Security Incidents mailing list archives

Re: [unisog] Code Red(s) being confused with sadmind/IIS worm?


From: Anderson Johnston <andy () umbc edu>
Date: Thu, 9 Aug 2001 18:31:52 -0400

What seems to have happened here is that NT systems that had been
infected by the worm last May and *not* been cleaned out were quietly
doing whatever they did until last late June or so.  At that point,
several NTs on our campus started scanning off-campus IPs, and
getting picked up by the NIDS.

At another level, diseases ebb and flow with time as the proportion of
the population vulnerable to the disease increases and decreases.  The
worms we see now may take decades to disappear completely from the
Internet.  After an outbreak, a lot of systems will get patched and the
worm drops off the radar.  A few months pass and new (and unpatched)
systems are put into service.  When the number of new, unpatched systems
reaches a threshold level, the worm "booms" again and the cycle repeats.


I don't have the data to test this idea, but it fits some models for
biological diseases and parasite-host relationships.  In fact, the
sadmind/IIS worm is a nice example of a parasite with a two-stage life
cycle ...  Anyone out there looking for a thesis topic?  8-)

                                                        - Andy


On Thu, 9 Aug 2001, Stephen W. Thompson wrote:

Follow my line of thinking here.


If I'm correct, that implies a) sadmind/IIS is more prevalent than
we'd realized and, possibly b) that there might be a variant of
sadmind/IIS that succeeds on non-Solaris machines unlike the original
variant.  Any corroboration on (b) from anyone?




------------------------------------------------------------------------------
** Andy Johnston (andy () umbc edu)          *            pager: 410-678-8949  **
** Distributed Systems Manager            * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
------------------------------------------------------------------------------
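The boom-and-repeat cycle described above can be made concrete with a small population model. The following is an added example, not code from the original message or its author: a deterministic step-by-step model with three pools of hosts (unpatched and clean, infected and scanning, cleaned and patched), where new unpatched hosts are put into service each step and a share of infected hosts gets cleaned up. The names (`Params`, `simulate`, `boom_steps`) and every rate and count are constructed assumptions chosen only to show the mechanism: the infected pool can only grow while the unpatched pool sits above the threshold `(gamma + mu) / beta`, so a wave burns itself out, recruitment quietly rebuilds the unpatched pool past that threshold, and the worm booms again.

```python
# Added example: toy worm-population model with unpatched hosts being put
# into service over time. Constructed illustration, not code from the
# original post; all rates and counts below are made-up assumptions.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    beta: float = 0.001    # assumed per-step chance one infected host finds one unpatched host
    gamma: float = 0.1     # assumed per-step clean-up rate (infected host cleaned *and* patched)
    mu: float = 0.005      # assumed per-step retirement rate of hosts, all pools
    recruit: float = 5.0   # assumed number of new, unpatched hosts put into service per step


def threshold(p: Params) -> float:
    """Unpatched-host count above which an infected host spawns more than
    one replacement before it is cleaned or retired (effective R > 1)."""
    return (p.gamma + p.mu) / p.beta


def simulate(p: Params, s0=1000.0, i0=1.0, p0=0.0, steps=400):
    """Bookkeeping of three pools: S = unpatched & clean, I = infected &
    scanning, P = cleaned & patched. Returns a list of (S, I, P) per step."""
    s, i, patched = s0, i0, p0
    hist = [(s, i, patched)]
    for _ in range(steps):
        # share of unpatched hosts hit this step, bounded in [0, 1)
        infections = s * (1.0 - math.exp(-p.beta * i))
        cleaned = p.gamma * i
        s_next = max(0.0, s + p.recruit - infections - p.mu * s)
        i_next = max(0.0, i + infections - cleaned - p.mu * i)
        p_next = max(0.0, patched + cleaned - p.mu * patched)
        s, i, patched = s_next, i_next, p_next
        hist.append((s, i, patched))
    return hist


def boom_steps(hist):
    """Steps at which the infected count is a local maximum: the 'booms'."""
    i = [h[1] for h in hist]
    return [t for t in range(1, len(i) - 1) if i[t - 1] < i[t] >= i[t + 1]]


def growth_steps(hist):
    """Steps at which the infected pool is growing."""
    return [t for t in range(len(hist) - 1) if hist[t + 1][1] > hist[t][1]]


if __name__ == "__main__":
    p = Params()
    hist = simulate(p)
    print(f"threshold S* = {threshold(p):.1f} unpatched hosts")
    for t in boom_steps(hist):
        s, i, _ = hist[t]
        print(f"boom at step {t:3d}: infected={i:6.1f} unpatched={s:6.1f}")
```

Running the module prints the threshold and each boom with the infected and unpatched counts at that step. Each wave drives the unpatched pool below the threshold and then decays; recruitment of new unpatched hosts lifts the pool back over it and a smaller, later boom follows, which is the ebb-and-flow pattern a NIDS would see as recurring scan bursts from the same population months apart. With the assumed rates the oscillation damps toward a steady endemic level, which is the case for keeping the recruitment of unpatched hosts low (patch before deployment) rather than only cleaning up after each wave.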


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

