Re: Mitigating some of the effects of the Code Red worm

From: Johannes B. Ullrich (jullrichat_private)
Date: Thu Jul 19 2001 - 18:13:23 PDT


    I have sent about 5000+ emails over the last week to systems very
    likely infected with the Red Alert Virus (based on data collected
    by DShield.org). It was the first time in the 6+ months I have been running
    that service that I got flooded with abusive e-mail because
    I attempted to notify sysadmins that their machine was hacked.
    
    Many just did not understand that, even though the report indicated
    a hit against port 80, it is not 'usual web traffic'. If you have a
    web server, there is no need for it to hit port 80 on random machines.
    
    Also, how hard is it to check if a machine is ok or not? Code Red
    was not very obvious to spot, and it took us a couple of days to find
    out what was going on. But if someone tells you that a machine on your
    network is doing something that is perceived as unusual, why not take
    a quick look?
    
    In short, as long as sysadmins don't start to care and get their systems
    up to date, things like this will continue to happen. I was lucky that
    the main submitters of the data were very patient with the abusive
    responses and took the time to respond to them individually.
    
    We are not talking about home users here who installed the latest
    magic 'improve your modem speed' virus.
    
    Well, I won't give up. I am sure the 'Dark Red Alert' is just around the
    corner waiting. And I don't mind playing 'whack the worm' for a while.
    
    We could send 'RMV's to all Subsevens, or 'noworm' files to all IIS
    servers. But the next worm will not care... and if someone has no
    virus scanner they will get reinfected with SubSeven on their next
    visit to IRC.
    
    ....
    > 1) There is something of an ongoing log of affected machines that can be
    > obtained from boxes earlier in the IP list.
    > 2) Machines which have been compromised can STILL be compromised.
    > 3) The worm has a "lysine deficiency" which can be remotely introduced.
    .....
    >
    > Ben Lard
    > University of Colorado, Boulder
    >
    >
    
    -- 
    -------
    jullrichat_private                 Join http://www.DShield.org
    
                              Distributed Intrusion Detection System
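As an added illustration of the point made at the top of the message (this is example code, not from the post or from DShield): a small Python check over constructed firewall records that flags hosts opening connections to port 80 on many distinct addresses, the pattern the reports described and one a machine that merely serves a web site has no reason to produce. The log format, the sample addresses and the threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of outbound connection attempts logged at a perimeter
# firewall. Assumed format (not DShield's real submission format):
# "<timestamp> <src_ip> <dst_ip> <dst_port>", one attempt per line.
SAMPLE_LOG = """\
2001-07-19T18:01:02 10.0.0.5 192.0.2.10 80
2001-07-19T18:01:02 10.0.0.5 198.51.100.3 80
2001-07-19T18:01:03 10.0.0.5 203.0.113.77 80
2001-07-19T18:01:03 10.0.0.5 192.0.2.44 80
2001-07-19T18:01:04 10.0.0.5 198.51.100.120 80
2001-07-19T18:01:04 10.0.0.5 203.0.113.5 80
2001-07-19T18:02:10 10.0.0.7 192.0.2.10 80
2001-07-19T18:02:11 10.0.0.7 192.0.2.10 80
2001-07-19T18:02:30 10.0.0.9 198.51.100.3 25
2001-07-19T18:02:31 10.0.0.9 203.0.113.77 25
"""


def parse_log(text):
    """Parse the assumed log format into (src_ip, dst_ip, dst_port) tuples,
    skipping blank or malformed lines instead of failing on them."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _, src, dst, dport = parts
        records.append((src, dst, int(dport)))
    return records


def find_port80_scanners(records, min_targets=5):
    """Return {src_ip: distinct_target_count} for every source that tried to
    reach port 80 on at least min_targets different hosts. Serving port 80
    never puts a host in this list; scanning it on random hosts does, and
    that is the case that deserves the 'quick look' the message asks for."""
    targets = defaultdict(set)
    for src, dst, dport in records:
        if dport == 80:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, count in find_port80_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src} tried port 80 on {count} distinct hosts")
```

Host 10.0.0.7 repeatedly reaching one site on port 80 is ordinary client traffic and is not flagged; 10.0.0.5 fanning out to six different hosts is.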
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 22:51:57 PDT