detecting "Code Red" worm in NetFlow records


Subject: detecting "Code Red" worm in NetFlow records
From: Dave Plonka (plonka@doit.wisc.edu)
Date: Fri Jul 20 2001 - 09:39:20 CDT

flow-tools and FlowScan users,

While this may be a bit late, here's a technique that I'm using to
determine which hosts were participating in the "Code Red" worm.  (This
hit us really hard yesterday.  For background on the worm see the links
below.)

After investigating a number of hosts that had been infected, I see
that the original infection of a host leaves a recognizable signature
in the non-sampled NetFlow records.

The successful infection looks like this (with "flowdumper -s"):

   2001/07/19 10:17:14 infector.2179 -> infectee.80 6(PUSH|SYN|FIN|ACK) 7 4327
   2001/07/19 10:17:14 infectee.80 -> infector.2179 6(PUSH|SYN|ACK) 5 212

Then, immediately upon successful infection, the infectee starts the
probes to random destination hosts on port 80:

   2001/07/19 10:17:15 infectee.4321 -> 52.22.95.40.80 6(PUSH|RST|SYN|ACK) 11 4487
   2001/07/19 10:17:15 infectee.4322 -> 91.167.212.99.80 6(PUSH|RST|SYN|ACK) 11 4487
   2001/07/19 10:17:15 infectee.4323 -> 130.56.74.159.80 6(PUSH|RST|SYN|ACK) 11 4487
   ...

The infection preamble allows us to select just the candidate infectee
hosts like this:

   $ flowdumper -se '6 == $protocol && 7 == $pkts && 4327 == $bytes && ($TH_FIN & $tcp_flags)' raw_flow_file

For those of you using flow-tools rather than cflowd, you can also make
use of the flow-dscan tool to detect the hosts performing port 80 probes:

   $ /usr/local/netflow/bin/flow-filter -P80 < raw_flow_file | /usr/local/netflow/bin/flow-dscan -b

Dave

P.S. below are some references on the IIS vulnerability and the worm
which exploits it.

Announcement of the vulnerability:

   http://www.eeye.com/html/Research/Advisories/AD20010618.html

Discussion about the "Code Red" exploit/worm:

   http://www.securityfocus.com/templates/headline.html?id=12021
   http://www.securityfocus.com/templates/headline.html?id=12004
   http://www.cert.org/incident_notes/IN-2001-08.html

Patch to the vulnerability:
  
   http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

-- 
plonka@doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI
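
The two selection steps from the message above, applied to "flowdumper -s" style records, as an added example that is not part of the original post or of flow-tools/FlowScan. It assumes the record layout shown in the post (timestamp, src.port -> dst.port, proto(flags), pkts, bytes); the 10.0.x.x hosts and the threshold of three distinct targets are constructed for the sample.

```python
import re
from collections import defaultdict

# One "flowdumper -s" record: timestamp src.port -> dst.port proto(flags) pkts bytes
FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+) "
    r"(?P<proto>\d+)\((?P<flags>[^)]*)\) (?P<pkts>\d+) (?P<bytes>\d+)$"
)

def parse_flow(line):
    """Parse one flowdumper -s line into a dict; return None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    for k in ("sport", "dport", "proto", "pkts", "bytes"):
        f[k] = int(f[k])
    f["flags"] = set(f["flags"].split("|")) if f["flags"] else set()
    return f

def infection_candidates(lines):
    """Destination hosts of flows matching the infection preamble from the post:
    TCP to port 80, 7 packets, 4327 bytes, FIN among the cumulative TCP flags."""
    hits = set()
    for f in filter(None, map(parse_flow, lines)):
        if (f["proto"] == 6 and f["dport"] == 80 and f["pkts"] == 7
                and f["bytes"] == 4327 and "FIN" in f["flags"]):
            hits.add(f["dst"])
    return hits

def port80_scanners(lines, min_targets=3):
    """Sources that sent SYN flows to port 80 on at least min_targets distinct
    hosts: a simplified version of what flow-dscan looks for."""
    targets = defaultdict(set)
    for f in filter(None, map(parse_flow, lines)):
        if f["proto"] == 6 and f["dport"] == 80 and "SYN" in f["flags"]:
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

# Constructed sample records modelled on the post (10.0.x.x hosts are made up).
SAMPLE = """\
2001/07/19 10:17:14 10.0.0.5.2179 -> 10.0.1.7.80 6(PUSH|SYN|FIN|ACK) 7 4327
2001/07/19 10:17:14 10.0.1.7.80 -> 10.0.0.5.2179 6(PUSH|SYN|ACK) 5 212
2001/07/19 10:17:15 10.0.1.7.4321 -> 52.22.95.40.80 6(PUSH|RST|SYN|ACK) 11 4487
2001/07/19 10:17:15 10.0.1.7.4322 -> 91.167.212.99.80 6(PUSH|RST|SYN|ACK) 11 4487
2001/07/19 10:17:15 10.0.1.7.4323 -> 130.56.74.159.80 6(PUSH|RST|SYN|ACK) 11 4487
2001/07/19 10:18:02 10.0.2.9.3333 -> 10.0.1.7.80 6(SYN|ACK|FIN) 9 1502
""".splitlines()
```

On the sample, infection_candidates(SAMPLE) returns the single infectee 10.0.1.7 and port80_scanners(SAMPLE) reports the same host with three distinct port-80 targets; the last record has FIN set but the wrong packet count, so it is not a candidate.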



This archive was generated by hypermail 2b25 : Fri Jul 20 2001 - 09:44:47 CDT