
List:       saint-users
Subject:    Re: code red
From:       Sam Kline <kline () wwdsi ! com>
Date:       2001-08-13 19:21:10

On Mon, 13 Aug 2001, Fred wrote:

> Can SAINT differentiate between the two types of
> worms?

Yes. Although both of the Code Red worms
exploit the same vulnerability in IIS, their payloads
are unrelated and therefore distinguishable.

> What is saint looking for on the system when it
> checks for the worm?

To detect the first variant of the Code Red worm,
SAINT checks for the defaced web page: the
string "Hacked by Chinese" to be specific. Note that
this will only detect the worm in English versions of
IIS. We are not aware of any way to detect the worm
remotely and actively in non-English versions.

To detect Code Red II, SAINT looks for a number of
backdoors which the worm creates on the target, such as
/scripts/root.exe and /c/winnt/system32/cmd.exe.

> Does it use the unicode exploit to break into the server?

No. SAINT is designed to be a non-intrusive vulnerability
scanner, so it does not attempt any penetration testing.
In its standard configuration, SAINT will issue a warning
(brown vulnerability) informing you to make sure any
server running IIS is patched. If "dangerous tests" mode
is selected, SAINT will attempt to crash the service using
an ordinary buffer overflow. This test verifies whether
or not the system is vulnerable and does not execute any
code on the target.

By the way, the Code Red checks and the IIS vulnerability
check are two separate things. The former checks
for systems which have been infected, and the
latter checks for systems which are vulnerable to infection.

Be aware that the checks discussed above were introduced
in the following SAINT versions. If you are running an
earlier version, the worm won't be detected:
IIS .ida vulnerability - 3.3.3
Code Red worm - 3.3.5
Code Red II worm - 3.3.7

Sam Kline
Information Security Specialist
World Wide Digital Security, Inc.
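The two infection checks Sam describes, written up as an added example (this is not SAINT's code): the root page is searched for the "Hacked by Chinese" defacement string for Code Red, and the Code Red II backdoor paths are requested with a bare GET and reported if they answer. The fetch callback, the "HTTP 200 means the backdoor is present" rule, and the sample hosts are assumptions constructed for the example.

```python
"""Classify a host's Code Red infection state from the indicators in the post."""
import urllib.request
import urllib.error

DEFACEMENT_STRING = "Hacked by Chinese"          # Code Red (English IIS only)
CODE_RED_II_BACKDOORS = ("/scripts/root.exe",    # Code Red II backdoors
                         "/c/winnt/system32/cmd.exe")


def http_fetch(host, path, timeout=5):
    """Plain GET of one path; returns (status, body_text).
    No query string is ever sent, so a backdoor path is only tested
    for presence, never invoked."""
    try:
        with urllib.request.urlopen(f"http://{host}{path}", timeout=timeout) as r:
            return r.status, r.read(4096).decode("latin-1", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""          # host down or unreachable


def classify(fetch):
    """fetch(path) -> (status, body). Returns the worm variants detected."""
    findings = []
    status, body = fetch("/")
    if status == 200 and DEFACEMENT_STRING in body:
        findings.append("Code Red")
    # Assumption: a 200 on a backdoor path means the worm planted it.
    if any(fetch(p)[0] == 200 for p in CODE_RED_II_BACKDOORS):
        findings.append("Code Red II")
    return findings


# Constructed sample responses standing in for three hosts (no network needed)
SAMPLE_HOSTS = {
    "cr1.example":   {"/": (200, "<html>Hacked by Chinese!</html>")},
    "cr2.example":   {"/": (200, "<html>IIS default page</html>"),
                      "/scripts/root.exe": (200, "")},
    "clean.example": {"/": (200, "<html>IIS default page</html>")},
}


def classify_sample(hostname):
    """Run classify() against one of the constructed hosts above."""
    table = SAMPLE_HOSTS[hostname]
    return classify(lambda path: table.get(path, (404, "")))


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, classify_sample(h) or "clean")
```

Against a live host, call `classify(lambda p: http_fetch("HOST", p))`; an unreachable host yields no findings rather than an exception.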
