As of the end of July 2003, Computer Economics (an independent research organization in Carlsbad, CA) estimated that the "Code Red" worm had cost corporations $1.2 billion (U.S.) in recovery from network damage and in lost productivity. This estimate rose significantly with the subsequent release of the more potent "Code Red II" worm. The Cisco Secure Intrusion Detection System (IDS), a key component of the Cisco SAFE Blueprint, has demonstrated its value in detecting and mitigating network security risks, including the "Code Red" worm.
This document describes a software update to detect the exploitation method used by the "Code Red" worm (see Signature 2 below).
You can create the custom string match signatures shown below to catch the exploitation of a buffer overflow on web servers running Microsoft Windows NT with Internet Information Services (IIS) 4.0, or Windows 2000 with IIS 5.0. The indexing service in the Windows XP beta is also vulnerable. The security advisory that describes this vulnerability is at http://www.eeye.com/html/Research/Advisories/AD20010618.html. Microsoft has released a patch for this vulnerability that can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx.
The signatures discussed in this document became available in signature update release S(5). Cisco Systems recommends that sensors be upgraded to the 2.2.1.8 or 2.5(1)S3 signature update before these signatures are implemented. Registered users can download these signature updates from the Cisco Secure Software Center. All users can contact Cisco Technical Support by e-mail and telephone through the Cisco Worldwide Contacts.
There are no specific requirements for this document.
The information in this document is based on the following software versions:
Microsoft Windows NT and IIS 4.0
Microsoft Windows 2000 and IIS 5.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
There are two specific custom string match signatures to address this issue. Each signature is described below, and applicable product settings are provided.
The first signature fires on an attempted buffer overflow of the Indexing Server ISAPI Extension combined with an attempt to pass shell code to the server, in the original (unobfuscated) form of the exploit, to gain privileged access. The signature fires only when shell code is passed to the target service in an attempt to gain full SYSTEM level access. One limitation is that this signature does not fire if the attacker passes no shell code and merely runs the buffer overflow against the service to crash IIS and create a denial of service.
[Gg][Ee][Tt].*[.][Ii][Dd][Aa][\x00-\x7f]+[\x80-\xff]
Occurrences: 1
Port: 80
Note: If you have web servers listening on other TCP ports (for example, 8080), you need to create a separate custom string match for each port number.
Recommended Alarm Severity Level: High (Cisco Secure Policy Manager), 5 (Unix Director)
Direction: TO
The second signature fires on an attempted buffer overflow of the Indexing Server ISAPI Extension combined with an attempt to pass shell code to the server, in the obfuscated form that the "Code Red" worm uses, to gain privileged access. This signature fires only when shell code is passed to the target service in an attempt to gain full SYSTEM level access. One limitation is that this signature does not fire if the attacker passes no shell code and merely runs the buffer overflow against the service to crash IIS and create a denial of service.
[/]default[.]ida[?][a-zA-Z0-9]+%u
Note: There are no blank spaces in the above string.
Occurrences: 1
Port: 80
Note: If you have web servers listening on other TCP ports (for example, 8080), you need to create a separate custom string match for each port number.
Recommended Alarm Severity Level: High (Cisco Secure Policy Manager), 5 (Unix Director)
Direction: TO
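As an added example that is not part of the Cisco document, the two string-match patterns above are applied with Python's re module to constructed request lines, including the shell-code-free overflow that the text notes neither signature catches. The signature names, the monitored port set and the sample requests are assumptions made for the illustration.

```python
import re

# The two custom string-match patterns quoted in this document, compiled as
# bytes regexes so the high-bit byte class in signature 1 is matched literally.
# Signature 1: original (raw) exploit form; needs a byte >= 0x80 after ".ida"
SIG1 = re.compile(rb'[Gg][Ee][Tt].*[.][Ii][Dd][Aa][\x00-\x7f]+[\x80-\xff]')
# Signature 2: obfuscated form used by the "Code Red" worm (%u-encoded payload)
SIG2 = re.compile(rb'[/]default[.]ida[?][a-zA-Z0-9]+%u')

# The sensor binds each string match to one TCP port; 80 per the document.
# Add 8080 etc. here if web servers listen on other ports (assumed set).
MONITORED_PORTS = {80}


def matching_signatures(request: bytes, dst_port: int = 80) -> list:
    """Return the (assumed) names of the signatures that fire on a request."""
    if dst_port not in MONITORED_PORTS:
        return []  # no string match is configured for this port
    fired = []
    if SIG1.search(request):
        fired.append("signature1_raw_ida_overflow")
    if SIG2.search(request):
        fired.append("signature2_code_red_obfuscated")
    return fired


# Constructed sample request lines (placeholders, not captured worm traffic):
# 1) obfuscated form: /default.ida?, filler, then %u-encoded bytes
CODE_RED_STYLE = b"GET /default.ida?" + b"N" * 32 + b"%u9090" * 2 + b" HTTP/1.0\r\n"
# 2) raw form: a non-ASCII byte follows the .ida query string
RAW_STYLE = b"GET /x.ida?" + b"A" * 32 + b"\x90\xeb HTTP/1.0\r\n"
# 3) overflow with no shell code: long printable filler, no %u, no high bytes;
#    this is the denial-of-service case the text says neither signature covers
DOS_ONLY = b"GET /x.ida?" + b"A" * 300 + b" HTTP/1.0\r\n"
# 4) benign request
BENIGN = b"GET /index.html HTTP/1.0\r\n"

if __name__ == "__main__":
    for name, req in [("code_red_style", CODE_RED_STYLE), ("raw_style", RAW_STYLE),
                      ("dos_only", DOS_ONLY), ("benign", BENIGN)]:
        print(name, matching_signatures(req))
```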
For more information on Cisco Secure IDS, refer to Cisco Secure Intrusion Detection.
Revision | Publish Date | Comments
---|---|---
1.0 | 24-Jun-2008 | Initial Release