Code Red Worm, New information

From: Alfred Huger (ahat_private)
Date: Fri Jul 20 2001 - 12:34:52 PDT


    Heya all,
    
    By now we are all aware of the serious nature of the Code Red Worm. One of
    the most powerful lessons we can all take away from this is how this
    community is capable of mustering in times of crisis like this in order to
    face and analyze threats. The traffic across the Incidents and Bugtraq
    lists, among other sources, has been outstanding in terms of rallying
    against this. A number of efforts are underway to address this situation
    outside of list discussion; I am going to outline what we are doing here at
    SecurityFocus. This is not intended to detract from anyone else's work,
    it's all great, we are just bringing you into our contribution.
    
    
    Notification
    ------------
    
    First, we are in the process of notifying all of the infected IP owners
    that we know of. This data has been taken from the ARIS Analyzer user base
    as well as contributions from individuals in the community (I will post a
    public thanks to them just as soon as they give me permission to do so).
    The list of infected hosts that we are now in the process of notifying
    against is a little over 40,000 hosts. Each host owner that we can
    identify will be receiving a mail outlining the fact that they are
    infected, which IPs are infected and how to address the situation.
    
    New Data Reports
    ----------------
    
    Second, we are posting a series of reports derived from ARIS Predictor, a
    SecurityFocus system designed to track events such as these. The data is
    coming from a system which is pre-production, so it will contain some minor
    inconsistencies; please take this into account. The data we are posting
    here is derived from 100 IDS sensors across 6 continents, with statistics
    derived from a 10 day period, the 10th until today. The information
    available herein is quite interesting and worth a read. We will make a
    point of making this type of information available whenever we face a
    problem like this in the community. Now, onto the reports:
    
    1. New Attacks Trend Report
    
    This report displays the frequency with which attacks have been observed
    (in terms of deviation from a baseline) over the last 10 days. It clearly
    shows our first contact with the worm on the 11th (earlier than previously
    thought). Other reports (not listed here) show the first contact happening
    at 17:00 GMT in the USA on the 11th.
    
    http://www.securityfocus.com/data/staff/Trends.pdf
    
    2. Top 10 Destination (Attacked Countries) for the Code Red Worm
    
    This report displays the top ten victim countries for which the greatest
    number of attacks is destined. This pie graph and all of the others only
    tabulate data from the IDSs which saw the attack, therefore the numbers
    will not add up to 100%.
    
    http://www.securityfocus.com/data/staff/destination.pdf
    
    
    3. Average Attacks Based On Averaged Time Of Day (10 days)
    
    This graph shows the frequency of attacks across time of day as seen by
    each continent. Very interesting.
    
    http://www.securityfocus.com/data/staff/timeofday.pdf
    
    4. Average Attacks Based On Averaged Time Of Day (1 day)
    
    This graph shows the frequency of attacks across time of day as seen by
    each continent for the 19th.
    
    http://www.securityfocus.com/data/staff/timeofday-1.pdf
    
    5. Attacked Industries Report
    
    This report displays the frequency of attacks targeted against specific
    industry types over our 10 day period.
    
    http://www.securityfocus.com/data/staff/industry.pdf
    
    6. Targets As Determined By Revenue
    
    This report displays the frequency of attacks targeted against companies
    of a particular annual revenue range.
    
    http://www.securityfocus.com/data/staff/revenue.pdf
    
    We could post a large number of other reports with more granular data or
    against other data points, but this should be sufficient for the time
    being to help augment the current data available. We will quite possibly
    post other information in the near future.
    
    Cheers, Alfred Huger
    
    VP Engineering
    SecurityFocus
    "Vae Victis"
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 12:47:23 PDT