Security Incidents mailing list archives

Re: Code Red, anyone?


From: Joseph Nicholas Yarbrough <nyarbrough () lurhq com>
Date: Wed, 1 Aug 2001 05:43:07 -0400

On Tuesday 31 July 2001 21:31, Alfred Huger wrote:
> Anyone seeing Code Red activity yet?

When I came in tonight at 1 am I was told that there was no Code Red activity 
seen all night. Now (5:14 EDT) I'm seeing dozens of connects per minute. If it 
grows at the rate it had previously, we are possibly looking at another 
serious problem. Since the end of the last batch of scanning, I'm sure many 
infected hosts were rebooted because of crashing or some other reason 
(installing software/changing IPs/etc). After reboot they are no longer 
infected (because the virus wasn't spreading). Now these systems, and 
possibly others that weren't infected the first time around, are getting 
infected and starting to scan. Chances are, anyone who hasn't applied the 
patch by now isn't going to. As another list went over, some vendors won't 
support their product if you apply patches to the system that are not from 
them (I believe it was some web-banking software on IIS that was specifically 
mentioned). I don't take a doomsday attitude with Code Red, but it's clear 
it's going to continue to create problems to some degree.

My company monitors many class C and B networks' firewall logs/IDS/network 
appliance reports/etc. We only monitor a tiny chunk of the internet as a 
whole. However, if I see this just on our clients' networks then the rest of 
the world has to be seeing it.

Remember, it took several days last time before it got big. This time there 
are fewer systems for it to infect, but it has a bigger base number from which 
to spread. Without hard numbers, it's impossible to come up with even a guess 
at what the spread rate will be. Let's hope all the organizations who repost 
advisories as if they had anything to do with the discovery actually got 
through to some people.

Remember, the problem is people who have to hear about available patches to 
serious security problems on their local news. Perhaps if major news networks 
and the AP would run a story on system/network admins that don't subscribe to 
security mailing lists we wouldn't have had such a problem.

No flames were intended in this message. Don't misinterpret it that way and 
counterflame.

-- 

Joseph Nicholas Yarbrough
Information Security Analyst
LURHQ Corporation


***NOTE***
These words and thoughts are my own, not my company's.
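The poster is counting Code Red "connects per minute" in monitored firewall and IDS logs. As an added example that is not part of the original message or of any LURHQ tooling, the script below does the same count over web-server access logs: it picks out the worm's request (a GET for /default.ida with a long run of N or X padding followed by %u-encoded shellcode, which is how the .ida ISAPI overflow was triggered) and reports hits and distinct scanning sources per minute. The log lines are constructed for the example, with the padding run shortened; the field layout assumes the common/combined log format.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common log format). Not from the
# original post. The request shape is the well-known Code Red probe, with
# the N/X padding run shortened here; the real worm sends a much longer run.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2001:05:14:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289
192.0.2.10 - - [01/Aug/2001:05:14:03 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289
198.51.100.7 - - [01/Aug/2001:05:14:41 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289
203.0.113.22 - - [01/Aug/2001:05:14:55 -0400] "GET /index.html HTTP/1.1" 200 1843
203.0.113.9 - - [01/Aug/2001:05:15:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289
"""

# Common log format: ip ident authuser [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Code Red probe: GET /default.ida? + run of N (original) or X (Code Red II)
# padding + %uXXXX-encoded shellcode. The padding length is left loose so
# that truncated log lines still match.
CODE_RED_RE = re.compile(
    r'^GET /default\.ida\?[NX]{8,}(?:%u[0-9A-Fa-f]{4})+', re.IGNORECASE
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_code_red_probe(request):
    """True if the request line is a Code Red .ida probe."""
    return CODE_RED_RE.match(request) is not None


def probes_per_minute(log_text):
    """Map 'DD/Mon/YYYY:HH:MM' -> (probe count, sorted list of distinct source IPs).

    Distinct sources matter more than raw hits: one infected host retrying
    against the same target inflates the hit count but not the spread.
    """
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_code_red_probe(rec["req"]):
            continue
        # "01/Aug/2001:05:14:02 -0400" -> "01/Aug/2001:05:14"
        minute = rec["ts"].split(" ")[0][:-3]
        hits[minute] += 1
        sources[minute].add(rec["ip"])
    return {m: (hits[m], sorted(sources[m])) for m in hits}


if __name__ == "__main__":
    for minute, (count, ips) in sorted(probes_per_minute(SAMPLE_LOG).items()):
        print(f"{minute}  probes={count}  distinct sources={len(ips)}  {ips}")
```

Run it as-is and it prints one line per minute of probe activity; point `probes_per_minute` at a real log file's contents to get the per-minute curve the post is describing. Note that a probe logged with status 404 means the .ida handler was not mapped and the host was not at risk from that request; a hit on an unpatched IIS box may not produce a log entry at all, because the process is compromised before the request is written out.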

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com