Re: Code Red Specifics

From: Valdis.Kletnieksat_private
Date: Sat Sep 29 2001 - 20:39:49 PDT

    On Sat, 29 Sep 2001 06:42:40 PDT, H C <keydet89at_private>  said:
    > 1.  Who was "patient 0"?  Who was the first the admin
    > who contacted eEye with the initial reports?  What
    > domain first reported the "attacks"?
    
    The problem is that the first admin to contact eEye was probably
    not "patient 0".  I know for Nimda, I think I was the first to
    post to the NANOG list and state that the CodeRed-style scans seemed
    to be related to an e-mail based virus.  On the other hand, I only
    posted because there was *already* enough activity that it was
    causing blips on providers' traffic monitors.
    
    I was merely the first one to (a) get hit with a copy (b) be using
    a Unix-based mail reader that didn't get infected (so I was able to
    do forensics rather than be busy recovering the system), (c) be
    subscribed to mailing lists that gave me the info needed to make the
    connection *and* (d) actually hit 'send' on the note.
    
    I posted to NANOG, then talked to some internal people, packaged
    the sucker up to send to the guys at Trend so they could get us some
    footprints to use in our Mirapoints - and by that time (maybe 45 minutes
    after I got into my office that morning), I didn't post to Bugtraq or
    Incidents because other people were already ahead of me on the forensics.
    
    Finding "patient 0" for an Ebola outbreak is usually pretty easy,
    because patient 0 usually notices.  What you're looking at is
    more like trying to track a food poisoning outbreak - but one
    in which everybody leaves the banquet, and they don't notice getting
    sick, but the 23rd person they meet notices that THEY get sick.
    
    A similar situation exists here - if the first call comes in to eEye
    at 9:15AM, their machine probably got nailed at 9:05AM.  And it was
    probably actually released at 8:57AM, and gone through 5 or 6 hops
    already before it nails somebody who notices.  Even if every site
    actually keeps good logs (a dubious proposition at best), most won't
    have NTP-synchronized time - and all it will take is a few servers
    set via wristwatch time to totally muddy the trail.
    
    				Valdis Kletnieks
    				Operating Systems Analyst
    				Virginia Tech
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Sun Sep 30 2001 - 11:28:07 PDT