CodeRed.C was discovered on
Aug 4, 2001. It has been called a variant of the original
CodeRed worm because it uses the same "buffer overflow"
exploit to propagate to other web servers.
The original CodeRed carried a payload
that launched a denial of service attack on the White House
web server. The variant called CodeRed.C has a different payload
that gives the attacker full remote access to the web
server.
When a web server becomes infected,
the worm first calls its initialization routine, which identifies
the base address of kernel32.dll in the process address space
of the IIS server service. Next it looks for the address of
GetProcAddress. It then calls GetProcAddress repeatedly to obtain
the addresses of a set of APIs:
LoadLibraryA
CreateThread
..
..
GetSystemTime
It loads WS2_32.DLL to
access functions such as socket, closesocket and WSAGetLastError.
From USER32.DLL it obtains ExitWindowsEx, which the worm uses
to reboot the system.
The main thread checks for
two different markers. The first marker, '29A', controls the
installation of a trojan called Trojan.VirtualRoot. The other
marker is a semaphore called 'CodeRedII'. If the semaphore exists,
the worm goes into an infinite sleep. Next, the main thread
checks the default language. If the default language is Chinese
(either Taiwan or PRC), it creates 600 new threads, otherwise
300. These threads generate random IP addresses used to search
for new web servers to infect. While these threads are working,
the main thread copies cmd.exe from the Windows NT System
directory to the following locations, if the directories exist:
c:\inetpub\scripts\root.exe
d:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
If the trojan dropped by the
worm has modified the following registry key (adding a few different
keys and also setting the user group to 217), an attacker can
take full control of the web server by sending an HTTP GET
request that runs scripts/root.exe on the infected web
server.
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots
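As an added illustration (not code from the original write-up), the following Python scans IIS W3C extended log lines for requests to either web-reachable root.exe location the worm creates. The log lines and client addresses are constructed; a 200 against root.exe means the copied command shell answered, while a 404 shows a client probing a host where the file is absent.

```python
import re
from dataclasses import dataclass

# Constructed sample in IIS W3C extended log format (not from the write-up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 03:12:44 10.0.0.5 GET /default.htm - 200
2001-08-05 03:12:51 10.0.0.5 GET /scripts/root.exe - 200
2001-08-05 03:13:07 10.0.0.9 GET /MSADC/root.exe - 200
2001-08-05 03:13:20 10.0.0.9 GET /scripts/images/logo.gif - 404
2001-08-05 03:14:02 10.0.0.7 GET /Scripts/ROOT.EXE - 404
"""

# The two web-reachable locations the worm copies cmd.exe to: the scripts
# directory and the MSADC virtual directory. IIS paths are case-insensitive.
BACKDOOR_PATH = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)

@dataclass
class Hit:
    timestamp: str
    client_ip: str
    uri_stem: str
    status: int

def scan_iis_log(text):
    """Return one Hit per request for root.exe under /scripts or /MSADC.
    Column positions come from the #Fields directive, so any W3C field order
    that includes date, time, c-ip, cs-uri-stem and sc-status is accepted."""
    fields, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, cols))
        if BACKDOOR_PATH.match(rec.get("cs-uri-stem", "")):
            hits.append(Hit(f"{rec['date']} {rec['time']}", rec["c-ip"],
                            rec["cs-uri-stem"], int(rec["sc-status"])))
    return hits

def served_hits(hits):
    """Hits answered 200: the copied command shell actually ran (404 = probe)."""
    return [h for h in hits if h.status == 200]
```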
The main thread sleeps for 48
hours on Chinese systems and 24 hours otherwise. The other
300 or 600 threads keep working and attempt to infect other
systems. When the main thread wakes up from its sleep, it
causes the machine to be rebooted. In addition, all threads
check whether the month is October or the year is 2002. If so, the
machine is rebooted.
The worm copies the command
shell (cmd.exe) to the default execution-enabled directory
of the IIS web server, allowing remote control. It also
drops a file with the hidden, system and read-only attributes into the
root of the drive as C:\EXPLORER.EXE, D:\EXPLORER.EXE, or both.
These trojan files are identified by Norton AntiVirus as Trojan.VirtualRoot.
The worm carries these files inside itself in a packed format
and unpacks them when they are dropped.
The infection lasts 24 or
48 hours and then the machine is rebooted. However, the
same machine can be infected again until it is patched with
the latest update from Microsoft. If the month is October or
the year is 2002, the machine is also rebooted. When the
machine is rebooted, Trojan.VirtualRoot is executed when
the system attempts to execute explorer.exe, because of how Windows
NT resolves or searches the program path when executing a program.
The trojan (c:\explorer.exe) sleeps for a few minutes
and then resets these keys to ensure the registry modifications stay in place.
It alters the following Winlogon registry key to disable SFC
(System File Checker):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable value set to 0xFFFFFF9