Re: Full analysis of the .ida "Code Red" worm.

From: Ryan Russell (ryan@securityfocus.com)
Date: 07/20/01


Date: Thu, 19 Jul 2001 19:35:49 -0600 (MDT)
From: Ryan Russell <ryan@securityfocus.com>
To: Laurence Hand <lhand@co.la.ca.us>
Subject: Re: Full analysis of the .ida "Code Red" worm.
Message-ID: <Pine.GSO.4.30.0107191927280.679-100000@mail>

On Thu, 19 Jul 2001, Laurence Hand wrote:

>
> I know MS watches this list, so I hope they will be checking their
> servers before this starts the DDOS tomorrow.
>

I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC,
the next day). I was getting 5-10 attempts an hour, and I've had 0
since 4:43:29 PDT.

Folks will notice that www.whitehouse.gov is still accessible. The worm
authors only put in one IP address, the one for www1.whitehouse.gov. BBN
(who appears to be the provider for whitehouse.gov, according to my
tracert) has blocked that single IP address at their peering points. So
www2.whitehouse.gov is still running just fine.

Presumably, www.whitehouse.gov used to be RR DNS between the two. Now,
www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of
only 872.

For a relatively clever worm, the author sure screwed up his target list.
Whoops.

                                        Ryan
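As an added example, not part of Ryan's message or the analysis it replies to: a short Python script that reproduces the observation above from constructed IIS log lines, counting .ida probe requests per hour and reporting the hour from which they stop (the worm's switch from spreading to its DDoS phase). It assumes W3C extended log fields and that probes arrive as requests for /default.ida, an assumption not stated on this page.

```python
"""Bucket Code Red .ida probes per hour and find when they stopped.

Added example, not from the original message. Assumes W3C extended log
fields (date time c-ip cs-method cs-uri-stem sc-status) with UTC times,
and that a probe is a request whose cs-uri-stem is /default.ida.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Probes run until 23:43 UTC,
# then nothing after 0:00 UTC on 2001-07-20, as the message describes.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-07-19 21:05:12 10.0.0.11 GET /default.ida 200
2001-07-19 21:40:03 10.0.0.12 GET /index.html 200
2001-07-19 22:14:55 10.0.0.13 GET /default.ida 200
2001-07-19 22:51:20 10.0.0.14 GET /default.ida 200
2001-07-19 23:20:44 10.0.0.15 GET /default.ida 200
2001-07-19 23:43:29 10.0.0.16 GET /default.ida 200
2001-07-20 00:30:00 10.0.0.17 GET /index.html 200
2001-07-20 01:15:09 10.0.0.18 GET /about.html 200
"""

PROBE_URI = "/default.ida"  # assumed probe path (cs-uri-stem has no query)

def probes_per_hour(log_text):
    """Return {hour_start: probe_count}, including zero-count hours between
    the first and last log entry so a sudden stop shows up as a gap."""
    counts, hours = Counter(), []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directives
        date, time, _ip, _method, uri, _status = line.split()
        hour = datetime.fromisoformat(f"{date} {time}").replace(minute=0, second=0)
        hours.append(hour)
        if uri.lower() == PROBE_URI:
            counts[hour] += 1
    if not hours:
        return {}
    series, hour, end = {}, min(hours), max(hours)
    while hour <= end:
        series[hour] = counts.get(hour, 0)
        hour += timedelta(hours=1)
    return series

def quiet_since(series):
    """First hour after which no later bucket has a probe; None if probing
    continues through the last bucket."""
    quiet = None
    for hour in sorted(series):
        quiet = hour if series[hour] == 0 and quiet is None else (quiet if series[hour] == 0 else None)
    return quiet

if __name__ == "__main__":
    for hour, n in probes_per_hour(SAMPLE_LOG).items():
        print(hour.strftime("%Y-%m-%d %H:00 UTC"), n)
    print("no probes since:", quiet_since(probes_per_hour(SAMPLE_LOG)))
```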
