TT (Mk1) Discussion Discussion forum for the Mk1 Audi TT Coupe & Roadster produced from 2000-2006

OT: Code Red Worm....

#1 | geiswiz (Thread Starter) | Jul 19, 2001, 08:20 PM

Here's some info on this that I just got, looks like it could be pretty serious. Only affects WinNT and 2K boxes running IIS without MS01-033 patch applied:

This should be interesting.....

-----Original Message-----

Thanks to Eric from Symantec for tossing us a note about the worm being Date based and not Time based.

We made an error in our last analysis and said the worm would start attacking whitehouse.gov based on a certain time. In reality it's based on a date (the 20th UTC) which is tomorrow.

If the worm infects your system between the 1st and the 19th it will attempt to deface the infected server's web page or try to propagate itself to other systems. On the 20th all infected threads will attempt to attack www.whitehouse.gov. This seems to continue until the worm is removed from the infected system.

Any new infection that happens between the 20th and 28th will most likely be someone "hand infecting" your system as all other worms should be attacking whitehouse.gov. If for some reason you are infected between the 20th and the 28th then the worm will begin attacking whitehouse.gov without trying to infect other systems. This attack will continue indefinitely.

The following are rough numbers, but we felt that it was important to illustrate the effects this worm can _possibly_ have.

The worm has a timeline like this:

day of the month:
1-19: infect other hosts using the worm
20-27: attack whitehouse.gov forever
28-end of month: eternal sleep

Presumably, this could restart at any point in a new month again.

Also, some stats for the attack:

Each infection has 100 threads
Each thread is going to send about 100k, a byte at a time, which means you have a (40 for ip + 1 for each byte) which means you have 4.1 megs of data per thread
100 threads * 4.1megs = 410 Megabytes
This will be repeated again every 4.5 hours or so

Remember, each host can be infected multiple times, meaning that a single host can send 410MB * # of infections.

We have had reports between 15 thousand and 196 thousand unique hosts infected with the "Code Red" worm. However, there has been cross infection and we have heard reports of at least 300+ thousand infections/instances (machines with multiple infections etc..) of this worm.

If there are 300 thousand infections then that means you have (300,000 * 410 megabytes) that is going to be attempted to be flooded against whitehouse.gov every 4 and a half hours. If this is true and the worm "works as advertised" then the fact that whitehouse.gov goes offline is only the beginning of what _can_ possibly happen...

----

I am actually writing this part of the eMail about 45 minutes after the first part because our Internet connection here in California has been going up and down. We have also heard reports of internet connectivity going down in parts of northern California and New York.
Reply
#2 | Bracketracer | Jul 19, 2001, 08:50 PM

Damn....and I thought the GRC DoS story was wild.....this is unreal
Reply
#3 | NexxTT | Jul 19, 2001, 08:56 PM

TTN's server was choked today by a "Chinese" worm....same?
Reply
#4 | OzChris | Jul 19, 2001, 09:08 PM

This is the info. I received on the worm this morning.

http://it.mycareer.com.au/breaking/2001/07/20/FFXJM0IUCPC.html
Reply
#5 | Gnowknayme | Jul 20, 2001, 06:17 AM

I think we were getting hit by that yesterday.

I've got tons of hits in all of our logs that match the worm (GET /default.ida?NNNNNNNN.... or something like that) and they started right about the same time one of our NT web servers just started shutting down for no apparent reason. The machine would stay up, but IIS would just stop all the web and FTP servers so I would have to start them all back up again. Rebooted a few times and it still kept on doing it. After looking around for a while, I figured out that was the one server that apparently got skipped when I was applying patches last time...Oops. Patch applied, reboot, no more problems.

Supposedly, the worm does some sort of defacement after it has been installed for 2 hours, so luckily, I got the machine patched and rebooted before that happened. BTW, if you have a Windows 2000 server running IIS 5, you can download an application from MS that will check for hotfixes periodically...I highly recommend it. If you need more info on that, just ask and I can probably track it down.
Reply
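A check for the request pattern described in the post above, combined with the day-of-month timeline from the e-mail in the first post. This is an added example, not part of any post in this thread; it assumes W3C extended format logs with UTC dates, and the 16-character threshold, the function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: 16+ leading N's marks the padding run; the post only shows "NNNNNNNN....".
PROBE_QUERY = re.compile(r"^N{16,}")

def worm_phase(day_of_month):
    """Phase per the timeline in the quoted e-mail (day of month, UTC)."""
    if day_of_month <= 19:
        return "propagate"
    return "attack" if day_of_month <= 27 else "sleep"

def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def is_probe(rec):
    """True for GET /default.ida with a long run of N's in the query."""
    return (rec.get("cs-method") == "GET"
            and rec.get("cs-uri-stem", "").lower() == "/default.ida"
            and PROBE_QUERY.match(rec.get("cs-uri-query", "")) is not None)

def summarize(text):
    """Return (hits per source IP, hits per worm phase) for matching requests."""
    by_source, by_phase = Counter(), Counter()
    for rec in parse_w3c(text):
        if is_probe(rec):
            by_source[rec["c-ip"]] += 1
            by_phase[worm_phase(int(rec["date"].split("-")[2]))] += 1
    return by_source, by_phase

PAD = "N" * 40
# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-07-19 14:02:11 192.0.2.10 GET /default.ida {PAD} 200",
    f"2001-07-19 14:02:12 192.0.2.10 GET /default.ida {PAD} 200",
    f"2001-07-19 14:05:40 198.51.100.7 GET /Default.IDA {PAD} 200",
    "2001-07-19 14:07:30 203.0.113.5 GET /default.ida NNNN 404",
    "2001-07-19 14:08:00 203.0.113.9 GET /default.ida",
])
```

A matching request only shows that a probe reached the server; as the first post notes, only WinNT and 2K boxes running IIS without the MS01-033 patch are affected.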
#6 | 225TTR | Jul 20, 2001, 06:20 AM

Sounds like it from the story in the Washington Post this morning.
Reply
#7 | EloqnTT | Jul 20, 2001, 07:16 AM

Mostly affecting ISPs and backbone providers...

the worm is also IP address-based. whitehouse.gov changed its IP address, and some major backbone providers filtered the old IP addresses. My ISP had been hit by 33,000 distinct infected hosts as of yesterday afternoon, but since they're not MS-based, no infection occurred at the ISP.
Reply
All times are GMT -8.