The War Against Code Red
8/8/01 7:00:15 PM

Okay guys - I attempted to create and deploy a Code Red counter virus yesterday. To save some of you some time - let me just say that it was NOT successful outside my test environment.

The counter virus, as I call it, isn't actually a virus at all (in that it does not spread unprovoked as Code Red does). Basically, my solution was to design a set of ASP scripts that sat on my IIS server and intercepted requests for /default.ida (the request used to execute Code Red attacks).

Upon receiving the request - the script would immediately track the attacker back to his home IP. It would then attempt to upload (tftp) a few files, including the patch, to the attacker's box using the security holes left behind by the latest version of Code Red. The biggest part of the project was figuring out how to reboot the machine remotely using just the HTTP connection. Using another script called system.asp, I was able to execute a few commands in a local context, including Microsoft's venerable shutdown.exe command.
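As an added, defensive illustration (not code from the original post): instead of acting on the attacker, a server can simply recognise the /default.ida probe in its IIS logs and count the infected sources hitting it. The log field layout, the regex thresholds, the variant names and the sample lines below are this example's own assumptions.

```python
import re
from collections import Counter

# Code Red's HTTP probe: GET /default.ida with a long run of one filler byte
# ('N' for the original worm, 'X' for Code Red II) followed by %u-encoded shellcode.
# The 100-byte run threshold and the variant labels are this example's assumptions.
PROBE_QUERY = re.compile(r"^(?P<fill>[NX])(?P=fill){99,}.*%u[0-9a-f]{4}", re.IGNORECASE)
VARIANT = {"N": "Code Red", "X": "Code Red II"}

def parse_line(line):
    """Parse one IIS W3C line: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, method, stem, query, status = parts
    return {"ip": ip, "method": method, "stem": stem, "query": query, "status": status}

def classify(entry):
    """Return the worm variant name if the entry is a Code Red probe, else None."""
    if entry["method"] != "GET" or entry["stem"].lower() != "/default.ida":
        return None
    m = PROBE_QUERY.match(entry["query"])
    return VARIANT[m.group("fill").upper()] if m else None

def scan_log(text):
    """Count probes per source IP and per variant; comment and unrelated lines are ignored."""
    by_ip, by_variant = Counter(), Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        variant = classify(entry)
        if variant:
            by_ip[entry["ip"]] += 1
            by_variant[variant] += 1
    return {"probes": sum(by_ip.values()), "by_ip": dict(by_ip), "by_variant": dict(by_variant)}

# Constructed sample log (not from the original post); 224 filler bytes is an assumed probe length.
SHELLCODE = "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-08 19:00:01 10.0.0.5 GET /default.ida " + "N" * 224 + SHELLCODE + " 200",
    "2001-08-08 19:00:07 10.0.0.9 GET /default.ida " + "X" * 224 + SHELLCODE + " 200",
    "2001-08-08 19:00:09 10.0.0.5 GET /default.ida " + "N" * 224 + SHELLCODE + " 200",
    "2001-08-08 19:01:00 10.0.0.7 GET /index.htm - 200",
    "2001-08-08 19:01:30 10.0.0.11 GET /default.ida - 404",  # bare hit, no overflow payload
])

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A bare /default.ida request without the filler run is deliberately not counted, so a scanner or a curious browser hitting the URL does not inflate the infected-host tally.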

Unfortunately - that only worked on my test boxes. During use of this antivirus - I developed a secondary technique that would create a VBScript file from one of the batch files I had uploaded. It would then attempt to execute this file. This of course was able to shut down machines in my test environment (with only guest access) - but it was unable to do so in the real world.

At the end of the virus - the final script would open a web browser window pointing the user towards a page on my site detailing that I had in fact gotten rid of the virus for them. Needless to say, they weren't meant to read this page - as the script would "attempt" to reboot the machine within only a few seconds of this, after applying the Microsoft patch. (This was so I could keep track of how many people I fixed.)

How many did I fix? Not a damn one. In fact the rate of infection just continues to grow. This is absurd. There is simply NO excuse at this point to be infected with this thing. @Home doesn't seem to care, as they haven't even sent out any kind of warning to their users.

The saddest part about this is that we are getting to the point where situations similar to Code Red are becoming acceptable. Nobody seems to really care all that much at this point. I'm of the personal opinion that the ONLY way this will be stopped is for somebody to actually write an Anti Virus that uses the original .ida buffer overflow to apply the patch with full privileges.

The saddest part is that whoever wrote the antivirus would probably be sued by the hundreds of people whose computers were fixed by it.... truly sick huh? What a wonderful world we live in.

