Security Incidents mailing list archives
Re: new codered worm penetrates content-filtering
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 11 Jan 2002 13:10:59 +1200
Ryan Russell <ryan () securityfocus com> wrote:
OK, I got a sample of one of the CodeReds from Chris Russel that had the "GET " in one packet, and the rest in subsequent packets. They are whole IP packets, so it's not fragmentation. The actual worm itself is simply CodeRed.b. The only other weird thing I've noted is that the PSH flag is set on the first two packets from the attacker, after the handshake. I don't think that's normal.
So, it's deliberate injection into the network in this pseudo-fragmented form, presumably to beat at least some IDSes or other filtering mechanisms. If the rest of the code is unchanged, as you say, then any successfully exploited targets will then only be spreading the "normal" CodeRed.B, so it won't be too huge an outbreak. People receiving these should consider how to approach the sending machine(s) because they are likely either friendly to hosting such dubious practises or compromised and unaware of this...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
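The evasion discussed above works only against a filter that inspects each TCP segment on its own. The following is an added illustration, not code from the thread or from any IDS: it builds a constructed sample (a CodeRed-style request line cut after "GET " with the remainder in a second PSH-flagged segment, filler in place of the worm's buffer) and shows that a per-packet matcher misses the well-known `/default.ida?` request path while a matcher that reassembles the stream catches it. The `segmentation_anomalies` heuristic is an assumption of this example, not a documented rule.

```python
import re
from dataclasses import dataclass
from typing import List

# Public CodeRed indicator: the worm's request targets the .ida ISAPI
# handler via this path. The overflow buffer itself is not reproduced.
SIGNATURE = re.compile(rb"GET /default\.ida\?")


@dataclass
class Segment:
    """One TCP data segment as a sensor sees it after the handshake."""
    seq: int          # sequence number of the first payload byte
    payload: bytes
    psh: bool = False


def build_split_request(isn: int, split_at: int = 4) -> List[Segment]:
    """Constructed sample traffic (not a worm capture): the request line is
    cut after 'GET ' and the rest sent in a second segment, both with PSH
    set, mirroring the pattern reported in the thread. 'X' filler stands
    in for the worm's buffer."""
    request = (b"GET /default.ida?" + b"X" * 32
               + b" HTTP/1.0\r\nHost: 192.0.2.1\r\n\r\n")
    segments, seq = [], isn
    for chunk in (request[:split_at], request[split_at:]):
        segments.append(Segment(seq, chunk, psh=True))
        seq += len(chunk)
    return segments


def match_per_packet(segments: List[Segment]) -> bool:
    """Naive filter: inspect each segment independently (no reassembly)."""
    return any(SIGNATURE.search(s.payload) for s in segments)


def reassemble(segments: List[Segment], isn: int) -> bytes:
    """Rebuild the client byte stream from in- or out-of-order segments.
    Returns the contiguous prefix starting at `isn`; stops at the first gap
    and drops bytes already seen (retransmitted overlap)."""
    data = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:
            break                      # hole in the stream: stop here
        if s.seq + len(s.payload) <= expected:
            continue                   # fully retransmitted, nothing new
        data += s.payload[expected - s.seq:]
        expected = s.seq + len(s.payload)
    return bytes(data)


def match_stream(segments: List[Segment], isn: int) -> bool:
    """Stream-aware filter: match against the reassembled request."""
    return SIGNATURE.search(reassemble(segments, isn)) is not None


def segmentation_anomalies(segments: List[Segment]) -> List[str]:
    """Illustrative heuristic (an assumption of this example): flag a request
    whose first data segment is tiny and PSH-flagged yet ends mid-line."""
    first = min(segments, key=lambda s: s.seq)
    if first.psh and len(first.payload) < 8 and b"\r\n" not in first.payload:
        return [f"tiny PSH-flagged first segment ({len(first.payload)} bytes): "
                f"possible request splitting"]
    return []


if __name__ == "__main__":
    isn = 1000
    segs = build_split_request(isn)
    print("per-packet match:", match_per_packet(segs))      # False
    print("stream match:    ", match_stream(segs, isn))     # True
    print("anomalies:       ", segmentation_anomalies(segs))
```

Matching only after reassembly is the general fix: the same stream matcher also catches the request when it arrives in one segment, out of order, or with a retransmitted overlap, whereas the per-packet matcher can be defeated by any split that lands between the signature's bytes.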
Current thread:
- new codered worm penetrates content-filtering Chris Russel (Jan 10)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 10)
- Re: new codered worm penetrates content-filtering Chris Russel (Jan 10)
- Re: new codered worm penetrates content-filtering Michael H. Warfield (Jan 10)
- <Possible follow-ups>
- RE: new codered worm penetrates content-filtering Shackleford, Dave (Jan 10)
- RE: new codered worm penetrates content-filtering Robert Gile @Agoura (Jan 10)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 10)
- Re: new codered worm penetrates content-filtering Nick FitzGerald (Jan 11)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 11)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 11)
- Re: new codered worm penetrates content-filtering Nick FitzGerald (Jan 11)