Re: new codered worm penetrates content-filtering

From: Ryan Russell (ryanat_private)
Date: Thu Jan 10 2002 - 16:19:28 PST


On Fri, 11 Jan 2002, Nick FitzGerald wrote:

> So, it's deliberate injection into the network in this pseudo-
> fragmented form, presumably to beat at least some IDSes or other
> filtering mechanisms.

At present, I'm trying to determine (if I can) if there is possibly a
proxy that might be doing it.  Something on the scale of a National
Firewall.  Nothing but an app proxy would cause that kind of change
(working on the assumption that some intermediate network device is doing
it.)

> If the rest of the code is unchanged, as you
> say, then any successfully exploited targets will then only be
> spreading the "normal" CodeRed.B, so it won't be too huge an
> outbreak.

And that is what confuses me.  Were it I, I'd rather inject CodeRedII, and
get the root.exe backdoor.

					Ryan
    
    
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 08:23:28 PST