Re: Update to "Code Red" Worm. Its a date bomb, not time.
From: Ryan Permeh (ryan_at_eEye.com) Date: 07/20/01
- Previous message: Marc Maiffret: "RE: Update to "Code Red" Worm. Its a date bomb, not time."
- In reply to: c0ncept: "RE: Update to "Code Red" Worm. Its a date bomb, not time."
- Next in thread: josh abulamhammedramashi: "A code red that could bring down the net?"
- Next in thread: matt sommer: "Re: Update to "Code Red" Worm. Its a date bomb, not time."
- Messages sorted by: [ Date ] [ Thread ] [ Subject ] [ Author ] [ Attachment ]
Perhaps none, perhaps many. But it is a sequential 410 megs. You can push
410 megs across a 1200 baud modem if you want.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
----- Original Message -----
From: "c0ncept" <c0ncept_at_hushmail.com>
To: "Vuln-Dev" <vuln-dev_at_securityfocus.com>; "SECURITY-BASICS"
<SECURITY-BASICS_at_SECURITYFOCUS.COM>
Cc: "Marc Maiffret" <marc_at_eeye.com>
Sent: Thursday, July 19, 2001 2:36 PM
Subject: RE: Update to "Code Red" Worm. Its a date bomb, not time.
>
> How many confirmed infections are sitting on 410+ Meg connections?
> How many of them have system buses even capable of saturating multiple
> infections?
>
> --c0ncept
>
>
> [snip]
> :Remember, each host can be infected multiple times, meaning that a single
> :host can send 410MB * # of infections.
> [snip]
>
> -----Original Message-----
> From: Marc Maiffret [mailto:marc_at_eeye.com]
> Sent: Thursday, July 19, 2001 1:55 PM
> To: Vuln-Dev; SECURITY-BASICS
> Subject: Update to "Code Red" Worm. Its a date bomb, not time.
>
>
> Thanks to Eric from Symantec for tossing us a note about the worm being date
> based and not time based.
>
> We made an error in our last analysis and said the worm would start
> attacking whitehouse.gov based on a certain time. In reality it's based on a
> date (the 20th UTC) which is tomorrow.
>
> If the worm infects your system between the 1st and the 19th it will attempt
> to deface the infected server's web page or try to propagate itself to other
> systems. On the 20th all infected threads will attempt to attack
> www.whitehouse.gov. This seems to continue until the worm is removed from
> the infected system.
>
> Any new infection that happens between the 20th and 28th will most likely be
> someone "hand infecting" your system as all other worms should be attacking
> whitehouse.gov. If for some reason you are infected between the 20th and the
> 28th then the worm will begin attacking whitehouse.gov without trying to
> infect other systems. This attack will continue indefinitely.
>
> The following are rough numbers, but we felt that it was important to
> illustrate the effects this worm can _possibly_ have.
>
> The worm has a timeline like this:
>
> day of the month:
> 1-19: infect other hosts using the worm
> 20-27: attack whitehouse.gov forever
> 28-end of month: eternal sleep
>
> Presumably, this could restart at any point in a new month again.
>
> Also, some stats for the attack:
>
> Each infection has 100 threads
> Each thread is going to send about 100k, a byte at a time, which means you
> have a (40 for ip + 1 for each byte) which means you have 4.1 megs of data
> per thread
> 100 threads * 4.1megs = 410 Megabytes
> This will be repeated again every 4.5 hours or so
>
> Remember, each host can be infected multiple times, meaning that a single
> host can send 410MB * # of infections.
>
> We have had reports between 15 thousand and 196 thousand unique hosts
> infected with the "Code Red" worm. However, there has been cross infection
> and we have heard reports of at least 300+ thousand infections/instances
> (machines with multiple infections etc..) of this worm.
>
> If there are 300 thousand infections then that means you have (300,000 * 410
> megabytes) that is going to be attempted to be flooded against
> whitehouse.gov every 4 and a half hours. If this is true and the worm "works
> as advertised" then the fact that whitehouse.gov goes offline is only the
> beginning of what _can_ possibly happen...
>
> ----
>
> I am actually writing this part of the eMail about 45 minutes after the
> first part because our Internet connection here in California has been going
> up and down. We have also heard reports of internet connectivity going down
> in parts of northern California and New York.
>
> Signed,
> eEye Digital Security
> T.949.349.9062
> F.949.349.9538
> http://eEye.com/Retina - Network Security Scanner
> http://eEye.com/Iris - Network Traffic Analyzer
> http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
>
>
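The figures Marc quotes (100 threads, ~100k bytes per thread sent a byte at a time, 40 bytes of header per packet, a repeat every 4.5 hours, 300,000 infections) and the day-of-month timeline can be checked with a small model. The script below is an added example for this archive page; it is not eEye's analysis code and not something either poster sent. Only the numbers quoted in the post are taken as given. The 1460-byte segment size used for comparison is an assumed Ethernet MSS, "1200 baud" is treated as 1200 bit/s, and the link-time figures assume a fully used link with no handshake, retransmission or per-connection overhead beyond the 40 header bytes per packet. The phase function keys on the UTC date, as the post says the worm does, so it also shows that a host seven hours west of UTC switches to attack mode at 17:00 on its local 19th.

```python
"""Added illustration, not eEye's own code: a small model of the Code Red
timeline and flood volume built only from the figures in Marc Maiffret's
post above. Anything not quoted from the post is marked as an assumption."""

from datetime import datetime, timedelta, timezone
from math import ceil

# Figures quoted in the post
THREADS_PER_INFECTION = 100    # "Each infection has 100 threads"
PAYLOAD_PER_THREAD = 100_000   # "about 100k" bytes per thread
HEADER_BYTES = 40              # "40 for ip": IP + TCP headers on each packet
CYCLE_SECONDS = 4.5 * 3600     # "repeated again every 4.5 hours or so"


def phase(utc_day: int) -> str:
    """Worm behaviour keyed on the UTC day of month, as the post describes:
    1-19 propagate, 20-27 flood www.whitehouse.gov, 28 onwards sleep."""
    if not 1 <= utc_day <= 31:
        raise ValueError("day of month must be 1..31")
    if utc_day < 20:
        return "propagate"
    if utc_day < 28:
        return "attack"
    return "sleep"


def phase_at(year: int, month: int, day: int, hour: int, utc_offset_hours: int) -> str:
    """Phase at a local wall-clock time in a zone that is UTC+offset. The
    trigger is the UTC date, so the switch happens at 17:00 on the local
    19th for a UTC-7 host, not at local midnight."""
    local_zone = timezone(timedelta(hours=utc_offset_hours))
    when = datetime(year, month, day, hour, tzinfo=local_zone)
    return phase(when.astimezone(timezone.utc).day)


def wire_bytes(payload: int, payload_per_packet: int, header: int = HEADER_BYTES) -> int:
    """Bytes on the wire for `payload` bytes sent `payload_per_packet` at a time."""
    packets = ceil(payload / payload_per_packet)
    return payload + packets * header


def bytes_per_infection(payload_per_packet: int = 1) -> int:
    """Wire volume one infection sends per cycle. The worm writes a byte per
    packet, so 41 bytes cross the wire for every payload byte."""
    return THREADS_PER_INFECTION * wire_bytes(PAYLOAD_PER_THREAD, payload_per_packet)


def bitrate_to_finish(total_bytes: float, seconds: float) -> float:
    """Sustained bit/s needed to push `total_bytes` within `seconds`."""
    return total_bytes * 8 / seconds


def seconds_to_send(total_bytes: float, link_bps: float) -> float:
    """Time to push `total_bytes` over a link of `link_bps`, link fully used."""
    return total_bytes * 8 / link_bps


def aggregate_bytes_per_cycle(infections: int) -> int:
    """Volume aimed at the target per cycle; each infection counts separately
    because a host can carry more than one."""
    return infections * bytes_per_infection()


if __name__ == "__main__":
    one = bytes_per_infection()
    # 1460 bytes is an assumed Ethernet MSS, used only for comparison
    print(f"per infection per cycle: {one / 1e6:.0f} MB on the wire, "
          f"{bytes_per_infection(1460) / 1e6:.1f} MB if sent in 1460-byte segments")
    print(f"link rate to finish one cycle in 4.5 h: "
          f"{bitrate_to_finish(one, CYCLE_SECONDS) / 1e3:.0f} kbit/s")
    # treating '1200 baud' as 1200 bit/s (assumption)
    print(f"the same 410 MB over a 1200 bit/s modem: "
          f"{seconds_to_send(one, 1200) / 86400:.1f} days")
    total = aggregate_bytes_per_cycle(300_000)
    print(f"300,000 infections: {total / 1e12:.0f} TB per cycle, "
          f"{bitrate_to_finish(total, CYCLE_SECONDS) / 1e9:.0f} Gbit/s sustained")
    print("California host, 17:00 PDT on the 19th:", phase_at(2001, 7, 19, 17, -7))
```

Run as-is it reproduces the 410 MB per infection from the post and shows where it comes from: the same 100 KB of payload would be about 10 MB on the wire in full segments, so sending one byte per packet is what turns a small payload into a large flood. It also gives the sustained rate a single infection needs to finish a cycle inside the 4.5-hour window (roughly 200 kbit/s) and the aggregate for 300,000 infections, which is the quantity the "how many hosts sit on 410+ Meg connections" question is really about.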