Re: more Code Red analysis

From: Ralph Mellor (ralphat_private)
Date: Tue Aug 07 2001 - 12:42:00 PDT

    Great analysis.
    
    
    > ... Too many users are connected". ... This prevents people
    > from exploiting the /scripts/root.exe backdoor
    
    Which would suggest that black hats would have been hampered
    in any attempts to remodel. (By remodel I mean to invisibly remove
    the known backdoor and replace it with a new one.)
    
    
    > I think this will become an important algorithm for future worms.
    
    Regularity and locality of IP allocation is a godsend to worm writers
    regarding both public and private IP spaces. For example, as I
    posted to a local Linux user group yesterday:
    
        Use 10.x.x.x even for small private nets?
        .
        .
        4. It's reasonable to surmise that many future worms will adopt
        this local bias philosophy.
        .
        .
        So, my tentative (but remember clueless) conclusion is that,
        even on tiny private nets, it would probably be smart to use
        as sparse an IP space as possible, right?
    
    
    > the Morris Worm injected the community with a lot of knowledge
    > about worms. ... When the next IIS exploit is announced, we've got
    > two weeks to patch a million systems before that next worm takes
    > down the Internet.
    
    I disagree with the 2 weeks and the take down the Internet.
    
    Neither Code Red nor Code Red II took down the Internet.
    It could clearly happen, but one can't absolutely know.
    
    As for the 2 weeks:
    
    > There is even a danger that a worm will be written first,
    > then the next exploit added to it later. Thus, the worm may
    > appear on the first day the next vulnerability is announced,
    > even though the writer didn't have 0-day knowledge.
    
    Precisely. Soon we may no longer have the 2 week luxury.
    Timely patching may come to mean doing it within hours of
    announcement (and in years to come, minutes).
    
    
    > I'm sure people have fully grasped the situation.
    
    Did you miss a "not"?
    
    
    > If anybody has a large dark subnet to play with, I'd love to
    > install my deredoc program mentioned above. It not only
    > plays with the current worms, it can be used to encourage
    > 0-day worms to reveal themselves.
    
    Simple and beautiful.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:10:45 PDT