Feeds

Son of Code Red is born

And Junior's a little scary

  • alert
  • submit to reddit

High performance access to file storage

A new IIS worm similar to the dreaded Code Red worm (which was supposed to break the Internet last week and didn't -- damn) has emerged over the weekend.

This one's a little scary. Not a lot, just a little. It's not going to break the Internet. It's not going to cause a run on the banks and crash the stock market. It won't be necessary to stockpile groceries and ammunition or purchase a gas-powered electric generator.

It will, however, be a fabulous idea to patch your IIS machine(s) if you haven't already, because sonny-boy installs a command shell (\inetpub\scripts\root.exe) which will enable even the most clueless intruder to Telnet in effortlessly and make your system his own.

The new worm also installs virtual roots such that clearing root.exe from \scripts will leave the system still vulnerable, security outfit eEye claims.

So what?
One of the most under-reported aspects of the Code Red worm was the fact that the IIS Indexing Service ISAPI filter vulnerability, which it exploits to do its dirty work, can yield system-level access to an intruder.

While the mainstream press was hopping and hooting about the DDoS potential (probably because it's all they can understand), few bothered to mention that all Code-Red-infected machines are easy pickings for any journeyman cracker using a handy-dandy attack script graciously provided by Japanese computer enthusiast HighSpeed Junkie, which was released more than a week before Code Red made its debut.

Now things have in fact got a bit worse. The door gets propped open and milk and cookies laid out so that even a complete imbecile can wander in and play hell with an IIS machine infected by the latest worm.

All we need now is something like a Telnet client with Socks support so that even the totally clueless can skate in anonymously.

Ooops.

Cyberwar with China (yawn)
The new IIS worm spawns its propagation threads in a most intriguing fashion. It spawns 300 on systems where the default language is not Chinese; but 600 where the default language is Chinese, thus:

bool is_Chinese = (GetSystemDefaultLangID() matches CHINESE)

nthreads = is_Chinese ? 600 : 300;
sleeptime = is_Chinese ? 2 Days : 1 Day;

while ( nthreads-- > 0 )
spawn_thread;

Sleep(sleeptime);

ExitWindowsEx(EWX_FORCEIFHUNG | EWX_REBOOT | EWX_FORCE, 0 );

It looks like someone wants to cause a bit more trouble in China than elsewhere. Let's have a guess, shall we? Some moronic twit in the USA or Europe has persuaded himself that the 'hacked by Chinese' defacement red herring in the original Code Red was proof that that a Chinese hacker created it, and this is payback.

We're reminded of Wired News' little self-fullfilling cyberwar with China. Their Michele Delio announced, on ludicrously shaky evidence, that Chinese hackers were poised to mass-deface US sites over the spy-plane incident. Unfortunately, a heap of American kiddiots actually took her seriously, and began patriotically 'retaliating' against the non-outrage. Naturally, it wouldn't take long for the Chinese kiddiots to begin 'retaliating' in turn, and thus was cyberwar history made -- until an embarrassed Delio denied the entire incident.

As you may recall, Code Red The First defaced default Web pages on infected systems where the language was not Chinese, with the ludicrous motto "Hacked by Chinese!" It would seem to us that the author meant to give a heads-up to non-Chinese admins. It's pretty hard to ignore the fact that your Web site is spouting nonsense slogans, after all. As for Chinese-language servers, these would not receive the benefit of this obvious warning, leading us to the inference that the original author meant to cause more trouble in China than elsewhere.

Sure, a Chinese worm scripter might be that stupid; but then again not. We'll never know if the original author was a retarded Chinese hacker or a slick Westerner trying to lay the blame elsewhere. But the original worm was well-written, we have to admit, and the likelihood of its author being a retard is reciprocally diminished. ®

Related Stories

Code Red hysteria - $8.7bn in damage estimated
Code Red Tribulation is nigh, Steve Gibson warns
Washington mobilises against Code Red resurgence
Internet survives Code Red
IIS worm made to packet Whitehouse.gov

Related Links

The relevant MS security bulletin
The Win-NT 4.0 patch
The Win-2K Pro and Advanced Server patch

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.