Security Incidents mailing list archives
Re: new codered worm penetrates content-filtering
From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 11 Jan 2002 10:59:05 -0700 (MST)
So, I went and looked at the eEye disassembly for CodeRed (.a, I believe) and found this:

    seg000:00000A87 8B F4             mov  esi, esp              ; Send a "GET "
    seg000:00000A89 6A 00             push 0
    seg000:00000A8B 6A 04             push 4
    seg000:00000A8D 8B 8D 68 FE FF FF mov  ecx, [ebp-198h]       ; points to GET
    seg000:00000A93 51                push ecx
    seg000:00000A94 8B 95 78 FE FF FF mov  edx, [ebp-188h]       ; points to socket
    seg000:00000A9A 52                push edx
    seg000:00000A9B FF 95 C0 FE FF FF call dword ptr [ebp-140h]  ; send a GET

In other words, CodeRed sends the "GET " in its own send() call; it always has. The operating system has the option to put multiple send calls together into one packet, at least for stream connections. Most of the time, it will do so. Whether it will depends on things like load, MTU (though that shouldn't come into play in this instance), etc...

So, I think this has been going on, on occasion, for some time, and has gone largely unnoticed. I don't think this was intended to bypass IDSes or filtering mechanisms; I think it's just a side-effect of the way it was written. (Though worms could certainly do this sort of thing on purpose if the author wanted.)

Another reader pointed out to me off-list that this has been going on for some time:

http://securityfocus.com/archive/75/197449

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
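The detection consequence of the message above, as an added example that is not part of the original post: a sensor that matches a signature inside each TCP segment on its own misses the request whenever the kernel does not coalesce the separate "GET " send() with the rest of the request, while a matcher that carries state across segment boundaries catches both cases. The signature string and the request body are constructed for the example; they are not the worm's actual request.

```python
# Added example: per-segment signature matching versus stream-aware matching
# when the verb is written with its own send() call (as in the disassembly).
from typing import List

# Constructed sample signature for the example, not the real worm's URI.
SIGNATURE = b"GET /constructed-signature"

def request_as_sends() -> List[bytes]:
    """Application-layer writes modelled on the disassembly: the verb in one
    send() call, the remainder of the request in a second call."""
    return [b"GET ", b"/constructed-signature HTTP/1.0\r\nHost: h\r\n\r\n"]

def segment(sends: List[bytes], coalesce: bool) -> List[bytes]:
    """Simulate the transport layer: merge all pending writes into one
    segment (what the OS usually does) or emit one segment per send()."""
    return [b"".join(sends)] if coalesce else list(sends)

def per_segment_match(segments: List[bytes], sig: bytes = SIGNATURE) -> bool:
    """Naive sensor: inspects each segment in isolation, no carry-over."""
    return any(sig in seg for seg in segments)

def streaming_match(segments: List[bytes], sig: bytes = SIGNATURE) -> bool:
    """Stream-aware sensor: keeps the last len(sig)-1 bytes of the previous
    segment so a signature straddling a boundary is still found, with
    bounded state instead of buffering the whole connection."""
    carry = b""
    for seg in segments:
        buf = carry + seg
        if sig in buf:
            return True
        carry = buf[-(len(sig) - 1):]
    return False

def evaluate(coalesce: bool) -> dict:
    """Run both sensors over the same stream under one segmentation policy."""
    segs = segment(request_as_sends(), coalesce)
    return {
        "segments": len(segs),
        "per_segment": per_segment_match(segs),
        "streaming": streaming_match(segs),
    }

if __name__ == "__main__":
    for coalesce in (True, False):
        print("coalesced" if coalesce else "split", evaluate(coalesce))
```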
Current thread:
- new codered worm penetrates content-filtering Chris Russel (Jan 10)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 10)
- Re: new codered worm penetrates content-filtering Chris Russel (Jan 10)
- Re: new codered worm penetrates content-filtering Michael H. Warfield (Jan 10)
- <Possible follow-ups>
- RE: new codered worm penetrates content-filtering Shackleford, Dave (Jan 10)
- RE: new codered worm penetrates content-filtering Robert Gile @Agoura (Jan 10)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 10)
- Re: new codered worm penetrates content-filtering Nick FitzGerald (Jan 11)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 11)
- Re: new codered worm penetrates content-filtering Ryan Russell (Jan 11)
- Re: new codered worm penetrates content-filtering Nick FitzGerald (Jan 11)