Security Incidents mailing list archives

Re: new codered worm penetrates content-filtering


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 10 Jan 2002 17:19:28 -0700 (MST)

On Fri, 11 Jan 2002, Nick FitzGerald wrote:

> So, it's deliberate injection into the network in this pseudo-
> fragmented form, presumably to beat at least some IDSes or other
> filtering mechanisms.

At present, I'm trying to determine (if I can) if there is possibly a
proxy that might be doing it.  Something on the scale of a National
Firewall.  Nothing but an app proxy would cause that kind of change
(working on the assumption that some intermediate network device is doing
it.)

> If the rest of the code is unchanged, as you
> say, then any successfully exploited targets will then only be
> spreading the "normal" CodeRed.B, so it won't be too huge an
> outbreak.

And that is what confuses me.  Were it I, I'd rather inject CodeRedII, and
get the root.exe backdoor.

                                        Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com