As of the end of July, Computer Economics (an independent research organization in Carlsbad, CA) estimates that the "Code Red" worm has cost corporations $1.2 billion (U.S.) in recovery from network damage and in lost productivity. This estimate will rise significantly because of the recent release of the more potent "Code Red II" worm. The Cisco Secure Intrusion Detection System (IDS), a key component of the Cisco SAFE Blueprint, has demonstrated its value in detecting and mitigating network security risks, including the "Code Red" worm.
This document describes a software update to detect the exploitation method used by the "Code Red" Worm (see Signature 2 below).
You can create the following custom string match signatures to catch exploitation of the Indexing Service ISAPI extension buffer overflow on web servers running Microsoft Windows NT with Internet Information Services (IIS) 4.0, or Windows 2000 with IIS 5.0. Note that the indexing service in the Windows XP beta is also vulnerable. The security advisory describing this vulnerability is at http://www.eeye.com/html/Research/Advisories/AD20010618.html.
Microsoft has released a patch for this vulnerability that can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.
The signatures discussed in this document will be included in an upcoming signature update (signature release S(5)). Cisco Systems recommends that you upgrade your sensors to the 2.2.1.8 or 2.5(1)S3 signature update before implementing these signatures. Registered users can download these signature updates from the Cisco Software Center for IDS Cryptographic Software. All users can contact the Technical Assistance Center by e-mail and telephone through the Cisco Worldwide Contacts.
There are two specific custom string match signatures to address this issue. Each signature is described below, and applicable product settings are provided.
String
Product Settings
Note: If you have web servers listening on other TCP ports (e.g., 8080), you will need to create a separate custom string match for each port number.
The second signature fires on an attempted buffer overflow against the Indexing Service ISAPI extension combined with an attempt to pass shellcode to the server, in the obfuscated form the "Code Red" worm uses, to gain privileged access. Because it matches on the shellcode itself, this signature fires only when the attacker is trying to obtain full SYSTEM-level access on the target service. The limitation is that it will not fire if the attacker passes no shellcode and simply runs the buffer overflow against the service to crash IIS and cause a denial of service.
String
Note: There are no blank spaces in the above string.
Product Settings
Note: If you have web servers listening on other TCP ports (e.g., 8080), you will need to create a separate custom string match for each port number.
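The page does not reproduce the two match strings themselves, so the following is an added illustration of the detection logic the two signatures implement, written by the editor and not taken from the Cisco signature release. It runs two approximated patterns over constructed HTTP request lines: one that fires on any overlong query to an Index Server ISAPI resource (.ida or .idq), and one that additionally requires the %uXXXX-escaped shellcode that Code Red sends (the worm's request began with GET /default.ida? followed by a long run of filler characters and then escapes such as %u9090%u6858%ucbd3%u7801). The 200-byte length threshold, the HTTP_PORTS set, the signature names and the sample requests are all assumptions; the sample requests are constructed lookalikes, not captured traffic. The samples also exercise the two caveats in the text: a plain overflow with no payload fires only the first pattern, and a request to a port the sensor is not configured to inspect as HTTP fires neither.

```python
import re

# ASSUMPTION: TCP ports the sensor treats as HTTP. The page notes that a
# separate string match is needed for every port a web server listens on
# (e.g. 8080); here that is modelled as a set of ports the checks apply to.
HTTP_PORTS = {80, 8080}

# Approximation of the overflow signature (names are assumed, not Cisco's):
# a GET for an Index Server ISAPI resource (.ida or .idq) whose query
# string is implausibly long. Legitimate queries are short; the 200-byte
# threshold is an assumption chosen to stay well below the worm's payload.
IDA_OVERFLOW = re.compile(rb"^GET\s+/[^\s?]*\.id[aq]\?[^\s]{200,}", re.IGNORECASE)

# Approximation of Signature 2: the same request shape, but the query must
# also carry a run of %uXXXX escapes. Code Red delivered its shellcode
# through IIS's %u (Unicode) escape, e.g. %u9090%u6858%ucbd3%u7801, so
# requiring four consecutive groups rejects the payload-free DoS variant.
IDA_SHELLCODE = re.compile(
    rb"^GET\s+/[^\s?]*\.id[aq]\?[^\s]*(?:%u[0-9a-f]{4}){4,}", re.IGNORECASE
)

SIGNATURES = [
    ("custom-ida-overflow", IDA_OVERFLOW),
    ("custom-ida-shellcode", IDA_SHELLCODE),
]


def inspect(dst_port: int, request_line: bytes) -> list:
    """Return the names of the custom signatures that fire for one HTTP
    request line sent to dst_port. Mirrors a per-port string match: if the
    port is not one the sensor inspects as HTTP, nothing fires."""
    if dst_port not in HTTP_PORTS:
        return []
    return [name for name, pattern in SIGNATURES if pattern.search(request_line)]


# Constructed samples (not captured traffic). The first mimics the shape of
# the worm's request: a long filler run, then %u-escaped shellcode.
CODE_RED_LIKE = (
    b"GET /default.ida?" + b"N" * 224
    + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + b"%u9090%u9090=a HTTP/1.0\r\n"
)
# Overflow with no payload: enough to crash the ISAPI extension (denial of
# service), but nothing for the shellcode signature to match.
OVERFLOW_ONLY = b"GET /default.ida?" + b"A" * 300 + b" HTTP/1.0\r\n"
# Ordinary request to the same server.
BENIGN = b"GET /index.html HTTP/1.0\r\n"

SAMPLES = {
    "code-red-like on 80": (80, CODE_RED_LIKE),
    "code-red-like on 8080": (8080, CODE_RED_LIKE),
    "overflow-only on 80": (80, OVERFLOW_ONLY),
    "benign on 80": (80, BENIGN),
    "code-red-like on 8000 (port not covered)": (8000, CODE_RED_LIKE),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {label: [fired signatures]}."""
    return {label: inspect(port, line) for label, (port, line) in SAMPLES.items()}


if __name__ == "__main__":
    for label, fired in run_samples().items():
        print(f"{label:45s} -> {fired or ['(no match)']}")
```

The port check is the analogue of the note above: a sensor only matches on the ports its string signatures are bound to, so a server on an uncovered port is invisible to both patterns until a per-port copy of the signature is added.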
For more information on Cisco's IDS, please visit the Cisco Secure Intrusion Detection product page.
All contents are Copyright © 1992--2003 Cisco Systems Inc. All rights reserved.
Updated: Apr 22, 2003. Document ID: 13870