Re: Nimda Infections and code red resurgence

[Dug Song <dugsong () monkey org>]

On Wed, Nov 14, 2001 at 11:17:20AM +1300, Russell Fulton wrote:

> Code Red never went a way, it just sleeps on the 19th (or 20th ?)of the 
> month and reawakes on the 1st.  Since it is cleared by rebooting then 
> many infections die off over the ten days.

a graph of unique infected hosts per day since December 2000, as seen
on our blackhole monitor (watching an unused /8):

        http://www.monkey.org/~dugsong/worms.jpg

> What puzzels me however is that we see to the odd machine in some
> unrelated /8 probing at very high rates (well over 100 per hour).
> On at least one ocassion I verified (from the IDS) that the machine
> was attempting Nimda style attacks on any web server it found.

we have seen these too - check the User-Agent: header, and you may
find that some of them are from a free third-party win32 HTTP library
(CSHttpClient). widespread scanning for the IIS Unicode directory
traversal bug has been going on since late last year - perhaps
attackers are trying to hide their scans in all the noise...

-d.

---
http://www.monkey.org/~dugsong/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com