Security Incidents mailing list archives

Code Red Worm, New information


From: Alfred Huger <ah () securityfocus com>
Date: Fri, 20 Jul 2001 13:34:52 -0600 (MDT)



Heya all,

By now we are all aware of the serious nature of the Code Red Worm. One of
the most powerful lessons we can all take away from this is how this
community is capable of mustering in times of crisis like this in order to
face and analyze threats. The traffic across the Incidents and Bugtraq
lists, among other sources, has been outstanding in terms of rallying
against this. A number of efforts are underway to address this situation
outside of list discussion; I am going to outline what we are doing here at
SecurityFocus. This is not intended to detract from anyone else's work,
it's all great, we are just bringing you into our contribution.


Notification
------------

First, we are in the process of notifying all of the infected IP owners
that we know of. This data has been taken from the ARIS Analyzer user base
as well as contributions from individuals in the community (I will post a
public thanks to them just as soon as they give me permission to do so).
The list of infected hosts that we are now in the process of notifying
against is a little over 40,000 hosts. Each host owner that we can
identify will be receiving a mail outlining the fact that they are
infected, which IPs are infected and how to address the situation.

New Data Reports
----------------

Second, we are posting a series of reports derived from ARIS Predictor, a
SecurityFocus system designed to track events such as these. The data is
coming from a system which is pre-production, so it will contain some minor
inconsistencies; please take this into account. The data we are posting
here is derived from 100 IDS sensors across 6 continents with statistics
derived from a 10 day period, the 10th until today. The information
available herein is quite interesting and worth a read. We will make a
point of making this type of information available whenever we face a
problem like this in the community. Now, onto the reports:

1. New Attacks Trend Report

This report displays the frequency with which attacks have been viewed
(in terms of abnormal compared against a baseline) over the last 10
days. It clearly shows our first contact with the worm on the 11th
(earlier than previously thought). Other reports (not listed here) show
the first contact happening at 17:00 GMT in the USA on the 11th.

http://www.securityfocus.com/data/staff/Trends.pdf
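The baseline comparison that report 1 describes can be illustrated with a small script. This is an added example, not code from SecurityFocus or from the ARIS Predictor system, and the daily counts below are constructed rather than taken from the report: a quiet window establishes a mean and standard deviation for one signature, and the first day whose count exceeds the baseline by more than a chosen number of standard deviations is reported as first contact.

```python
from statistics import mean, pstdev

# Constructed daily event counts for one IDS signature (hypothetical data,
# not figures from the SecurityFocus reports). A quiet week, then a jump.
DAILY_COUNTS = [
    ("2001-07-04", 21), ("2001-07-05", 19), ("2001-07-06", 24),
    ("2001-07-07", 18), ("2001-07-08", 22), ("2001-07-09", 20),
    ("2001-07-10", 23),
    ("2001-07-11", 410), ("2001-07-12", 2150), ("2001-07-13", 4800),
    ("2001-07-14", 5100),
]


def baseline_stats(counts, window):
    """Mean and population standard deviation of the first `window` days."""
    vals = [c for _, c in counts[:window]]
    return mean(vals), pstdev(vals)


def abnormal_days(counts, window=7, sigma=3.0):
    """Days after the baseline window whose count exceeds mean + sigma * stdev.

    Returns (date, count, multiple-of-baseline-mean) tuples in date order.
    """
    mu, sd = baseline_stats(counts, window)
    threshold = mu + sigma * sd
    return [(d, c, round(c / mu, 1)) for d, c in counts[window:] if c > threshold]


def first_contact(counts, window=7, sigma=3.0):
    """Date of the first abnormal day, or None if nothing exceeded the baseline."""
    flagged = abnormal_days(counts, window, sigma)
    return flagged[0][0] if flagged else None


if __name__ == "__main__":
    mu, sd = baseline_stats(DAILY_COUNTS, 7)
    print(f"baseline mean={mu} stdev={sd}")
    for date, count, ratio in abnormal_days(DAILY_COUNTS):
        print(f"{date}: {count} events ({ratio}x baseline)")
    print("first contact:", first_contact(DAILY_COUNTS))
```

The baseline window must come from days the operator believes were clean; if the worm was already present when the window was recorded, the threshold is inflated and the onset is missed, which is why a report like this one is worth re-running once the true start date is known.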

2. Top 10 Destination (Attacked Countries) for the Code Red Worm

This report displays the top ten victim countries for which the greatest
number of attacks is destined. This pie graph and all of the others only
tabulate data from the IDSs which saw the attack, therefore the numbers
will not add up to 100%.

http://www.securityfocus.com/data/staff/destination.pdf


3. Average Attacks Based On Averaged Time Of Day (10 days)

This graph shows the frequency of attacks across time of day as seen by
each continent. Very interesting.

http://www.securityfocus.com/data/staff/timeofday.pdf

4. Average Attacks Based On Averaged Time Of Day (1 day)

This graph shows the frequency of attacks across time of day as seen by
each continent for the 19th.

http://www.securityfocus.com/data/staff/timeofday-1.pdf

5. Attacked Industries Report

This report displays the frequency of attacks targeted against specific
industry types over our 10 day period.

http://www.securityfocus.com/data/staff/industry.pdf

6. Targets As Determined By Revenue

This report displays the frequency of attacks targeted against companies
of a particular annual revenue range.

http://www.securityfocus.com/data/staff/revenue.pdf

We could post a large number of other reports with more granular data or
against other data points, but this should be sufficient for the time
being to help augment the current data available. We will quite possibly
post other information in the near future.

Cheers, Alfred Huger

VP Engineering
SecurityFocus
"Vae Victis"



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

