Security Incidents mailing list archives

Re: Code Red Specifics


From: Valdis.Kletnieks () vt edu
Date: Sat, 29 Sep 2001 23:39:49 -0400

On Sat, 29 Sep 2001 06:42:40 PDT, H C <keydet89 () yahoo com>  said:
> 1.  Who was "patient 0"?  Who was the first the admin
> who contacted eEye with the initial reports?  What
> domain first reported the "attacks"?

The problem is that the first admin to contact eEye was probably
not "patient 0".  I know for Nimda, I think I was the first to
post to the NANOG list and state that the CodeRed-style scans seemed
to be related to an e-mail based virus.  On the other hand, I only
posted because there was *already* enough activity that it was
causing blips on providers' traffic monitors.

I was merely the first one to (a) get hit with a copy, (b) be using
a Unix-based mail reader that didn't get infected (so I was able to
do forensics rather than be busy recovering the system), (c) be
subscribed to mailing lists that gave me the info needed to make the
connection *and* (d) actually hit 'send' on the note.

I posted to NANOG, then talked to some internal people, packaged
the sucker up to send to the guys at Trend so they could get us some
footprints to use in our Mirapoints - and by that time (maybe 45 minutes
after I got into my office that morning), I didn't post to Bugtraq or
Incidents because other people were already ahead of me on the forensics.

Finding "patient 0" for an Ebola outbreak is usually pretty easy,
because patient 0 usually notices.  What you're looking at is
more like trying to track a food poisoning outbreak - but one
in which everybody leaves the banquet, and they don't notice getting
sick, but the 23rd person they meet notices that THEY get sick.

A similar situation exists here - if the first call comes in to eEye
at 9:15AM, their machine probably got nailed at 9:05AM.  And it was
probably actually released at 8:57AM, and gone through 5 or 6 hops
already before it nails somebody who notices.  Even if every site
actually keeps good logs (a dubious proposition at best), most won't
have NTP-synchronized time - and all it will take is a few servers
set via wristwatch time to totally muddy the trail.

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
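The clock-skew point in the message above, as an added example that is not part of the original post or thread: a small timeline reconstruction over constructed web-server log lines. Every host name, IP address, timestamp and log line is made up for illustration (RFC 5737 documentation addresses, a hypothetical four-hop chain A-B-C-D); the only real detail is that Code Red probed IIS with a GET for /default.ida. With all clocks correct, walking "who probed whom" backwards lands on the right first victim and no link is contradictory. With two of the four clocks set by wristwatch, the same walk names the wrong host as patient 0, and the only hint that something is off is an ordering violation (a victim that appears to have been probed before its infector was infected).

```python
"""Added example, not code from the original post.

Why a few unsynchronised server clocks wreck an attempt to walk a worm's
infection trail back to "patient 0".  All hosts, addresses, times and log
lines below are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed log lines in a simplified IIS-style layout:
#   <date> <time> <client-ip> <method> <uri> <status>
# Each host contributes the FIRST Code Red-style probe it logged.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) GET (?P<uri>\S+) \d{3}$"
)

# Hypothetical hosts and their addresses (RFC 5737 documentation range).
HOST_IP = {"A": "192.0.2.10", "B": "192.0.2.11", "C": "192.0.2.12", "D": "192.0.2.13"}

# What "actually happened" (constructed): A is hit from outside at 08:57,
# then A->B (09:00), B->C (09:03), C->D (09:06).  All clocks correct.
LOGS_SYNCED = {
    "A": "2001-07-19 08:57:00 198.51.100.7 GET /default.ida 200",
    "B": "2001-07-19 09:00:00 192.0.2.10 GET /default.ida 200",
    "C": "2001-07-19 09:03:00 192.0.2.11 GET /default.ida 200",
    "D": "2001-07-19 09:06:00 192.0.2.12 GET /default.ida 200",
}

# The same events, but B's clock runs 6 minutes fast and C's 8 minutes
# slow ("set via wristwatch"); A and D are NTP-synchronised.
LOGS_SKEWED = {
    "A": "2001-07-19 08:57:00 198.51.100.7 GET /default.ida 200",
    "B": "2001-07-19 09:06:00 192.0.2.10 GET /default.ida 200",
    "C": "2001-07-19 08:55:00 192.0.2.11 GET /default.ida 200",
    "D": "2001-07-19 09:06:00 192.0.2.12 GET /default.ida 200",
}


def parse_first_probe(line):
    """Return (timestamp, source_ip) for one log line, or None if the line
    is not a Code Red-style probe (anything not requesting /default.ida)."""
    m = LOG_RE.match(line)
    if not m or not m.group("uri").startswith("/default.ida"):
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("src")


def build_trail(logs):
    """Map each host to (seen, infector).  The infector is whichever of our
    hosts owns the source IP of the first probe; an address we do not own
    means the hit came from outside our view (infector None)."""
    ip_to_host = {ip: host for host, ip in HOST_IP.items()}
    trail = {}
    for host, line in logs.items():
        parsed = parse_first_probe(line)
        if parsed is None:
            continue
        seen, src = parsed
        trail[host] = (seen, ip_to_host.get(src))
    return trail


def apparent_patient_zero(logs):
    """The host whose log shows the earliest probe: what an analyst who
    trusts the timestamps would call patient 0."""
    trail = build_trail(logs)
    return min(trail, key=lambda h: trail[h][0])


def ordering_violations(logs):
    """A victim cannot be probed before its infector was itself infected.
    Any (victim, infector) pair where the victim's timestamp is not later
    than the infector's is evidence of clock skew (or of a wrong link)."""
    trail = build_trail(logs)
    bad = []
    for victim, (seen, infector) in sorted(trail.items()):
        if infector is not None and seen <= trail[infector][0]:
            bad.append((victim, infector))
    return bad


if __name__ == "__main__":
    for label, logs in (("synced", LOGS_SYNCED), ("skewed", LOGS_SKEWED)):
        print(label, "patient 0:", apparent_patient_zero(logs),
              "violations:", ordering_violations(logs))
```

Run stand-alone it prints A with no violations for the synchronised logs, and C (the third victim) with one violation, C before B, for the skewed ones. Note what the check can and cannot do: it flags that the C-B link is impossible as logged, but it cannot tell which of the two clocks is wrong, and D's link to C passes despite C's clock being 8 minutes slow, because the skew happened to fall in a direction the ordering test does not see.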

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
