[iwar] Code Red and Chinese IW (long and winding)

From: Fred Cohen (fc@all.net)
Date: 2001-07-22 19:25:11


To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Date: Sun, 22 Jul 2001 19:25:11 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] Code Red and Chinese IW (long and winding)



It appears that the Chinese 'Code Red' virus may also be in use as cover
for other attacks:

	Date: Thu, 19 Jul 2001 21:03:06 -0700
	Subject: Other China Hack Attempts Concurrent With Code Red

	I've seen 58 hosts attempt to access default.ida with an overflow string
	on my box.  I've had several other attempts, though, that seem to be
	hand-done, including several FTP logins and an attempt to send the GET
	strings "^D^A" and "^E^A^B" to my webserver (Apache).  Any ideas what
	the latter might be?

And of course the figures on Code Red vary somewhat...


	Date: Thu, 19 Jul 2001 21:50:53 -0600 (MDT)

	As several people have pointed out, the person who made the 1.17M claim
	later revised it to "only" about 200K or so.  And that's just him.  I have
	no real difficulty believing that we're in the 100's of thousands
	neighborhood at this point.

	This is the most "successful" worm I've ever seen.  Parts of the code are
	damn clever as well (take a real close look at how it "hacks" the web
	pages.)

	The worm would also be dead simple to modify, as well.  All that you would
	need for simple mods is a hex editor.  I'm pretty sure we'll see copycats
	in the next few days.

	Things could get pretty bad in the short term.

Of course the major media...

	Friday July 20 12:18 AM ET
	Computer Virus Targets White House
	By DAVID HO, Associated Press Writer

	WASHINGTON (AP) - The White House Web site dodged an Internet bullet
	Thursday, using some technical sleight of hand to sidestep a computer virus
	dubbed ``Code Red,'' security experts said.

	The virus has infected more than 225,000 computer systems around the world,
	defacing many Web sites with the message ``Hacked By Chinese,'' experts
	said. Despite the message, the origin of the virus is unknown.

	The ultimate goal of the virus, known as a ``worm,'' is to gather strength
	by infecting more computers and then have them all attack a numerical
	Internet address that represents the White House Web site. The assault,
	which was set to go off Thursday at 8 p.m. EDT, is a denial of service
	attack, designed to hamper or shut down a computer system by flooding it
	with huge amounts of data.

	The White House apparently shifted its Web site to a different numerical
	address to avoid the attack, said Stephen Trilling, director of research at
	Symantec Corp. (NasdaqNM:SYMC - news) of Cupertino, Calif., a computer
	security company.
...

Of course China is not just playing Internet:

	Washington Post, July 20, 2001
	China Signs $2 Billion Deal For Russian Fighter Jets
	Aircraft to Strengthen Beijing's Ability to Attack Taiwan
	By John Pomfret, Washington Post Foreign Service

	BEIJING, July 19 -- China has signed a contract with a Russian aircraft
	manufacturer for another batch of ground-attack jets, Russian press
	reports and diplomats said, in a move that would allow China's
	modernizing armed forces to improve their ability to launch an assault
	on Taiwan.

	Russian press reports and diplomats said Chinese officials signed the
	contract with the Komsomolsk-on-Amur Aviation Production Association to
	supply upward of $2 billion worth of Su-30 MKK ground-attack planes.
	One report, by the Russian Tass news agency, put the number of jets at 38.

	Another report, by Russia's Military News Agency, said the factory's
	5,000 workers would be working overtime until 2003 to fulfill the terms
	of a foreign contract.  In 1999, China concluded a $1.8 billion deal for
	40 Su-30s.  So far, 10 are believed to have been delivered.

And of course the CERT comes in late as usual...  more than a week after
large-scale response was underway in other fora.

	CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer
	Overflow In IIS Indexing Service DLL
	Original release date: July 19, 2001

And then we have some US thinking on the issue:


	China is planning on a major war with the U.S. in the next two years.
	That is the conclusion of Admiral Thomas H. Moorer. Moorer is the former
	chairman of the Joint Chiefs of Staff, the nation's highest-ranking
	military officer. He has advised no fewer than seven U.S. presidents.
	Moorer was chairman in the early 1970s when President Nixon "opened up"
	China. He has dealt with China in three wars and commanded the Pacific
	Fleet. Moorer claims China's hostage-taking fits with its strategy of
	defeating the U.S. and he believes a conflict with China over Taiwan is
	inevitable. A major war with China could erupt in two short years and
	such a war would likely lead to the use of atomic weapons by both sides.
	Moorer warns that a new nexus between Russia and China now threatens the
	balance of world power, and he fears that one or more conflicts may face
	America in the next few years. 
	
	Source: Newsmax, Admiral Thomas Moorer

Meanwhile, China and Russia have agreed that they do not want a dominant US:

	China's Leader in Moscow to Sign Pact Treaty Reflects Two Nations'
	Opposition to U.S. Supremacy

	By Peter Baker and John Pomfret
	Washington Post Foreign Service
	Monday, July 16, 2001; Page A09

	MOSCOW, July 15 -- Chinese President Jiang Zemin arrived here today to meet
	with his Russian counterpart and sign a treaty reflecting their shared
	opposition to U.S. supremacy and a mutual desire to secure border regions
	that have been the source of instability for centuries.

	The accord, officially called the Sino-Russian Treaty of Good-Neighborly and
	Friendly Cooperation, is scheduled to be signed Monday by Jiang and Russian
	President Vladimir Putin during the Chinese leader's four-day visit to
	Russia -- the second of four planned summits between the two this year.

Then - once we knew that Code Red had an error in its Random Number
Generator (those in the right security fora), we had this interesting change:

	Fri, 20 Jul 2001 00:48:30 -0700
	Subject: Code-Red: An analytic model of its spread

	I have worked up a tentative quantitative theory of what happened with the
	spread of the Code-Red worm on Thursday July 17th (yesterday, for purposes of
	this email).  Although I can't prove it, my theory seems to explain the limited
	data I have fairly well, and to support a slightly novel conclusion.  I'd really
	appreciate getting more complete data from anyone who has it.  This is not
	exactly peer-reviewed science at this point, but rather late night, hasty math
	which hopefully won't turn out to be too wrong in the morning.

	What I believe happened is that sometime yesterday morning (US time), someone
	released a new version of Code-Red.  At a minimum, the new version had a
	corrected random number generator and seeding algorithm.  The new version spread
	very rapidly until almost all vulnerable IIS servers on the Internet were
	compromised.  It stopped trying to spread at midnight UTC (5pm in California
	where I am).  I do not know in what other ways the new version might have been
	different from the earlier one.

	Background.  

	Code-Red was first seen in the wild on July 13th, according to Ryan Permeh and
	Marc Maiffret of Eeye Digital Security who analyzed it at

	http://www.eeye.com/html/Research/Advisories/AL20010717.html and 
	http://www.eeye.com/html/advisories/codered.zip

	According to Eeye, Code-Red spreads by compromising Microsoft IIS web servers
	using the .ida vulnerability discovered also by Eeye and published June 18th:

	http://www.eeye.com/html/Research/Advisories/AD20010618.html

	Once it has infected a host, Code-Red spreads by launching 99 threads which
	generate random IP addresses, and then try to compromise that IP address using
	the same vulnerability.  A hundredth thread defaces the web server in some
	cases.
...
	http://www.silicondefense.com/cr/ has the full paper...
	550,000 systems involved in one way or another...

Meanwhile... who says China cannot control what happens with its Internet users?
They are indeed in control of what goes on - but for how long?  Nobody knows...

	Subject: China Shuts Down 2,000 Internet Cafes
	Date: Fri, 20 Jul 2001 19:36:34 -0400
	http://www.siliconvalley.com/docs/news/reuters_wire/1348140l.htm

Ah well... so much for this week's rank speculation.

FC
--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
   This communication is confidential to the parties it is intended to serve.
	PGP keys: https://all.net/pgpkeys.html - Have a great day!!!
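The seeding bug described in the quoted Code-Red analysis, shown as an added toy simulation (not code from the original message, nor from eEye or Silicon Defense): when every infected host starts its random generator from the same fixed seed, all hosts walk one shared target list and the scanning effort is duplicated, while per-host seeding covers the address space and saturates the vulnerable population. Address-space size, vulnerable fraction and scan rate are assumed values, not figures from the message.

```python
import random

# Toy parameters (assumptions for the simulation, not figures from the message).
ADDRESS_SPACE = 1 << 14      # 16,384 addresses instead of the real IPv4 space
VULNERABLE_FRACTION = 0.05   # share of addresses running an exploitable server
SCANS_PER_ROUND = 20         # probes each infected host makes per time step


def vulnerable_count():
    return int(VULNERABLE_FRACTION * ADDRESS_SPACE)


def simulate_spread(rounds, per_host_seed, world_seed=7):
    """Infected-host count after each round for a random-scanning worm.

    per_host_seed=False: every host starts its generator from the same fixed
    seed, so all hosts walk one shared target list (the seeding bug the
    message describes in the first Code-Red variant).
    per_host_seed=True:  each host seeds its generator independently (the
    corrected variant), so no scanning effort is duplicated.
    """
    world = random.Random(world_seed)   # drives the environment only
    vulnerable = set(world.sample(range(ADDRESS_SPACE), vulnerable_count()))

    def new_generator():
        seed = world.random() if per_host_seed else 0
        return random.Random(seed)

    patient_zero = min(vulnerable)      # deterministic first victim
    infected = {patient_zero: new_generator()}
    history = []
    for _ in range(rounds):
        newly = {}
        for gen in infected.values():
            for _ in range(SCANS_PER_ROUND):
                target = gen.randrange(ADDRESS_SPACE)
                if target in vulnerable and target not in infected and target not in newly:
                    newly[target] = new_generator()
        infected.update(newly)
        history.append(len(infected))
    return history


if __name__ == "__main__":
    buggy = simulate_spread(rounds=40, per_host_seed=False)
    fixed = simulate_spread(rounds=40, per_host_seed=True)
    print("shared seed  :", buggy[-1], "of", vulnerable_count(), "hosts infected")
    print("per-host seed:", fixed[-1], "of", vulnerable_count(), "hosts infected")
```

With a shared seed the number of distinct addresses ever probed is bounded by the first host's scan count, so the infected total stays tiny no matter how many hosts join; per-host seeding produces the logistic-style climb to saturation that the quoted analysis associates with the corrected variant.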




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:37 PDT