Michael Katz <mikeat_private> wrote:

> Why have I not seen anything on this list about the "Code Blue" worm? ...

Because it is hype and does not exist in the wild, or if it does, it is so buggy/flawed that it is effectively non-viable in "real world" infestations.

> ... I
> have received some alerts and news stories about a "Code Blue" worm:

Ignore the hype -- here are some real facts:

1. CodeRed.C (aka CodeRedII) had compromised perhaps 200,000 machines within less than 12 hours of its release. That is, it (almost) saturated the population of non-patched, Internet-accessible IIS machines in about half the time CodeRed.B did (although CodeRed.B hit more machines total because news of its earlier spread alerted some system admins to patch their potentially vulnerable machines).

2. In the days following CodeRed.C's release, I regularly captured samples with a trivial "worm catcher" (netcat listening on port 80) in less than an hour of going on-line with a dial-up connection. I did this consistently from a United Airlines lounge in Chicago, on several different ISPs in Los Angeles, 2 or 3 different ISPs in Dallas, again back in LA, and have consistently caught around 100 CodeRed.C and CodeRed.D samples per day since returning to New Zealand (pro-rated for hours on-line).

3. I caught one of the first samples of CodeRed.D and apparently did so within a few hours of its release. I now see dozens and dozens a day -- roughly half of my daily CodeRed catches are the .D variant. Thus, I would expect to have seen at least one sample of something that is "worse than CodeRed", as CodeRed.D spreads about the same or slightly less successfully than CodeRed.C.

4. CodeBlue (aka BlueCode) is repeatedly said to be "potentially much worse" than CodeRed.C with "the potential to spread much faster". Some (snake-oilers) drop the "potentially" when repeating those claims about this reputed new "super worm"...

5. It is now 5 (? 6??) days since CodeBlue was reputedly released, yet my "worm catcher" (I've been using something more sophisticated than the netcat-based one since returning to LA from Dallas and before returning home) has not caught a single sample of CodeBlue.

6. Despite claims (by the snake-oilers) that CodeBlue is rampant -- and thus should be "killing" huge numbers of CodeReds *and* be "inoculating" those machines from further CodeRed (re-)infestation -- neither my worm catcher nor any of the others in the network of worm catchers it is part of has seen any CodeBlue, *and* those worm catchers are still seeing similar levels of CodeRed.C and .D each day. In fact, the CodeRed capture rate has remained fairly consistent with that seen prior to the first mention of BlueCode.

My conclusion -- CodeBlue is vendor snake-oil and/or media hype.

[To the journalists who will write asking for a quote if this is posted to the list, you may use "CodeBlue is vendor snake-oil and/or media hype" without seeking further quoting permission.]

Regards,

Nick FitzGerald

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
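A minimal "worm catcher" in the spirit of the netcat-on-port-80 listener described in point 2 of the post, added here as an example; it is not the poster's tool, and the function names, the 8 KiB read limit and the pro-rating helper are my own choices. It accepts connections, records each client's request line without ever replying, and pro-rates a dial-up session's catches to a 24-hour day.

```python
import socket
import time
from collections import Counter
from dataclasses import dataclass


@dataclass
class Catch:
    ts: float          # time.time() when the connection was accepted
    src: str           # remote address of the scanning host
    request_line: str  # first line of whatever the client sent


def first_line(data: bytes) -> str:
    """Return the request line of a captured payload, decoded leniently."""
    return data.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1", "replace")[:200]


def make_listener(bind: str = "0.0.0.0", port: int = 80) -> socket.socket:
    """Bind a TCP listener; port 0 lets the OS pick one (handy for tests)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((bind, port))
    ls.listen(16)
    return ls


def collect(listener: socket.socket, max_catches: int) -> list:
    """Accept max_catches connections, read at most 8 KiB from each and
    close without replying, so nothing is served back or executed."""
    catches = []
    while len(catches) < max_catches:
        conn, (src, _) = listener.accept()
        try:
            conn.settimeout(5)
            data = conn.recv(8192)
        except OSError:          # slow or reset client: record an empty catch
            data = b""
        finally:
            conn.close()
        catches.append(Catch(time.time(), src, first_line(data)))
    return catches


def per_day(catches: list, hours_online: float) -> float:
    """Pro-rate one session's catches to a full day, as the post does."""
    if hours_online <= 0:
        raise ValueError("hours_online must be positive")
    return len(catches) * 24.0 / hours_online


def tally(catches: list) -> Counter:
    """Count catches by request line so distinct variants stand out."""
    return Counter(c.request_line for c in catches)
```

Run `collect(make_listener(), 50)` as a privileged user to listen on the real port 80; the request lines it records are the raw probe, nothing more.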
This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 08:55:59 PDT