On Tue, 2 Oct 2001, Jay D. Dyson wrote:

> We were discussing on the Early Bird Developers list that none of
> us have seen any Code Red scans since September 30th. This can only mean
> one of four things:

<SNIP>

This is due to dates built into CodeRed II. CodeRed II killed off CodeRed I by periodically rebooting the victim. They use the same entry method, so presumably the victim base is approximately the same. CodeRedII is then designed to die off when Oct 1 rolls around (UTC). CR1 now has an opportunity to come back if there are any infections left, or if someone reinjects a copy.

None of the anti-CodeRed worms seem to have had any success spreading, so the only way the original ISAPI overflow vulnerability is gone is if people have patched their boxes. I'm sure many have, but I wouldn't be willing to bet that all of them have.

The first time around, CRv1 took several days to reach critical mass before the world noticed. With a smaller victim pool, it would take even longer.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 17:15:14 PDT