Security Incidents mailing list archives

RE: more Code Red analysis


From: "Marc Maiffret" <marc () eeye com>
Date: Tue, 7 Aug 2001 11:04:59 -0700

|-----Original Message-----
|From: robert_david_graham [mailto:robert_david_graham () yahoo com]
|Sent: Monday, August 06, 2001 4:58 PM
|To: incidents () securityfocus com
|Subject: more Code Red analysis
<snip>
|There are thousands of hackers out there studying the details of the two
|Code Red worms. When the next IIS exploit is announced, we've got two weeks
|to patch a million systems before that next worm takes down the Internet.
|There is even a danger that a worm will be written first, then the next
|exploit added to it later. Thus, the worm may appear on the first day the
|next vulnerability is announced, even though the writer didn't have 0-day
|knowledge.
<snip>
|Robert Graham

You know what's funny is that CodeRed is actually a worm based on
another worm that was written for a .HTR ISAPI vulnerability. The .htr ISAPI
worm works almost exactly the same as the CodeRed worm (except the .htr one
attacks the White House on the 9th instead of the 19th, and a few other minor
things). When we first got a copy of it we thought the worm must exploit
systems by using the eEye-published .htr overflow from back in '99; however,
that was not the case. Some of you might remember that when we published the
.htr vulnerability, Microsoft fixed "other vulnerabilities"; however,
Microsoft never gave out any information as to what those other
vulnerabilities were (so there were no IDS signatures for those attacks,
which is one of the reasons why no one ever heard about the .htr worm). Well,
it turns out one of those "other vulnerabilities" was found by someone, and
someone exploited it and wrote a worm for it, which eventually became the
template for the CodeRed worm. The "zero day" .htr overflow was fixed in
SP6a (and some hotfix number which I forget), but anyway, it's not too long
before the first IIS zero-day worm is released. There has already been an
increase in MS-related vulnerabilities being sent to mailing lists without
the authors contacting the vendors (Hi Georgi heh), and therefore the
vulnerability is around for a week or two (or longer) until Microsoft can
fix it.

Hopefully CodeRed has worked as a wake-up call; I doubt it has, though.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

