Re: Code Red gone to sleep?

From: Ryan Russell (ryanat_private)
Date: Tue Oct 02 2001 - 16:30:53 PDT


    On Tue, 2 Oct 2001, Jay D. Dyson wrote:
    
    > 	We were discussing on the Early Bird Developers list that none of
    > us have seen any Code Red scans since September 30th.  This can only mean
    > one of four things:
    <SNIP>
    
    This is due to dates built into CodeRed II.  CodeRed II killed off CodeRed
    I by periodically rebooting the victim.  They use the same entry method,
    so presumably the victim base is approximately the same.  CodeRedII is
    then designed to die off when Oct 1 rolls around (UTC).
    
    CR1 now has an opportunity to come back if there are any infections left,
    or if someone reinjects a copy.  None of the anti-CodeRed worms seem to
    have had any success spreading, so the only way the original ISAPI
    overflow vulnerability is gone is if people have patched their boxes.  I'm
    sure many have, but I wouldn't be willing to bet that all of them have.
    
    The first time around, CRv1 took several days to reach critical mass
    before the world noticed.  With a smaller victim pool, it would take even
    longer.
    
    					Ryan
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
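Added example, not part of the original message: a simple logistic model of a worm that probes IPv4 addresses uniformly at random, illustrating the point above that a smaller victim pool takes longer to reach critical mass. The scan rate, pool sizes, single starting infection and function names are assumptions chosen for illustration, not measurements of Code Red.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniformly random scanner draws from


def hours_to_fraction(vulnerable, scans_per_sec, fraction=0.5, seeds=1):
    """Closed-form logistic solution: hours until `fraction` of the
    vulnerable hosts are infected, starting from `seeds` infections."""
    # Each probe hits a vulnerable host with probability vulnerable / 2^32,
    # so the early exponential growth rate is proportional to the pool size.
    rate = scans_per_sec * vulnerable / ADDRESS_SPACE  # per second
    odds_target = fraction / (1.0 - fraction)
    odds_start = seeds / (vulnerable - seeds)
    return math.log(odds_target / odds_start) / rate / 3600.0


def simulate_hours(vulnerable, scans_per_sec, fraction=0.5, seeds=1, step=60.0):
    """Euler integration of dI/dt = s * I * (N - I) / 2^32 as a cross-check."""
    infected, elapsed = float(seeds), 0.0
    while infected < fraction * vulnerable:
        new = scans_per_sec * infected * (vulnerable - infected) / ADDRESS_SPACE
        infected += step * new
        elapsed += step
    return elapsed / 3600.0


if __name__ == "__main__":
    SCAN_RATE = 1.0  # assumed probes per second per infected host
    for pool in (300_000, 100_000, 30_000):  # constructed pool sizes
        days = hours_to_fraction(pool, SCAN_RATE) / 24
        print(f"{pool:>7} unpatched hosts: {days:5.1f} days to 50% infected")
```

The model ignores reboots, patching during the outbreak and network congestion, so it only shows the scaling: shrinking the unpatched pool stretches the quiet period before scans become noticeable.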
    