ALERT-TSA03-004

TSA 03-004 - CodeRed.F Worm

Date:  March 11, 2003
Time:  11:45 EDT

SUMMARY:  A variation of the Code Red and Code Red II worm is in the wild. TruSecure Essential Practices will prevent this worm from becoming a risk among our customers. However, it is infecting Internet hosts, is likely to receive media attention and, unlike Code Red II, this worm does not appear to have a date in its code to cause it to cease activity.

RISK INDICES:

Initial Assessment: IMPORTANT

Threat: LOW - Especially to TruSecure customers who have adopted TS Essential Practices or IIS Essential Configurations.

Vulnerability Prevalence: MEDIUM in general population, LOW at TS Sites. Although the exploits are well known and easily patched or configured for protection, the target population is still moderately large.

Cost: If infected: HIGH on web sites where the Trojan is loaded, since it may allow other actions to occur.

Vulnerable Systems:  IIS 5.0 and Outlook Web Access. Any IIS web server which has not previously been patched against Code Red (MS01-033), or has not removed script mappings (in particular .IDA), is a potential target.
 
NOTES:
Code Red (several versions) has been replicating actively ever since its birth in July and August of 2001, although Code Red II was programmed to end replication in October.  If you have not been infected by older versions, either at the perimeter or on the inside, then there is little reason to worry about this new version.  However, it is spreading and the rate of replication is growing.

In order to be infected the machine must be running IIS.  Unexpected IIS is typically found on developers' PCs and laptops and on un-sanctioned Intranet web servers, especially web servers that may have been commissioned in the past 18 months unknown to IT.

This version of Code Red should have the same ability to "jump to the inside" as the 2001 versions, by two or three different potential mechanisms: a) VPN from an infected remote user to the inside LAN, b) a WAN / business partner connection to the inside LAN/DMZ where there are vulnerable IIS machines not otherwise exposed to the Internet, or c) hibernating laptops that come out of hibernation while connected to the corporate LAN. Though if other recent Code Red infections have not bothered your company, then this one should not either.

Size:  This code is 3818 bytes long.

IDS may pick it up as Code Red II.

Some anti-virus will detect it as Code Red when it's written to the host's disk.
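Where neither IDS nor anti-virus names the worm, the web server's own log is the simplest place to confirm whether a host is being probed through the .IDA script mapping. The following scanner is an added example and is not part of this TruSecure alert: it parses IIS W3C extended log records (constructed sample lines below) and flags every request for a resource handled by the Index Server ISAPI, grading requests with an overflow-sized query string as "high". The .idq extension and the 200-character threshold are assumptions of this example, not values from the alert.

```python
"""Flag requests to .ida/.idq resources in IIS W3C extended logs (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional
from urllib.parse import unquote

# Extensions served by the Index Server ISAPI that MS01-033 patches and that the
# alert recommends unmapping.  .idq is an assumption of this example: it is
# handled by the same ISAPI as .ida but is not named in the alert.
ISAPI_EXTENSIONS = (".ida", ".idq")

# Query length above which a request is treated as overflow-sized rather than a
# stray probe.  Constructed tuning value for this example, not from the alert.
LONG_QUERY = 200


@dataclass
class Hit:
    time: str
    client: str
    stem: str        # decoded URI stem, so /%64efault.ida and /default.ida match alike
    query_len: int
    severity: str    # "high" for overflow-sized queries, otherwise "probe"


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no record data
        if not fields:
            continue                      # no header yet: columns are unknown
        values = line.split(" ")
        if len(values) < len(fields):
            continue                      # truncated record; skip instead of misaligning
        yield dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> Optional[Hit]:
    """Return a Hit when the record targets an ISAPI-mapped resource, else None."""
    stem = unquote(rec.get("cs-uri-stem", "-"))
    if not stem.lower().endswith(ISAPI_EXTENSIONS):
        return None
    query = rec.get("cs-uri-query", "-")
    query_len = 0 if query == "-" else len(query)   # "-" means no query string
    severity = "high" if query_len >= LONG_QUERY else "probe"
    return Hit(rec.get("time", "?"), rec.get("c-ip", "?"), stem, query_len, severity)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run classify over every parsed record and keep the hits, in log order."""
    return [hit for hit in (classify(r) for r in parse_w3c(lines)) if hit]


# Constructed sample log: a normal request, an overflow-sized .ida request, an
# upper-case probe, a percent-encoded stem, and a truncated record.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-11 11:40:02 192.0.2.10 GET /index.htm - 200",
    "2003-03-11 11:40:05 192.0.2.77 GET /default.ida " + "X" * 240 + " 200",
    "2003-03-11 11:40:09 192.0.2.78 GET /DEFAULT.IDA - 404",
    "2003-03-11 11:40:11 192.0.2.79 GET /%64efault.ida " + "Y" * 10 + " 404",
    "2003-03-11 11:40:12 192.0.2.80 GET /default.ida",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.time} {hit.client} {hit.stem} query_len={hit.query_len} {hit.severity}")
```

Run it against a real log by passing the file's lines to scan(). Decoding the stem before matching and skipping records shorter than the header are the two details that matter in practice: otherwise an encoded path slips past the extension check, and a truncated line shifts every later column.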

MITIGATIONS: 
The vulnerabilities that are being widely exploited have all been addressed in previous TruSecure Alerts, through the TruSecure Monitor, and through the TruSecure essential practices. 

Disable the ISAPI system or constrain script mappings to exclude .IDA (and others not used; see the TruSecure Essential Configuration on your TruSecure portal).

Apply any Microsoft IIS roll-up patch released since summer 2001.

Consider notifying potential IIS users, especially those who might have exposure outside of your corporate LAN (like developers who work from home, or outsourced developers).

As with any worm that has the potential to jump to the inside, consider notifying laptop users to please reboot their laptop PRIOR to connecting to your LAN (consider e-mail and/or photocopied notes posted at entrances).

REFERENCES:  The following are the best reference material: 

TS Alert 00-13 IIS Mappings 7/21/00
TS Alert 00-17 IIS Mappings 10/18/00
TS Alert 01-12 IIS Mappings 5/1/01
TS Alert 01-18 IIS Patch & Mappings 6/17/01
TS Alert 01-020 1st Code Red Alert, Patch and Mappings 7/17/01
TS ALERT 01-021 - New Code Red Worm
TS ALERT 01-021a - Update - Internal Code Red Worm Infections
The most frequently exploited vulnerabilities are addressed in the following Microsoft Security Bulletins:

MS01-033 6/17/01
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp


COMMUNICATION:
Please contact your TruSecure analyst at 877.330.0465 if you have any questions or if you see actual attempts to exploit this vulnerability.

TruSecure Corporation provides information security assurance services including TruSecure(tm) which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code risk (virus, Trojan, worm and related), Privacy risk, Downtime risk, Physical risk and Human Factors risk.  See http://www.trusecure.com for further information on these services.

DISCLAIMER:
Copyright 2003 TruSecure Corporation.  All rights reserved.  This Alert is the property of the TruSecure Corporation.  It may not be redistributed except within your own company or organization.  This Alert is being provided for informational purposes only and is provided "AS IS."  The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.

Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.