Perhaps none, perhaps many. But it is a sequential 410 megs. You can push
410 megs across a 1200 baud modem if you want.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer

----- Original Message -----
From: "c0ncept" <c0nceptat_private>
To: "Vuln-Dev" <vuln-devat_private>; "SECURITY-BASICS" <SECURITY-BASICSat_private>
Cc: "Marc Maiffret" <marcat_private>
Sent: Thursday, July 19, 2001 2:36 PM
Subject: RE: Update to "Code Red" Worm. Its a date bomb, not time.

>
> How many confirmed infections are sitting on 410+ Meg connections?
> How many of them have system buses even capable of saturating multiple
> infections?
>
> --c0ncept
>
>
> [snip]
> :Remember, each host can be infected multiple times, meaning that a single
> :host can send 410MB * # of infections.
> [snip]
>
> -----Original Message-----
> From: Marc Maiffret [mailto:marcat_private]
> Sent: Thursday, July 19, 2001 1:55 PM
> To: Vuln-Dev; SECURITY-BASICS
> Subject: Update to "Code Red" Worm. Its a date bomb, not time.
>
>
> Thanks to Eric from Symantec for tossing us a note about the worm being date
> based and not time based.
>
> We made an error in our last analysis and said the worm would start
> attacking whitehouse.gov based on a certain time. In reality it's based on a
> date (the 20th UTC), which is tomorrow.
>
> If the worm infects your system between the 1st and the 19th it will attempt
> to deface the infected server's web page or try to propagate itself to other
> systems. On the 20th all infected threads will attempt to attack
> www.whitehouse.gov. This seems to continue until the worm is removed from
> the infected system.
>
> Any new infection that happens between the 20th and 28th will most likely be
> someone "hand infecting" your system, as all other worms should be attacking
> whitehouse.gov. If for some reason you are infected between the 20th and the
> 28th then the worm will begin attacking whitehouse.gov without trying to
> infect other systems. This attack will continue indefinitely.
>
> The following are rough numbers, but we felt that it was important to
> illustrate the effects this worm can _possibly_ have.
>
> The worm has a timeline like this:
>
> day of the month:
> 1-19: infect other hosts using the worm
> 20-27: attack whitehouse.gov forever
> 28-end of month: eternal sleep
>
> Presumably, this could restart at any point in a new month again.
>
> Also, some stats for the attack:
>
> Each infection has 100 threads
> Each thread is going to send about 100k, a byte at a time, which means you
> have a (40 for IP + 1 for each byte) which means you have 4.1 megs of data
> per thread
> 100 threads * 4.1 megs = 410 Megabytes
> This will be repeated again every 4.5 hours or so
>
> Remember, each host can be infected multiple times, meaning that a single
> host can send 410MB * # of infections.
>
> We have had reports between 15 thousand and 196 thousand unique hosts
> infected with the "Code Red" worm. However, there has been cross infection
> and we have heard reports of at least 300+ thousand infections/instances
> (machines with multiple infections etc.) of this worm.
>
> If there are 300 thousand infections then that means you have (300,000 * 410
> megabytes) that is going to be attempted to be flooded against
> whitehouse.gov every 4 and a half hours. If this is true and the worm "works
> as advertised" then the fact that whitehouse.gov goes offline is only the
> beginning of what _can_ possibly happen...
>
> ----
>
> I am actually writing this part of the email about 45 minutes after the
> first part because our Internet connection here in California has been going
> up and down. We have also heard reports of Internet connectivity going down
> in parts of northern California and New York.
>
> Signed,
> eEye Digital Security
> T.949.349.9062
> F.949.349.9538
> http://eEye.com/Retina - Network Security Scanner
> http://eEye.com/Iris - Network Traffic Analyzer
> http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
>
>
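As an added example, not part of the thread and not eEye's code: a small Python model that turns the per-thread figures quoted above into aggregate traffic per cycle, the average bit rate that traffic implies, and the time a given link needs to push one cycle's worth of data, which is the capacity question behind the "1200 baud modem" remark. It assumes "100k" means 100,000 bytes, "40 for IP" is the per-packet header overhead, and "1200 baud" is taken as 1200 bit/s.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CodeRedFloodModel:
    """Traffic model built only from the figures quoted in the thread."""
    threads: int = 100            # attack threads per infected host
    payload_bytes: int = 100_000  # ~100k sent per thread, one byte per packet
    header_bytes: int = 40        # "40 for IP" overhead on every one-byte packet
    cycle_hours: float = 4.5      # the flood repeats "every 4.5 hours or so"

    def bytes_per_thread(self) -> int:
        # One packet per payload byte: (header + 1) * 100,000 = 4.1 MB
        return self.payload_bytes * (self.header_bytes + 1)

    def bytes_per_infection(self) -> int:
        # 100 threads * 4.1 MB = 410 MB per infection per cycle
        return self.threads * self.bytes_per_thread()

    def bytes_per_cycle(self, infections: int) -> int:
        # Aggregate data all infections try to send in one cycle
        return infections * self.bytes_per_infection()

    def average_bps(self, infections: int = 1) -> float:
        # The sending is sequential, so the data is spread over the cycle
        return self.bytes_per_cycle(infections) * 8 / (self.cycle_hours * 3600)

    def seconds_to_send(self, link_bps: float, infections: int = 1) -> float:
        # Wall-clock time a link of link_bps needs to drain one cycle's data
        return self.bytes_per_cycle(infections) * 8 / link_bps

    def keeps_up(self, link_bps: float, infections: int = 1) -> bool:
        # A link "keeps up" if one cycle's data fits inside one cycle
        return self.seconds_to_send(link_bps, infections) <= self.cycle_hours * 3600


if __name__ == "__main__":
    m = CodeRedFloodModel()
    print(f"per infection per cycle: {m.bytes_per_infection() / 1e6:.0f} MB")
    print(f"average rate per infection: {m.average_bps() / 1e3:.0f} kbit/s")
    print(f"300k infections, aggregate: {m.average_bps(300_000) / 1e9:.1f} Gbit/s")
    # 1200 bit/s assumed for "1200 baud": days needed to push 410 MB
    print(f"410 MB over 1200 bit/s: {m.seconds_to_send(1200) / 86400:.1f} days")
    print(f"1200 bit/s keeps up with the 4.5 h cycle: {m.keeps_up(1200)}")
```

The model shows that a host does not need a 410 Mbit link to contribute its full share: roughly 200 kbit/s sustained is enough to send 410 MB inside a 4.5-hour cycle, whereas 1200 bit/s would take about a month.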
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 15:46:34 PDT