Code Red worm attack signature

giovanni
Level 1

I've created this string match signature following the suggestion in the eEye analysis of the worm.

I'd like the moderators to check if it makes sense, and also tell us if there's an 'official' Cisco sig coming.

/default.ida?[A-Z][a-z][0-9]+%u9090%u6858%ucbd3%u7801%u9090+[]

Ciao,

Giovanni

5 Replies

scothrel
Level 3

I'm forwarding your string to the guys who can check it out. There is an "official" string sig posted here in the NetPro forums. Look for a message title

"Cisco Secure IDS/NetRanger Custom String Match Signature for Remote" (name got cut off)

Buffer Overflow in Microsoft Index Server ISAPI Extension in IIS 4.0 and 5.0.

It will catch both types of use of the .ida overflow (code and DoS). That is, it's not specific to Red Worm, but detects the general case of using .ida buffer overflows.

SC

bkubesh
Level 1

Giovanni,

Your signature needs some minor changes to make it functional. A '.' is a special character (it means anything except newline) and needs to be enclosed in a character class bracket '[]'.

try this:

/default[.]ida[?][a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090

-Blaine

Blaine,

FWIW your sig does not work. :-( Not technical enough to repair it, but with 35000 hits of the worm today (both inbound and outbound) the signature above did not catch it. I used yours rather than the original, so I can't speak of it. I do know that the original ISAPI buffer overflow signature here did catch it so we knew which systems were infected and reattacking.

Thanks for the effort. Too tired after what today was like to flame. :-) If you're on the net with your probes I'm sure you'll get a chance to try a live detect. If not, here's the original eEye final analysis excerpt for IDS:

"How to setup your IDS to detect this specific worm?

---------------------------------------------------

The following is part of the packet data that is sent for this .ida "Code Red" worm attack:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

Just add that to your IDS signature database."

After testing I changed it to the following, which worked flawlessly: 3000 detects over 24h, towards a single class C net. (0 infections :)

/default\.ida\?[a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090

You're right that it was not so useful after all, the older and more generic sig detected it anyway.

Giovanni
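To see why the three signatures in this thread behave differently, here is an added test harness (not code from the thread or from Cisco) that runs each pattern over a constructed copy of the eEye request line and over two constructed non-worm requests. It uses Python's re dialect, so the Cisco sensor's regex engine may differ in details, but the escaping point Blaine raised shows up the same way.

```python
import re

# Constructed sample request, trimmed from the eEye excerpt quoted in the thread
# (the filler run of N's shortened; only the prefix and the %u sequence matter).
CODE_RED_REQUEST = (
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    + "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
)
# Constructed benign traffic: a normal .ida query, and a crafted string that an
# unescaped '.' and '?' would accept even though it is not a /default.ida request.
BENIGN_REQUEST = "GET /default.ida?query=test HTTP/1.0"
NOT_DEFAULT_IDA = "GET /defaultXidabc%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0"

# The signatures posted in the thread, plus two diagnostic variants.
SIGNATURES = {
    # Giovanni's first attempt: [A-Z][a-z][0-9]+ requires one upper, one lower,
    # then digits, in that order, and the trailing '+[]' is an empty class.
    "original": r"/default.ida?[A-Z][a-z][0-9]+%u9090%u6858%ucbd3%u7801%u9090+[]",
    # Same, minus the empty class, to isolate the character-class ordering bug.
    "original_trimmed": r"/default.ida?[A-Z][a-z][0-9]+%u9090%u6858%ucbd3%u7801%u9090",
    # Unescaped '.' and '?' with the corrected class: '?' makes the 'a' optional
    # instead of matching the literal '?', so the real request line is missed.
    "unescaped": r"/default.ida?[a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090",
    # Blaine's bracketed form and Giovanni's backslash-escaped final form.
    "bracketed": r"/default[.]ida[?][a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090",
    "escaped": r"/default\.ida\?[a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090",
}


def check_signature(pattern: str, payload: str):
    """Return 'invalid' if the pattern does not compile, else whether it matches."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return "invalid"
    return rx.search(payload) is not None


def evaluate_all():
    """Match every signature against every sample; returns {sig: {sample: result}}."""
    samples = {"worm": CODE_RED_REQUEST, "benign": BENIGN_REQUEST, "lookalike": NOT_DEFAULT_IDA}
    return {name: {s: check_signature(p, t) for s, t in samples.items()}
            for name, p in SIGNATURES.items()}


if __name__ == "__main__":
    for sig, results in evaluate_all().items():
        print(f"{sig:17s} {results}")
```

The bracketed and backslash-escaped forms both hit the worm request and neither hits the benign or look-alike samples; the unescaped variant does the opposite, which is the false-positive/false-negative trade Blaine's correction removes.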

Blaine also published the RegEx syntax under the thread that posted the generic .ida buffer overflow. You can use that as an aid for generating custom signatures. Blaine didn't check the operation of the string you sent in, he only checked it for syntax based on what he thought you were trying to do.

SC