Re: Any one seen any evidence of "Code Blue?"

["Nick FitzGerald" <nick () virus-l demon co uk>]

Michael Katz <mike () responsible com> wrote:

> Why have I not seen anything on this list about the "Code Blue" worm?  ...

Because it is hype and does not exist in the wild, or if it does, it 
is so buggy/flawed that it is effectively non-viable in "real world" 
infestations.

> ...  I 
> have received some alerts and news stories about a "Code Blue" worm:

Ignore the hype -- here are some real facts:

1.  CodeRed.C (aka CodeRedII) had compromised perhaps 200,000 
machines within less than 12 hours of its release.  That is, it 
(almost) saturated the population of non-patched, Internet-accessible 
IIS machines in about half the time CodeRed.B did (although CodeRed.B 
hit more machines total because news of its earlier spread alerted 
some system admins to patch their potentially vulnerable machines).

2.  In the days following CodeRed.C's release, I regularly captured
samples with a trivial "worm catcher" (netcat listening on port 80)
in less than an hour of going on-line with a dial-up connection.  I
did this consistently from a United Airlines lounge in Chicago, on
several different ISPs in Los Angeles, 2 or 3 different ISPs in
Dallas, again back in LA and have consistently caught around 100
CodeRed.C and CodeRed.D samples per day since returning to New
Zealand (pro-rated for hours on-line).

3.  I caught one of the first samples of CodeRed.D and apparently did
so within a few hours of its release.  I now see dozens and dozens a
day -- roughly half of my daily CodeRed catches are the .D variant.  
Thus, I would expect to have seen at least one sample of something 
that is "worse than CodeRed" as CodeRed.D spreads about the same or 
slightly less successfully than CodeRed.C.

4.  CodeBlue (aka BlueCode) is repeatedly said to be "potentially
much worse" than CodeRed.C with "the potential to spread much
faster".  Some (snake-oilers) drop the "potentially" when repeating 
those claims about this reputed new "super worm"...

5.  It is now 5 (? 6??) days since CodeBlue was reputedly released
yet my "worm catcher" (I've been using something more sophisticated
than the netcat-based one since returning to LA from Dallas and 
before returning home) has not caught a single sample of CodeBlue.

6.  Despite claims (by the snake-oilers) that CodeBlue is rampant -- 
and thus should be "killing" huge numbers of CodeReds *and* be
"inoculating" those machines from further CodeRed (re-)infestation -- 
neither my worm catcher nor any of the others in the network of worm 
catchers it is part of has seen any CodeBlue *and* those worm 
catchers are still seeing similar levels of CodeRed.C and .D each 
day.  In fact, the CodeRed capture rate has remained fairly 
consistent with that seen prior to the first mention of BlueCode.

My conclusion -- CodeBlue is vendor snake-oil and/or media hype.

[To the journalists who will write asking for a quote if this is 
posted to the list, you may  use "CodeBlue is vendor snake-oil and/or 
media hype" without seeking further quoting permission.]


Regards,

Nick FitzGerald

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com