Bugtraq mailing list archives

Code Red Worm, closing notes


From: Alfred Huger <ah () securityfocus com>
Date: Sun, 22 Jul 2001 19:35:22 -0600 (MDT)



It seems as if the Code Red worm has gone to sleep for now, at least so
far as we can tell. It will be interesting to see what happens when it
re-awakens.

My previous email noted that the ARIS project would be notifying as many
IPs as we could about possible infections of the worm. To that end we
notified against 172,066 unique IPs within 27,640 unique domains. We owe
a special thanks to Vern Paxson of LBL in this regard for supplying a
significant amount of data alongside our own ARIS data.

Some notes of interest:

List of the largest bulk offenders:

     923 Level3.net
    1159 cnc.net
    1251 shawcable.net
    1309 att.net
    1363 bellatlantic.net
    1404 wanadoo.fr
    1438 gtei.net
    1452 btinternet.com
    1705 mindspring.com
    1709 swbell.net
    1905 bellsouth.net
    2358 mediaone.net
    2395 uu.net
    2496 aol.com
    2909 hinet.net
    3870 pacbell.net
    4148 t-dialin.net
    5940 rr.com

As I said earlier, the traffic seems to have dropped off. This is a graph
showing this attack alongside the rest of the Internet noise (in terms of
attacks trending up); the cessation is readily apparent:

http://www1.securityfocus.com/data/staff/trended3.pdf



Cheers,
-al

VP Engineering
SecurityFocus.com
"Vae Victis"



