Snort mailing list archives

Re: Where to get " code red worm source" ?


From: Phil Wood <cpw () lanl gov>
Date: Thu, 30 Aug 2001 11:29:39 -0600

Mel,

It was not an email virus.  If you were to pipe it to nc (netcat) on tcp/80
to a Microsoft web server running whatever IIS web software that is
vulnerable to codered II, that web server would be infected.  I believe
that just about all of the vulnerable systems in the Universe are infected
at this time.  I've been hit by 500,000 different systems in the past two weeks,
as you probably read in a previous message.  Our systems aren't vulnerable.
However, the web proxy dutifully responded to the millions of codered II
messages, and still is at this very instant.  I captured the http request
and sent that as an attachment to the snort-list.  Various anti-virus software
applications sensed the malignancy, and prevented the attachment and possibly
the entire mail message from being received by snort users.  

I've learned some things from this.  In particular, when I send something like
this again, it will be only readable on unix-like systems, or systems with
openssl capability.  Another thing I learned is what kind of anti-virus
software I might want to buy.  No single AV application caught all 5
encapsulations that I sent.  But, some did get 4 of the 5.  But, that's for a
later message.

I wasn't worried about sending this.  I was surprised that the virus software
considered the attachment as a virus, since it is not executable.  However,
this is what we see all the time in the snort world, false positives.  A
better diagnosis would have been some verbiage to the effect that the patterns
that triggered the event were most likely from malicious code, but that
opening the attachment would have just yielded a non-executable file.

On Thu, Aug 30, 2001 at 09:47:26AM -0700, Mel Chandler PMI wrote:
I can't believe you sent a virus to the group.  OMG

Mel L. Chandler, A+, Network+, MCNE, MCDBA, MCSE+I, CCNA
MChandler () PMI Delta org
Network Analyst
Information Services
PMI Delta Dental
(562) 467-6627



-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Wednesday, August 29, 2001 4:18 PM
To: Phil Wood; ls1100; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Where to get " code red worm source" ?


Second try.  I be a glutton for punishment.

This will be the contents of each attachment:

  % ls -l CR
  total 8
  -rw-r--r--    1 nobody   nogroup      5336 Aug 29 16:49 cr

There are 4 different files attached:

  -rw-r--r--    1 nobody   nogroup      2644 Aug 29 17:05 CR.bz2
  -rw-r--r--    1 nobody   nogroup      2190 Aug 29 17:06 CR.tgz
  -rw-r--r--    1 nobody   nogroup      7376 Aug 29 17:07 CR.uue
  -rw-r--r--    1 nobody   nogroup      2175 Aug 29 17:06 CR.zip

I guess zip wins in the storage department.

(in case you didn't see the fallout from my first attempt, 'cr' is the
 http payload that comprises codeRed II.  Sending as cr.bin was a bad
 or good idea depending on your frame of mind. Only time will tell with
 this post.  Also, contrary to some of the virus notices, as far as I
 know, this is not an executable piece of code.  It will only cause a
 problem if passed through an http server running some bogus IIS product.)

What a great day.

-- 
Phil Wood, cpw () lanl gov


-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users