From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Sun, 22 Jul 2001 19:25:11 -0700 (PDT)
Subject: [iwar] Code Red and Chinese IW (long and winding)
Message-Id: <200107230225.TAA25555@big.all.net>

It appears that the Chinese 'Code Red' virus may also be in use as cover for other attacks:

Date: Thu, 19 Jul 2001 21:03:06 -0700
Subject: Other China Hack Attempts Concurrent With Code Red

I've seen 58 hosts attempt to access default.ida with an overflow string on my box.
I've had several other attempts, though, that seem to be hand-done, including several FTP logins and an attempt to send the GET strings "^D^A" and "^E^A^B" to my webserver (Apache). Any ideas what the latter might be?

And of course the figures on Code Red vary somewhat...

Date: Thu, 19 Jul 2001 21:50:53 -0600 (MDT)

As several people have pointed out, the person who made the 1.17M claim later revised it to "only" about 200K or so. And that's just him. I have no real difficulty believing that we're in the 100's of thousands neighborhood at this point. This is the most "successful" worm I've ever seen. Parts of the code are damn clever as well (take a real close look at how it "hacks" the web pages.) The worm would also be dead simple to modify, as well. All that you would need for simple mods is a hex editor. I'm pretty sure we'll see copycats in the next few days. Things could get pretty bad in the short term.

Of course the major media...

Friday July 20 12:18 AM ET
Computer Virus Targets White House
By DAVID HO, Associated Press Writer

WASHINGTON (AP) - The White House Web site dodged an Internet bullet Thursday, using some technical sleight of hand to sidestep a computer virus dubbed ``Code Red,'' security experts said.

The virus has infected more than 225,000 computer systems around the world, defacing many Web sites with the message ``Hacked By Chinese,'' experts said. Despite the message, the origin of the virus is unknown.

The ultimate goal of the virus, known as a ``worm,'' is to gather strength by infecting more computers and then have them all attack a numerical Internet address that represents the White House Web site. The assault, which was set to go off Thursday at 8 p.m. EDT, is a denial of service attack, designed to hamper or shut down a computer system by flooding it with huge amounts of data.
The White House apparently shifted its Web site to a different numerical address to avoid the attack, said Stephen Trilling, director of research at Symantec Corp. (NasdaqNM:SYMC) of Cupertino, Calif., a computer security company.

...

Of course China is not just playing Internet:

Washington Post, July 20, 2001
China Signs $2 Billion Deal For Russian Fighter Jets
Aircraft to Strengthen Beijing's Ability to Attack Taiwan
By John Pomfret, Washington Post Foreign Service

BEIJING, July 19 -- China has signed a contract with a Russian aircraft manufacturer for another batch of ground-attack jets, Russian press reports and diplomats said, in a move that would allow China's modernizing armed forces to improve their ability to launch an assault on Taiwan.

Russian press reports and diplomats said Chinese officials signed the contract with the Komsomolsk-on-Amur Aviation Production Association to supply upward of $2 billion worth of Su-30 MKK ground-attack planes. One report, by the Russian Tass news agency, put the number of jets at 38.

Another report, by Russia's Military News Agency, said the factory's 5,000 workers would be working overtime until 2003 to fulfill the terms of a foreign contract. In 1999, China concluded a $1.8 billion deal for 40 Su-30s. So far, 10 are believed to have been delivered.

And of course the CERT comes in late as usual... more than a week after large-scale response was underway in other fora.

CERT Advisory CA-2001-19
"Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
Original release date: July 19, 2001

And then we have some US thinking on the issue:

China is planning on a major war with the U.S. in the next two years. That is the conclusion of Admiral Thomas H. Moorer. Moorer is the former chairman of the Joint Chiefs of Staff, the nation's highest-ranking military officer. He has advised no fewer than seven U.S. presidents. Moorer was chairman in the early 1970s when President Nixon "opened up" China.
He has dealt with China in three wars and commanded the Pacific Fleet. Moorer claims China's hostage-taking fits with its strategy of defeating the U.S. and he believes a conflict with China over Taiwan is inevitable. A major war with China could erupt in two short years and such a war would likely lead to the use of atomic weapons by both sides. Moorer warns that a new nexus between Russia and China now threatens the balance of world power, and he fears that one or more conflicts may face America in the next few years.

Source: Newsmax, Admiral Thomas Moorer

Meanwhile, China and Russia have agreed that they do not want a dominant US:

China's Leader in Moscow to Sign Pact
Treaty Reflects Two Nations' Opposition to U.S. Supremacy
By Peter Baker and John Pomfret
Washington Post Foreign Service
Monday, July 16, 2001; Page A09

MOSCOW, July 15 -- Chinese President Jiang Zemin arrived here today to meet with his Russian counterpart and sign a treaty reflecting their shared opposition to U.S. supremacy and a mutual desire to secure border regions that have been the source of instability for centuries.

The accord, officially called the Sino-Russian Treaty of Good-Neighborly and Friendly Cooperation, is scheduled to be signed Monday by Jiang and Russian President Vladimir Putin during the Chinese leader's four-day visit to Russia -- the second of four planned summits between the two this year.

Then - once we knew that the Code Red has an error in its Random Number Generator (those in the right security fora), we had this interesting change:

Fri, 20 Jul 2001 00:48:30 -0700
Subject: Code-Red: An analytic model of its spread

I have worked up a tentative quantitative theory of what happened with the spread of the Code-Red worm on Thursday July 17th (yesterday, for purposes of this email). Although I can't prove it, my theory seems to explain the limited data I have fairly well, and to support a slightly novel conclusion.
I'd really appreciate getting more complete data from anyone who has it. This is not exactly peer-reviewed science at this point, but rather late night, hasty math which hopefully won't turn out to be too wrong in the morning.

What I believe happened is that sometime yesterday morning (US time), someone released a new version of Code-Red. At a minimum, the new version had a corrected random number generator and seeding algorithm. The new version spread very rapidly until almost all vulnerable IIS servers on the Internet were compromised. It stopped trying to spread at midnight UTC (5pm in California where I am). I do not know in what other ways the new version might have been different from the earlier one.

Background. Code-Red was first seen in the wild on July 13th, according to Ryan Permeh and Marc Maiffret of Eeye Digital Security who analyzed it at

http://www.eeye.com/html/Research/Advisories/AL20010717.html
and
http://www.eeye.com/html/advisories/codered.zip

According to Eeye, Code-Red spreads by compromising Microsoft IIS web servers using the .ida vulnerability discovered also by Eeye and published June 18th:

http://www.eeye.com/html/Research/Advisories/AD20010618.html

Once it has infected a host, Code-Red spreads by launching 99 threads which generate random IP addresses, and then try to compromise that IP address using the same vulnerability. A hundredth thread defaces the web server in some cases.

...

http://www.silicondefense.com/cr/ has the full paper... 550,000 systems involved in one way or another...

Meanwhile... who says China cannot control what happens with its Internet users? They are indeed in control of what goes on - but for how long? Nobody knows...

Subject: China Shuts Down 2,000 Internet Cafes
Date: Fri, 20 Jul 2001 19:36:34 -0400
http://www.siliconvalley.com/docs/news/reuters_wire/1348140l.htm

Ah well... so much for this week's rank speculation.
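The quoted spread analysis attributes the Thursday surge to a version with a corrected random number generator and seeding algorithm, but does not show why seeding matters so much for a random-scanning worm. The simulation below is an added example, not code from the original message, from the quoted analyst or from the silicondefense paper. It models random scanning in a constructed toy address space and compares two variants: a "flawed" one in which every infected host's generator starts from the same constant seed, so every host walks the identical address sequence (a modeling assumption standing in for the "error in its Random Number Generator" mentioned above), and a "corrected" one in which each host seeds independently. The address space size, the vulnerable population, the probes per round (standing in for the worm's 99 scanning threads) and the constant seed are all constructed values.

```python
import random

# Constructed toy parameters (not from the message): a small address space
# so the run finishes quickly while still showing the two growth shapes.
ADDRESS_SPACE = 20_000      # addresses a scanner can pick from
VULNERABLE = 2_000          # hosts running the vulnerable service
SCANS_PER_ROUND = 10        # probes each infected host sends per round
                            # (stands in for the worm's 99 scanning threads)
FIXED_SEED = 0xC0DE         # constant seed for the "flawed" variant (constructed)


def make_scanner(shared_seed, master):
    """Return the address generator a freshly infected host will use.

    shared_seed=True models the flawed seeding assumed here: every host gets
    a generator seeded with the same constant, so every host replays the
    identical address sequence from position 0.  shared_seed=False models
    the corrected worm: each host gets its own seed, so scans are independent.
    """
    if shared_seed:
        return random.Random(FIXED_SEED)
    return random.Random(master.getrandbits(32))


def simulate(rounds, shared_seed, master_seed=1):
    """Run the toy epidemic; return the infected-host count after each round.

    Index 0 of the result is the single initial host, index r the count
    after round r.  master_seed fixes the constructed world (which addresses
    are vulnerable, which host starts) so both variants see the same world.
    """
    master = random.Random(master_seed)
    vulnerable = set(master.sample(range(ADDRESS_SPACE), VULNERABLE))
    patient_zero = master.choice(sorted(vulnerable))
    scanners = {patient_zero: make_scanner(shared_seed, master)}
    history = [len(scanners)]
    for _ in range(rounds):
        newly_infected = set()
        for gen in scanners.values():
            for _ in range(SCANS_PER_ROUND):
                target = gen.randrange(ADDRESS_SPACE)
                # only a vulnerable, not-yet-infected target is compromised
                if target in vulnerable and target not in scanners:
                    newly_infected.add(target)
        for host in newly_infected:
            scanners[host] = make_scanner(shared_seed, master)
        history.append(len(scanners))
    return history


def rounds_to_half(history):
    """Round at which half the vulnerable population was infected, or None."""
    for r, count in enumerate(history):
        if count * 2 >= VULNERABLE:
            return r
    return None


def compare(rounds=60):
    """Summary numbers for the flawed-seed and per-host-seed variants."""
    flawed = simulate(rounds, shared_seed=True)
    corrected = simulate(rounds, shared_seed=False)
    return {
        "flawed_final": flawed[-1],
        "corrected_final": corrected[-1],
        "flawed_half_round": rounds_to_half(flawed),
        "corrected_half_round": rounds_to_half(corrected),
    }


if __name__ == "__main__":
    flawed = simulate(60, shared_seed=True)
    corrected = simulate(60, shared_seed=False)
    print("round  flawed-seed  per-host-seed")
    for r in range(0, 61, 5):
        print(f"{r:5d}  {flawed[r]:11d}  {corrected[r]:13d}")
```

With the shared seed, only the host furthest along the common sequence ever reaches addresses nobody has probed yet; every later victim re-scans ground the first host already covered, so the infected count grows roughly linearly with one host's scan rate. With per-host seeding the probes are independent, the number of new victims per round is proportional to the number of already infected hosts, and the curve takes the S shape (exponential growth, then saturation) that the quoted message describes as "spread very rapidly until almost all vulnerable IIS servers on the Internet were compromised". For a defender the practical reading is that observed scan counts from a seeded-correctly worm rise far faster than a simple "X scans per infected host" estimate from the first hours would predict.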
FC

--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
Fred Cohen - Practitioner in Residence - The University of New Haven
This communication is confidential to the parties it is intended to serve.
PGP keys: https://all.net/pgpkeys.html - Have a great day!!!
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:37 PDT