New Member

Code Red worm attack signature

I've created this string match signature following the suggestion in the eEye analysis of the worm.

I'd like the moderators to check if it makes sense, and also tell us if there's an 'official' Cisco sig coming.

/default.ida?[A-Z][a-z][0-9]+%u9090%u6858%ucbd3%u7801%u9090+[]

Ciao,

Giovanni

5 REPLIES
Cisco Employee

Re: Code Red worm attack signature

I'm forwarding your string to the guys who can check it out. There is an "official" string sig posted here in the NetPro forums. Look for a message title

"Cisco Secure IDS/NetRanger Custom String Match Signature for Remote" (name got cut off)

Buffer Overflow in Microsoft Index Server ISAPI Extension in IIS 4.0 and 5.0.

It will catch both types of use of the .ida overflow (code and DoS). That is, it's not specific to Red Worm, but detects the general case of using .ida buffer overflows.

SC

Cisco Employee

Re: Code Red worm attack signature

Giovanni,

Your signature needs some minor changes to make it functional. A '.' is a special character (it means anything except newline) and needs to be enclosed in a character class bracket '[]'.

try this:

/default[.]ida[?][a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090

-Blaine

New Member

Re: Code Red worm attack signature

Blaine,

FWIW your sig does not work. :-( Not technical enough to repair it, but with 35000 hits of the worm today (both inbound and outbound) the signature above did not catch it. I used yours rather than the original, so I can't speak of it. I do know that the original ISAPI buffer overflow signature here did catch it so we knew which systems were infected and reattacking.

Thanks for the effort. Too tired after what today was like to flame. :-) If you're on the net with your probes I'm sure you'll get a chance to try a live detect. If not, here's the original eeye final analysis excerpt for IDS:

"How to setup your IDS to detect this specific worm?

---------------------------------------------------

The following is part of the packet data that is sent for this .ida "Code Red" worm attack:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

Just add that to your IDS signature database."

New Member

Re: Code Red worm attack signature

After testing I changed it to the following, which worked flawlessly: 3000 detects over 24h, towards a single class C net. (0 infections :)

/default\.ida\?[a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090

You're right that it was not so useful after all, the older and more generic sig detected it anyway.

Giovanni
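The three signatures posted in this thread (Giovanni's first attempt, Blaine's revision, and the final version above), run against an abridged copy of the eEye sample request with Python's re module. This is an added example, not code from the thread or from Cisco, and Python's regex engine is not the NetRanger/Secure IDS engine, so a match here says nothing about how a given sensor build handled the pattern; it only illustrates Blaine's point about unescaped '.' and '?'. The sample requests are constructed.

```python
import re

# Abridged from the eEye excerpt quoted above (constructed: the real probe
# carries a much longer run of 'N' characters and more %u groups).
SAMPLE_REQUEST = ("GET /default.ida?" + "N" * 40
                  + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 HTTP/1.0")

# A harmless path that an unescaped '/default.ida?' prefix would also match
# (constructed for the false-positive check below).
BENIGN_REQUEST = "GET /defaultXida HTTP/1.0"

SIGNATURES = {
    # Giovanni's first attempt: '.' and '?' are metacharacters, and the
    # trailing '[]' is an unterminated character class.
    "original": r"/default.ida?[A-Z][a-z][0-9]+%u9090%u6858%ucbd3%u7801%u9090+[]",
    # Blaine's revision: metacharacters wrapped in character classes.
    "blaine": r"/default[.]ida[?][a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090",
    # Giovanni's final version: backslash escapes instead of classes.
    "final": r"/default\.ida\?[a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090",
}


def check_signature(pattern, payload):
    """Return 'match', 'no match', or 'invalid' (pattern does not compile)."""
    try:
        compiled = re.compile(pattern)
    except re.error:
        return "invalid"
    return "match" if compiled.search(payload) else "no match"


def evaluate_all(payload):
    """Run every signature in SIGNATURES against one request line."""
    return {name: check_signature(pat, payload) for name, pat in SIGNATURES.items()}


def prefix_false_positive():
    """Why the path prefix must be escaped: with '.' as a wildcard and '?'
    making the preceding 'a' optional, the bare prefix '/default.ida?' matches
    the benign path, while the escaped form '/default\\.ida\\?' rejects it."""
    loose = re.search(r"/default.ida?", BENIGN_REQUEST) is not None
    strict = re.search(r"/default\.ida\?", BENIGN_REQUEST) is not None
    return loose, strict


if __name__ == "__main__":
    for name, verdict in evaluate_all(SAMPLE_REQUEST).items():
        print(f"{name:9s}: {verdict}")
    print("unescaped prefix hits benign path, escaped prefix hits it:",
          prefix_false_positive())
```

Even if the original pattern compiled, its `[A-Z][a-z][0-9]+` would require an uppercase letter, a lowercase letter and then digits, which the run of 'N' characters in the probe never satisfies.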

Cisco Employee

Re: Code Red worm attack signature

Blaine also published the RegEx syntax under the thread that posted the generic .ida buffer overflow. You can use that as an aid for generating custom signatures. Blaine didn't check the operation of the string you sent in, he only checked it for syntax based on what he thought you were trying to do.

SC
