The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>"Code Red II": Another Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</h2>

Release Date: August 6, 2001<br/>
<a name="affected">
<h3>Systems Affected</h3>
<ul>
<li>Windows 2000 with IIS 4.0 or IIS 5.0 enabled and Indexing Service installed</li>
<li>Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and Index Server 2.0 installed</li>
<li>Cisco CallManager, Unity Server, uOne, ICS7750, Building Broadband Service Manager (these systems run IIS)</li>
<li>Cisco 600 series DSL routers</li>
</ul>
<a name="overview">
<h2>I. Overview</h2>
<p>The CERT/CC has received reports of new self-propagating malicious
code exploiting the vulnerability described in <a href="http://www.cert.org/advisories/CA-2001-13.html">CA-2001-13
Buffer Overflow In IIS Indexing Service DLL</a>. These reports
indicate that the worm has already affected thousands of systems. This
new worm is being called "Code Red II"; however, apart from using
the same buffer overflow mechanism, it differs from the
original "Code Red" worm described in <a href="http://www.cert.org/advisories/CA-2001-19.html">CA-2001-19 "Code
Red" Worm Exploiting Buffer Overflow In IIS Indexing Service
DLL</a>.</p>
<p>The "Code Red II" worm causes system level compromise and leaves a
backdoor on certain machines running Windows 2000.  Vulnerable Windows
NT 4.0 systems could experience a disruption of the IIS service.</p>
<h2>II. Description</h2>
<p>The "Code Red II" worm is self-propagating malicious code that exploits a known
vulnerability in Microsoft IIS servers (<a href="http://www.cert.org/advisories/CA-2001-13.html">CA-2001-13</a>).</p>
<h4>Attack Cycle</h4>
<p>The "Code Red II" worm attacks as follows:</p>
<ol>
<li>The "Code Red II" worm attempts to connect to TCP port 80 on a
randomly chosen host, assuming that a web server will be found. Upon a
successful connection to port 80, the attacking host sends a crafted
HTTP GET request to the victim, attempting to exploit the buffer
overflow in the Indexing Service described in <a href="http://www.cert.org/advisories/CA-2001-13.html">CA-2001-13</a>.</li>
<li>The same exploit is sent to each of the randomly chosen hosts due
to the self-propagating nature of the worm. However, the consequences
vary depending on the configuration of the host that receives this
request.
<ul>
<li><b>Unpatched Windows 2000 servers running IIS 4.0 or 5.0 with Indexing Service installed</b>
are likely to be compromised by the "Code Red II" worm.</li>
<li><b>Unpatched Windows NT servers running IIS 4.0 or 5.0 with Index Server 2.0 installed</b>
could experience crashes of the IIS server.</li>
<li><b>Unpatched Cisco 600-series DSL routers</b> will process the HTTP request,
thereby triggering an unrelated vulnerability that causes
the router to stop forwarding packets.
[<a href="http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml">http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml</a>]</li>
<li><b>Patched systems, or systems not running IIS but with an HTTP
server listening on TCP port 80,</b> will probably accept the
HTTP request, return an "HTTP 4xx" error message, and
potentially log this request in an access log.</li>
</ul>
</li>
<li>If the exploit is successful, the worm begins executing on the
victim host.</li>
</ol>
<h4>Payload</h4>
<p>Upon successful compromise of a system, the worm</p>
<ol>
<li>Checks to see if it has already infected this system by verifying
the existence of the <font face="Courier">CodeRedII</font> atom. If
the worm finds this atom, it sleeps forever. Otherwise it creates this
atom and continues the infection process. Reference information
regarding atoms may be found at
<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipc/hh/winbase/atoms_0p83.asp">http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipc/hh/winbase/atoms_0p83.asp</a>.</li>
<li>Checks the default system language and spawns threads for
propagation. If the default system language is "Chinese (Taiwanese)" or
"Chinese (PRC)", 600 threads will be spawned to scan for 48 hours.
Otherwise, 300 threads will be created, which will scan for 24 hours.</li>
<li>Copies <font face="Courier">%SYSTEM%\CMD.EXE</font> to <font face="Courier">root.exe</font> in the IIS <font face="Courier">scripts</font> and <font face="Courier">MSADC</font>
folders. Placing <font face="Courier">CMD.EXE</font> in a publicly
accessible directory may allow an intruder to execute arbitrary
commands on the compromised machine with the privileges of the IIS
server process.</li>
<li>Creates a Trojan horse copy of <font face="Courier">explorer.exe</font> and copies it to <font face="Courier">C:\</font> and <font face="Courier">D:\</font>. The
Trojan horse <font face="Courier">explorer.exe</font> calls the
real <font face="Courier">explorer.exe</font> to mask its existence, and creates a virtual mapping
which exposes the <font face="Courier">C:</font> and <font face="Courier">D:</font> drives.
<p>On systems not patched against the "Relative Shell Path"
vulnerability (<a href="http://www.microsoft.com/technet/security/bulletin/MS00-052.asp">http://www.microsoft.com/technet/security/bulletin/MS00-052.asp</a>),
this Trojan horse copy of <font face="Courier">explorer.exe</font> will run every time a user logs in.
In this fashion, certain pieces of the worm's payload persist
even after a reboot of the compromised machine.</p></li>
</ol>
<h4>System Footprint</h4>
<p>The "Code Red II" worm can be identified on victim machines by
the presence of the following string in IIS log files:</p>
<blockquote><font face="Courier">
<pre>
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
0%u531b%u53ff%u0078%u0000%u00=a</pre></font></blockquote>
<p>The presence of this string in a log file does not necessarily
indicate compromise; it only implies that a "Code Red II" worm
attempted to infect the machine.</p>
<p>The worm will create several files on the compromised machines.
These files include <font face="Courier">c:\explorer.exe</font> or
<font face="Courier">d:\explorer.exe</font>, as well as <font face="Courier">root.exe</font> in the IIS <font face="Courier">scripts</font> or <font face="Courier">MSADC</font>
folder.  While the existence of the file <font face="Courier">root.exe</font> could indicate
compromise, it does not necessarily imply the presence of the "Code
Red II" worm.  This file name has been used for artifacts of other
exploits, including the sadmind/IIS worm (see <a href="http://www.cert.org/advisories/CA-2001-11.html">CA-2001-11</a>).</p>
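<p>As an added example (not part of the CERT note), the following Python reads IIS W3C extended log records and flags requests carrying the signature quoted above, counting attempts per source address; the log lines and their field layout are constructed for illustration.</p>

```python
"""Flag "Code Red II" infection attempts in IIS W3C extended log lines.

Added example, not part of the CERT note; the log lines are constructed.
A match shows only that an attempt reached the host, not that the host
was compromised: patched and non-IIS servers log the same request.
"""
import re
from collections import Counter

# Signature quoted in the note: a long run of "X" padding followed by
# %u-encoded bytes. Only the leading part of the %u sequence is matched
# so that a query field truncated by the server still produces a hit.
CODE_RED_II_QUERY = re.compile(r"^X{50,}%u9090%u6858%ucbd3%u7801")

# Constructed sample log in W3C extended format (with a #Fields: header).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 02:11:43 192.0.2.77 GET /index.htm - 200
2001-08-06 02:11:59 198.51.100.9 GET /default.ida {pad}%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-08-06 02:12:03 198.51.100.9 GET /default.ida {pad}%u9090%u6858%ucbd3%u7801 404
2001-08-06 02:13:10 203.0.113.5 GET /default.ida view=1 200
""".format(pad="X" * 224)

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def code_red_ii_attempts(text):
    """Return (number of matching requests, Counter of source IPs).

    A request counts only if it targets /default.ida and its query carries
    the padding-plus-%u pattern. The status code is deliberately ignored:
    a patched host answering 4xx logs the same request as a vulnerable one.
    """
    sources = Counter()
    for rec in parse_w3c(text):
        if (rec.get("cs-uri-stem") == "/default.ida"
                and CODE_RED_II_QUERY.match(rec.get("cs-uri-query", ""))):
            sources[rec["c-ip"]] += 1
    return sum(sources.values()), sources

if __name__ == "__main__":
    total, by_source = code_red_ii_attempts(SAMPLE_LOG)
    print(f"{total} attempt(s) from {len(by_source)} source(s): {dict(by_source)}")
```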

<h4>Network Footprint</h4>
<p>A host running an active instance of the "Code Red II" worm will
scan random IP addresses on port 80/TCP looking for other hosts to
infect. The IP addresses scanned by the "Code Red II" worm are
determined in a probabilistic manner:</p>
<ul>
<li>There is a <b>one in two</b> chance that a given thread will scan
random IP addresses with the same first byte as the infected host.</li>
<li>There is a <b>three in eight</b> chance that a given thread will
scan random IP addresses with the same first two bytes as the infected host.</li>
<li>There is a <b>one in eight</b> chance that a given thread will scan
random IP addresses.</li>
</ul>
<p>Additional detailed analysis of this worm has been published by
eEye Digital Security at <a href="http://www.eeye.com">http://www.eeye.com</a>.</p>
<h2>III. Impact</h2>
<p>Intruders can execute arbitrary commands within the <font face="Courier">LocalSystem</font> security context on Windows 2000
systems infected with the "Code Red II" worm.  Compromised systems may
be subject to files being altered or destroyed. Denial-of-service
conditions may be created for services relying on altered or destroyed
files. Hosts that have been compromised are also at high risk for
being party to attacks on other Internet sites.
</p>
<p>The widespread, automated attack and propagation characteristics of
the "Code Red II" worm may cause bandwidth denial-of-service conditions in isolated
portions of the network, particularly near groups of compromised hosts
where "Code Red II" is running.</p>
<p>Windows NT 4.0 systems and Cisco 600-series DSL routers may
experience denial-of-service as a result of the scanning activity of
the worm.</p>
<h2>IV. Solutions</h2>
<p>Infection by the "Code Red II" worm constitutes a system level
compromise.  If you believe a host under your control has been
compromised, please refer to</p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">Steps
for Recovering from a UNIX or NT System Compromise</a>
</dd>
</dl>
<p>Consistent with the security best-practice of denying all network
traffic and only selectively allowing that which is required, ingress
and egress filtering should be implemented at the network edge.
Likewise, controls must be in place to ensure that all software used
on a network is properly maintained.  See <a href="http://www.cert.org/advisories/CA-2001-23.html">CA-2001-23
Continued Threat of the "Code Red" Worm</a> for more information on
these topics.</p>
<h2>V. Reporting</h2>
<p>The CERT/CC is interested in receiving reports of this activity.
If machines under your administrative control are compromised, please
send mail to <a href="mailto:cert@cert.org">cert@cert.org</a>.</p>
<hr noshade="" width="100%"/>
<p><b>Author(s)</b>: Roman Danyliw, Allen Householder, and Marty Lindner</p>
<hr noshade="" width="100%"/>
<h2>CERT/CC Contact Information</h2>
<p><b>Email:</b> <a href="mailto:cert@cert.org">cert@cert.org</a><br/>
<b>Phone:</b> +1 412-268-7090 (24-hour hotline)<br/>
<b>Fax:</b> +1 412-268-6989<br/>
<b>Postal address:</b></p>
<dl>
<dd>
CERT Coordination Center<br/>
Software Engineering Institute<br/>
Carnegie Mellon University<br/>
Pittsburgh PA 15213-3890<br/>
U.S.A.
</dd></dl>

<p>CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.</p>
<h4>Using encryption</h4>
<p>We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from</p>
<ul>
<li><a href="http://www.cert.org/CERT_PGP.key">http://www.cert.org/CERT_PGP.key</a></li>
</ul>
<p>If you prefer to use DES, please call the CERT hotline for more
information.</p>
<h4>Getting security information</h4>

<p>CERT publications and other security information are available from
our web site</p>
<ul>
<li><a href="http://www.cert.org/">http://www.cert.org/</a></li>
</ul>
<p>To subscribe to the CERT mailing list for advisories and bulletins, send email to
<a href="mailto:majordomo@cert.org">majordomo@cert.org</a>. Please include in the body of your
message</p>
<p><tt>subscribe cert-advisory</tt></p>

<p>* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.</p>
<hr noshade="" width="100%"/>
<b><u>NO WARRANTY</u></b><br/>
<b>Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.</b>
<hr/>
<p><a href="http://www.cert.org/legal_stuff.html">Conditions for use, disclaimers, and sponsorship information</a></p>
<p>Copyright 2001 Carnegie Mellon University.</p>
<p>Revision History</p>
<pre>
August 6, 2001: Initial Release
January 17, 2002: Updated Reporting section
</pre>
</a></a>