[Dshield] port 80 "on the high side"

James C Slora Jr Jim.Slora at phra.com
Fri Mar 28 00:09:22 GMT 2003

Allen Witt wrote Tuesday, March 25, 2003 10:20 AM

> The increase may be partly due to Code Red II. I'm still detecting attempts
> on various web servers using the new variety with the xxxxx nop slide. Code
> Reds go dormant after the 20'th of the month, but maybe something changed
> besides the url..... Anyone else seeing this?

I am seeing far more traffic from Code Red F than I ever saw from the original
Code Red II. There is no code change to explain this AFAIK. One explanation is
that there are far more vulnerable servers around than there were when CR was
originally released. I doubt this, but it's possible. A likely partial
explanation is that average CPU speeds have risen so the worm can scan more

This does not explain why some machines scan a single address 6 times in 2
minutes then never show up again, while others hit every few minutes day after
day. It does not explain why some machines hit the entire subnet at once,
while others hit only a random address once in a while. There are lots of
other anomalies. Some of the differences are due to the subnet favoritism
inherent in the worm, but some differences remain unexplained to me.

One other explanation to my simple mind is that some of this traffic is
actually generated by botnets and script kiddies. It's a trivial task to
insert Code Red F into an HTTP scanning script. This would also explain why
code that goes dormant after the 20th is still pumping through the net at full
velocity on the 27th (although I don't recall if CRII/F has the same dormancy
period as CRI).

There have been plenty of botnets that use standard unicode directory
traversal exploits as found in Nimda - why is it any less likely that some of
them would use Code Red? If you're not vulnerable, all you see is a Code Red
hit. If you are vulnerable, the propagation script could test for success then
hit the Code Red back door. On failure it would just move on to the next
targe. If the script waits a few minutes before hitting the back door from
another address, people will just assume that the machine was taken over as a
result of a normal Code Red infection. As an added bonus, the genuine Code Red
infection would continue to contribute to the background noise on the net that
hides the real action.

It would not look any different from the standard infection scenario, and
admins who don't look beyond the results of a virus scanner would find only
Code Red. Lazy admins of critical servers might just leave the server online
after cleaning the obvious infection, while the botnet hums happily along.

More information about the list mailing list