Re: [unisog] Code Red(s) being confused with sadmind/IIS worm?

From: Anderson Johnston (andyat_private)
Date: Thu Aug 09 2001 - 15:31:52 PDT


    What seems to have happened here is that NT systems that had been
    infected by the worm last May and *not* been cleaned out were quietly
    doing whatever they did until last late June or so.  At that point,
    several NTs on our campus started scanning off-campus IPs, and
    getting picked up by the NIDS.
    
    At another level, diseases ebb and flow with time as the proportion of
    the population vulnerable to the disease increases and decreases.  The
    worms we see now may take decades to disappear completely from the
    Internet.  After an outbreak, a lot of systems will get patched and the
    worm drops off the radar.  A few months pass and new (and unpatched)
    systems are put into service.  When the number of new, unpatched systems
    reaches a threshold level, the worm "booms" again and the cycle repeats.
    
    
    I don't have the data to test this idea, but it fits some models for
    biological diseases and parasite-host relationships.  In fact, the
    sadmind/IIS worm is a nice example of a parasite with a two-stage life
    cycle ...  Anyone out there looking for a thesis topic?  8-)
    
    							- Andy
    
    
    On Thu, 9 Aug 2001, Stephen W. Thompson wrote:
    
    > Follow my line of thinking here.
    >
    >
    > If I'm correct, that implies a) sadmind/IIS is more prevalent than
    > we'd realized and, possibly b) that there might be a variant of
    > sadmind/IIS that succeeds on non-Solaris machines unlike the original
    > variant.  Any corroboration on (b) from anyone?
    >
    
    
    
    ------------------------------------------------------------------------------
    ** Andy Johnston (andyat_private)          *            pager: 410-678-8949  **
    ** Distributed Systems Manager            * PGP key:(afj2000) 1024/F67035E1 **
    ** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
    ** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
    ------------------------------------------------------------------------------
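The boom-and-bust cycle sketched in the message (patching drives the worm off the radar, newly deployed unpatched hosts accumulate until a threshold is crossed, and the worm booms again) can be made concrete with a small compartment model. The following is an added example, not part of Andy's post or of any unisog data: a discrete-time SIR model with a steady inflow of unpatched hosts, where every parameter value (contact rate, cleanup rate, arrivals per step, initial population) is a constructed, hypothetical number chosen to illustrate the dynamics rather than measured from any real outbreak. The "threshold" the message mentions appears as the unpatched fraction gamma/beta above which the infected count grows.

```python
"""Discrete-time SIR model with inflow of new unpatched hosts.

Compartments (hypothetical, for illustration only):
  s  susceptible  - unpatched, exploitable hosts
  i  infected     - compromised hosts actively scanning
  r  removed      - patched or cleaned hosts, no longer exploitable
Each step, new unpatched hosts are brought online; infected hosts are
cleaned at a fixed rate.  All parameter values are constructed, not measured.
"""
from dataclasses import dataclass


@dataclass
class Params:
    beta: float = 0.5      # per-step effective contact/infection rate (constructed)
    gamma: float = 0.1     # per-step cleanup/patching rate of infected hosts (constructed)
    arrivals: float = 5.0  # new unpatched hosts brought online per step (constructed)
    steps: int = 400       # length of the simulation


def simulate(s0=1000.0, i0=10.0, r0=0.0, p=Params()):
    """Return the infected-host count at every step; index 0 is the start."""
    s, i, r = s0, i0, r0
    history = [i]
    for _ in range(p.steps):
        n = s + i + r
        new_infections = p.beta * s * i / n   # mass-action infection term
        cleaned = p.gamma * i                 # patched or cleaned this step
        s = s - new_infections + p.arrivals   # arrivals join the unpatched pool
        i = i + new_infections - cleaned
        r = r + cleaned
        history.append(i)
    return history


def threshold_fraction(p=Params()):
    """Unpatched fraction s/n above which the worm grows: beta*s/n > gamma."""
    return p.gamma / p.beta


def find_booms(history, min_hosts=1.0):
    """Return (step, infected) for each local maximum, i.e. each 'boom'."""
    booms = []
    for t in range(1, len(history) - 1):
        if history[t] >= min_hosts and history[t - 1] < history[t] >= history[t + 1]:
            booms.append((t, history[t]))
    return booms


def trough_between(history, t_a, t_b):
    """Lowest infected count between two steps (how far the worm 'drops off the radar')."""
    return min(history[t_a:t_b + 1])


if __name__ == "__main__":
    hist = simulate()
    booms = find_booms(hist)
    print(f"growth threshold: unpatched fraction > {threshold_fraction():.2f}")
    for t, infected in booms:
        print(f"boom at step {t:4d}: {infected:8.1f} infected hosts")
    if len(booms) >= 2:
        low = trough_between(hist, booms[0][0], booms[1][0])
        print(f"trough between first two booms: {low:.1f} infected hosts")
```

With the constructed parameters the first outbreak burns through the initial unpatched pool, the infected count decays for a long stretch while arrivals rebuild the susceptible pool, and a second, smaller boom follows once the unpatched fraction again exceeds gamma/beta; later peaks damp toward a low endemic level, which is the "decades to disappear" picture in the message. Raising the cleanup rate or lowering the arrival rate pushes the threshold out of reach and suppresses the repeat booms.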
    
    
    


