Re: Code Red gone to sleep?

From: cambriaat_private
Date: Tue Oct 02 2001 - 16:33:00 PDT

    CR's 10/1 exit was predicted by some of the analyses of CR.
    
    From http://www.incidents.org/react/code_redII.php ...
    
    "Before each attempt to connect to a new target, the worm
    checks the local time to see if the year is less than 2002 
    and if the month is less than 10. If either of these checks 
    return false, then the worm ceases the propagation cycle 
    and reboots the server. Note that this implies that all worms 
    will cease propagating by Oct. 1, 2001."
    
    
    
    Greg
    
    
    
    On 10/2/2001 at 3:54 PM Jay D. Dyson wrote:
    
    >-----BEGIN PGP SIGNED MESSAGE-----
    >
    >Hi folks,
    >
    >	We were discussing on the Early Bird Developers list that none of
    >us have seen any Code Red scans since September 30th.  This can only mean
    >one of four things: 
    >
    >	1.	Code Red has "gone to sleep,"
    >
    >	2.	Code Red committed ritual seppuku and rm'd every box it
    >		previously infected,
    >
    >	3.	Nimda has taken over all previously infected Code Red
    >		systems[*],
    >
    >	4.	All the automated intrusion attempt notices finally paid
    >		off and affected sites have finally shut their infected
    >		systems down.
    >
    >	While I'd like to believe that the silence is due to option #4,
    >experience leads me to believe that options #1 and #2 are most likely, and
    >option #3 is a close runner-up.
    >
    >- - -Jay
    >
    >* Nimda is still banging away like a nympho bunny on Spanish Fly.
    >
    >  (    (                                                         _______
    >  ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
    >C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) |    = |-'
    > `--' `--'  `--------------- rm -rf /bin/laden ---------------'  `------'
    >
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 17:22:14 PDT