[ISN] Net security experts carve up Code Red II worm over dinner

From: InfoSec News (isnat_private)
Date: Tue Aug 07 2001 - 03:10:55 PDT

    Monday, Aug. 6, 2001 
    SAN FRANCISCO (Reuters) - They came to dine on filet and smoked duck
    but a computer worm ended up as the main course.
    A group of high-powered Internet security experts took their laptops
    to dinner on Saturday and between courses began analyzing the virulent
    new worm that now threatens the Web, the researcher who hosted the
    gathering said Monday.
    Analysts from Microsoft, Symantec, Computer Associates, Deloitte &
    Touche and the U.S. Naval Fleet Warfare Center among others had been
    gathered at the third annual NTBugTraq retreat in Canada when the
    first reports of Code Red II circulated, said Russ Cooper, surgeon
    general of TruSecure Corp.
    The group, representing about 20 companies, was finishing up a
    six-course dinner that included smoked duck, filet mignon and South
    Australian Shiraz wine on Saturday night at Cooper's home in Lindsay,
    Ontario, he said.
    ``It was a meal with laptops beside the dinner plates,'' said Cooper,
    who runs the NTBugTraq email list where security alerts about Internet
    viruses are routinely distributed.
    Nick Fitzgerald, who works for Computer Associates in New Zealand, was
    checking his email when he found an alert for members of the Computer
    Antivirus Researcher's Organization (CARO) around 10:30 p.m. EDT,
    Cooper said.
    The email, from a Romanian researcher for Cambridge, England-based
    antivirus firm Kaspersky Labs, warned of a new Code Red worm.
    The group gathered around the dinner table in Canada then managed to
    get a copy of the worm and began disassembling its code, while
    communicating with researchers in other countries via instant
    messenger, Cooper said.
    At 12:30 a.m. EDT, ``we were talking on the phone with a network
    administrator in Australia, comparing log entries,'' he said. ``We did
    pretty much cover the globe in terms of speaking to experts around the
    Cooper e-mailed a copy of the worm to Bruce Hughes, a manager in
    TruSecure's Internet Computer Security Association (ICSA) antivirus
    testing lab, dubbed ``Death Row.''
    After being awakened by Cooper's phone call, Hughes drove to the lab
    in Carlisle, Penn., and got busy infecting several of its 165
    computers with the worm to see how it operates, Cooper said.
    Cooper sent out his first Code Red II advisory to the NTBugTraq email
    list around 11:30 p.m. EDT on Saturday and another one at 5:20 a.m.
    EDT on Sunday, around the time the group was finally calling it a
    ``We had it pretty well sussed out at that point,'' he said. ``We knew
    what it could do and how to stop it.''
    Other efforts to dissect and analyze the worm were going on at the
    same time.