Bugtraq mailing list archives
Re: CodeRed: the next generation
From: Stuart Staniford <stuart () silicondefense com>
Date: Fri, 20 Jul 2001 12:26:43 -0700
I've now analyzed data from three different sites, using the simple random spread model I outlined in my post to Incidents very early this morning. All three sets of data are very consistent with each other, and all are well explained by the hypothesis that the CRv2 worm was released in the early hours of yesterday morning, that it had a reasonably good random spread algorithm (unlike CRv1) and that it was capable of a spread of approximately 1.8 compromises/hour. (That is, a compromised host in the early stages of the infection could find and compromise about 1.8 other hosts in an hour - in the later stages it drops off because most hosts are already compromised.)

It probably compromised almost all the .ida vulnerable hosts on the Internet over the course of about twelve hours before being cleaned up and/or turning itself dormant. There's no doubt a great deal of it still lying dormant.

This was definitely a big bad worm. I imagine the worm writers can improve significantly on 1.8 compromises/hour though, so it's only going to get worse. I'm sure we can expect to see smarter targeting too.

The analysis from early this morning is at http://www.silicondefense.com/cr/

I'll hopefully get a fuller analysis out some time soon.

Stuart.

--
Stuart Staniford --- President --- Silicon Defense
** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com
http://www.silicondefense.com/
(707) 445-4355 x 16
(707) 445-4222 (FAX)
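The spread behaviour described in the message above, worked as an added example that is not part of the original post. It assumes the "simple random spread model" is logistic growth, da/dt = K*a*(1-a), which the post does not spell out; the population size and the sample observations are constructed.

```python
import math

K = 1.8  # compromises per infected host per hour, early stage (figure from the post)

def logit(a):
    return math.log(a / (1.0 - a))

def fraction_compromised(t, k=K, t_half=0.0):
    """Closed-form solution of da/dt = k*a*(1-a); t_half is the hour when a = 0.5."""
    return 1.0 / (1.0 + math.exp(-k * (t - t_half)))

def effective_rate(a, k=K):
    """Per-host compromise rate once a fraction a of vulnerable hosts is already hit."""
    return k * (1.0 - a)

def hours_between(a0, a1, k=K):
    """Hours for the compromised fraction to grow from a0 to a1."""
    return (logit(a1) - logit(a0)) / k

def simulate(a0, hours, k=K, dt=0.001):
    """Forward-Euler integration of da/dt = k*a*(1-a), a cross-check on the closed form."""
    a = a0
    for _ in range(int(round(hours / dt))):
        a += k * a * (1.0 - a) * dt
    return a

def fit_rate(samples):
    """Least-squares estimate of (k, t_half) from (hour, fraction) observations.
    Under the model, logit(a) = k*(t - t_half) is a straight line in t."""
    pts = [(t, logit(a)) for t, a in samples if 0.0 < a < 1.0]
    n = len(pts)
    mt = sum(t for t, _ in pts) / n
    my = sum(y for _, y in pts) / n
    k = sum((t - mt) * (y - my) for t, y in pts) / sum((t - mt) ** 2 for t, _ in pts)
    return k, mt - my / k

# Constructed observations: hourly fractions generated from the model, t_half = 8 h.
SAMPLES = [(h, fraction_compromised(h, t_half=8.0)) for h in range(3, 14)]

if __name__ == "__main__":
    n_vulnerable = 300_000  # assumed population size, not a figure from the post
    print("1 host -> 99%%: %.1f h" % hours_between(1 / n_vulnerable, 0.99))
    print("per-host rate at 90%% saturation: %.2f/h" % effective_rate(0.9))
    print("fitted k, t_half: %.3f, %.3f" % fit_rate(SAMPLES))
```

With the assumed population, growth from a single host to 99% takes under ten hours, in line with the roughly twelve-hour saturation the post describes.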