This article is more than 1 year old

Son of Code Red is born

And Junior's a little scary

A new IIS worm similar to the dreaded Code Red worm (which was supposed to break the Internet last week and didn't -- damn) has emerged over the weekend.

This one's a little scary. Not a lot, just a little. It's not going to break the Internet. It's not going to cause a run on the banks and crash the stock market. It won't be necessary to stockpile groceries and ammunition or purchase a gas-powered electric generator.

It will, however, be a fabulous idea to patch your IIS machine(s) if you haven't already, because sonny-boy installs a command shell (\inetpub\scripts\root.exe) which will enable even the most clueless intruder to Telnet in effortlessly and make your system his own.

The new worm also installs virtual roots such that clearing root.exe from \scripts will leave the system still vulnerable, security outfit eEye claims.

So what?
One of the most under-reported aspects of the Code Red worm was the fact that the IIS Indexing Service ISAPI filter vulnerability, which it exploits to do its dirty work, can yield system-level access to an intruder.

While the mainstream press was hopping and hooting about the DDoS potential (probably because it's all they can understand), few bothered to mention that all Code-Red-infected machines are easy pickings for any journeyman cracker using a handy-dandy attack script graciously provided by Japanese computer enthusiast HighSpeed Junkie, which was released more than a week before Code Red made its debut.

Now things have in fact got a bit worse. The door gets propped open and milk and cookies laid out so that even a complete imbecile can wander in and play hell with an IIS machine infected by the latest worm.

All we need now is something like a Telnet client with Socks support so that even the totally clueless can skate in anonymously.

Ooops.

Cyberwar with China (yawn)
The new IIS worm spawns its propagation threads in a most intriguing fashion. It spawns 300 on systems where the default language is not Chinese; but 600 where the default language is Chinese, thus:

bool is_Chinese = (GetSystemDefaultLangID() matches CHINESE)

nthreads = is_Chinese ? 600 : 300;
sleeptime = is_Chinese ? 2 Days : 1 Day;

while ( nthreads-- > 0 )
spawn_thread;

Sleep(sleeptime);

ExitWindowsEx(EWX_FORCEIFHUNG | EWX_REBOOT | EWX_FORCE, 0 );

It looks like someone wants to cause a bit more trouble in China than elsewhere. Let's have a guess, shall we? Some moronic twit in the USA or Europe has persuaded himself that the 'hacked by Chinese' defacement red herring in the original Code Red was proof that that a Chinese hacker created it, and this is payback.

We're reminded of Wired News' little self-fullfilling cyberwar with China. Their Michele Delio announced, on ludicrously shaky evidence, that Chinese hackers were poised to mass-deface US sites over the spy-plane incident. Unfortunately, a heap of American kiddiots actually took her seriously, and began patriotically 'retaliating' against the non-outrage. Naturally, it wouldn't take long for the Chinese kiddiots to begin 'retaliating' in turn, and thus was cyberwar history made -- until an embarrassed Delio denied the entire incident.

As you may recall, Code Red The First defaced default Web pages on infected systems where the language was not Chinese, with the ludicrous motto "Hacked by Chinese!" It would seem to us that the author meant to give a heads-up to non-Chinese admins. It's pretty hard to ignore the fact that your Web site is spouting nonsense slogans, after all. As for Chinese-language servers, these would not receive the benefit of this obvious warning, leading us to the inference that the original author meant to cause more trouble in China than elsewhere.

Sure, a Chinese worm scripter might be that stupid; but then again not. We'll never know if the original author was a retarded Chinese hacker or a slick Westerner trying to lay the blame elsewhere. But the original worm was well-written, we have to admit, and the likelihood of its author being a retard is reciprocally diminished. ®

Related Stories

Code Red hysteria - $8.7bn in damage estimated
Code Red Tribulation is nigh, Steve Gibson warns
Washington mobilises against Code Red resurgence
Internet survives Code Red
IIS worm made to packet Whitehouse.gov

Related Links

The relevant MS security bulletin
The Win-NT 4.0 patch
The Win-2K Pro and Advanced Server patch

More about

TIP US OFF

Send us news


Other stories you might like