Security Incidents mailing list archives
Re: CodeRedII worm..
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Mon, 6 Aug 2001 19:19:01 +1200
Pluto <pluto () stderr de> wrote:
On Sun, Aug 05, 2001 at 04:38:55AM -0400, Valdis.Kletnieks () vt edu wrote:
(Sorry for the cross-posting) Given that initial analysis of the CodeRedII worm indicates that it leaves a backdoor lying around, I hereby request that those people who made lists of infected hosts available last time *NOT* do so again.
I wholeheartedly support Valdis' request in this matter (and made the same request in private to the incidents list moderator).
I have seen no checks for root.exe so far. But Nessus already has a codered_x.nasl, congrats to this speed!

# special root.exe from CR2
alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)
Not wishing to be offensive (I know -- some will say it's my nature and unavoidable) but such a signature shows an entirely clue-devoid understanding of the real nature of the backdooring that CodeRed.C (or whatever you want to call it) does. I know this is a full-disclosure list, but I will not publicly release for the delight of the dipshit kiddies how to circumvent such inadequate IDS rules. (This is not an attack against Nessus and its makers -- I'm sure many (if not all) other IDS makers/maintainers have added similar, and similarly flawed, rules for just this issue in the last 12 hours or so.) If you verifiably work for an IDS vendor or maintain a freeware/open-source/etc IDS and do not understand the utter inadequacy of such a simplistic rule, feel free to contact me for the details (there may not be anything you can do to "fix" this without getting horrendous false positive rates, but at least I can safely explain to you why the above is grossly inadequate).

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
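The rule quoted earlier in the thread is written in Snort syntax (not Nessus NASL), and the discussion turns on what such a content match does and does not catch. The following is an added example, not code from the thread or from any IDS vendor: a small Python reimplementation of that one rule's match semantics (destination port 80, ACK flag set, a case-sensitive byte match for "root.exe" limited by depth:624 to the first 624 bytes of the TCP payload), run over a handful of constructed HTTP requests. Function names, the packet tuples and the sample requests are all assumptions made for the illustration; nothing here claims to reproduce CodeRedII's own traffic.

```python
# Added example, not part of the original mailing-list post.
# Models the match semantics of the Snort rule
#   alert tcp any any -> any 80 (msg:"CodeRedII root.exe"; flags:A+;
#                               content:"root.exe"; depth:624; ...)
# so a practitioner can see exactly which packets it would alert on.

RULE_CONTENT = b"root.exe"   # content:"root.exe"  (case-sensitive: no 'nocase')
RULE_DEPTH = 624             # depth:624  -> only the first 624 payload bytes
RULE_DST_PORT = 80           # "-> any 80"
TCP_ACK = 0x10               # flags:A+   -> ACK set, other bits don't matter


def rule_matches(dst_port, tcp_flags, payload):
    """Return True if the quoted rule would fire on this packet.

    dst_port  - TCP destination port of the packet
    tcp_flags - TCP flag byte (0x10 = ACK, 0x08 = PSH, 0x02 = SYN, ...)
    payload   - raw TCP payload bytes (the HTTP request for a web hit)
    """
    if dst_port != RULE_DST_PORT:
        return False
    if not (tcp_flags & TCP_ACK):      # 'A+' needs ACK; extra bits are fine
        return False
    # Snort's 'depth' restricts the content search to the first N bytes.
    return RULE_CONTENT in payload[:RULE_DEPTH]


def alerts(packets):
    """Run every (label, dst_port, tcp_flags, payload) tuple through the
    rule and return the labels of the packets that would raise an alert."""
    return [label for (label, port, flags, payload) in packets
            if rule_matches(port, flags, payload)]


# Constructed sample packets (hypothetical, for illustration only).
PSH_ACK = 0x18
SAMPLE_PACKETS = [
    # A direct request for the copied cmd.exe; this is what the rule targets.
    ("direct-request", 80, PSH_ACK,
     b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
    # Same request to a non-standard port: the rule only watches port 80.
    ("other-port", 8080, PSH_ACK,
     b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
    # A bare SYN carries no payload and fails the flags:A+ test.
    ("syn-only", 80, 0x02, b""),
    # Same path in upper case: IIS does not care, but the rule's content
    # match is case-sensitive because it has no 'nocase' modifier.
    ("upper-case", 80, PSH_ACK,
     b"GET /scripts/ROOT.EXE?/c+dir HTTP/1.0\r\n\r\n"),
    # The string sits past byte 624 of the payload, outside depth:624.
    ("beyond-depth", 80, PSH_ACK,
     b"GET /scripts/root.exe HTTP/1.0\r\nX-Pad: " .replace(b"root.exe", b"")
     + b"A" * 700 + b"\r\nReferer: /scripts/root.exe\r\n\r\n"),
]


if __name__ == "__main__":
    for label, port, flags, payload in SAMPLE_PACKETS:
        print(f"{label:14s} -> {'ALERT' if rule_matches(port, flags, payload) else 'no alert'}")
```

Of the five constructed packets only "direct-request" fires. The other four are not clever; they fall straight out of the rule's own text (port, flags, depth and case-sensitivity), which is the kind of thing to check before trusting a one-line content signature as evidence that a host is or is not being backdoored.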
Current thread:
- CodeRedII worm.. Valdis . Kletnieks (Aug 05)
- Re: CodeRedII worm.. Pluto (Aug 05)
- Re: CodeRedII worm.. A.L.Lambert (Aug 05)
- Re: CodeRedII worm.. Nick FitzGerald (Aug 06)
- Re: CodeRedII worm.. Nick FitzGerald (Aug 06)
- Re: CodeRedII worm.. Emory Wood (Aug 06)
- Re: CodeRedII worm.. Pluto (Aug 05)