Code Red Worm, closing notes

From: Alfred Huger (ahat_private)
Date: Sun Jul 22 2001 - 18:35:22 PDT


    It seems as if the Code Red worm has gone to sleep for now, at least so
    far as we can tell. It will be interesting to see what happens when it
    re-awakens.
    
    My previous email noted that the ARIS project would be notifying as many
    IPs as we could about possible infections of the worm. To that end we
    notified against 172,066 unique IPs within 27,640 unique domains. We owe
    a special thanks to Vern Paxson of LBL in this regard for supplying a
    significant amount of data alongside our own ARIS data.
    
    Some notes of interest:
    
    List of the largest bulk offenders:
    
        923 Level3.net
        1159 cnc.net
        1251 shawcable.net
        1309 att.net
        1363 bellatlantic.net
        1404 wanadoo.fr
        1438 gtei.net
        1452 btinternet.com
        1705 mindspring.com
        1709 swbell.net
        1905 bellsouth.net
        2358 mediaone.net
        2395 uu.net
        2496 aol.com
        2909 hinet.net
        3870 pacbell.net
        4148 t-dialin.net
        5940 rr.com
    
    As I said earlier, the traffic seems to have dropped off. This is a graph
    showing this attack alongside the rest of the Internet noise (in terms of
    attacks trending up), the cessation is readily apparent:
    
    http://www1.securityfocus.com/data/staff/trended3.pdf
    
    
    
    Cheers,
    -al
    
    VP Engineering
    SecurityFocus.com
    "Vae Victis"
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 18:47:47 PDT