new codered worm penetrates content-filtering

From: Chris Russel (russelat_private)
Date: Thu Jan 10 2002 - 07:13:39 PST

    For a long time I haven't seen codered since we've been using
    content-screening at the router for blocking the attacks, but suddenly
    they are showing up again on my IDS.  So I was wondering how it is that
    now they are getting through the content-screening.
    
    After waiting for a capture of an attack session (I didn't have to wait
    long) it seems that the familiar "GET /default.ida*" is now being
    delivered with the "GET " in a separate packet which appears designed to
    defeat the web content-screening features of routers and packet shapers.
    
    It's been a while, but I don't recall it being split up like that before -
    and I still get some with the "GET" in the same packet so I'm led to
    believe there's a new code red variant out there.  Can anyone else verify
    that this is new behaviour?
    
    -- 
    Chris Russel     | CNS Information Security
    russelat_private  | York University, Toronto, Canada
    
    
    
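Added example (not part of the original post, and not any vendor's code): a Python sketch of why a filter that tests each packet on its own misses the request once "GET " arrives in a separate packet, while matching on the reassembled stream still catches it. The (sequence number, payload) tuples and the truncated payloads are constructed sample data; sequence-number wraparound is ignored and the first copy of overlapping bytes wins.

```python
SIGNATURE = b"GET /default.ida"  # the request prefix quoted in the post


def per_packet_match(segments, sig=SIGNATURE):
    """Stateless screening: test every TCP payload in isolation."""
    return any(sig in payload for _seq, payload in segments)


def reassemble(segments, max_bytes=4096):
    """Rebuild the start of one direction of a flow from (seq, payload) pairs,
    tolerating reordered and retransmitted/overlapping segments."""
    if not segments:
        return b""
    base = min(seq for seq, _ in segments)
    stream = bytearray()
    for seq, payload in sorted(segments):
        offset = seq - base
        if offset > len(stream):  # gap: a segment is missing, stop here
            break
        stream += payload[len(stream) - offset:]  # skip bytes already seen
        if len(stream) >= max_bytes:
            break
    return bytes(stream[:max_bytes])


def stream_match(segments, sig=SIGNATURE):
    """Stateful screening: test the reassembled byte stream."""
    return sig in reassemble(segments)


# Constructed flows: relative sequence numbers, harmless truncated payloads.
TAIL = b"/default.ida?NNNN HTTP/1.0\r\n"
FLOWS = {
    "whole": [(1000, b"GET " + TAIL)],
    "split": [(1000, b"GET "), (1004, TAIL)],
    "reordered": [(1004, TAIL), (1000, b"GET "), (1000, b"GET ")],
    "benign": [(1000, b"GET "), (1004, b"/index.html HTTP/1.0\r\n")],
}


def evaluate():
    """Return {flow name: (per-packet verdict, reassembled verdict)}."""
    return {n: (per_packet_match(f), stream_match(f)) for n, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (pkt, strm) in evaluate().items():
        print(f"{name:10s} per-packet={pkt!s:5s} reassembled={strm}")
```

Only the "whole" flow trips the per-packet check; the split and reordered flows are flagged only after reassembly, which matches the gap between the router screening and the IDS described in the message.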
    



    This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 09:46:23 PST