|-----Original Message-----
|From: robert_david_graham [mailto:robert_david_grahamat_private]
|Sent: Monday, August 06, 2001 4:58 PM
|To: incidentsat_private
|Subject: more Code Red analysis

<snip>

|There are thousands of hackers out there studying the details of the two
|Code Red worms. When the next IIS exploit is announced, we've got two weeks
|to patch a million systems before that next worm takes down the Internet.
|There is even a danger that a worm will be written first, then the next
|exploit added to it later. Thus, the worm may appear on the first day the
|next vulnerability is announced, even though the writer didn't have 0-day
|knowledge.

<snip>

|Robert Graham

You know what's funny is that CodeRed is actually a worm based off of another worm that was written for a .HTR ISAPI vulnerability. The .htr ISAPI worm works almost exactly the same as the CodeRed worm (except the .htr one attacks the White House on the 9th instead of the 19th, and a few other minor things). When we first got a copy of it, we thought the worm must exploit systems by using the eEye-published .htr overflow from back in '99; however, that was not the case.

Some of you might remember that when we published the .htr vulnerability, Microsoft fixed "other vulnerabilities"; however, Microsoft never gave out any information as to what those other vulnerabilities were (so there were no IDS signatures for those attacks, which is one of the reasons why no one ever heard about the .htr worm). Well, it turns out one of those "other vulnerabilities" was found by someone, and someone exploited it and wrote a worm for it, which eventually became the template for the CodeRed worm. The "zero day" .htr overflow was fixed in SP6a (and some hotfix number which I forget), but anyways it's not too long off before the first IIS zero day worm is released.

There has already been an increase in MS-related vulnerabilities being sent to mailing lists without the authors contacting the vendors (Hi Georgi heh), and therefore the vulnerability is around for a week or two (or longer) until Microsoft can fix it. Hopefully CodeRed has worked as a wake-up call; I doubt it has though.

Signed,

Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062 F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:04:29 PDT