Re: .ida Intrusion Attempt

From: Stuart Staniford (stuartat_private)
Date: Thu Jul 19 2001 - 20:48:04 PDT

  • Next message: Ivan: "RE: CodeRed" 

    Russell Fulton wrote:
> 
> On Thu, 19 Jul 2001 10:55:10 -0700 (PDT) Joe Smith
> <shadowm4nat_private> wrote:
> 
> > Interesting.  I played around with the rules some, and
> > figured out why snort wasn't finding it with the .ida
> > rule.  Since I'm only logging the first 100 bytes of
> > data, the .ida rule misses it because part of the
> > criteria of the rule is for data size to be greater
> > than 239 bytes.
> >
> 
> Ahh... that explains that!  my snort was seeing some '.ida?' probes
> *but* none of the machines that got hit by the red code worm were
> logged.
> 
> The external addresses that were detected by snort appear to be probing
> random addresses on port 80 -- just like the red worm does.
> 
> Are there two versions out there?

I've been working on that possibility for the last several hours.  Data from Ken
Eichman of cas.org at

http://www.incidents.org/diary/diary.php

show a sudden dramatic increase in the probe rate earlier this morning (US
time).  This could be consistent with a new version which is spreading much more
effectively (possibly because it seeds its random number better).  I'm trying to
fit this data.  If anyone has similar hourly data for the last day or two, or a
freshly captured copy of the worm, I'd like to get hold of them.  If there is a
second version, it looks like it has happened since the Eeye disassembly.

I note also that www.whitehouse.gov is still fully accessible, which seems
inconsistent with Eeye's prediction as modified by Eric at Symantec (see
www.snort.org).  I speculate that if there is a second worm, it does something
else.

Hour    # Code Red Worm Scans     Scanning During the Hour
                    ------  ---------------------   -------------------------
                     00           12699                     2450
                     01           13059                     2577
                     02           13272                     2590
                     03           13056                     2564
                     04           13283                     2632
                     05           13229                     2612
                     06           13554                     2601
                     07           13517                     2608
                     08           13746                     2685
                     09           16819                     3325
                     10           36589                     7838
                     11          116083                    26823
                     12          295348                    68085
                     13          466542                   103522
                     14          520973                   113451
                     15          513513                   115124
                     16          513894                    90931 

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuartat_private  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 23:49:34 PDT