Fwd: SYSTEM: Update to "Code Red" Worm. Its a date bomb, not time. (fwd)

Joanna Sheldon cjs10 at cornell.edu
Thu Jul 19 18:28:20 PDT 2001


Anybody on an NT machine? This just in from my hyper-geek ISP guy...

Joanna


>Date: Thu, 19 Jul 2001 20:07:26 -0400 (EDT)
>From: Homer Wilson Smith <homer at lightlink.com>
>To: <swem-l at lightlink.com>
>Subject: SYSTEM: Update to "Code Red" Worm. Its a date bomb, not time. (fwd)
>Sender: owner-swem-l at lightlink.com
>Reply-To: homer at lightlink.com
>
> CODE RED WORM
>
> There is a serious worm going around the internet infecting Windows
>NT servers running IIS, the NT web server. This worm scans random IP
>numbers looking for other NT servers and in the process is crashing a lot
>of Cisco DSL modems along with a host load of other DSL modems and routers
>taking untold numbers of end users off line. We spent all day chasing
>this down with two Cisco DSL modem customers until we finally understood
>what was going on.
>
> The below posting indicates there are upwards of 300,000 NT machines
>infected with this worm, and they are all destined to start attacking
>www.whitehouse.gov tomorrow.
>
> ANYONE WHO IS RUNNING NT/IIS AND IS NOT KEEPING IT PATCHED AND UP TO
>DATE *CONSTANTLY* IS A THREAT NOT ONLY TO THEMSELVES BUT TO EVERYONE ELSE
>TOO.
>
> Homer
>
>------------------------------------------------------------------------
>Homer Wilson Smith Clean Air, Clear Water, Art Matrix - Lightlink
>(607) 277-0959 A Green Earth and Peace. Internet Access, Ithaca NY
>homer at lightlink.com Is that too much to ask? http://www.lightlink.com
>
>---------- Forwarded message ----------
>Date: Thu, 19 Jul 2001 13:54:37 -0700
>From: Marc Maiffret <marc at eeye.com>
>To: BUGTRAQ <BUGTRAQ at securityfocus.com>
>Subject: Update to "Code Red" Worm. Its a date bomb, not time.
>
>Thanks to Eric from Symantec for tossing us a note about the worm being Date
>based and not Time based.
>
>We made an error in our last analysis and said the worm would start
>attacking whitehouse.gov based on a certain time. In reality it's based on a
>date (the 20th UTC) which is tomorrow.
>
>If the worm infects your system between the 1st and the 19th it will attempt
>to deface the infected servers web page or try to propagate itself to other
>systems. On the 20th all infected threads will attempt to attack
>www.whitehouse.gov. This seems to continue until the worm is removed from
>the infected system.
>
>Any new infection that happens between the 20th and 28th will most likely be
>someone "hand infecting" your system as all other worms should be attacking
>whitehouse.gov. If for some reason you are infected between the 20th and the
>28th then the worm will begin attacking whitehouse.gov without trying to
>infect other systems. This attack will continue indefinitely.
>
>The following are rough numbers, but we felt that it was important to
>illustrate the effects this worm can _possibly_ have.
>
>The worm has a timeline like this:
>
>day of the month:
>1-19: infect other hosts using the worm
>20-27: attack whitehouse.gov forever
>28-end of month: eternal sleep
>
>Presumably, this could restart at any point in a new month again.
>
>Also, some stats for the attack:
>
>Each infection has 100 threads
>Each thread is going to send about 100k, a byte at a time, which means you
>have a (40 for ip + 1 for each byte) which means you have 4.1 megs of data
>per thread
>100 threads * 4.1megs = 410 Megabytes
>This will be repeated again every 4.5 hours or so
>
>Remember, each host can be infected multiple times, meaning that a single
>host can send 410MB * # of infections.
>
>We have had reports between 15 thousand and 196 thousand unique hosts
>infected with the "Code Red" worm. However, there has been cross infection
>and we have heard reports of at least 300+ thousand infections/instances
>(machines with multiple infections etc..) of this worm.
>
>If there are 300 thousand infections then that means you have (300,000 * 410
>megabytes) that is going to be attempted to be flooded against
>whitehouse.gov every 4 and a half hours. If this is true and the worm "works
>as advertised" then the fact that whitehouse.gov goes offline is only the
>beginning of what _can_ possibly happen...
>
>----
>
>I am actually writing this part of the eMail about 45 minutes after the
>first part because our Internet connection here in California has been going
>up and down. We have also heard reports of internet connectivity going down
>in parts of northern California and New York.
>
>Signed,
>eEye Digital Security
>T.949.349.9062
>F.949.349.9538
>http://eEye.com/Retina - Network Security Scanner
>http://eEye.com/Iris - Network Traffic Analyzer
>http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
>
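A defender-side estimate of the flood volume the forwarded post describes, added here as an example (it is not eEye's or Lightlink's code): it recomputes the per-thread, per-host and aggregate byte counts from the quoted parameters, adds the average bit rate that volume implies over one 4.5-hour cycle, and maps a UTC day of the month to the phase in the timeline above. The function and class names are this example's own.

```python
# Constructed example: the figures are those quoted in the forwarded post
# (100 threads, ~100k bytes per thread sent a byte at a time, 40 bytes of
# IP/TCP header per packet, a cycle every ~4.5 h); the function names and
# the bit-rate conversion are this example's own, not eEye's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodEstimate:
    bytes_per_thread: int
    bytes_per_host: int
    bytes_aggregate: int
    bps_per_host: float      # average bit/s one infected host contributes
    bps_aggregate: float     # average bit/s across all infections


def worm_phase(day_of_month: int) -> str:
    """Map a UTC day of the month to the phase the advisory describes."""
    if not 1 <= day_of_month <= 31:
        raise ValueError("day of month must be 1..31")
    if day_of_month <= 19:
        return "propagate"   # scan and infect other hosts
    if day_of_month <= 27:
        return "attack"      # flood www.whitehouse.gov
    return "sleep"           # 28th to month end: dormant


def estimate_flood(infections: int, threads: int = 100,
                   payload_bytes_per_thread: int = 100_000,
                   header_bytes: int = 40, payload_per_packet: int = 1,
                   cycle_hours: float = 4.5) -> FloodEstimate:
    """Bytes on the wire per thread, per host and in aggregate for one
    attack cycle, and the average rate that volume implies."""
    packets = payload_bytes_per_thread // payload_per_packet
    per_thread = packets * (header_bytes + payload_per_packet)
    per_host = per_thread * threads
    aggregate = per_host * infections
    cycle_seconds = cycle_hours * 3600
    return FloodEstimate(per_thread, per_host, aggregate,
                         per_host * 8 / cycle_seconds,
                         aggregate * 8 / cycle_seconds)


if __name__ == "__main__":
    est = estimate_flood(300_000)
    print(f"per host: {est.bytes_per_host / 1e6:.0f} MB/cycle, "
          f"~{est.bps_per_host / 1e3:.0f} kbit/s average")
    print(f"aggregate: {est.bytes_aggregate / 1e12:.0f} TB/cycle, "
          f"~{est.bps_aggregate / 1e9:.1f} Gbit/s average")
```

With the post's 300,000 infections the 410 MB per host works out to roughly 200 kbit/s per host and about 60 Gbit/s in aggregate, averaged over the cycle.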