Code Red worm address generator pattern

From: Ken Eichman (keichmanat_private)
Date: Fri Jul 20 2001 - 12:34:47 PDT


    I posted this chart before showing non-legitimate http syn scans
    targeting my class-b address space on 07/19 broken down by hour (EDT,
    GMT-4); probable code red probes.  However I did some further
    crunching and added an additional column showing the number of
    destination addresses within my class-b address space being targeted
    by non-legitimate http syn scans during that 60 minute timeframe.
    
    Note that the number of addresses being targeted held steady and then
    suddenly jumped until it covered nearly the entire class-b range.
    This jump coincides with the increase in source addresses scanning.
    Worm variant? Or sudden increase in efficiency?
    
    Hour   # Code Red Worm Scans  # Unique Source        # Unique Dest
    EDT                           Addresses Scanning     Addresses being
                                                         Scanned
    -----  ---------------------  --------------------   ---------------
     00          12699                    2450                562
     01          13059                    2577                562
     02          13272                    2590                541
     03          13056                    2564                525
     04          13283                    2632                507
     05          13229                    2612                502
     06          13554                    2601                468
     07          13517                    2608                506
     08          13746                    2685                612
     09          16819                    3325               1724
     10          36589                    7838               8338
     11         116083                   26823              28462
     12         295348                   68085              51459
     13         466542                  103522              59699
     14         520973                  113451              60881
     15         513513                  115124              60814
     16         513894                   90931              60900
     17         499642                  111175              60469
     18         480850                  106215              59987
     19         449712                   97699              58908
     20          26687                    7319               8507
     21           9197                    2181               3046
     22           7782                    1814               2570
     23           7056                    1648               2343
    
    Ken Eichman                  Senior Security Engineer
    Chemical Abstracts Service   Tel:   (614) 447-3838 ext 3230
    2540 Olentangy River Road    Fax:   (614) 447-3855
    Columbus, OH 43210           Email: keichmanat_private
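
The per-hour breakdown in the chart above can be produced from connection logs along the following lines. This is an added example, not the poster's own tooling: the log format, the `10.20.0.0/16` monitored range, the `LEGIT_WEB` exclusion list and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Assumed format (not from the original post):
# local-time ISO timestamp, source IP, destination IP, destination port, TCP flags.
SAMPLE = """\
2001-07-19T09:01:12 198.51.100.7 10.20.4.9 80 S
2001-07-19T09:03:40 198.51.100.7 10.20.4.10 80 S
2001-07-19T09:15:02 203.0.113.5 10.20.4.9 80 S
2001-07-19T09:20:00 203.0.113.5 10.20.0.80 80 S
2001-07-19T09:30:00 203.0.113.5 10.20.4.9 22 S
2001-07-19T10:00:01 198.51.100.7 10.20.200.1 80 S
2001-07-19T10:00:02 203.0.113.5 10.20.200.2 80 S
2001-07-19T10:00:03 203.0.113.9 10.20.200.3 80 S
2001-07-19T10:05:00 203.0.113.9 10.20.4.9 80 SA
garbage line
2001-07-19T10:06:00 203.0.113.9 192.0.2.1 80 S
"""

MONITORED = ipaddress.ip_network("10.20.0.0/16")   # placeholder class-B range
LEGIT_WEB = {ipaddress.ip_address("10.20.0.80")}   # placeholder real web servers

def hourly_summary(text, monitored=MONITORED, legit=LEGIT_WEB):
    """Return {hour: (scans, unique_sources, unique_dests, fraction_of_range)}."""
    scans, srcs, dsts = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed records
        ts, src, dst, dport, flags = parts
        try:
            hour = datetime.fromisoformat(ts).hour
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue                      # unparsable timestamp or address
        if dport != "80" or flags != "S":
            continue                      # keep only bare SYNs to HTTP
        if dst_ip not in monitored or dst_ip in legit:
            continue                      # outside the range, or a real web server
        scans[hour] += 1
        srcs[hour].add(src_ip)
        dsts[hour].add(dst_ip)
    return {h: (scans[h], len(srcs[h]), len(dsts[h]),
                len(dsts[h]) / monitored.num_addresses) for h in sorted(scans)}

if __name__ == "__main__":
    for hour, (n, s, d, cov) in hourly_summary(SAMPLE).items():
        print(f"{hour:02d} {n:>8} {s:>8} {d:>8} {cov:8.3%}")
```

The last column expresses the unique-destination count as a fraction of the 65,536 addresses in the monitored range, which makes a jump in coverage easy to spot.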
    



    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 12:56:54 PDT