Re: new codered worm penetrates content-filtering

From: Ryan Russell (ryanat_private)
Date: Fri Jan 11 2002 - 09:59:05 PST

    So, I went and looked at the eEye disassembly for CodeRed (.a, I believe)
    and found this:
    
    seg000:00000A87 8B F4 mov esi, esp ; Send a "GET "
    seg000:00000A89 6A 00 push 0
    seg000:00000A8B 6A 04 push 4
    seg000:00000A8D 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; points to GET
    seg000:00000A93 51 push ecx
    seg000:00000A94 8B 95 78 FE FF FF mov edx, [ebp-188h] ; points to socket
    seg000:00000A9A 52 push edx
    seg000:00000A9B FF 95 C0 FE FF FF call dword ptr [ebp-140h] ; send a GET
    
    In other words, CodeRed sends the "GET " in its own send() call; it
    always has.  The operating system has the option to put multiple send
    calls together into one packet, at least for stream connections.  Most of
    the time, it will do so.  Whether it will depends on things like load, MTU
    (though that shouldn't come into play in this instance), etc...
    
    So, I think this has been going on on occasion for some time, and has gone
    largely unnoticed.  I don't think this was intended to bypass IDSes or
    filtering mechanisms, I think it's just a side-effect of the way it was
    written.  (Though worms could certainly do this sort of thing on purpose
    if the author wanted.)
    
    Another reader pointed out to me off-list that this has been going on for
    some time:
    http://securityfocus.com/archive/75/197449
    
    					Ryan
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
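The post's point is that a signature split across two send() calls may or may not be coalesced into one TCP segment, so a filter that inspects segments one at a time is unreliable. The following Python is an added example, not code from the post: a naive per-segment matcher beside a small stream reassembler that handles out-of-order and overlapping segments. The segments and the CodeRed-style request line are constructed sample data.

```python
# Constructed sample signature: the well-known CodeRed request path prefix.
SIGNATURE = b"GET /default.ida?"

def per_packet_match(segments, signature=SIGNATURE):
    """Naive filter: inspects each TCP payload on its own, never across segments."""
    return any(signature in payload for _, payload in segments)

def reassemble(segments):
    """Rebuild the byte stream from (seq, payload) pairs.

    Tolerates out-of-order delivery and overlapping retransmissions;
    refuses to continue over a gap, since matching past one is unsafe.
    """
    data = bytearray()
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq < expected:                     # overlap: keep only the new bytes
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:
            raise ValueError(f"gap in stream at seq {expected}")
        data += payload
        expected += len(payload)
    return bytes(data)

def stream_match(segments, signature=SIGNATURE):
    """Stream-aware filter: matches against the reassembled stream."""
    return signature in reassemble(segments)

# Constructed segments mirroring the post: one send("GET ") followed by a
# second send() with the rest of the request line, either left as two
# segments by the kernel or coalesced into one.
SPLIT_SEGMENTS = [
    (1000, b"GET "),
    (1004, b"/default.ida?XXXXXXXX HTTP/1.0\r\n"),
]
COALESCED_SEGMENTS = [
    (1000, b"GET /default.ida?XXXXXXXX HTTP/1.0\r\n"),
]
```

Only the stream-aware matcher flags both cases; the per-segment one fires solely when the kernel happened to merge the two sends.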