Security Incidents mailing list archives

Code Red(s) being confused with sadmind/IIS worm?


From: "Stephen W. Thompson" <thompson () pobox upenn edu>
Date: Thu, 9 Aug 2001 17:09:40 -0400 (EDT)

Follow my line of thinking here.

In many cases, we're getting reports of Code Red for machines that are
not running Win2k -- Win9x or a unix variant.  We jump to the
conclusion that the reports were in error.

However, lots of the reports are not coming from signature-checking
sources (e.g., IDS), but rather are simply seen to be hitting port
80/tcp on a machine that isn't a (perhaps public) webserver.

So are a lot of the reports simply a distraction?  I don't think so.
I've noticed we have a good amount of the sadmind/IIS worm presence on
our network.  (See http://www.cert.org/advisories/CA-2001-11.html for
one writeup.)  Recall that this is the worm that hits Solaris boxes
with a sadmind buffer overflow, and then those machines go after IIS
with a Unicode directory traversal vulnerability.

If I'm correct, that implies a) sadmind/IIS is more prevalent than
we'd realized and, possibly b) that there might be a variant of
sadmind/IIS that succeeds on non-Solaris machines unlike the original
variant.  Any corroboration on (b) from anyone?

In peace,
Steve, (tired) security analyst
-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson () isc upenn edu    URL=http://pobox.upenn.edu/~thompson/index.html
  For security matters, use security () isc upenn edu, read by InfoSec staff
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.
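An added example, written for this archive page and not part of Steve's post or the thread: a small classifier that makes the distinction the post draws, attributing a report to Code Red or to sadmind/IIS only when the observed request carries that worm's signature, and labelling a bare 80/tcp hit as unattributed. The sample records are constructed; the `/default.ida` probe of Code Red and the overlong-UTF-8 traversal (`%c0%af`, `%c1%1c`) used by sadmind/IIS are assumed from the public writeups of those worms, not from this page.

```python
import re
from collections import Counter

# Constructed sample records (not real traffic). Some carry the HTTP request
# line a signature-checking sensor would see; others are bare connection
# records from a host that merely noticed something touching 80/tcp.
OBSERVATIONS = [
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0",
    "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "SYN 192.0.2.10:4231 -> 203.0.113.5:80",
    "SYN 192.0.2.77:1050 -> 203.0.113.5:80",
    "SYN 192.0.2.77:1051 -> 203.0.113.5:22",
]

# Code Red probes the .ida ISAPI filter with a long run of N (Code Red I) or
# X (Code Red II) characters in the query string (assumed from public writeups).
CODE_RED = re.compile(r"^GET /default\.ida\?[NX]{20,}", re.I)
# The IIS Unicode directory traversal used by sadmind/IIS encodes the slash in
# "../" as an overlong UTF-8 sequence such as %c0%af or %c1%1c (assumed likewise).
UNICODE_TRAVERSAL = re.compile(r"\.\.%c[01]%[0-9a-f]{2}\.\./", re.I)
HTTP_REQUEST = re.compile(r"^(GET|HEAD|POST) \S+ HTTP/1\.[01]$")
PORT80_ONLY = re.compile(r"^SYN \S+ -> [\d.]+:80$")


def classify(record: str) -> str:
    """Attribute a record to a worm only when a request signature is present."""
    if CODE_RED.search(record):
        return "code_red"
    if UNICODE_TRAVERSAL.search(record):
        return "sadmind_iis_traversal"
    if HTTP_REQUEST.match(record):
        return "http_no_worm_signature"
    if PORT80_ONLY.match(record):
        # A bare port 80 hit: this is the kind of report the post says is being
        # labelled "Code Red" without any evidence of which worm (if any) it was.
        return "port80_hit_unattributed"
    return "not_port80"


def summarize(records):
    """Count records per attribution so unattributed hits are reported separately."""
    return Counter(classify(r) for r in records)


if __name__ == "__main__":
    for label, n in sorted(summarize(OBSERVATIONS).items()):
        print(f"{label:24s} {n}")
```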

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
