Re: CodeRedII worm..

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Mon Aug 06 2001 - 00:19:01 PDT


    Pluto <plutoat_private> wrote:
    
    > On Sun, Aug 05, 2001 at 04:38:55AM -0400, Valdis.Kletnieksat_private wrote:
    > > (Sorry for the cross-posting)
    > > 
    > > Given that initial analysis of the CodeRedII worm indicates that it leaves
    > > a backdoor laying around, I hereby request that those people who made
    > > lists of infected hosts available last time *NOT* do so again.
    
    I wholeheartedly support Valdis' request in this matter (and made the 
    same request in private to the incidents list moderator).
    
    > I have seen no checks for root.exe so far. But Nessus already has a
    > codered_x.nasl, congrats to this speed!
    > 
    > # special root.exe from CR2
    > alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)
    
    Not wishing to be offensive (I know -- some will say it's my nature 
    and unavoidable) but such a signature shows an entirely clue-devoid 
    understanding of the real nature of the backdooring that CodeRed.C 
    (or whatever you want to call it) does.
    
    I know this is a full-disclosure list, but I will not publicly 
    release for the delight of the dipshit kiddies how to circumvent such 
    inadequate IDS rules.  (This is not an attack against Nessus and its 
    makers -- I'm sure many (if not all) other IDS makers/maintainers 
    have added similar, and similarly flawed, rules for just this issue 
    in the last 12 hours or so.  If you verifiably work for an IDS 
    vendor or maintain a freeware/open-source/etc IDS and do not 
    understand the utter inadequacy of such a simplistic rule, feel free 
    to contact me for the details (there may not be anything you can do 
    to "fix" this without getting horrendous false positive rates but at 
    least I can safely explain to you why the above is grossly 
    inadequate.)
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:39:42 PDT