Re: new codered worm penetrates content-filtering

From: Ryan Russell (ryanat_private)
Date: Thu Jan 10 2002 - 10:11:00 PST


    On Thu, 10 Jan 2002, Chris Russel wrote:
    
    > After waiting for a capture of an attack session (I didn't have to wait
    > long) it seems that the familiar "GET /default.ida*" is now being
    > delivered with the "GET " in a separate packet which appears designed to
    > defeat the web content-screening features of routers and packet shapers.
    >
    > It's been a while, but I don't recall it being split up like that before -
    > and I still get some with the "GET" in the same packet so I'm led to
    > believe there's a new code red variant out there.  Can anyone else verify
    > that this is new behaviour?
    
    Not yet.  I have some questions, though:
    
    Do you have packet traces of one of these?  I'm curious as to what they
    look like, i.e. are they IP fragments, separate TCP packets, etc.?
    
    Are the ones that have the "GET " separated otherwise regular Code Red?
    Have you caught a whole transaction?  It occurs that this could
    potentially be a human attacker that figured out he had to bypass the
    filter.  If they look like Code Red, grabbing one will tell you if it's a
    variant or not.  If you get a packet trace of the whole thing, I can tell
    you pretty quickly.
    
    					Ryan
    
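The evasion Chris describes and the question Ryan raises (IP fragments versus separate TCP segments) come down to whether the filter matches per packet or over the reassembled stream. The following Python is an added illustration, not code from either poster or from SecurityFocus: it builds constructed sample TCP payloads (hypothetical, not captured traffic) for the one-segment request, the "GET "-split request, and a reordered split, and shows that a per-packet signature misses the split form while a sequence-number-aware reassembly catches it. The `(seq, payload)` tuples and the `ISN` value are assumptions for the example; a real inspection engine would take them from the TCP header.

```python
import re

# Signature for the request the thread discusses.
PATTERN = re.compile(rb"GET /default\.ida")

# Constructed sample data (hypothetical, not a capture). Each segment is
# (tcp_sequence_number, payload_bytes), as a filter in the client->server
# direction would see it. ISN is an assumed initial sequence number.
REQUEST = b"GET /default.ida?XXXX HTTP/1.0\r\nHost: example\r\n\r\n"
ISN = 1000

# The familiar form: whole request line in one segment.
SINGLE_SEGMENT_FLOW = [(ISN, REQUEST)]
# The variant described in the thread: "GET " in its own segment.
SPLIT_FLOW = [(ISN, REQUEST[:4]), (ISN + 4, REQUEST[4:])]
# Same split, second segment arrives before the first.
SPLIT_REORDERED_FLOW = [(ISN + 4, REQUEST[4:]), (ISN, REQUEST[:4])]
# Same split with the first segment retransmitted once.
SPLIT_RETRANSMIT_FLOW = [(ISN, REQUEST[:4]), (ISN, REQUEST[:4]),
                         (ISN + 4, REQUEST[4:])]
# A stream with a hole: bytes after the gap must not be trusted.
GAPPED_FLOW = [(ISN, REQUEST[:4]), (ISN + 10, REQUEST[10:])]


def per_packet_match(flow):
    """Naive content filter: runs the signature on each segment alone."""
    return any(PATTERN.search(payload) for _, payload in flow)


def reassemble(flow, isn):
    """Return the contiguous byte stream starting at isn.

    Segments are ordered by sequence number, retransmitted or overlapping
    bytes are discarded, and reassembly stops at the first gap so that a
    signature is never evaluated across missing data.
    """
    data = bytearray()
    expected = isn
    for seq, payload in sorted(flow, key=lambda s: s[0]):
        if seq < expected:
            # Overlap with bytes already seen: keep only the unseen tail.
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:
            break  # hole in the stream; wait for the missing segment
        data += payload
        expected += len(payload)
    return bytes(data)


def stream_match(flow, isn):
    """Stream-aware filter: reassemble first, then run the signature."""
    return PATTERN.search(reassemble(flow, isn)) is not None


if __name__ == "__main__":
    for name, flow in [("single", SINGLE_SEGMENT_FLOW), ("split", SPLIT_FLOW),
                       ("reordered", SPLIT_REORDERED_FLOW),
                       ("retransmit", SPLIT_RETRANSMIT_FLOW),
                       ("gapped", GAPPED_FLOW)]:
        print(f"{name:10s} per-packet={per_packet_match(flow)!s:5s} "
              f"stream={stream_match(flow, ISN)}")
```

The per-packet check is what a router or packet shaper doing simple payload screening amounts to; it matches the single-segment form and nothing else. The stream check is what any detection that wants to survive this trick needs: ordering by sequence number, dropping overlap, and refusing to match across a hole. The same reasoning applies if the split turns out to be at the IP layer (fragments), where the equivalent step is fragment reassembly before inspection.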
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 10:38:23 PST