RE: Code Red Worm, New information

From: Pat Moffitt (pmoffittat_private)
Date: Fri Jul 20 2001 - 15:48:59 PDT


    So, how do we wish to report these things to those keeping track?  I didn't
    start getting hit by this until days after the initial reports, therefore I
    did not believe that anyone needed to hear about the (comparatively) low
    number of hits by the Code Red Worm.  (But it sure was interesting to hear
    about it so I knew it was coming.)  I sure have not seen the volume of scans
    and attempted attacks that others have.
    
    Oh, and thank you guys very much for sending out information on the subject
    before I started getting hit.
    
    Are you expecting information from us on what IPs are hitting us or are you
    doing all your own scanning?
    
    Pat Moffitt
    MIS Administrator
    Western Recreational Vehicles, Inc.
    
    
    > -----Original Message-----
    > From: Alfred Huger [mailto:ahat_private]
    > Sent: Friday, July 20, 2001 12:35 PM
    > To: incidentsat_private
    > Cc: bugtraqat_private
    > Subject: Code Red Worm, New information
    >
    >
    >
    >
    > Heya all,
    >
    > By now we are all aware of the serious nature of the Code Red Worm. One of
    > the most powerful lessons we can all take away from this is how this
    > community is capable of mustering in times of crisis like this in order to
    > face and analyze threats. The traffic across the Incidents and Bugtraq lists,
    > among other sources, has been outstanding in terms of rallying against
    > this. A number of efforts are underway to address this situation outside
    > of list discussion; I am going to outline what we are doing here at
    > SecurityFocus. This is not intended to detract from anyone else's work,
    > it's all great, we are just bringing you into our contribution.
    >
    >
    > Notification
    > ------------
    >
    > First, we are in the process of notifying all of the infected IP owners
    > that we know of. This data has been taken from the ARIS Analyzer user base
    > as well as contributions from individuals in the community (I will post a
    > public thanks to them just as soon as they give me permission to do so).
    > The list of infected hosts that we are now in the process of notifying
    > against is a little over 40,000 hosts. Each host owner that we can
    > identify will be receiving a mail outlining the fact that they are
    > infected, which IPs are infected and how to address the situation.
    >
    > New Data Reports
    > ----------------
    >
    > Second, we are posting a series of reports derived from ARIS Predictor, a
    > SecurityFocus system designed to track events such as these. The data is
    > coming from a system which is pre-production, so it will contain some minor
    > inconsistencies; please take this into account. The data we are posting
    > here is derived from 100 IDS sensors across 6 continents with statistics
    > derived from a 10 day period, the 10th until today. The information
    > available herein is quite interesting and worth a read. We will make a
    > point of making this type of information available whenever we face a
    > problem like this in the community. Now, onto the reports:
    >
    > 1. New Attacks Trend Report
    >
    > This report displays the frequency with which attacks have been
    > viewed (in terms of abnormal compared against a baseline) over the last 10
    > days. It clearly shows our first contact with the worm on the 11th
    > (earlier than previously thought). Other reports (not listed here) show
    > the first contact happening at 17:00 GMT in the USA on the 11th.
    >
    > http://www.securityfocus.com/data/staff/Trends.pdf
    >
    > 2. Top 10 Destination (Attacked Countries) for the Code Red Worm
    >
    > This report displays the top ten victim countries for which the greatest
    > number of attacks is destined. This pie graph and all of the others only
    > tabulate data from the IDSs which saw the attack, therefore the numbers
    > will not add up to 100%.
    >
    > http://www.securityfocus.com/data/staff/destination.pdf
    >
    >
    > 3. Average Attacks Based On Averaged Time Of Day (10 days)
    >
    > This graph shows the frequency of attacks across time of day as seen by
    > each continent. Very interesting.
    >
    > http://www.securityfocus.com/data/staff/timeofday.pdf
    >
    > 4. Average Attacks Based On Averaged Time Of Day (1 day)
    >
    > This graph shows the frequency of attacks across time of day as seen by
    > each continent for the 19th.
    >
    > http://www.securityfocus.com/data/staff/timeofday-1.pdf
    >
    > 5. Attacked Industries Report
    >
    > This report displays the frequency of attacks targeted against specific
    > industry types over our 10 day period.
    >
    > http://www.securityfocus.com/data/staff/industry.pdf
    >
    > 6. Targets As Determined By Revenue
    >
    > This report displays the frequency of attacks targeted against companies
    > of a particular annual revenue range.
    >
    > http://www.securityfocus.com/data/staff/revenue.pdf
    >
    > We could post a large number of other reports with more granular data or
    > against other data points, but this should be sufficient for the time
    > being to help augment the current data available. We will quite possibly
    > post other information in the near future.
    >
    > Cheers, Alfred Huger
    >
    > VP Engineering
    > SecurityFocus
    > "Vae Victis"
    >
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat Jul 21 2001 - 14:37:34 PDT