Bugtraq mailing list archives

Re: Mitigating some of the effects of the Code Red worm


From: "Johannes B. Ullrich" <jullrich () euclidian com>
Date: Thu, 19 Jul 2001 21:13:23 -0400 (EDT)


I have sent about 5000+ emails over the last week to systems very
likely infected with the Red Alert Virus (based on data collected
by DShield.org). It was the first time in the 6+ months I have been running
that service that I got flooded with abusive e-mail because
I attempted to notify sysadmins that their machine was hacked.

Many just did not understand that even though the report indicated
a hit against port 80, it is not 'usual web traffic'. If you have a
web server, there is no need for it to hit port 80 on random machines.

Also, how hard is it to check if a machine is ok or not? The Code Red
was not very obvious to spot, and it took us a couple of days to find
out what was going on. But if someone tells you that a machine on your
network is doing something that is perceived as unusual, why not take
a quick look?

In short, as long as sysadmins don't start to care and get their systems
up to date, things like this will continue to happen. I was lucky that
the main submitters of the data were very patient with the abusive
responses and took the time to respond to them individually.

We are not talking about home users here who installed the latest
magic 'improve your modem speed' virus.

Well, I won't give up. I am sure the 'Dark Red Alert' is just around the
corner waiting... And I don't mind playing 'whack the worm' for a while.

We could send 'RMV's to all SubSevens, or 'noworm' files to all IIS
servers. But the next worm will not care... and if someone has no
virus scanner they will get reinfected with SubSeven on their next
visit to IRC.

....
1) There is something of an ongoing log of affected machines that can be
obtained from boxes earlier in the IP list.
2) Machines which have been compromised can STILL be compromised.
3) The worm has a "lysine deficiency" which can be remotely introduced.
.....

Ben Lard
University of Colorado, Boulder



-- 
-------
jullrich () dshield org                 Join http://www.DShield.org

                          Distributed Intrusion Detection System