More CodeRed, dangerous PDFs, more wireless network flaws, ColdFusion and Apache

CodeRed, CodeRed, wherefore art thou CodeRed?; PDFs all peaches and cream?; Tips for avoiding the net's dangers

Has any other computer malware been in the media so much in the last couple of years? I am, of course, pondering the CodeRed worm. What is perhaps most odd about the attention it has garnered is that, unlike the so-called 'e-mail worms' such as 'AnnaKournikova', VBS/LoveLetter and W97M/Melissa, before it CodeRed affects what is traditionally server software -- specifically Microsoft's web server, IIS -- rather than end-user systems. Further, CodeRed is self-instantiating, causing its code to be loaded directly into memory and run as a result of an IIS buffer overflow while processing a web page request. Together, these have made for rapid and extensive distribution of the worm.

Aside from CodeRed and Microsoft releasing a 'clean-up' tool for it, there was no Microsoft security news this last week. Perhaps just to prove that IIS is not the only web server that can have problems, a directory disclosure bug was found in the Apache web server. And the old (and increasingly inexcusable) issue of not installing sample web server applications (or other unwanted or 'unnecessary' functionality and features) reared its head again in the discovery of a couple of security flaws introduced to a ColdFusion web site if the optional sample applications have been installed and left on a production machine.

Other than that, the only other security or virus story of great consequence this week was the release of a VBS e-mail worm that sends itself embedded in a PDF file. Fortunately VBS/PeachyPDF can only spread if the victim has the full (authoring) version of Adobe Acrobat and does not work in the simpler Acrobat Reader version which is what most people have installed.

Virus News

CodeRed, CodeRed, wherefore art thou CodeRed?

Last weekend saw the release of the third variant of CodeRed, variously named CodeRed.C, CodeRedII and (just to confuse things) CodeRed v3.

Unlike the two previous worms based on exploiting the .ida/.idq buffer overflow in IIS servers not patched to MS01-033, CodeRed.C was not intent on running a denial of service attack against a target. In fact, after it had spread for 24 hours (or 48 if the compromised machine was configured to use a Chinese language) it forced the host to reboot, killing that instance of the worm. The reason for the reboot is to enable a remote access security breach against the target machine, because, as well spreading like wildfire, CodeRed.C drops a Trojan named 'EXPLORER.EXE' in the root of the C: and D: drive of the compromised machine.

Another 'old' Microsoft security patch (MS00-052 from 28 July 2000) fixes a bug in Windows whereby a file named thus will be run instead of the 'real' Explorer, should it file be located in the root directory of

the boot drive. Assuming the relevant security patch for that problem was not installed, the Trojan would run and in the process it set a number of registry entries to add wide open web server virtual roots to the C:\ and D:\ directories of the compromised machine. This action leaves the machine open to an enormous range of remote security exploits via specially crafted URL requests sent to the copy of IIS on that machine. The scale of this compromise and the likelihood that anyone whose machine was able to be compromised by the worm would have no way of telling what else had subsequently been added, removed or otherwise altered means that 'cleaning up" such a compromised machine is really best done by reformat, reinstall and restore your data from the last backup prior to CodeRed.C hitting.

Of course, the attraction of running a simple script or 'fix it' application is strong, but note this is not just your newsletter compiler being 'alarmist'. Microsoft has released a CodeRed.C elimination tool (see link below) and on the download page the last two warnings Microsoft makes about not doing it this way and doing it 'properly' are (this was originally in all-caps but is easier to read formatted in sentence capitalization):

If the worm has infected your system, your system has been opened to additional forms of attack. This tool only eliminates the direct effects of the worm - it does not eliminate any additional damage that other attacks may have caused while your server was infected.

While this tool is useful in eliminating the effects of the code red ii worm on internal servers that are protected from the internet by a router or firewall, Microsoft recommends that infected internet-facing servers be rebuilt according to the guidelines published on the cert web site. In addition, any other servers that are judged to have been put at risk by their proximity to infected servers should also be rebuilt rather than being placed back into service.

So, why did CodeRed.C take off so much more quickly than the previous variants? CodeRed.C is really a new worm, or at least a near-complete rewrite of one of the earlier variants. One of its 'tricks' is that it biases its network address selection for the next target to the same network range (Class-A and -B for the technically inclined) as the current machine 50% of the time. Add to this the surprising number of Windows 2000 Professional machines apparently installed on cable and DSL networks, together with their default IIS installation and we have a large population of active, always-on but essentially 'unintended' IIS web servers available for repeated compromise. CodeRed.C's strategy of largely staying within a network where it has already 'succeeded' (at least in as far as it is running on one machine there) means it rapidly spreads through large-ish networks of like machines.

Microsoft CodeRed.C elimination tool

Various antivirus vendor descriptions: ca.com, f-secure.com, viruslist.com, vil.nai.com, sophos.com, sarc.com

PDFs all peaches and cream?

Earlier this week a South American virus writer released yet another VBS mass-mailing e-mail worm. Unlike its many, many forebears, this one had a real twist -- the VBS script code is embedded within a PDF file and it is the PDF file, not the bare script, that is attached to the virus' malicious messages. The PDF file purports to be a 'game', featuring a large number of small images of naked buttocks and one close-up photograph of a peach. The objective is to find and click on the peach within a one minute time limit. Clicking the peach causes the script to be activated, but fortunately (for now) this only works in the full, PDF-authoring version of Adobe Acrobat. Users of the standard (and much more common) Acrobat Reader application are not vulnerable to this worm or others like it.

Last week it was a warning about a parrot screensaver, this week a warning about a game with peaches. What have to look forward to next week?

Various antivirus vendor descriptions: f-secure.com, vil.nai.com, sophos.com, sarc.com

Tips for avoiding the net's dangers

The linked article is good user-level introduction to the things one should consider if new to the Internet or a longer-term user who has not previously paid much attention to security issues. This may be a good article to refer your staff to for consideration of what to do with their home machines.

- News article

Security News

Even more serious wireless networking flaws

We have previously reported several flaws in, or concerns with, the design and/or implementation of the wired equivalent-privacy (WEP) protocol and other aspects of 802.11 wireless LAN (WLAN) products. Further to that existing bad news, top cryptographers have landed an even more devastating blow on WEP. The newly discovered attack depends on weaknesses in the RC4 key-scheduling algorithm and means that with current CPUs, a high-end laptop with a WLAN card can passively sniff WLAN network traffic and recover the key in about 15 minutes.

This attack scales linearly with the bit-strength of the cypher, so current moves to 'strengthen' WEP by defining standards for a 128-bit key version will not greatly complicate an attacker intent on cracking a victim's WLAN. Further, any 'improvement' due to redefining such core parts of the WEP protocol as the encryption algorithms it uses would not be backwards compatible, meaning anything that 'fixes' this problem will not work with existing WLAN products unless they are upgraded or replaced.

This latest weakness, and the previous ones, suggests that the best way to use WLANs (if at all) is to treat them as being outside your firewall and only run traffic across them that is already subject to strong, well-implemented end-to-end encryption such as typical VPNs.

- News article

ColdFusion sample applications introduce security holes

As a general rule, it is a good idea on production systems to only install or enable the products, options and features that are needed on that system. For example, the traditional Microsoft approach of installing (almost) everything and enabling (nearly) all possible features could readily be argued to be the reason the CodeRed variants we have seen over the last few weeks have been successful. Rafts of users running default installs of Windows 2000 on their home or small business machines and connected to always-on cable or DSL have not even been aware they were running IIS, so should we really have expected them to know this required them to check for IIS security updates and install them with a fair degree of alacrity?

There have been many such examples in the past, and most versions of Allaire's ColdFusion have been found to contain sample applications that can be used to spoof e-mail and post executables (or any other type of file) to the web server. To be fair to Allaire (who recently bought MacroMedia) they do recommend removing sample applications, documentation and other features that are unused by your site's actual implementation (see the security practice guideline linked below).

Allaire security bulletin and best practice guideline:

Apache web server open to directory indexing attack

Specially crafted URLs containing large numbers of slash characters can escape the error checking and reporting in the Apache web server and return information about the directory structure of parts of a web server that should remain 'hidden' to the outside world. Although this attack is not inherently dangerous itself, the information obtained may be crucial to someone planning a directed attack in that it can help them ascertain the operating system the server runs and other information that can be important in determining how to attack any given machine. Apache users should update to v1.3.19 as soon a practicable.

- Bugtraq vulnerability entry

Join the newsletter!

Error: Please check your email address.

More about Adobe SystemsAllaireApacheLANMicrosoft

Show Comments
[]