Heya all,

By now we are all aware of the serious nature of the Core Red Worm. One of the most powerful lessons we can all take away from this is how this community is capable of mustering in times of crisis like this in order to face and analyze threats. The traffic across the Incidents, Bugtraq lists among other sources has been outstanding in terms of rallying against this.

A number of efforts are underway to address this situation outside of list discussion. I am going to outline what we are doing here at SecurityFocus. This is not intended to detract from anyone else's work, it's all great, we are just bringing you into our contribution.

Notification
------------

First, we are in the process of notifying all of the infected IP owners that we know of. This data has been taken from the ARIS Analyzer user base as well as contributions from individuals in the community (I will post a public thanks to them just as soon as they give me permission to do so). The list of infected hosts that we are now in the process of notifying against is a little over 40,000 hosts. Each host owner that we can identify will be receiving a mail outlining the fact that they are infected, which IPs are infected and how to address the situation.

New Data Reports
----------------

Second, we are posting a series of reports derived from ARIS Predictor, a SecurityFocus system designed to track events such as these. The data is coming from a system which is pre-production so it will contain some minor inconsistencies, please take this into account. The data we are posting here is derived from 100 IDS sensors across 6 continents with statistics derived from a 10 day period, the 10th until today.

The information available herein is quite interesting and worth a read. We will make a point of making this type of information available whenever we face a problem like this in the community.

Now, onto the reports:

1. New Attacks Trend Report

This report displays the frequency with which attacks have been viewed (in terms of abnormal compared against a baseline) over the last 10 days. It clearly shows our first contact with the worm on the 11th (earlier than previously thought). Other reports (not listed here) show the first contact happening at 17:00 GMT in the USA on the 11th.

http://www.securityfocus.com/data/staff/Trends.pdf

2. Top 10 Destination (Attacked Countries) for the Core Red Worm

This report displays the top ten victim countries for which the greatest number of attacks is destined. This pie graph and all of the others only tabulate data from the IDSs which saw the attack, therefore the numbers will not add up to 100%.

http://www.securityfocus.com/data/staff/destination.pdf

3. Average Attacks Based On Averaged Time Of Day (10 days)

This graph shows the frequency of attacks across time of day as seen by each continent. Very interesting.

http://www.securityfocus.com/data/staff/timeofday.pdf

4. Average Attacks Based On Averaged Time Of Day (1 day)

This graph shows the frequency of attacks across time of day as seen by each continent for the 19th.

http://www.securityfocus.com/data/staff/timeofday-1.pdf

5. Attacked Industries Report

This report displays the frequency of attacks targeted against specific industry types over our 10 day period.

http://www.securityfocus.com/data/staff/industry.pdf

6. Targets As Determined By Revenue

This report displays the frequency of attacks targeted against companies of a particular annual revenue range.

http://www.securityfocus.com/data/staff/revenue.pdf

We could post a large number of other reports with more granular data or against other data points, but this should be sufficient for the time being to help augment the current data available. We will quite possibly post other information in the near future.

Cheers,

Alfred Huger
VP Engineering
SecurityFocus
"Vae Victis"

This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 12:38:51 PDT