Wide-scale Code Red Damage Assessment and Report

From: Jon O . (jonoat_private)
Date: Sun Jul 22 2001 - 14:50:53 PDT


    During the infection phase of Code Red (on the 19th) we wrote a small tool
    for research purposes.
    
    This tool read in logs of machines sending the default.ida attack and connected
    back to them on port 80, made a GET request and dumped the resulting data.
    
    This tool was run continuously from 3 unique machines in different locations
    around the internet, but all in the West Coast US. These "Response machines"
    connected to over 40K machines over the course of the next 24 hours.
    
    The goal is to research and gain statistics on what types of companies were
    launching these attacks on our servers.
    
    Around 10:00 am PST we saw a sharp decrease in the success of our connections to
    the attacking machines on port 80. Obviously, this was probably the result
    of administrators finding these machines compromised and attacking a phantom
    www1.whitehouse.gov. Our port 80 connections to these machines steadily
    decreased over the next 12 hours.
    
    After dumping the index.html (or similar) pages from the attacking machines,
    we began to analyze the data. We decided the only real good information
    contained in this data was the time aspect mentioned above and the type of
    website being served.
    
    The time is of interest because it shows how quickly the infection was responded
    to by engineers and administrators. This data is far from scientific, though,
    and admins could have patched their machines and had them back up when the
    Response machines connected.
    
    The other item of interest was the sites being served on these machines. We 
    are attempting to break the sites down into categories as follows:
    	
    	E-Commerce Site
    	General Website
    	Health Care providers
    	Government Agencies
    	Online Banking Institutions
    
    We will publish this information to this list when complete. However, to protect
    the privacy of these sites, companies, etc. we are not planning on releasing names.
    
    Also, there are some sites which appear to contain gateways to sensitive data.
    We encourage the Responsible Parties of these machines to fix them in the
    interest of protecting Patient, Government and private data. We also encourage
    you to look through your logs in order to be more informed about these companies
    who were attacking and their apparent disregard for simple security fixes such
    as a patch. This disregard resulted in a massive amount of DoS traffic being
    transferred all over the internet.  We can only hope to be so lucky next time.
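The first step of the tool described above is the part a defender can reuse directly: reading web-server logs for default.ida probes and working out which sources sent them and when. Below is an added example of that log-parsing and statistics step written for this post; it is not the author's tool, only the parsing half (it never connects back to anything), and the log format (Apache combined) and the sample lines are constructed assumptions.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Apache "combined" access-log line (assumed format). The Code Red probe is a GET
# for /default.ida followed by a long run of filler characters (N for the original
# worm, X for the later variant) and then %u-encoded bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]{20,}')

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:13:02:11 -0700] "GET /default.ida?'
    + "N" * 40 + '%u9090%u6858 HTTP/1.0" 404 0',
    '192.0.2.10 - - [19/Jul/2001:13:05:40 -0700] "GET /default.ida?'
    + "N" * 40 + '%u9090%u6858 HTTP/1.0" 404 0',
    '198.51.100.7 - - [19/Jul/2001:13:07:03 -0700] "GET /index.html HTTP/1.0" 200 1423',
    '203.0.113.55 - - [19/Jul/2001:14:11:27 -0700] "GET /default.ida?'
    + "X" * 40 + '%u9090%u6858 HTTP/1.0" 404 0',
]


def parse_default_ida_hits(lines):
    """Return {source_ip: {"count": n, "first_seen": datetime}} for Code Red probes.

    Non-matching lines (other requests, malformed lines) are skipped rather than
    raising, since a busy server's log will contain plenty of both.
    """
    hits = OrderedDict()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        if not CODE_RED_RE.match(m.group("path")):
            continue
        seen = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entry = hits.setdefault(m.group("ip"), {"count": 0, "first_seen": seen})
        entry["count"] += 1
        if seen < entry["first_seen"]:
            entry["first_seen"] = seen
    return hits


if __name__ == "__main__":
    for ip, info in parse_default_ida_hits(SAMPLE_LOG).items():
        print(f"{ip:<16} probes={info['count']} first_seen={info['first_seen'].isoformat()}")
```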
    
    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 08:48:46 PDT