RE: new codered worm penetrates content-filtering

From: Shackleford, Dave (znz1at_private)
Date: Thu Jan 10 2002 - 09:56:19 PST

    I have seen an enormous number of CodeRed hits lately, and yes - many of
    them are prefaced with an empty HTTP request. I've been wondering the same
    thing -- has anyone heard of a scheduled resurgence?
    
    -----Original Message-----
    From: Chris Russel [mailto:russelat_private]
    Sent: Thursday, January 10, 2002 10:14 AM
    To: incidentsat_private
    Subject: new codered worm penetrates content-filtering
    
    
    For a long time I haven't seen codered since we've been using
    content-screening at the router for blocking the attacks, but suddenly
    they are showing up again on my IDS.  So I was wondering how it is that
    now they are getting through the content-screening.
    
    After waiting for a capture of an attack session (I didn't have to wait
    long) it seems that the familiar "GET /default.ida*" is now being
    delivered with the "GET " in a separate packet which appears designed to
    defeat the web content-screening features of routers and packet shapers.
    
    It's been a while, but I don't recall it being split up like that before -
    and I still get some with the "GET" in the same packet so I'm led to
    believe there's a new code red variant out there.  Can anyone else verify
    that this is new behaviour?
    
    -- 
    Chris Russel     | CNS Information Security
    russelat_private  | York University, Toronto, Canada
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
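The evasion Chris describes, a request whose "GET " and "/default.ida" arrive in different TCP segments, defeats any filter that inspects one packet at a time. The following is an added example, not code from the thread or from any product mentioned in it: it contrasts a naive per-packet matcher with one that reassembles the TCP stream by sequence number before matching. The `Segment` class, the `SIGNATURE` constant and the sample sessions are constructed for illustration (real worm requests carry a much longer padded query string).

```python
"""Per-packet vs. stream-reassembled signature matching.

Constructed example (not from the thread): shows why a content filter
that inspects each TCP segment in isolation misses a request whose
"GET " and "/default.ida" land in different packets, while a matcher
that reassembles the stream first still fires.
"""
from dataclasses import dataclass

# Hypothetical signature; the real CodeRed URI carries a long padded query.
SIGNATURE = b"GET /default.ida"


@dataclass(frozen=True)
class Segment:
    """Minimal stand-in for a TCP segment: relative sequence number and payload."""
    seq: int
    payload: bytes


def per_packet_match(segments, signature=SIGNATURE):
    """Naive filter: look for the signature inside each segment on its own."""
    return any(signature in seg.payload for seg in segments)


def reassemble(segments):
    """Order segments by sequence number and concatenate contiguous payloads.

    A hole in the stream (missing bytes) stops reassembly; retransmitted or
    overlapping segments are tolerated by keeping the first copy of each byte.
    """
    stream = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:          # hole in the stream: cannot continue safely
            break
        end = seg.seq + len(seg.payload)
        if end > expected:              # new bytes beyond what we already have
            stream += seg.payload[expected - seg.seq:]
            expected = end
    return bytes(stream)


def stream_match(segments, signature=SIGNATURE):
    """Stream-aware filter: match against the reassembled byte stream."""
    return signature in reassemble(segments)


# Constructed sample sessions (payloads shortened; real worm requests are far longer).
UNSPLIT = [Segment(0, b"GET /default.ida?NNNN HTTP/1.0\r\nHost: x\r\n\r\n")]

# "GET " delivered in its own packet, URI in the next, as described in the thread.
SPLIT = [
    Segment(0, b"GET "),
    Segment(4, b"/default.ida?NNNN HTTP/1.0\r\nHost: x\r\n\r\n"),
]

# Same session with the segments observed out of order.
SPLIT_OUT_OF_ORDER = list(reversed(SPLIT))

BENIGN = [Segment(0, b"GET /index.html HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    for name, sess in [("unsplit", UNSPLIT), ("split", SPLIT),
                       ("split/out-of-order", SPLIT_OUT_OF_ORDER), ("benign", BENIGN)]:
        print(f"{name:20s} per-packet={per_packet_match(sess)!s:5s} "
              f"stream={stream_match(sess)}")
```

Running it shows the per-packet matcher firing only on the unsplit session while the stream matcher fires on all three worm sessions; the practical lesson for the router or packet-shaper case in the thread is that content screening has to sit on reassembled stream data, not individual packets, or it can be bypassed by segmentation alone.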



    This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 10:58:19 PST