Security Incidents mailing list archives

Re: new codered worm penetrates content-filtering


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 10 Jan 2002 11:11:00 -0700 (MST)

On Thu, 10 Jan 2002, Chris Russel wrote:

> After waiting for a capture of an attack session (I didn't have to wait
> long) it seems that the familiar "GET /default.ida*" is now being
> delivered with the "GET " in a separate packet which appears designed to
> defeat the web content-screening features of routers and packet shapers.
>
> It's been a while, but I don't recall it being split up like that before -
> and I still get some with the "GET" in the same packet so I'm led to
> believe there's a new Code Red variant out there.  Can anyone else verify
> that this is new behaviour?

Not yet.  I have some questions, though:

Do you have packet traces of one of these?  I'm curious as to what they
look like, i.e. are they IP fragments, separate TCP packets, etc.?

Are the ones that have the "GET " separated otherwise regular Code Red?
Have you caught a whole transaction?  It occurs to me that this could
potentially be a human attacker who figured out he had to bypass the
filter.  If they look like Code Red, grabbing one will tell you if it's a
variant or not.  If you get a packet trace of the whole thing, I can tell
you pretty quickly.

                                        Ryan
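The behaviour discussed above (the "GET " arriving in its own TCP segment) defeats any filter that looks for the signature one packet at a time; a filter has to reassemble the TCP stream in sequence-number order before matching. The following is an added illustration, not code from the thread or from any product mentioned in it. The segments are constructed for the example: the request line is truncated and the real worm payload is not reproduced. It shows a naive per-packet matcher missing the split request while a small reassembler (which also handles out-of-order and retransmitted segments) catches it.

```python
"""Per-packet vs. reassembled-stream signature matching for a split
"GET /default.ida" request.

Added example, not from the original mailing-list thread.  All segments
below are constructed for illustration; the URI is truncated and carries
no exploit payload.
"""
from typing import List, Tuple

SIGNATURE = b"GET /default.ida"

# (tcp_seq, payload) for the client->server half of one constructed session.
# Classic form: request line in a single segment.
SINGLE_SESSION: List[Tuple[int, bytes]] = [
    (1000, b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n"),
]

# Split form described in the thread: "GET " alone, URI in the next segment.
SPLIT_SESSION: List[Tuple[int, bytes]] = [
    (1000, b"GET "),
    (1004, b"/default.ida?NNNNNNNN HTTP/1.0\r\n"),
]

# Same bytes as SPLIT_SESSION, but delivered out of order and with a
# retransmitted fragment ("T " at seq 1002) overlapping data already seen.
OUT_OF_ORDER_SESSION: List[Tuple[int, bytes]] = [
    (1004, b"/default.ida?NNNNNNNN HTTP/1.0\r\n"),
    (1000, b"GET "),
    (1002, b"T "),
]


def match_per_packet(segments: List[Tuple[int, bytes]]) -> bool:
    """Naive content filter: test each packet's payload on its own.

    This is what a per-packet screening device does, and it is exactly
    what the split "GET " defeats: no single payload contains SIGNATURE.
    """
    return any(SIGNATURE in payload for _, payload in segments)


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Rebuild the byte stream for one direction of a TCP connection.

    Segments are ordered by sequence number; bytes that overlap data
    already placed (retransmissions) are trimmed.  A gap (missing segment)
    is simply skipped, so matching across a gap is not attempted.
    """
    stream = b""
    expected = None  # next sequence number we expect to place
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq < expected:
            # Retransmission / overlap: keep only the not-yet-seen tail.
            payload = payload[expected - seq:]
            seq = expected
        stream += payload
        expected = seq + len(payload)
    return stream


def match_stream(segments: List[Tuple[int, bytes]]) -> bool:
    """Stream-aware filter: match against the reassembled request."""
    return SIGNATURE in reassemble(segments)


if __name__ == "__main__":
    for name, session in (("single", SINGLE_SESSION),
                          ("split", SPLIT_SESSION),
                          ("out-of-order", OUT_OF_ORDER_SESSION)):
        print(f"{name:13s} per-packet={match_per_packet(session)!s:5s} "
              f"stream={match_stream(session)}")
```

Run stand-alone, the script shows the per-packet check failing on the split and out-of-order sessions while the stream check matches all three; the same reassembly step is what is needed before looking for any other multi-byte request signature.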


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
