar to the dreaded Code Red worm (which was supposed to break the Internet last week and didn't -- damn) has emerged over the weekend.

This one's a little scary. Not a lot, just a little. It's not going to break the Internet. It's not going to cause a run on the banks and crash the stock market. It won't be necessary to stockpile groceries and ammunition or purchase a gas-powered electric generator.

It will, however, be a fabulous idea to patch your IIS machine(s) if you haven't already, because sonny-boy installs a command shell (\inetpub\scripts\root.exe) which will enable even the most clueless intruder to Telnet in effortlessly and make your system his own.

The new worm also installs virtual roots such that clearing root.exe from \scripts will leave the system still vulnerable, security outfit eEye claims.

So what?
One of the most under-reported aspects of the Code Red worm was the fact that the IIS Indexing Service ISAPI filter vulnerability, which it exploits to do its dirty work, can yield system-level access to an intruder.

While the mainstream press was hopping and hooting about the DDoS potential (probably because it's all they can understand), few bothered to mention that all Code-Red-infected machines are easy pickings for any journeyman cracker using a handy-dandy attack script graciously provided by Japanese computer enthusiast HighSpeed Junkie, which was released more than a week before Code Red made its debut.

Now things have in fact got a bit worse. The door gets propped open and milk and cookies laid out so that even a complete imbecile can wander in and play hell with an IIS machine infected by the latest worm.

All we need now is something like a Telnet client with Socks support so that even the totally clueless can skate in anonymously.

Ooops.

Cyberwar with China (yawn)
The new IIS worm spawns its propagation threads in a most intriguing fashion. It spawns 300 on systems where the default language is not Chinese; but 600 where the default language is Chinese, thus:

bool is_Chinese = (GetSystemDefaultLangID() matches CHINESE)

nthreads = is_Chinese ? 600 : 300;
sleeptime = is_Chinese ? 2 Days : 1 Day;

while ( nthreads-- > 0 )
spawn_thread;

Sleep(sleeptime);

ExitWindowsEx(EWX_FORCEIFHUNG | EWX_REBOOT | EWX_FORCE, 0 );

It looks like someone wants to cause a bit more trouble in China than elsewhere. Let's have a guess, shall we? Some moronic twit in the USA or Europe has persuaded himself that the 'hacked by Chinese' defacement red herring in the original Code Red was proof that that a Chinese hacker created it, and this is payback.

We're reminded of Wired News' little self-fullfilling cyberwar with China. Their Michele Delio announced, on ludicrously shaky evidence, that Chinese hackers were poised to mass-deface US sites over the spy-plane incident. Unfortunately, a heap of American kiddiots actually took her seriously, and began patriotically 'retaliating' against the non-outrage. Naturally, it wouldn't take long for the Chinese kiddiots to begin 'retaliating' in turn, and thus was cyberwar history made -- until an embarrassed Delio denied the entire incident.

As you may recall, Code Red The First defaced default Web pages on infected systems where the language was not Chinese, with the ludicrous motto "Hacked by Chinese!" It would seem to us that the author meant to give a heads-up to non-Chinese admins. It's pretty hard to ignore the fact that your Web site is spouting nonsense slogans, after all. As for Chinese-language servers, these would not receive the benefit of this obvious warning, leading us to the inference that the original author meant to cause more trouble in China than elsewhere.

Sure, a Chinese worm scripter might be that stupid; but then again not. We'll never know if the original author was a retarded Chinese hacker or a slick Westerner trying to lay the blame elsewhere. But the original worm was well-written, we have to admit, and the likelihood of its author being a retard is reciprocally diminished. ®

Related Stories

Code Red hysteria - $8.7bn in damage estimated
Code Red Tribulation is nigh, Steve Gibson warns
Washington mobilises against Code Red resurgence
Internet survives Code Red
IIS worm made to packet Whitehouse.gov

Related Links

The relevant MS security bulletin
The Win-NT 4.0 patch
The Win-2K Pro and Advanced Server patch

Secure remote control for conventional and virtual desktops

More from The Register

next story
Microsoft boots 1,500 dodgy apps from the Windows Store
DEVELOPERS! DEVELOPERS! DEVELOPERS! Naughty, misleading developers!
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?