Security Incidents mailing list archives
Re: more Code Red analysis
From: "Ralph Mellor" <ralph () dimp com>
Date: Tue, 7 Aug 2001 14:42:00 -0500
Great analysis.
> ... Too many users are connected". ... This prevents people from exploiting the /scripts/root.exe backdoor
Which would suggest that black hats would have been hampered in any attempts to remodel. (By remodel I mean to invisibly remove the known backdoor and replace it with a new one.)
I think this will become an important algorithm for future worms.
Regularity and locality of IP allocation is a godsend to worm writers regarding both public and private IP spaces. For example, as I posted to a local Linux user group yesterday: Use 10.x.x.x even for small private nets? . . 4. It's reasonable to surmise that many future worms will adopt this local bias philosophy. . . So, my tentative (but remember clueless) conclusion is that, even on tiny private nets, it would probably be smart to use as sparse an IP space as possible, right?
> the Morris Worm injected the community with a lot of knowledge about worms. ... When the next IIS exploit is announced, we've got two weeks to patch a million systems before that next worm takes down the Internet.
I disagree with the 2 weeks and with "take down the Internet". Neither Code Red nor Code Red II took down the Internet. It could clearly happen, but one can't absolutely know. As for the 2 weeks:
> There is even a danger that a worm will be written first, then the next exploit added to it later. Thus, the worm may appear on the first day the next vulnerability is announced, even though the writer didn't have 0-day knowledge.
Precisely. Soon we may no longer have the 2 week luxury. Timely patching may come to mean doing it within hours of the announcement (and in years to come, minutes).
> I'm sure people have fully grasped the situation.
Did you miss a "not"?
> If anybody has a large dark subnet to play with, I'd love to install my deredoc program mentioned above. It not only plays with the current worms, it can be used to encourage 0-day worms to reveal themselves.
Simple and beautiful.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
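The "sparse IP space" argument in the reply above can be made concrete with a small model. The following is an added example, not code from this thread or from the deredoc program: it computes, and then simulates, how often a single probe from an infected host lands on another live host when the worm scans with a local bias. The scanning mix used (1/8 uniformly random, 4/8 within the source's /8, 3/8 within the source's /16) is the one commonly reported for Code Red II; the thread only says "local bias", so treat those weights as an assumption of this example. The two layouts compared (50 hosts packed into 10.0.0.0/24 versus 50 hosts scattered across 10.0.0.0/8) are constructed here for illustration.

```python
"""Local-bias worm scanning vs. dense and sparse private-net host layouts.

Added example (not code from the thread). The target-selection weights are
the ones commonly reported for Code Red II; the thread only says "local bias",
so treat them as an assumption of this example. Addresses are IPv4 as ints.
"""
import ipaddress
import random

# Assumed target-selection mix per probe (Code Red II as commonly reported):
P_RANDOM = 1 / 8   # uniformly random 32-bit address
P_SAME_A = 4 / 8   # keep the source's first octet, randomise the rest (/8)
P_SAME_B = 3 / 8   # keep the source's first two octets, randomise the rest (/16)


def expected_hit_rate(hosts, source):
    """Probability that a single probe from `source` lands on another live host.

    Each bucket contributes P(bucket) * (live hosts in bucket) / (bucket size);
    `hosts` and `source` are IPv4 addresses as integers.
    """
    others = [h for h in hosts if h != source]
    same_a = sum(1 for h in others if h >> 24 == source >> 24)
    same_b = sum(1 for h in others if h >> 16 == source >> 16)
    return (P_RANDOM * len(others) / 2**32
            + P_SAME_A * same_a / 2**24
            + P_SAME_B * same_b / 2**16)


def dense_layout(n):
    """n hosts packed into 10.0.0.0/24 (constructed: the usual small-net allocation)."""
    base = int(ipaddress.IPv4Address("10.0.0.1"))
    return [base + i for i in range(n)]


def sparse_layout(n, seed=1):
    """n hosts scattered uniformly (without replacement) across 10.0.0.0/8 (constructed)."""
    rng = random.Random(seed)
    net = ipaddress.IPv4Network("10.0.0.0/8")
    base = int(net.network_address)
    return [base + off for off in rng.sample(range(1, net.num_addresses - 1), n)]


def pick_target(rng, source):
    """One probe's target under the assumed local-bias mix."""
    r = rng.random()
    if r < P_SAME_B:
        return (source & 0xFFFF0000) | rng.randrange(1 << 16)
    if r < P_SAME_B + P_SAME_A:
        return (source & 0xFF000000) | rng.randrange(1 << 24)
    return rng.randrange(1 << 32)


def simulate_hits(hosts, source, probes, seed=0):
    """Monte Carlo: count probes from `source` that hit another live host."""
    rng = random.Random(seed)
    live = set(hosts) - {source}
    return sum(1 for _ in range(probes) if pick_target(rng, source) in live)


if __name__ == "__main__":
    n, probes = 50, 1_000_000
    for name, layout in (("dense /24", dense_layout(n)), ("sparse /8", sparse_layout(n))):
        src = layout[0]
        print(f"{name:10s} expected hits/probe = {expected_hit_rate(layout, src):.3e}"
              f"  simulated hits in {probes} probes = {simulate_hits(layout, src, probes)}")
```

For the dense layout the per-probe hit rate comes to roughly 2.8e-4, almost all of it from the /16 term; scattering the same hosts across 10/8 leaves only the /8 and random terms, which are two orders of magnitude smaller. Note what sparseness does not buy: every host is still inside 10.0.0.0/8, so the /8-biased share of probes is unaffected, and the gain comes entirely from breaking the /16 locality.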
Current thread:
- more Code Red analysis robert_david_graham (Aug 07)
- Re: more Code Red analysis Ralph Mellor (Aug 07)
- RE: more Code Red analysis Marc Maiffret (Aug 07)