Code Red - Please Read!
-
Kip Patterson
- Senior Member
- Posts: 4438
- Joined: Wed Jun 07, 2000 12:00 pm
- Location: Columbus, Ohio
Code Red - Please Read!
Code Red and its descendants are worms that infect systems that have Microsoft's Internet Information Server installed. This is mostly machines that are running server editions of Windows NT and Windows 2000, although some Cisco systems may also be vulnerable.
Once infected, a server then attempts to infect other servers. The worm uses a clever algorithm to determine the addresses to be tried, preferentially selecting "nearby" addresses in the same IP block as the server.
That produces two kinds of traffic. Any competent "firewall" such as ZoneAlarm will show you the first kind of traffic, which consists of the transmission of a single packet containing the worm to port 80 (ZA calls this the 'http' port) at your IP. I am seeing these at the rate of one every 5 minutes.
The second kind of traffic is ARP broadcasts. These occur when the worm's algorithm generates an address that is not present in the ARP table of the infected machine. The infected machine's TCP/IP stack generates an ARP broadcast, and the router at the headend forwards it over the infected machine's subnet. Moreover, if there is no host at that address, the broadcast may be repeated.
These are hitting my machine at the rate of nearly one per second. They are not visible to ZA or the like because they are not processed by the TCP/IP stack, but they do produce a flashing data light on the modem that catches everyone's attention.
What to do about it? If you are not running a server, absolutely nothing.
If you are running a server, I'd recommend that you shut it down. This is not going away, and I expect to see the ISPs coming after users running servers big time.
Kip
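The two kinds of traffic described above (port-80 probes and ARP who-has broadcasts for nearby addresses) can be counted from a packet summary. This is an added example, not code from the thread; the tcpdump-style sample lines, the address 65.24.72.9 as the infected host and the rate thresholds are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a tcpdump-like one-line style (not a real capture).
# 65.24.72.9 plays the infected server (ARP who-has for nearby addresses plus
# SYNs to port 80); 10.1.1.5 is an ordinary client fetching one page.
SAMPLE = """\
12:00:00.10 arp who-has 65.24.72.17 tell 65.24.72.9
12:00:00.45 arp who-has 65.24.72.23 tell 65.24.72.9
12:00:01.02 arp who-has 65.24.72.31 tell 65.24.72.9
12:00:01.20 IP 65.24.72.9.1034 > 65.24.72.40.80: S 1:1(0) win 16384
12:00:01.80 arp who-has 65.24.72.44 tell 65.24.72.9
12:00:02.10 IP 65.24.72.9.1035 > 65.24.72.41.80: S 1:1(0) win 16384
12:00:02.50 IP 10.1.1.5.2000 > 65.24.72.40.80: S 1:1(0) win 65535
12:00:03.00 arp who-has 65.24.72.51 tell 65.24.72.9
"""

ARP_RE = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)")
SYN80_RE = re.compile(r"^(\S+) IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.80: S ")

def _seconds(stamp):  # hh:mm:ss.frac -> seconds since midnight
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse(text):
    """Return (time, kind, src, dst) for ARP who-has requests and port-80 SYNs."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            events.append((_seconds(m[1]), "arp", m[3], m[2]))
            continue
        m = SYN80_RE.match(line)
        if m:
            events.append((_seconds(m[1]), "syn80", m[2], m[3]))
    return events

def summarize(events):
    """Per-source counts; also how many ARP targets lie in the source's own /24."""
    per_src = defaultdict(lambda: {"arp": 0, "syn80": 0, "syn_targets": set(), "arp_same_24": 0})
    for _, kind, src, dst in events:
        rec = per_src[src]
        rec[kind] += 1
        if kind == "arp":
            if ipaddress.ip_address(dst) in ipaddress.ip_network(f"{src}/24", strict=False):
                rec["arp_same_24"] += 1
        else:
            rec["syn_targets"].add(dst)
    return per_src

def suspects(events, arp_per_sec=0.5, min_port80_targets=2):
    """Sources whose ARP rate or number of distinct port-80 targets crosses a threshold."""
    if not events:
        return []
    span = max(1.0, events[-1][0] - events[0][0])  # guard against a zero-length window
    return sorted(src for src, rec in summarize(events).items()
                  if rec["arp"] / span >= arp_per_sec
                  or len(rec["syn_targets"]) >= min_port80_targets)
```

A flagged source is the host to report to the ISP; the `arp_same_24` count shows the "nearby address" preference the post describes.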
I have a constantly flashing light
on my modem. I'm not running a server and am using Win98SE. I've scanned my system several times with different antivirus stuff, and I'm sure I'm not infected. When I run a packet sniffer it says that the packets are from the IP of the default gateway. What's up with that?
Great.. I guess I ought to resort to Apache for now while this whole fiasco dissipates. But then again, what the heck.. I wouldn't mind seeing Microsoft products being put through the test, especially when I do run IIS behind my firewall. Does it matter if UDP traffic is not being transferred past my firewall on port 80? Also, I don't think my firewall allows ARP requests past the LAN link, unless there's an option that needs to get unchecked. We'll soon find out.
OMARNYC.COM - My place on the web
*** In response to drakken ***
Packet sniffers often can only monitor traffic within your subnet, and within your physical WAN/LAN link. This is why you see your sniffer reporting activity coming from your gateway, or the interface that allows your particular IP to get past your ISP's router, and wherever else it needs to go. A packet sniffer's primary, and for its own purpose, sole usefulness is to detect any network load discrepancies, and to show you statistically how traffic aggregates along your segment, and any other routed segments within your VLAN, if present. Think of a sniffer as an Internet gauge, likely SNMP based, that serves as a line speedometer. It can only see the kinds of data that travel past any link it's allowed to see and can tell you at what rate it's doing so, but it doesn't actually know what's contained in that data. That would get anyone spooked, particularly if there are any unusual spikes in traffic load. I sometimes also wonder what's going on when I see the LEDs on my Ethernet hubs flash, and I know no one in my house is using the Internet.
-
SkullE
The same modem flashing thing happened to me yesterday. I've had DSL for over a year and this is the first time it's done this. I shut down the computers and turned off the D-Link router and my DSL (Westell) modem was still blinking like crazy. My incoming light on the router was flashing before I shut it off and the outgoing light was off so I know it wasn't me. Even after I shut down the modem and turned it back on, the "activity" light went back to flashing for a few seconds before it stopped. I'm not quite sure if this is a result of someone else having the virus and trying to get to me or not.
Windows XP
All of you with flashing data lights, please read this thread.
-
martialcomp
- Regular Member
- Posts: 338
- Joined: Sun Jan 23, 2000 12:00 am
Code red
Thanks for the info Kip...I heard yesterday that Road Runner might actually be shutting down customers running Windows 2000? I also heard that this issue was much more serious than previously reported and that switches and routers are actually going down, in some areas, because of this virus. I would even be concerned that this could cause Motorola routers to reboot, which could knock people offline for a short time. Not sure on all of this, but I am sure of one thing...these viruses are becoming a major pain in the behind. Sircam last week, now Code Red.
-
Kip Patterson
- Senior Member
- Posts: 4438
- Joined: Wed Jun 07, 2000 12:00 pm
- Location: Columbus, Ohio
Whenever we get a mess like this the rumors come out of the woodwork. Not to say that what you heard is wrong, but it seems like staying as close as possible to what is known is important. One claim is that there is a new version that does a denial of service attack by sending repeated ARP queries. I don't see how the math works out - a cable modem is going to send enough 64 bit packets upstream to bring down a PC? Another claim is that folks are seeing ARP queries from across the nation - it would be nice to know how this is possible.
Attacks at my location are running 20/hour. (I'm on TW RR, 65.24.72.x) and the ARPs are running 30 a minute. That's only about 16 kbits of downstream traffic for the ARPs.
I don't know if RR is shutting down folks running Win 2000. They only need to be concerned about the server edition of 2000 and NT, and perhaps not about NT, if rumors are correct. Allegedly the latest version of the worm does not attack NT4 successfully.
It's pretty amusing that RR bans servers in the TOS but has never dealt with the issue, and now we have this mess. The offending machines are easy to find, they're pinging us continually. Why RR and other ISPs don't shut them down is beyond my comprehension.
Kip
-
martialcomp
- Regular Member
- Posts: 338
- Joined: Sun Jan 23, 2000 12:00 am
...
I am getting what looks like 2-3 blinks on my RD light per second. This is way more than I usually see...I am on @Home on the west coast and am still on a Motorola system (proprietary). I have not bothered to evaluate what the request contain because I do not run any servers anyway. Never have, probably never will.
-
martialcomp
- Regular Member
- Posts: 338
- Joined: Sun Jan 23, 2000 12:00 am
One more important thing...
I do not know if this could be a problem or not, but Windows 2000 Pro and Windows XP both come with File and Printer Sharing bound and activated. Not that this would be open for the Code Red virus, but it is prudent to disable File and Printer Sharing anyway.
Hell, I've been getting the constant cable light activity since Friday evening. Now today, I get a system generated email from RoadRunner security (TampaBay) stating if I run Win2K or NT (I run Win2K Pro w/SP2 but NO IIS) I need to go to MS and download their patch and reboot. No mention that if I'm not running IIS then I'm in the clear and it's unnecessary. Either RR is scared ****less and trying to panic everyone to download a possibly unnecessary patch or they don't know the details of how Code Red I or II truly work.
-
Kip Patterson
- Senior Member
- Posts: 4438
- Joined: Wed Jun 07, 2000 12:00 pm
- Location: Columbus, Ohio
In defense of RR, (Yes, I sent them a proctological email myself) the code that needs to be corrected is not part of IIS, and is present in installations of Windows 2000 that do not have IIS installed.
On the other hand, you're absolutely correct. No IIS, no vulnerability.
@Home has apparently started filtering port 80. All that does is prevent the infection of any further servers, leaving the present infectees still banging around the net.
I'm an old fart, and just about every facet of this mess bothers me. The wheels seem to be falling off all of technology. The Columbus Western Electric plant, now Lucent, about to become god knows what, is a shell of its former self. The phone company can't even deliver books on time, and is about to be sued because they shrank the typeface 20%, and these cable ISPs can't seem to find their buttocks with both hands.
Kip (I think I better go to bed)
CaptureNet
A good program I found called "SpyNet" has a program on it called
CaptureNet v3.121. It monitors internet activity in real time so you can see why the little flashing
What is CaptureNet
CaptureNet is a network sniffer for Windows 95/98/NT.
CaptureNet captures all network packets while PeepNet interprets them and tries to reconstruct the original sessions the packets belonged to, showing you, for example, the web page a user was watching.
CaptureNet:
- Can be used to store ALL network activity in timestamped files as evidence of possible criminal activities.
- It can capture all packets with or without software filters.
- It is able to save captured data to a file for later analysis.
- Recognizes the main protocols used in an Ethernet network.
- Works with dial-up adapters too.
- It was designed to maintain its settings between uses.
- Offers the possibility to search through thousands of packets for those matching a user-defined filter.
THE FIREMAN
Kip,
You are 100% correct, we started getting hit hard Thursday the 3rd of August. Cable modems flashing constant RF and IP traffic. Monitored it over the weekend logging all information, first thing Monday we got on the phone with Cisco and worked with them on resolving the problem. What happens within the CMTS network is exactly like you stated, we were averaging 7 ARP requests per second due to the Code Red Worm. Working with Cisco we shut down almost all of the ARP requests.
Warning to all MSOs: Cisco is getting swamped with calls due to this and I would advise that you call them if you are using a UBR72xx before it causes your CMTS to crash, which they told me could very easily happen. After we got through with Cisco our speeds returned to normal.
If any MSOs need any info feel free to email me and I will let you know what we did to stop it on the CMTS and our main router.
Here is a program that will help dramatically stop the Code Red Worm. The more people that run it on their computers, the quicker the Worm will be stopped.
http://www.dynwebdev.com/codered/
What it does is send out an email to the owner of the computer that is scanning your computer to notify him or her that the computer is infected with the Code Red Worm.
I would have to agree with Mr. Gibson "GRC" that this worm will never end.
-
Kip Patterson
- Senior Member
- Posts: 4438
- Joined: Wed Jun 07, 2000 12:00 pm
- Location: Columbus, Ohio
For the folks that are considering Code Red Vigilante:
This is a program that takes advantage of the fact that machines infected by Code Red II are vulnerable to additional attack and open to the world.
While a lot of us may think that the approach of Vigilante, placing a message on the infected machine, is appropriate and positive, you may wish to consider that others, including the owner of the infected machine, may not agree. Imagine this message coming up on a business server, being found by the boss. Who knows what the IS guy might say to cover his butt.
It could have unintended consequences, including complaints to your ISP and law enforcement.
It also apparently will not work with machines infected with the original Code Red worm.
Kip
Re: I have a constantly flashing light
no worries m8.. Code Red runs on NTs such as Windows 2000 Pro/Server, NT, Windows XP.. if you're running Win98SE don't worry, you're safe.
Originally posted by drakken:
on my modem. I'm not running a server and am using Win98SE. I've scanned my system several times with different antivirus stuff, and I'm sure I'm not infected. When I run a packet sniffer it says that the packets are from the IP of the default gateway. What's up with that?
Share What You Know, Learn What You Don't.
RapSource.Com
Call me crazy.. but..
I'm on @Home with a Com21 cable modem and my link lights blink all the time. Even before the dawn of Code Red my lights blinked. What's up with that?
All this blinking light business amounts to slower performance from your ISP. Mine SUX since this data/activity LED started this blinking thing last week. How long does it take to inoculate all affected servers? When will this bug wear out?
Failure is not an option, it comes bundled with the software.