RE: Update to "Code Red" Worm. Its a date bomb, not time.
From: eEye Digital Security (eeye@eeye.com)
Date: 07/20/01
- Previous message: Ryan Permeh: "Re: Update to "Code Red" Worm. Its a date bomb, not time."
- In reply to: c0ncept: "RE: Update to "Code Red" Worm. Its a date bomb, not time."
- Next in thread: josh abulamhammedramashi: "A code red that could bring down the net?"
- Next in thread: emerson.c.tan@ca.andersen.com: "RE: Update to "Code Red" Worm. Its a date bomb, not time."
From: "eEye Digital Security" <eeye@eeye.com>
To: "c0ncept" <c0ncept@hushmail.com>, "Vuln-Dev" <vuln-dev@securityfocus.com>, "SECURITY-BASICS" <SECURITY-BASICS@SECURITYFOCUS.COM>
Subject: RE: Update to "Code Red" Worm. Its a date bomb, not time.
Date: Thu, 19 Jul 2001 22:28:19 -0000
Message-ID: <EIEOJCKGEPCLJHGCNNOPCEBKEBAA.eeye@eeye.com>
Not sure yet. It's what it looks like it will do. We'll have to sit and wait
and see if that's what happens.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
|-----Original Message-----
|From: c0ncept [mailto:c0ncept@hushmail.com]
|Sent: Thursday, July 19, 2001 9:36 PM
|To: Vuln-Dev; SECURITY-BASICS
|Cc: Marc Maiffret
|Subject: RE: Update to "Code Red" Worm. Its a date bomb, not time.
|
|
|
| How many confirmed infections are sitting on 410+ Meg connections?
| How many of them have system buses even capable of saturating multiple
|infections?
|
| --c0ncept
|
|
|[snip]
|:Remember, each host can be infected multiple times, meaning that a single
|:host can send 410MB * # of infections.
|[snip]
|
|-----Original Message-----
|From: Marc Maiffret [mailto:marc@eeye.com]
|Sent: Thursday, July 19, 2001 1:55 PM
|To: Vuln-Dev; SECURITY-BASICS
|Subject: Update to "Code Red" Worm. Its a date bomb, not time.
|
|
|Thanks to Eric from Symantec for tossing us a note about the worm being date
|based and not time based.
|
|We made an error in our last analysis and said the worm would start
|attacking whitehouse.gov based on a certain time. In reality it's based on a
|date (the 20th UTC), which is tomorrow.
|
|If the worm infects your system between the 1st and the 19th it will attempt
|to deface the infected server's web page or try to propagate itself to other
|systems. On the 20th all infected threads will attempt to attack
|www.whitehouse.gov. This seems to continue until the worm is removed from
|the infected system.
|
|Any new infection that happens between the 20th and 28th will most likely be
|someone "hand infecting" your system, as all other worms should be attacking
|whitehouse.gov. If for some reason you are infected between the 20th and the
|28th then the worm will begin attacking whitehouse.gov without trying to
|infect other systems. This attack will continue indefinitely.
|
|The following are rough numbers, but we felt that it was important to
|illustrate the effects this worm can _possibly_ have.
|
|The worm has a timeline like this:
|
|day of the month:
|1-19: infect other hosts using the worm
|20-27: attack whitehouse.gov forever
|28-end of month: eternal sleep
|
|Presumably, this could restart at any point in a new month again.
|
|Also, some stats for the attack:
|
|Each infection has 100 threads.
|Each thread is going to send about 100k, a byte at a time, which means you
|have (40 for IP + 1 for each byte), which means you have 4.1 megs of data
|per thread.
|100 threads * 4.1 megs = 410 Megabytes.
|This will be repeated again every 4.5 hours or so.
|
|Remember, each host can be infected multiple times, meaning that a single
|host can send 410MB * # of infections.
|
|We have had reports between 15 thousand and 196 thousand unique hosts
|infected with the "Code Red" worm. However, there has been cross infection
|and we have heard reports of at least 300+ thousand infections/instances
|(machines with multiple infections etc..) of this worm.
|
|If there are 300 thousand infections then that means you have
|(300,000 * 410 megabytes) that is going to be attempted to be flooded against
|whitehouse.gov every 4 and a half hours. If this is true and the worm "works
|as advertised" then the fact that whitehouse.gov goes offline is only the
|beginning of what _can_ possibly happen...
|
|----
|
|I am actually writing this part of the eMail about 45 minutes after the
|first part because our Internet connection here in California has been going
|up and down. We have also heard reports of Internet connectivity going down
|in parts of northern California and New York.
|
|Signed,
|eEye Digital Security
|T.949.349.9062
|F.949.349.9538
|http://eEye.com/Retina - Network Security Scanner
|http://eEye.com/Iris - Network Traffic Analyzer
|http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
|
|
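As an added illustration for this archive page (not code from eEye, from anyone in this thread, or from the worm itself), the day-of-month phase logic and the flood-volume figures from Marc Maiffret's quoted post, modelled in Python. The phase boundaries, the 100 threads, the 100k bytes per thread, the 40-byte per-packet overhead and the 4.5-hour repeat interval are taken from the post; the `phase_at` helper (which normalises any timezone to UTC before reading the day, since the trigger is the UTC date) and the conversion of the per-cycle volume to a sustained bit rate are assumptions added here.

```python
"""Model of the Code Red phase logic and flood-volume estimate as described
in the post above. Added illustration for this page; not eEye's analysis
code and not the worm's code. Phase boundaries and per-thread figures come
from the post; phase_at() and the sustained-rate conversion are assumptions.
"""
from datetime import datetime, timezone

# Figures quoted in the post (per infection)
THREADS_PER_INFECTION = 100
PAYLOAD_BYTES_PER_THREAD = 100_000   # "about 100k, a byte at a time"
PER_BYTE_OVERHEAD = 40               # "40 for IP" on every one-byte packet
REPEAT_INTERVAL_HOURS = 4.5          # "repeated again every 4.5 hours or so"


def phase_for_day(day):
    """Worm behaviour for a UTC day of the month, per the post's timeline.

    1-19  : infect other hosts (and deface)
    20-27 : flood www.whitehouse.gov
    28-31 : sleep
    A host first infected on day 20-27 goes straight to flooding without
    ever propagating, which this day-only model already expresses.
    """
    if not 1 <= day <= 31:
        raise ValueError("day of month must be 1..31")
    if day >= 28:
        return "sleep"
    if day >= 20:
        return "flood"
    return "propagate"


def phase_at(when):
    """Phase for an aware datetime. Assumption added here: the trigger is
    keyed on the UTC calendar date, so local times are converted first."""
    if when.tzinfo is None:
        raise ValueError("pass an aware datetime; the trigger is UTC-based")
    return phase_for_day(when.astimezone(timezone.utc).day)


def bytes_per_thread():
    """100k one-byte packets, each carrying 40 bytes of header overhead."""
    return PAYLOAD_BYTES_PER_THREAD * (PER_BYTE_OVERHEAD + 1)   # 4.1 MB


def bytes_per_infection():
    return THREADS_PER_INFECTION * bytes_per_thread()            # 410 MB


def flood_per_cycle_bytes(infections):
    """Total bytes all infections try to push per 4.5-hour cycle."""
    return infections * bytes_per_infection()


def sustained_mbit_per_s(infections):
    """Assumption added here: spread one cycle's volume evenly over the
    4.5-hour interval to get an average aggregate bit rate in Mbit/s."""
    seconds = REPEAT_INTERVAL_HOURS * 3600
    return flood_per_cycle_bytes(infections) * 8 / seconds / 1e6


if __name__ == "__main__":
    # Constructed timestamps around the 20th UTC boundary the post describes.
    for ts in (datetime(2001, 7, 19, 23, 59, tzinfo=timezone.utc),
               datetime(2001, 7, 20, 0, 0, tzinfo=timezone.utc)):
        print(ts.isoformat(), phase_at(ts))
    print("bytes per infection per cycle:", bytes_per_infection())
    print("Mbit/s at 300,000 infections:", round(sustained_mbit_per_s(300_000)))
```

The post's own figures reproduce as 4,100,000 bytes per thread and 410,000,000 bytes per infection per cycle; the added rate conversion is only a way of reading the 300,000-infection scenario as an average load rather than a per-cycle total.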