Security Incidents mailing list archives

RE: new codered worm penetrates content-filtering


From: "Shackleford, Dave" <znz1 () cdc gov>
Date: Thu, 10 Jan 2002 12:56:19 -0500

I have seen an enormous number of CodeRed hits lately, and yes - many of
them are prefaced with an empty HTTP request. I've been wondering the same
thing -- has anyone heard of a scheduled resurgence?

-----Original Message-----
From: Chris Russel [mailto:russel () yorku ca]
Sent: Thursday, January 10, 2002 10:14 AM
To: incidents () securityfocus com
Subject: new codered worm penetrates content-filtering


For a long time I haven't seen codered since we've been using
content-screening at the router for blocking the attacks, but suddenly
they are showing up again on my IDS.  So I was wondering how it is that
now they are getting through the content-screening.

After waiting for a capture of an attack session (I didn't have to wait
long) it seems that the familiar "GET /default.ida*" is now being
delivered with the "GET " in a separate packet which appears designed to
defeat the web content-screening features of routers and packet shapers.

It's been a while, but I don't recall it being split up like that before -
and I still get some with the "GET" in the same packet so I'm led to
believe there's a new code red variant out there.  Can anyone else verify
that this is new behaviour?

-- 
Chris Russel     | CNS Information Security
russel () yorku ca  | York University, Toronto, Canada



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
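The evasion Chris describes (the "GET " sent in one TCP segment and "/default.ida?..." in the next) defeats any filter that matches the worm's request line one packet at a time. Below is an added example, not code from the thread or from any router or IDS vendor, showing a per-packet matcher failing on the split request and a simple TCP stream reassembler catching it. The request bytes, sequence numbers and the `Segment` type are constructed for illustration; the signature is just the "GET /default.ida?" prefix visible in the thread.

```python
"""Per-packet vs. stream-reassembled matching of the Code Red request line.

Added example (not from the original post). The traffic below is
constructed, not a capture: a request line modelled on the worm's
"GET /default.ida?NNNN..." pattern, once in a single segment and once
with "GET " sent in its own segment as described in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Signature as a content-filter would express it: the request-line prefix.
SIGNATURE = re.compile(rb"GET /default\.ida\?")


@dataclass(frozen=True)
class Segment:
    """Payload-bearing TCP segment (only what a matcher needs)."""
    seq: int        # sequence number of the first payload byte
    payload: bytes


def build_request(split_get: bool) -> list[Segment]:
    """Constructed sample traffic; the 'N' padding stands in for the overflow filler."""
    request = b"GET /default.ida?" + b"N" * 40 + b" HTTP/1.0\r\nHost: victim\r\n\r\n"
    if not split_get:
        return [Segment(1000, request)]
    # Evasion from the thread: "GET " alone in the first segment, the rest in the next.
    return [Segment(1000, request[:4]), Segment(1004, request[4:])]


def per_packet_match(segments: list[Segment]) -> bool:
    """What a stateless content filter does: look at each payload in isolation."""
    return any(SIGNATURE.search(s.payload) for s in segments)


def reassemble(segments: list[Segment]) -> bytes:
    """Rebuild the byte stream from segments in sequence-number order.

    Out-of-order arrival is handled by sorting; retransmitted or overlapping
    bytes are skipped so each stream offset is taken once. A hole in the
    stream raises, because matching across a gap would be guesswork.
    """
    data = bytearray()
    next_seq: int | None = None
    for s in sorted(segments, key=lambda s: s.seq):
        if next_seq is None:
            next_seq = s.seq
        if s.seq > next_seq:
            raise ValueError(f"gap in stream at seq {next_seq}")
        already_seen = next_seq - s.seq          # overlap with bytes we already have
        data += s.payload[already_seen:]
        next_seq = max(next_seq, s.seq + len(s.payload))
    return bytes(data)


def stream_match(segments: list[Segment]) -> bool:
    """Match against the reassembled stream, as a stateful IDS/filter would."""
    return SIGNATURE.search(reassemble(segments)) is not None


if __name__ == "__main__":
    for label, split in (("single segment", False), ("split GET", True)):
        segs = build_request(split)
        print(f"{label:15} per-packet={per_packet_match(segs)!s:5} stream={stream_match(segs)}")
```

The point of the example is the second row of output: the split request is invisible to `per_packet_match` but still found by `stream_match`, which is why content screening that is meant to block attacks has to sit behind TCP reassembly rather than inspect individual packets. The reassembler here is deliberately minimal (it does not handle the overlap-resolution ambiguities that differ between operating systems), so it illustrates the mechanism rather than serving as a drop-in filter.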
