Bugtraq mailing list archives

Re: CodeRed: the next generation


From: Stuart Staniford <stuart () silicondefense com>
Date: Fri, 20 Jul 2001 12:26:43 -0700


I've now analyzed data from three different sites, using the simple random
spread model I outlined in my post to Incidents very early this morning.  All
three sets of data are very consistent with each other, and all are well
explained by the hypothesis that the CRv2 worm was released in the early hours
of yesterday morning, that it had a reasonably good random spread algorithm
(unlike CRv1) and that it was capable of a spread of approximately 1.8
compromises/hour.  (That is, a compromised host in the early stages of the
infection could find and compromise about 1.8 other hosts in an hour - in the
later stages it drops off because most hosts are already compromised.)

It probably compromised almost all the .ida vulnerable hosts on the Internet
over the course of about twelve hours before being cleaned up and/or turning
itself dormant.  There's no doubt a great deal of it still lying dormant.

This was definitely a big bad worm.  I imagine the worm writers can improve
significantly on 1.8 compromises/hour though, so it's only going to get worse.
I'm sure we can expect to see smarter targeting too.

The analysis from early this morning is at 

http://www.silicondefense.com/cr/

I'll hopefully get a fuller analysis out some time soon.

Stuart.

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)
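The "simple random spread model" the post refers to, worked through as an added example (this is not Stuart's code or Silicon Defense's analysis): a random-scanning worm grows logistically, dN/dt = K*N*(1 - N/T), where K is the early-stage compromise rate per infected host. K = 1.8 compromises/hour is the figure from the post; the vulnerable population size T, the seed count, and the sample hourly counts below are constructed assumptions.

```python
import math

# K = 1.8 compromises/hour is the figure from the post; population size,
# seed count and sample counts used below are constructed assumptions.
K_PER_HOUR = 1.8


def fraction_infected(t_hours, k, a0):
    """Closed-form logistic solution: fraction of vulnerable hosts
    infected at time t, starting from fraction a0 at t = 0."""
    e = math.exp(k * t_hours)
    return a0 * e / (1.0 - a0 + a0 * e)


def hours_between(k, a_from, a_to):
    """Hours for the infected fraction to grow from a_from to a_to."""
    return math.log(a_to * (1.0 - a_from) / (a_from * (1.0 - a_to))) / k


def simulate(k, total, seed, dt_hours=0.01, stop_fraction=0.99):
    """Forward-Euler integration of dN/dt = k*N*(1 - N/T); returns the
    elapsed hours until stop_fraction of the population is compromised."""
    n, t = float(seed), 0.0
    while n < stop_fraction * total:
        n += k * n * (1.0 - n / total) * dt_hours
        t += dt_hours
    return t


def estimate_rate(hourly_counts):
    """Estimate k from early-stage cumulative infection counts sampled
    once per hour: least-squares slope of ln(N) against time.  This is
    the kind of fit a defender can do on per-hour sensor data while the
    worm is still in its exponential phase."""
    xs = list(range(len(hourly_counts)))
    ys = [math.log(c) for c in hourly_counts]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


if __name__ == "__main__":
    # Constructed cumulative counts during the exponential phase.
    sample = [100 * math.exp(K_PER_HOUR * h) for h in range(4)]
    print("fitted k:", round(estimate_rate(sample), 2), "/hour")
    print("1% -> 99%:", round(hours_between(K_PER_HOUR, 0.01, 0.99), 1), "hours")
    print("1 seed -> 99% of 300k:", round(simulate(K_PER_HOUR, 300_000, 1), 1), "hours")
```

The 1% to 99% span at K = 1.8 is a few hours; from a single seed host the wall-clock time is dominated by the slow early phase, which is why an order of ten hours is plausible for saturating the vulnerable population.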
