RE: Update to "Code Red" Worm. Its a date bomb, not time.

[emerson.c.tan () ca andersen com]

Obviously this is not going to live up to it's full potential as not
everywhere has access to OC12 connections to the internet. However what is
important is that the numbers are large enough that the ingress point for
whitehouse.gov will be saturated , even if they have filtering and traffic
shaping in place.

The numbers quoted are entirely theoretical although we can do a bit of
statistical modeling to improve on Marc's figures a bit.

An easy method would be to break up the estimated 196K infections accross a
statistical average of bandwidth accross the internet (excluding dial up's
as these are not likely to be terribly effective in the attack, nor are
they likely to have the right operating systems installed. In the vast
majority of cases we are talking about servers and permanently connected
workstations). A <Scientific Wild Ass Guess> guess is the figure is in the
order  of 1-10 's of meg per second. I was unable to find any good reliable
statistics about this sort of thing and if someone can point me in the
right direction I can do the analysis and see how it compares with what we
see tommorow.

Even at this conservative level, the numbers are still large enough to
totally saturate whitehouse.gov, theroetical figures or not. This sort of
thing is difficult to stop, and the only method that is likely to work is
to prevent worms from getting to this state in the first place. Good luck.

Emerson



To:   vuln-dev () securityfocus com, SECURITY-BASICS () securityfocus com
cc:   marc () eeye com
Date: 19/07/2001 03:36 PM
From: c0ncept () hushmail com
Subject:  RE: Update to "Code Red" Worm. Its a date bomb, not time.



     How many confirmed infections are setting on 410+ Meg connections?
     How many of them have systems busses even capable of saturating
multiple
infections?

     --c0ncept


[snip]
:Remember, each host can be infected multiple times, meaning that a single
:host can send 410MB * # of infections.
[snip]

-----Original Message-----
From: Marc Maiffret [mailto:marc () eeye com]
Sent: Thursday, July 19, 2001 1:55 PM
To: Vuln-Dev; SECURITY-BASICS
Subject: Update to "Code Red" Worm. Its a date bomb, not time.


Thanks to Eric from Symantec for tossing us a note about the worm being
Date
based and not Time based.

We made an error in our last analysis and said the worm would start
attacking whitehouse.gov based on a certain time. In reality its based on a
date (the 20th UTC) which is tomorrow.

If the worm infects your system between the 1st and the 19th it will
attempt
to deface the infected servers web page or try to propogate itself to other
systems. On the 20th all infected threads will attempt to attack
www.whitehouse.gov. This seems to continue until the worm is removed from
the infected system.

Any new infection that happens between the 20th and 28th will most likely
be
someone "hand infecting" your system as all other worms should be attacking
whitehouse.gov. If for some reason you are infected between the 20th and
the
28th then the worm will begin attacking whitehouse.gov without trying to
infect other systems. This attack will continue indefinitly.

The following are rough numbers, but we felt that it was important to
illustrate the affects this worm can _possibly_ have.

The worm has a timeline like this:

day of the month:
1-19: infect other hosts using the worm
20-27: attack whitehouse.gov forever
28-end of month: eternal sleep

Presumably, this could restart at any point in a new month again.

Also, some stats for the attack:

Each infection has 100 threads
Each thread is going to send about 100k, a byte at a time, which means you
have a (40 for ip + 1 for each byte) which means you have 4.1 megs of data
per thread
100 threads * 4.1megs = 410 Megabytes
This will be repeated again every 4.5 hours or so

Remember, each host can be infected multiple times, meaning that a single
host can send 410MB * # of infections.

We have had reports between 15 thousand and 196 thousand unique hosts
infected with the "Code Red" worm. However, there has been cross infection
and we have heard reports of at least 300+ thousand infections/instances
(machines with multiple infections etc..) of this worm.

If there are 300 thousand infections then that means you have (300,000 *
410
megabytes) that is going to be attempted to be flooded against
whitehouse.gov every 4 and a half hours. If this is true and the worm
"works
as advertised" then the fact that whitehouse.gov goes offline is only the
begining of what _can_ possibly happen...

----

I am actually writing this part of the eMail about 45 minutes after the
first part because our Internet connection here in california has been
going
up and down. We have also heard reports of internet connectivity going down
in parts of northern california and new york.

Signed,
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities







*******************Internet Email Confidentiality Footer*******************


Privileged/Confidential Information may be contained in this message.  If
you are not the addressee indicated in this message (or responsible for
delivery of the message to such person), you may not copy or deliver this
message to anyone. In such case, you should destroy this message and kindly
notify the sender by reply email. Please advise immediately if you or your
employer do not consent to Internet email for messages of this kind.
Opinions, conclusions and other information in this message that do not
relate to the official business of my firm shall be understood as neither
given nor endorsed by it.