Re: new codered worm penetrates content-filtering

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Thu Jan 10 2002 - 17:10:59 PST


    Ryan Russell <ryanat_private> wrote:
    
    > OK, I got a sample of one of the CodeReds from Chris Russel that had the
    > "GET " in one packet, and the rest in subsequent packets.  They are whole
    > IP packets, so it's not fragmentation.  The actual worm itself is simply
    > CodeRed.b.  The only other weird thing I've noted is that the PSH flag is
    > set on the first two packets from the attacker, after the handshake.  I
    > don't think that's normal.
    
    So, it's deliberate injection into the network in this pseudo-fragmented 
    form, presumably to beat at least some IDSes or other 
    filtering mechanisms.  If the rest of the code is unchanged, as you 
    say, then any successfully exploited targets will then only be 
    spreading the "normal" CodeRed.B, so it won't be too huge an 
    outbreak.
    
    People receiving these should consider how to approach the sending 
    machine(s) because they are likely either friendly to hosting such 
    dubious practices or compromised and unaware of this...
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
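The evasion the thread describes, a request line delivered as "GET " in one packet and the rest in later packets, defeats any filter that matches signatures against single packets. Below is an added example (not code from the post, the list, or the worm) showing why a detector has to reassemble the TCP stream before matching; the segments, the request line and the signature are constructed, illustrative values.

```python
"""Per-segment signature matching versus matching on a reassembled stream.

Added example, not from the original post. A segment is modelled as
(relative sequence number, payload bytes); sequence numbers are relative
to the initial sequence number of the connection.
"""
from typing import Iterable, List, Tuple

Segment = Tuple[int, bytes]

# Constructed sample: the request line split across three packets, with the
# "GET " on its own, as the post describes. The URI is illustrative only.
SPLIT_REQUEST: List[Segment] = [
    (0, b"GET "),
    (4, b"/default.ida?"),
    (17, b"XXXXXXXX HTTP/1.0\r\n"),
]

# Constructed pattern a content filter might look for in the request line.
SIGNATURE = b"GET /default.ida?"


def match_per_segment(segments: Iterable[Segment], signature: bytes) -> bool:
    """Naive detection: inspect each packet payload in isolation."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the byte stream from (seq, payload) pairs.

    Segments may arrive out of order or overlap. Bytes already present in
    the stream are kept (overlapping retransmissions cannot rewrite them),
    and reassembly stops at the first hole, since a real detector cannot
    match across data it has not yet seen.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):              # hole: missing data, stop here
            break
        stream.extend(payload[len(stream) - seq:])  # skip duplicated bytes
    return bytes(stream)


def match_reassembled(segments: Iterable[Segment], signature: bytes) -> bool:
    """Detection on the reassembled stream: split requests still match."""
    return signature in reassemble(segments)
```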
    
    This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 08:20:03 PST