Re: CodeRed: the next generation

From: Stuart Staniford (stuartat_private)
Date: Fri Jul 20 2001 - 12:26:43 PDT


    I've now analyzed data from three different sites, using the simple random
    spread model I outlined in my post to Incidents very early this morning.  All
    three sets of data are very consistent with each other, and all are well
    explained by the hypothesis that the CRv2 worm was released in the early hours
    of yesterday morning, that it had a reasonably good random spread algorithm
    (unlike CRv1) and that it was capable of a spread of approximately 1.8
    compromises/hour.  (That is, a compromised host in the early stages of the
    infection could find and compromise about 1.8 other hosts in an hour - in the
    later stages it drops off because most hosts are already compromised.)
    
    It probably compromised almost all the .ida vulnerable hosts on the Internet
    over the course of about twelve hours before being cleaned up and/or turning
    itself dormant.  There's no doubt a great deal of it still lying dormant.
    
    This was definitely a big bad worm.  I imagine the worm writers can improve
    significantly on 1.8 compromises/hour though, so it's only going to get worse. 
    I'm sure we can expect to see smarter targeting too.
    
    The analysis from early this morning is at 
    
    http://www.silicondefense.com/cr/
    
    I'll hopefully get a fuller analysis out some time soon.
    
    Stuart.
    
    -- 
    Stuart Staniford     ---     President     ---     Silicon Defense
             ** Silicon Defense: Technical Support for Snort **
    mailto:stuartat_private  http://www.silicondefense.com/
    (707) 445-4355 x 16                           (707) 445-4222 (FAX)
    
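An added illustration of the random spread model the post refers to (example code written for this archive page, not part of Staniford's post or the Silicon Defense analysis): each infected host finds about K new victims per hour while most hosts are still clean, so the infected fraction follows logistic growth, and K can be estimated from a sensor's early-phase hourly counts. The hourly counts below are constructed, not real data.

```python
# Random constant spread model: every infected host compromises K new hosts
# per hour in the early phase, so the infected fraction a(t) of the vulnerable
# population obeys da/dt = K * a * (1 - a) (logistic growth).
# Sample counts further down are constructed, not real sensor data.
import math


def infected_fraction(t_hours: float, k: float, a0: float) -> float:
    """Fraction of vulnerable hosts infected at time t, from fraction a0 at t=0."""
    e = math.exp(k * t_hours)
    return a0 * e / (1.0 + a0 * (e - 1.0))


def hours_to_fraction(target: float, k: float, a0: float) -> float:
    """Hours until the infected fraction reaches `target` (0 < a0 < target < 1)."""
    def logit(a: float) -> float:
        return math.log(a / (1.0 - a))
    return (logit(target) - logit(a0)) / k


def estimate_rate(observations) -> float:
    """Estimate K from (hour, distinct infected sources seen) pairs at a sensor.

    While almost all hosts are still clean, a(t) ~ a0 * exp(K t), so the slope
    of ln(count) against time (ordinary least squares) estimates K.  Pass only
    early-phase observations: once a sizable share of hosts is infected the
    curve flattens and this estimate is biased low.
    """
    xs = [float(h) for h, _ in observations]
    ys = [math.log(c) for _, c in observations]
    n = len(xs)
    xbar, ybar = sum(xs) / n, sum(ys) / n
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    sxx = sum((x - xbar) ** 2 for x in xs)
    return sxy / sxx


# Constructed: distinct scanning sources per hour at one sensor, early phase.
SAMPLE_HOURLY_SOURCES = [(0, 5), (1, 30), (2, 183), (3, 1107), (4, 6697)]

if __name__ == "__main__":
    k = estimate_rate(SAMPLE_HOURLY_SOURCES)
    print(f"estimated spread rate: {k:.2f} compromises/hour")
    # From one infected host in 100,000 vulnerable (assumed), time to reach 99%.
    print(f"hours to 99% infected: {hours_to_fraction(0.99, k, 1e-5):.1f}")
```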
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 12:48:33 PDT