Security Incidents mailing list archives

Re: CodeRedII worm..


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Mon, 6 Aug 2001 19:19:01 +1200

Pluto <pluto () stderr de> wrote:

On Sun, Aug 05, 2001 at 04:38:55AM -0400, Valdis.Kletnieks () vt edu wrote:
(Sorry for the cross-posting)

Given that initial analysis of the CodeRedII worm indicates that it leaves
a backdoor laying around, I hereby request that those people who made
lists of infected hosts available last time *NOT* do so again.

I wholeheartedly support Valdis' request in this matter (and made the 
same request in private to the incidents list moderator).

I have seen no checks for root.exe so far. But Nessus already has a
codered_x.nasl, congrats on this speed!

# special root.exe from CR2
alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)

Not wishing to be offensive (I know -- some will say it's my nature 
and unavoidable) but such a signature shows an entirely clue-devoid 
understanding of the real nature of the backdooring that CodeRed.C 
(or whatever you want to call it) does.

I know this is a full-disclosure list, but I will not publicly 
release for the delight of the dipshit kiddies how to circumvent such 
inadequate IDS rules.  (This is not an attack against Nessus and its 
makers -- I'm sure many (if not all) other IDS makers/maintainers 
have added similar, and similarly flawed, rules for just this issue 
in the last 12 hours or so.  If you verifiably work for an IDS 
vendor or maintain a freeware/open-source/etc IDS and do not 
understand the utter inadequacy of such a simplistic rule, feel free 
to contact me for the details (there may not be anything you can do 
to "fix" this without getting horrendous false positive rates but at 
least I can safely explain to you why the above is grossly 
inadequate.)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
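The rule quoted in the thread is a plain string match: it fires whenever the bytes "root.exe" appear in the first 624 bytes of an ACK-carrying TCP segment to port 80. The following is an added example, not part of the original post or of Nessus/Snort; it re-implements that rule's content/depth/flags semantics in a few lines (a simplification of Snort's real matcher, which is an assumption on my part) and runs it over constructed sample requests to show that the signature fires on a benign URL containing the same string just as readily as on a request for the dropped backdoor, which is the false-positive problem the post alludes to.

```python
"""Simplified model of the quoted Snort rule:

    alert tcp any any -> any 80 (msg:"CodeRedII root.exe"; flags: A+;
        content:"root.exe"; depth:624; classtype:attempted-admin;)

This is an added illustration; the matching logic below approximates
Snort's content/depth/flags options and is not Snort's own code.
"""

RULE_CONTENT = b"root.exe"  # content:"root.exe"
RULE_DEPTH = 624            # depth:624 -> only the first 624 payload bytes are searched
RULE_DST_PORT = 80          # "-> any 80"


def rule_matches(dst_port: int, tcp_flags: str, payload: bytes) -> bool:
    """Return True when the quoted rule would fire on this segment.

    tcp_flags is a string of Snort flag letters (e.g. "AP" for ACK+PSH).
    flags: A+ means ACK must be set; any other bits are allowed.
    content/depth means the pattern must lie wholly inside the first
    RULE_DEPTH bytes of the payload.
    """
    if dst_port != RULE_DST_PORT:
        return False
    if "A" not in tcp_flags:
        return False
    return RULE_CONTENT in payload[:RULE_DEPTH]


# Constructed sample segments (dst_port, flags, payload); not real captures.
SAMPLES = {
    # Request for the backdoor binary the worm drops: the rule fires.
    "probe_for_backdoor": (80, "AP", b"GET /scripts/root.exe HTTP/1.0\r\n\r\n"),
    # Benign page whose path merely contains the string: the rule fires too.
    "benign_cleanup_page": (80, "AP", b"GET /faq/about-root.exe-cleanup.html HTTP/1.0\r\n\r\n"),
    # Same string on a non-80 port: outside the rule's header match, silent.
    "other_port": (8080, "AP", b"GET /scripts/root.exe HTTP/1.0\r\n\r\n"),
    # Initial SYN with no payload: no content to match, silent.
    "syn_only": (80, "S", b""),
}


def evaluate(samples=SAMPLES) -> dict:
    """Run the rule over every sample and report which ones would alert."""
    return {name: rule_matches(*pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:22s} -> {'ALERT' if fired else 'no alert'}")
```

Both the worm-style request and the benign page trip the alert, so an analyst triaging these alerts cannot tell from the rule alone whether a host was actually touched; the rule gives a candidate list for follow-up on the target (checking whether the file really exists in the web server's script directories), not a verdict.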

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

