"The Death" <thedeadhat_private> wrote: > 1) Is it known if the CRv2 worm will function like CRv1, in the matter of > c:\noworm ? If so, then systems who were once infected (with the CRv1 worm) > will actually not go trough step 7 (attacking www.whitehouse.gov) "CRv2" *is* identical to "CRv1" except in that it has an effective random network address generator and it does not intercept page serving and return "defaced" pages. (And note that the defaced page serving, like everything else in this worm, is done entirely from running code. I've seen many well-meaning descriptions of cleaning it up that end with something to the effect of "search for and replace any defaced web pages" -- well, that's a waste of time if the only thing that could have "defaced" your server was Code Red, because there are no defaced web page files.) > 2) Is it known for the destenation of attack used by the CRv2 worm? Is it > still trying to attack the blocked IP as CRv1 ? "CRv2" is identical to "CRv1" except... It "attacks" the same IP in the same way at the same time for the same duration. > 3) What, do you think, caused the 'black hat' who made CRv1 to release CRv2? Do you know it was the same person? Perhaps you should be talking to the authorities... > It isn't too smart to send CRv1 to "check the ground", as CRv1 brought alot > of awareness to the bug exploited, therefore CRv2 will have much less hosts > to exploit. Might it be that the 'black-hat' was not aware of the short > period of the PRNG he designed? The evidence is that "CRv1" did *not* significantly reduce the potential host-base for this exploit. It was CRv2 that "took off" on (US) Thursday. If you think about the way CRv1 works, with every instance trying to hit the same sequence of machines, CRv1 *must* spread slowly because the first machine hit will "lead the pack" with all its offspring simply following in its footsteps. Unless one of its early hits is a much more powerful machine or has much more bandwidth to exploit, the first victim will lead the way and the others will just keep following. If that initial victim is stopped for whatever reason ("unexplainable" performance degradation causing a frustrated (and largely clueless) admin to reboot it being the most likely cause), the instance most closely at that first victims heels will take over the lead, with a growing pack following it. It was this observation and the sudden explosive growth of Code Red on Thursday that tipped various people off that something new was happening. You should check Stuart Sandiford's modelling of various Code Red attack reports (posted to incidents.org and the incidents list on Friday) to get more of an idea of these issues. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 13:54:24 PDT