TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
I agree, I've been looking at what some of the CodeRed detectors do and they
send:
GET /x.ida
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
So what's to stop a minor variant of CodeRed just changing the file it asks
for? Seems a very short-sighted signature.
Later'ish
Craig
> -----Original Message-----
> From: Dan Wangler [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 01, 2001 1:57 AM
> To: [EMAIL PROTECTED]
> Subject: Code Red for RealSecure
>
>
> I received the X-Press alert for Code Red yesterday. In it was some good
> information on what it is and does and how to detect it.
>
> I do have a question concerning the RS signature. In the text of the alert,
> it says that Code Red sends the string "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNN
> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909
> 0%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0
> 000%u00=a".
>
> However, the signature string for RS is simply "default\.ida$". I do not
> understand how the two can relate since the RS string does not match that
> part of the attack. Can someone explain it for me?
>
> Thanks
>
>
> Dan Wangler, GIAC Certified Intrusion Analyst
> IT Security Engineering and Development
> IT Security, Texas Instruments, Inc.
> 6500 Chase Oaks Blvd., MS 8417
> Plano, Texas, 75023, Phone: 972-927-8304
> Email: [EMAIL PROTECTED]
>
>
>
>
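
Added example, not part of the original messages and not RealSecure's own logic: a short Python comparison of the quoted `default\.ida$` pattern against the two request shapes discussed in this thread. It assumes the pattern is applied to the URL path only (the part before `?`), which would explain the `$` anchor; `extension_rule`, `MAX_QUERY_LEN` and the sample request lines are hypothetical and constructed for illustration.

```python
import re

# Signature string quoted in the thread. Applying it to the URL path only
# (the part before '?') is an assumption of this example.
RS_SIGNATURE = re.compile(r"default\.ida$")

# Hypothetical broader rule: any .ida request carrying an overlong query.
IDA_EXT = re.compile(r"\.ida$", re.IGNORECASE)
MAX_QUERY_LEN = 100  # constructed threshold, not taken from the alert


def split_request(line):
    """Return (path, query) from an HTTP request line, or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition("?")
    return path, query


def filename_rule(line):
    """Match only when the requested path ends in default.ida."""
    req = split_request(line)
    return bool(req and RS_SIGNATURE.search(req[0]))


def extension_rule(line):
    """Match any .ida path whose query string exceeds MAX_QUERY_LEN."""
    req = split_request(line)
    if not req:
        return False
    path, query = req
    return bool(IDA_EXT.search(path)) and len(query) > MAX_QUERY_LEN


# Constructed sample request lines: padding only, no payload bytes.
SAMPLES = {
    "worm_shape": "GET /default.ida?" + "N" * 224 + "=a HTTP/1.0",
    "detector_shape": "GET /x.ida?" + "A" * 220 + "=X HTTP/1.0",
    "benign": "GET /index.html HTTP/1.0",
    "short_ida": "GET /default.ida?q=1 HTTP/1.0",
}


def classify():
    """Return {sample name: (filename_rule hit, extension_rule hit)}."""
    return {n: (filename_rule(l), extension_rule(l)) for n, l in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_name, by_ext) in classify().items():
        print(f"{name:15} filename_rule={by_name!s:5} extension_rule={by_ext}")
```

The filename rule misses the `/x.ida` request and fires on a short, harmless-looking `default.ida` query, while the extension-plus-length rule does the opposite in both cases.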