Code Red Revision

From: Alfred Huger (ahat_private)
Date: Sat Aug 04 2001 - 22:00:39 PDT

    Evening all,
    
    I had planned on sending out a thanks this evening to all of the
    contributors (in terms of logs) who came through on the Code Red (revision
    2) surge last week. Regrettably it looks like I will have to wait due to a
    new variant or rather new worm on the loose.
    
    As some of you know a new worm has been released into the wild which uses
    the same exploit - the Microsoft Indexing Server/Indexing Services ISAPI
    Buffer Overflow Attack (http://www.securityfocus.com/bid/2880). However,
    this is most likely not a revision of the initial Code Red worm but a new
    worm which simply uses the same entry point. It carries an actual
    malicious payload and has a number of other very interesting features. The
    SecurityFocus ARIS Team and eEye Digital Security will be releasing an
    in-depth writeup in the next hour or two with technical details as well as
    information about its spread to date.
    
    As opposed to filling the list with logs of attacks I will reserve the
    list for discussion of the worm's payload and features - after we post an
    analysis. So very shortly. Until then, it would be fantastic if you can
    send your log files to:
    
    aris-reportat_private
    
    Because we have caught this very early we plan on starting the
    notification process tonight. We sent close to 400,000 notifications
    against Code Red 1 & 2 previously - hopefully because we are on top of
    this our notifications now will help address the situation much, much
    faster.
    
    If you would like to send offending IP data - Please send it in the
    following format:
    
    IP ADDRESS DATE/TIME
    
    Or something similar to this. Please ensure the information is contained
    to IP address and date per line as we do our notification automatically
    and our system needs to be able to understand the logs you send us.
    
    We will be posting more shortly.
    
    -Al
    
    
    
    VP Engineering
    SecurityFocus.com
    "Vae Victis"
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
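
An added example, not part of the original message or of SecurityFocus's own tooling: one way to reduce web server access logs to the one-entry-per-line "IP ADDRESS DATE/TIME" format requested above. It assumes Common Log Format input and that probes against the Indexing Service ISAPI extension appear as requests for a path ending in `.ida`; the function name and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from datetime import datetime

# Common Log Format prefix: host ident user [timestamp] "METHOD target ..."
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')

# Constructed sample input; the query string is a placeholder, not a payload.
SAMPLE = """\
192.0.2.10 - - [05/Aug/2001:04:12:09 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 283
198.51.100.7 - - [05/Aug/2001:04:10:44 -0700] "GET /index.html HTTP/1.0" 200 1042
198.51.100.23 - - [05/Aug/2001:04:11:02 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 283
192.0.2.10 - - [05/Aug/2001:04:15:30 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 283
this line is truncated or malformed
""".splitlines()


def report_lines(log_lines, suffix=".ida"):
    """Return 'IP DATE/TIME' strings, one per source IP (earliest hit), oldest first."""
    first_seen = {}
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # skip anything that is not a parseable request line
        ip, stamp, target = m.groups()
        # Match on the path only, so the query string cannot hide the extension.
        path = target.split("?", 1)[0].lower()
        if not path.endswith(suffix):
            continue
        try:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp: drop rather than guess
        if ip not in first_seen or when < first_seen[ip]:
            first_seen[ip] = when
    ordered = sorted(first_seen.items(), key=lambda item: item[1])
    return [f"{ip} {when:%Y-%m-%d %H:%M:%S %z}" for ip, when in ordered]


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE)))
```

Keeping only the earliest hit per address gives one line per source, which suits an automated notification intake; the time zone offset is kept so the recipient can correlate against their own logs.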
    


