Internet Scanner FlexCheck for Code Red Backdoor Now Available

From: CustomerRelations (bpq@iss.net)
Date: 08/08/01


Message-Id: <4.2.2.20010808173548.00a8b670@msgatl01.iss.net>
Date: Wed, 08 Aug 2001 17:36:18 -0400
To: xpress@iss.net
From: CustomerRelations <bpq@iss.net>
Subject: Internet Scanner FlexCheck for Code Red Backdoor Now Available 



FLEXCHECK NOW AVAILABLE TO IDENTIFY BACKDOOR INSTALLED
BY THE CODE RED WORM

An Internet Scanner FlexCheck is now available to detect the backdoor
installed by the Code Red Worm. This check is relevant to machines
vulnerable to the Remote IIS Index Server ISAPI Extension vulnerability,
which is exploited by the Code Red Worm.

For further information on this check, please consult the ReadMe.

To learn more about the vulnerability that enables this backdoor
to be installed, please see the X-Force Alert at:
http://xforce.iss.net/alerts/advise90.php.

DOWNLOADING AND INSTALLING FLEXCHECKS

The Internet Scanner FlexCheck can be downloaded from the X-Press
Update download center at http://www.iss.net/eval/eval.php. Please
note that this is a FlexCheck, not an X-Press Update, and a
different update process is required. The ReadMe for this file
outlines the installation process. The process for configuring
FlexChecks is also outlined in the Internet Scanner User Guide.

Please be aware that FlexChecks are not supported by Technical
Support, but Support can assist you if you have difficulty installing
them.

Data found by FlexChecks are not included in reports, but can
be viewed in the GUI immediately after the scan or in the session
log file.

COVERAGE OF THE REMOTE IIS INDEX SERVER ISAPI EXTENSION
VULNERABILITY IN ISS PRODUCTS

This vulnerability is addressed by a check included in Internet
Scanner XPU 4.10, released June 20, 2001. For customers with
administrative access, we recommend the check included in
XPU 4.10, IisIsapiIdqBo. Customers without administrative
access should use the FlexCheck provided to identify the vulnerability.

RealSecure detects this vulnerability through use of a signature
included in XPU 3.1. A user-defined signature is also available and
is included in the following X-Force Alert:
http://xforce.iss.net/alerts/advise79.php.

Black ICE agent versions 2.5ev and higher detect this exploit
as "ISAPI index extension overflow". Black ICE Sentry detects this
exploit as "HTTP GET data with repeated char".

System Scanner also detects this vulnerability, utilizing the
MS01-033 check included with XPU 3.01.