Code Red 2

by Braddock Gaskill

Or how to anonymously get root access on 250,000 machines overnight.

This article describes a means by which a complete list of the estimated 250,000 Code Red II infected and backdoor-compromised hosts can easily be obtained by any individual who has kept a web server log of attack attempts on his machine: he uses the backdoors on the machines that attacked him to obtain the web logs of those infected IIS web servers, and from them learns of further infected hosts.  The strong recommendation of this report is that, as part of any Code Red II recovery effort, the system web logs should immediately be destroyed, and Intrusion Detection Systems (IDS) should be checking for, and tracing, recursive attempts to access web logs through the backdoor.

The Code Red II worm has been infecting IIS web servers with a speed equal to or greater than that of the original Code Red.  The original Code Red infected what is thought to be all vulnerable machines, approximately 250,000 hosts, in under 24 hours.

While Code Red I was relatively harmless, Code Red II installs a full administrator-access back door shell that can be accessed via HTTP.  This creates a very interesting situation and, with the techniques discussed in this article, opens a new potential door for mass system cracking.

The problem with releasing a worm or virus to obtain some information of value is that to transmit the information back to the worm originator a very clear trail is created that can be traced back to the perpetrator.  Primitive and naive worms or viruses sometimes attempt to email, or otherwise communicate, password files or information back to some origination point, allowing a trace to the original author.  A more sophisticated worm might attempt to just pass information upstream to get it closer to some origination node, and make attempts to destroy records of the transmission.  But this too leaves a trace of the worm's spread.  All records of the transmission in things like firewall logs and IDS systems can never be removed.

It is difficult enough to find a sufficiently anonymous node from which to make the initial release of the worm.  Preferably, one would do this far from home in a previously unpatronized Internet cafe or the like, through a large number of randomly cracked systems.  If an author actually makes some attempt to "return to the scene of the crime" to retrieve anything of value the worm might send back to some rendezvous node, he would most certainly be caught.

The alternative to this is to attempt to make the information the worm gathers public, and then attempt to retrieve it just like thousands of others will.  For example, a worm might send password lists to a USENET newsgroup or post it in some public forum.  But any public forum usually has some form of moderation and administration, so any malicious information at such a site would not stay online for long.

In addition, the more sophisticated the initial worm, the more stylistic and linguistic "fingerprints" the original author will leave on it.  Posting to public forums may well double the code in a simple worm.  If an author has ever made any of this code public, there may well be government agencies that could use code fingerprinting to narrow the field of suspects, particularly if other profiling information can be used.

If a true "anonymous common carrier" system like FreeNet is ever successfully put into place, this may well change the landscape.  But true untraceability will probably always remain elusive once national security or currency laundering enforceability is at stake, even if unfortunate Draconian legal means are required to achieve it.

Code Red II, however, presents a very different alternative.  Code Red II infects its hosts with a simple worm, inserts a simple administrator-access backdoor shell into the victim, and begins scanning for new victims.  At first glance, the backdoor is of little use to the worm originator.  After all, the originator has no list of infected hosts communicated back to him or left at some secret drop point.  The originator, like anyone else, can perform massive network scans for the backdoor, but that would put him on a relatively short and easily compiled list of suspects.  The worm also keeps no log of hosts that it has infected, and indeed no log is essential to keep the spread untraceable to the originating node.  Perhaps a public-key encrypted log could be compiled, but that leaves us back to the original problem of a fixed "drop point" or communication of the data.

The backdoor would indeed seem useless, except for the fact that the Internet is now saturated with Code Red II worms, each leaving web logs across the Internet full of records of buffer overflow attempts, complete with the infected host's IP address.  These attack attempts perform a service beyond attempted infection: they announce the infection of the attacking host.  And they do so in a way that leaves no direct trail of the worm's initial spread, and thus no direct risk of discovering the originating node.

This means that by the end of the first week, I personally had in my web log the IP addresses of over 100 random hosts with full-access backdoors installed that I could attack directly.  One hundred hosts on different unrelated networks is a large compromise, but not something that requires a massive Internet worm to achieve.  This is not enough value to make the plague of a worm worthwhile to its originator.

However, each of those 100 random infected hosts I know about is also an IIS web server with logs of, for example, another 100 random infected hosts each that attempted to re-infect it.  That means by breaking into the 100 hosts I know about and reading their logs, I now have backdoor access to approximately 100 * 100 = 10,000 hosts!  Repeat this another level (preferably originating from the broken nodes), and I will have 1,000,000 break-in attempts by random hosts.  At this point, many of these attempts will be from duplicate hosts, since only an estimated 250,000 hosts will be infected (this from the Code Red I estimates); however, it is clear that the implication of this worm is far greater than random hosts with backdoors.  It provides a clear mechanism for obtaining a list of thousands of infected hosts with backdoors.

While this technique is nice, it is still not entirely untraceable.  IDS systems will surely be looking for this type of backdoor exploiting traffic in the near term, and contacting several thousand hosts either directly or through a worm-backdoor distributed mechanism will be detectable on some level.  A full list would require the recursive retrieval of web logs from several thousand hosts.  However, the originator of the worm himself does not need to fear exposure... he has essentially made this information available to anyone who understands Code Red II and its implications described above.  A public list of all infected hosts is probably already available online.
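The log check that the recommendation at the top of this article and the IDS remark above both call for, as an added example written for this page and not code from the author: a small Python scanner over an IIS W3C extended log that pulls out the three things a defender wants from a Code Red II era log, namely which sending hosts announced their own infection by probing this server, which hosts have been driving the backdoor shell on this server, and whether any of those backdoor requests read the web log itself (the recursive harvesting step). The indicator strings (`/default.ida` as the probed URL, `root.exe` as the dropped copy of the command shell) and the sample log lines are assumptions and constructed data, not taken from the article. Run it against a copy of the log kept off the web server rather than the live file, since the whole point of the article is that the live copy is readable through the backdoor.

```python
"""Scan an IIS W3C extended log for Code Red II activity, defender's side.

Three things are worth pulling out of such a log:
  1. probe attempts, which announce that the *sending* host is infected;
  2. requests to the worm's backdoor shell on *this* host; and
  3. backdoor requests that read the web log itself, the recursive
     harvesting pattern the article describes.
"""
import re
from collections import Counter

# Indicator strings. These are the commonly published Code Red II indicators
# and are assumed here; the article itself does not name them.
PROBE_STEM = "/default.ida"                              # URL the worm probes
BACKDOOR_RE = re.compile(r"(root|cmd)\.exe$", re.IGNORECASE)   # dropped shell copy
LOG_ACCESS_RE = re.compile(r"logfiles|w3svc|\.log\b", re.IGNORECASE)

# Constructed sample log in IIS W3C extended format (not real traffic).
# The probe query is shortened to a run of X's; the real one is much longer.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 03:12:44 10.0.0.5 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXX 404
2001-08-06 03:15:01 10.0.0.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXX 404
2001-08-06 03:15:02 10.0.0.5 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXX 404
2001-08-06 04:02:10 10.0.0.77 GET /scripts/root.exe /c+dir 200
2001-08-06 04:02:15 10.0.0.77 GET /scripts/root.exe /c+type+c:\\winnt\\system32\\logfiles\\w3svc1\\ex010806.log 200
2001-08-06 04:10:00 10.0.0.80 GET /index.html - 200
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # other directives: #Software, #Date, ...
        if fields is None:
            raise ValueError("log line seen before #Fields header")
        parts = line.split()              # IIS encodes spaces in queries as '+'
        if len(parts) != len(fields):
            continue                      # malformed line: skip rather than guess
        records.append(dict(zip(fields, parts)))
    return records


def classify(rec):
    """Label a single request: probe, backdoor, backdoor-logread or benign."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "")
    if stem.lower() == PROBE_STEM:
        return "probe"
    if BACKDOOR_RE.search(stem):
        return "backdoor-logread" if LOG_ACCESS_RE.search(query) else "backdoor"
    return "benign"


def analyze(text):
    """Summarise a log: who announced infection, who used the backdoor, who read logs."""
    counts = Counter()
    infected, backdoor_clients, log_readers = set(), set(), set()
    for rec in parse_w3c(text):
        kind = classify(rec)
        counts[kind] += 1
        ip = rec.get("c-ip", "?")
        if kind == "probe":
            infected.add(ip)              # sender is running the worm
        elif kind == "backdoor":
            backdoor_clients.add(ip)      # someone is driving the shell on us
        elif kind == "backdoor-logread":
            backdoor_clients.add(ip)
            log_readers.add(ip)           # and harvesting our log for more victims
    return {
        "counts": dict(counts),
        "infected_hosts": infected,
        "backdoor_clients": backdoor_clients,
        "log_readers": log_readers,
    }


def report(text):
    """Human-readable lines for an incident note."""
    r = analyze(text)
    lines = [
        f"{len(r['infected_hosts'])} distinct hosts announced infection via {PROBE_STEM} probes",
        f"{len(r['backdoor_clients'])} distinct hosts used the backdoor shell on this server",
    ]
    if r["log_readers"]:
        lines.append("ALERT: web log read through the backdoor by: "
                     + ", ".join(sorted(r["log_readers"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The size of `infected_hosts` is exactly the list the article says an attacker harvests from your log, so it doubles as a measure of how much you are leaking; a non-empty `log_readers` set means that harvesting has already happened against this server and the IPs in it belong in the IDS trace the article recommends.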
