RE: Full analysis of the .ida "Code Red" worm.

From: Marc Maiffret (marcat_private)
Date: Thu Jul 19 2001 - 18:55:13 PDT


    You basically just summed up what I was writing in an eMail... As far as
    things look right now... whitehouse.gov will remain standing upright because
    they blackholed the IP address that used to map to it, which was the right
    thing to do and kept this from turning into a much bigger problem than it
    already is.
    
    This of course does not by any means mean the worm is done. Hopefully enough
    people are talking and administrators are listening and installing patches
    right away.
    
    ---
    as a side note... some people asked about why the worm has "slowed down" on
    infecting, and that's because the worm was designed to do that... to stop
    infecting and start attacking an IP address that used to point to
    whitehouse.gov.
    
    This whole worm process that we have been going through will basically start
    from scratch and run its course again when the 1st of next month comes
    around.
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Web Application Firewall
    
    | -----Original Message-----
    | From: Ryan Russell [mailto:ryanat_private]
    | Sent: Thursday, July 19, 2001 6:36 PM
    | To: Laurence Hand
    | Cc: Marc Maiffret; BUGTRAQ
    | Subject: Re: Full analysis of the .ida "Code Red" worm.
    |
    |
    | On Thu, 19 Jul 2001, Laurence Hand wrote:
    |
    | >
    | > I know MS watches this list, so I hope they will be checking their
    | > servers before this starts the DDOS tomorrow.
    | >
    |
    | I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC,
    | the next day).  I was getting 5-10 attempts an hour, and I've had 0
    | since 4:43:29 PDT.
    |
    | Folks will notice that www.whitehouse.gov is still accessible.  The worm
    | authors only put in one IP address, the one for www1.whitehouse.gov.  BBN
    | (who appears to be the provider for whitehouse.gov, according to my
    | tracert) has blocked that single IP address at their peering points.  So
    | www2.whitehouse.gov is still running just fine.
    |
    | Presumably, www.whitehouse.gov used to be RR DNS between the two.  Now,
    | www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of
    | only 872.
    |
    | For a relatively clever worm, the author sure screwed up his target list.
    | Whoops.
    |
    | 					Ryan
    |
    |
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 21:47:37 PDT