Code Red Worm Analysis

Original post, 7 August 2001, 14:14:00

CODE RED spreads by exploiting the .IDA buffer overflow vulnerability in the IIS web server. When it infects a host, it performs the following actions on the affected machine:

1. Set up the initial worm environment
2. Create 100 worm threads
3. The first 99 threads propagate to infect other hosts
4. The 100th thread checks whether it is running on an English-language version of Windows NT/2000

If so, it replaces the host's web page with:

Welcome to http://www.worm.com !, Hacked By Chinese!

The message disappears automatically after 10 hours unless the host is infected again.

If it is not an English version, this thread is also used to infect other hosts.

5. Each thread checks the local time
If the time is between 20:00 UTC and 23:59 UTC, the thread sends 100K bytes of data to www.whitehouse.gov.
If it is earlier than 20:00 UTC, the thread continues propagating to other hosts.


The detailed analysis below uses:

IDA (Interactive Disassembler), from www.datarescue.com.
The MS VC++ debugging environment

I split the worm into three parts for study: the core functionality module, the web page hack module, and the www.whitehouse.gov attack module.

I. Core functionality module

1. Initial infection vector (a host that has been infected and will spread the worm)

When infected, system memory looks like this:


4E 00 4E 00 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
92 90 58 68 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
FA 00 00 00 90 90 58 68
D3 CB 01 78 90 90 58 68
D3 CB 01 78 90 90 58 68
D3 CB 01 78 90 90 90 90
90 81 C3 00 03 00 00 8B
1B 53 FF 53 78

EIP is overwritten with 0x7801CBD3. The code at 0x7801CBD3 disassembles to call ebx; when EIP is overwritten with call ebx, program flow is redirected back onto the stack. The code on the stack then jumps into the worm code, which sits in the body of the initial HTTP request.

2. Set up the initial stack variables

CODEREF: seg000:000001D6 WORM

First, the worm sets up a 218h-byte stack filled with CCh, then it moves on to activating the jump functions.
All variables are referenced as EBP-X values.

3. Load functions (build the "jump table")
CODEREF: seg000:00000203 DataSetup

First, the worm references the data section of the exploit code at EBP-198h. Then it needs to create its own internal function jump table.
The worm uses an RVA (Relative Virtual Address) lookup technique; in a nutshell, the RVA is used to obtain the address of GetProcAddress. GetProcAddress is then used to obtain the address of LoadLibraryA. It uses these two functions to load the following functions:

From kernel32.dll:
GetSystemTime
CreateThread
CreateFileA
Sleep
GetSystemDefaultLangID
VirtualProtect

From infocomm.dll:
TcpSockSend

From WS2_32.dll:
socket
connect
send
recv
closesocket

Finally, the worm stores the base address of w3svc.dll, which will later be used to change the web page.


4. Check the threads already created:
CODEREF: seg000:00000512 FUNC_LOAD_DONE

It runs WriteClient (part of the ISAPI Extension API) to send "GET" back to the attacking machine. This is presumably to tell the attacking machine that it has successfully infected this host.

Then it counts the active worm threads.
If the count equals 100, control passes to the web page hack function.
If the count is less than 100, it creates a new thread. Each new thread is a simple copy of the worm.

5. Check for the existence of c:/notworm
This is a "lysine deficiency" feature, used to keep the malicious code from spreading further.
If the file exists, it takes no further action; if it does not exist, it proceeds to the next step.

6. Check the affected system's time:
CODEREF: seg000:00000803 NOTWORM_NO
CODEREF: seg000:0000079D DO_THE_WORK

If the time is between 20:00 UTC and 23:59 UTC, the thread sends 100K bytes of data to www.whitehouse.gov.
If it is earlier than 20:00 UTC, the thread continues propagating to other hosts.

7. Infect a new host
If it can establish a connection to port 80, it sends a copy of itself to that IP. If the send succeeds, it closes the socket and goes to step 5, starting a new cycle.

II. Web page hack module

This module is invoked once 100 threads have been spawned.

1. Check whether the system language is English, then go to step 5 of the core module
CODEREF: seg000:000005FE TOO_MANY_THREADS

2. Sleep for 2 hours
CODEREF: seg000:00000636 IS_AMERICAN
This is presumably to spread as far as possible before changing the page.

3. Attempt to change the affected system's web page
CODEREF: seg000:0000064F HACK_PAGE

III. www.whitehouse.gov attack module

Create a socket to port 80 of www.whitehouse.gov and send 100K bytes of data:
CODEREF: seg000:000008AD WHITEHOUSE_SOCKET_SETUP

First, it creates a socket and connects to port 80 of 198.137.240.91 (www.whitehouse.gov/www1.whitehouse.gov),
CODEREF: seg000:0000092F WHITEHOUSE_SOCKET_SEND

If the connection succeeds, it enters a loop of 18000h single-byte send()'s to that site

CODEREF: seg000:00000972 WHITEHOUSE_SLEEP_LOOP

After 18000h send()'s, it sleeps for four and a half hours, then repeats the attack.

From: Marc Maiffret via the ntbugtraq mailing list
Compiled by CNNS

Solutions:
1. If the system has been infected, download and install the patch from Microsoft and reboot the machine; for details see
http://www.cnns.net/article/db/1720.htm

2. If unsure, type netstat -an at an MS-DOS prompt; if there is an unusually large number of connections to port 80 on arbitrary external IPs, the system has probably been infected.
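The netstat check above is a heuristic, and it helps to know what it actually keys on: the worm's propagation loop connects to pseudo-random addresses, most of which never answer, so an infected host shows many half-open (SYN_SENT) connections to port 80 on unrelated IPs, whereas a busy web client or proxy shows mostly ESTABLISHED ones. The following Python is an added example, not part of the original analysis: it parses constructed `netstat -an` output in the Windows format and reports the distinct outbound port-80 peers and how many are still in SYN_SENT. The threshold is an assumption to tune per host; the sample output and the documentation-range addresses in it are constructed.

```python
import re

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
# 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.5:80         198.51.100.9:2044      ESTABLISHED
  TCP    192.168.1.5:1034       203.0.113.7:80         SYN_SENT
  TCP    192.168.1.5:1035       203.0.113.88:80        SYN_SENT
  TCP    192.168.1.5:1036       198.51.100.22:80       SYN_SENT
  TCP    192.168.1.5:1037       203.0.113.7:80         SYN_SENT
  TCP    192.168.1.5:1038       192.0.2.9:80           ESTABLISHED
  TCP    192.168.1.5:1039       192.0.2.200:443        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for '*' (IPv4 only)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def assess(text, threshold=50):
    """Count outbound TCP/80 peers (our own web server's inbound traffic on local port 80
    is excluded) and how many of those connections are still half-open.
    The threshold is an assumed starting value, not something the advisory specifies."""
    rows = [r for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["state"] != "LISTENING"
            and r["lport"] != 80 and r["fport"] == 80]
    peers = {r["fhost"] for r in rows}
    syn_sent = sum(1 for r in rows if r["state"] == "SYN_SENT")
    return {"distinct_peers": len(peers), "syn_sent": syn_sent,
            "flag": len(peers) >= threshold}


if __name__ == "__main__":
    # With the real tool: assess(subprocess.check_output(["netstat", "-an"], text=True))
    print(assess(SAMPLE_NETSTAT, threshold=3))
```

A high SYN_SENT share among the port-80 peers is the stronger signal; a large count of ESTABLISHED connections alone is what a legitimate crawler or proxy looks like too.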

worm, like the original Code Red worm, will only exploit Windows 2000
web servers because it overwrites EIP with a jmp that is only correct under
Windows 2000. Under NT 4.0 that offset is different, so the process will simply
crash instead of allowing the worm to infect the system and spread.
This analysis is of the newly spreading CodeRedII.
To see more information about the previous version of Code Red please see our
previous advisory:
Continued Threat of the "Code Red" Worm


Details
This analysis is broken up into 3 sections: infection, propagation, Trojan

To check if your system has been infected, look for the existence of the files:
c:/explorer.exe
d:/explorer.exe

Also check your IIS scripts folder and msadc folder to see if the file root.exe
exists. If it does, then you have most likely been infected with this worm. Note:
an older sadmin Unicode worm also would rename cmd.exe to root.exe, so you could
have a bit of crossover there.

To download this analysis and all disassembly files then go to:
http://www.eeye.com/html/advisories/coderedII.zip

Infection:
1st infection:

A. The first thing the worm does is setup a jump table so that it can get to all
of its needed functions.
seg000:000001D0

B. The worm then proceeds to get its local IP address. This is later used to deal
with subnet masks (propagation) and to make sure that the worm does not re-infect
the local system.
seg000:000001D5

C. Next, the worm gets the local System Language to see if the local system is running
Chinese (Taiwanese) or Chinese (PRC).
seg000:000001F9

D. At this point the worm checks if we have executed before, and if so, then the
worm will proceed to the propagation section. (See the propagation section)
seg000:0000021A

E. Next, the worm will check to see if a CodeRedII atom has been placed
(GlobalFindAtomA). This functionality allows the worm to make sure not to re-infect
the local machine. If it sees that the atom exists then it sleeps forever.
seg000:00000240

F. The worm will add a CodeRedII atom. This is to allow the worm the functionality
to check to see if a system has already been infected with the worm.
seg000:0000027D

G. The worm now sets its number of threads to 300 for non-Chinese systems. If the
system is Chinese then it sets it to 600.
seg000:00000286

H. At this point the worm spawns a thread starting back at step A. The worm will
spawn threads according to the number set from G. Each new thread will be a propagation
thread.
seg000:000002BA

I. This is where the worm calls the Trojan functionality. You can find an analysis of
the Trojan mechanism down below in the Trojan System section.
seg000:000002C4

K. The worm then sleeps for 1 day if the local system is not Chinese, 2 days if it is.
seg000:000002DA

L. Reboot Windows.
seg000:000002E1

Propagation:
This is used to spread the worm further.
seg000:000002EB

A. Setup local IP_STORAGE variable. This is used for worm propagation functionality and
to make sure not to re-infect the local system.
seg000:000002EB

B. Sleep for 64h milliseconds
seg000:000002F1

C. Get local system time. The worm checks to see if the year is less than 2002 or
if the month is less than 10. If the date is beyond either of those, then the worm
reboots the local system. That limits the worm to 10/01 for its spreading (in a perfect
world).
seg000:000002FD

D. Setup SockAddr_in. This will reference the GET_IP section.
seg000:0000031A

E. Setup Socket: This performs a Socket(), stores the handle, then makes it a
non-blocking socket (this is important for speed dealing with connect() calls)
seg000:00000337

F. Connect to the remote host, if it returns a connect right away, go to H.
seg000:00000357

The following is how the worm generates the IP address for the next host to connect to:

GET_IP: ; CODE XREF: sub_1C4+168 p

call GET_OCTET ; load 4th octet (this is in reverse order due to byte ordering)
mov bh, al
call GET_OCTET ; get 3rd octet
mov bl, al
shl ebx, 10h ; shift bx to the top of ebx
call GET_OCTET ; get 2nd octet
mov bh, al
call GET_OCTET ; 1st
mov bl, al
call GEN_OCTET ; get first octet
and eax, 7 ; and it by 7
call CHECK_ADDR_MASK ; ecx has eip

For each octet, generate a pseudo-random byte between 1 and 254; next, get a random
octet between 1 and 254 and mask it by 7; finally, use this last byte to gen a 1st octet.

Most pertinent bit is CHECK_ADDR_MASK

This specifies the following:
dd 0FFFFFFFFh ; 0 - addr masks
dd 0FFFFFF00h ; 1
dd 0FFFFFF00h ; 2
dd 0FFFFFF00h ; 3
dd 0FFFFFF00h ; 4
dd 0FFFF0000h ; 5
dd 0FFFF0000h ; 6
dd 0FFFF0000h ; 7

This mask is applied to the local system's IP address, and matched to the generated IP
address. This makes a new IP with 0, 1 or 2 bytes of data from the local IP.

For instance, 1/8 of the time the worm will generate a random IP not within any
ranges of the local IP address.
1/2 of the time, it will stay within the same class A range of the local IP address
3/8 of the time, it will stay within the same class B range of the local IP address

Also, note that if the IP the worm generates is 127.x.x.x, 224.x.x.x, or the same as
the local system's IP address, then the worm will skip that IP address and generate a
new IP address to try to infect.

The way the worm generates IP addresses allows it to find more possible IIS web servers
quicker than the other CodeRed worms that have previously been released. This new worm
is also going to cause a lot more data to be zigzagged across networks.
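To make the mask table concrete, here is an added Python simulation (not code from the eEye analysis) that reproduces the GET_IP selection: four random octets in 1..254, a fifth random byte masked by 7 to index CHECK_ADDR_MASK, the mask combined with the local address, and the 127.x.x.x, 224.x.x.x and self-address skips. One reading is mine and labelled as an assumption: the mask is taken in the worm's little-endian dword order, so its set bits select the bytes kept from the random address and its clear bits keep the local address's bytes. That reading is what yields the 1/8, 1/2, 3/8 split the text describes, and the simulation measures that split, which shows why most of an infected host's probe traffic stays inside its own /8 and /16.

```python
import random
from collections import Counter

# Mask table exactly as listed under CHECK_ADDR_MASK; index = (random byte & 7).
ADDR_MASKS = [
    0xFFFFFFFF,                                      # 0: nothing kept from the local IP
    0xFFFFFF00, 0xFFFFFF00, 0xFFFFFF00, 0xFFFFFF00,  # 1-4: keep the local first octet
    0xFFFF0000, 0xFFFF0000, 0xFFFF0000,              # 5-7: keep the local first two octets
]


def ip_to_dword(ip):
    """Pack a dotted quad as the GET_IP loop does: first octet in the low byte."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return a | (b << 8) | (c << 16) | (d << 24)


def dword_to_ip(v):
    return ".".join(str((v >> shift) & 0xFF) for shift in (0, 8, 16, 24))


def combine(local_ip, random_ip, mask_index):
    """Assumed mask semantics (not stated on the page): set bits take the byte from the
    random address, clear bits take it from the local address."""
    mask = ADDR_MASKS[mask_index & 7]
    rnd, loc = ip_to_dword(random_ip), ip_to_dword(local_ip)
    return dword_to_ip((rnd & mask) | (loc & (~mask & 0xFFFFFFFF)))


def is_skipped(candidate, local_ip):
    """The worm discards loopback, multicast and its own address and re-rolls."""
    first = int(candidate.split(".")[0])
    return first in (127, 224) or candidate == local_ip


def next_target(local_ip, rng):
    while True:
        random_ip = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        mask_index = rng.randint(1, 254) & 7      # GEN_OCTET then "and eax, 7"
        candidate = combine(local_ip, random_ip, mask_index)
        if not is_skipped(candidate, local_ip):
            return candidate


def scope(target, local_ip):
    """Classify a target relative to the local address (class B, class A, or neither)."""
    t, l = target.split("."), local_ip.split(".")
    if t[:2] == l[:2]:
        return "same /16"
    if t[0] == l[0]:
        return "same /8"
    return "unrelated"


def scope_distribution(local_ip, n=20000, seed=1):
    """Fraction of generated targets in each scope; expect about 3/8, 1/2, 1/8."""
    rng = random.Random(seed)
    counts = Counter(scope(next_target(local_ip, rng), local_ip) for _ in range(n))
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    print(scope_distribution("10.1.2.3"))
```

The random scope comes out slightly under 1/8 because a fully random address occasionally shares its first octet with the local one by chance and is then counted as "same /8".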

G. Do a select to get the handle. If no handle is returned, then go to K.
seg000:000003B6

H. Set socket to Blocking. This is so select is not required after the connect.
seg000:000003C5

I. Send a copy of the worm.
seg000:000003E4

J. Do a recv(), this is not actually used anywhere.
seg000:000003FC

K. Close the socket and loop to A.

Trojan system:
This portion of the worm is designed to dump root.exe (root.exe is cmd.exe) into msadc
and scripts, and create a Trojan on the local drive.

seg000:00000804

A. Get System directory, this gets the native system directory (i.e., c:/winnt/system32)
seg000:00000810

B. Append cmd to the system directory string (c:/winnt/system32/cmd.exe)
seg000:00000828

C. Set drive modifier to c:
seg000:0000082D

D. copy cmd.exe to /scripts/root.exe (Actual path: Drivemodifier:/inetpub/scripts/root.exe)
seg000:00000831

E. copy cmd.exe to /msadc/root.exe (Actual Path: DriveModifier:/progra~1/common~1/system/MSADC/root.exe)
seg000:00000863

F. Initialize area for explorer.exe
seg000:000008A2

G. Create Drive/explorer.exe (drive is c, then d)
seg000:00000E83

H. The worm now writes out explorer.exe. There is an embedded binary within the worm
that will be written out to explorer.exe. It has the property that if an embedded byte
is 0xFC, it is replaced by 20h 0x00 bytes instead of the regular byte. For more on what
the Trojan explorer.exe binary does, go to the Explorer.exe Trojan section. Also,
the way NT works is that when a user logs into the local system it has to load
explorer.exe (desktop, task bar, etc.); however, NT looks for explorer.exe first in the
main drive path c:/, which means the Trojan explorer.exe is going to be loaded the next
time a user logs in, therefore keeping the system Trojaned over and over again.
seg000:00000EC8
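The 0xFC expansion in step H is a simple run-length encoding of zero bytes, which matters to anyone carving the embedded binary out of a captured worm body. The following Python decoder is an added example, not the worm's or eEye's code: it expands a blob exactly as the text describes, and adds an inverse transform that is my assumption about how the author packed it (greedy replacement of 32-byte zero runs with 0xFC), to show the size saving and the scheme's limitation, namely that a literal 0xFC byte in the original cannot survive it. The sample blob is constructed and is not the Trojan.

```python
ZERO_RUN = 0x20  # each 0xFC byte stands for 20h (32) zero bytes


def expand_embedded(blob: bytes) -> bytes:
    """Reverse the worm's encoding: every 0xFC becomes 32 zero bytes, all else is copied."""
    out = bytearray()
    for b in blob:
        if b == 0xFC:
            out.extend(b"\x00" * ZERO_RUN)
        else:
            out.append(b)
    return bytes(out)


def compress_embedded(data: bytes) -> bytes:
    """Assumed inverse (the page only describes expansion): greedily replace each full
    32-byte zero run with 0xFC. Lossy if the input contains a literal 0xFC byte, and
    it only round-trips exactly when zero runs are whole multiples of 32."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i:i + ZERO_RUN] == b"\x00" * ZERO_RUN:
            out.append(0xFC)
            i += ZERO_RUN
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


# Constructed stand-in for an embedded PE: a short header, one zero run, two more runs.
SAMPLE_STUB = b"MZ\xfcPE\x01\x02\xfc\xfc\xff"


def carve_report(blob: bytes) -> dict:
    """Summarise what expansion did, as a forensic analyst would log it."""
    expanded = expand_embedded(blob)
    return {
        "packed_len": len(blob),
        "expanded_len": len(expanded),
        "zero_runs": blob.count(0xFC),
        "literal_fc_survives": 0xFC in expanded,   # always False: 0xFC is never emitted
    }


if __name__ == "__main__":
    print(carve_report(SAMPLE_STUB))
    print(expand_embedded(SAMPLE_STUB).hex())
```

When carving from a real sample, run the expansion and then validate the result as a PE (MZ/PE signatures, section table) before trusting it; a byte that was meant literally as 0xFC would have been expanded too and shows up as corruption.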

I. close explorer.exe
seg000:00000ED5

J. Change drive modifier to D, then the worm goes back to the code in step D. After it
is done, it goes back to step K of the infection process.
seg000:00000EDD

Explorer.exe Trojan:
explorer.exe quick overview:

1. Get local systems windows directory.
2. Execute explorer.exe from within the local systems windows directory.
3. The worm now goes into the following loop:

while(1)
{
set SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/SFCDisable to
0FFFFFF9Dh, which basically disables system file protection.
set SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/Scripts to ,,217
set SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/msadc to ,,217
Set SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/c to c:/,,217
Set SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/d to d:/,,217
sleep for 10 minutes
}

The above code creates virtual web paths (/c and /d) which map /c to c:/ and /d
to d:/. The writer of this worm has put in this functionality to allow for a backdoor
to be placed on the system, so even if you remove the root.exe (cmd.exe prompt) from your
/scripts folder an attacker can still use the /c and /d virtual roots to compromise your
system. The attacks would look like:

http://IpAddress/c/inetpub/scripts/root.exe?/c+dir (if root.exe was still there) or:
http://IpAddress/c/winnt/system32/cmd.exe?/c+dir where dir could be any command an
attacker would want to execute.

As long as the Trojan explorer.exe is running then an attacker will be able to remotely
access your server.


Additional information
The information has been provided by Ryan Permeh and Marc Maiffret of eEye Digital Security
