nanog mailing list archives
Re: Fwd: Re: Code Red variants
From: Marius Strom <marius () marius org>
Date: Sun, 5 Aug 2001 10:32:11 -0500
Odd thing: from a Sprint connected network, he seess the most attempts from Sprint's Class A. On my cable-modem connected box through Cox Internet, I see 248 out of 256 attempts coming from *.cox-internet.com. Does the new variant perhaps try to "stick to it's own domain"? I do see some non-localdomain stuff as well, so it's not 100% definite, and I can't say whether or not the providers are proactively filtering inbound to prevent other providers from getting in. On Sun, Aug 05, 2001 at 10:18:56AM -0400, Jeff Ogden wrote:
FYIDate: Sat, 04 Aug 2001 20:16:55 -0700 To: Jeff Ogden <jogden () merit edu> From: John Moore <misclists () tinyvital com> Subject: Re: Code Red variants At 07:48 PM 8/4/2001, you wrote:Do we know if anyone has looked at the code for variants of the worn in detail recently? I've seen announcements about new versions with better random IP address generation. Does anyone know if other aspects of the worm are the same? Is it still set to spread itself until the 19th and then switch to attacking the IP address that was once www1.whitehouse.gov or are their variants with different dates and different IP address or attack scenarios?Jeff, I tried sending info to the list but may not have posting priveleges. Anyway, you can relay this. I have a home system on Sprint Broadband, with a little sniffer on port 80 to see the full payload of what is coming in. Starting this morning a new variant of CodeRed started hitting, with a lot more frequency than I ever saw from the original. This variant has the text "CodeRedII" in the payload. It also has the names of the windows registry entries you would want to hit to install a rebootable trojan. It does not have any domain name in it, and nothing about "Hacked by Chinese." It has XXXXXXXXXXXXXXXXXXX in the payload instead of NNNNNNNNNNNNNNn The class A domain with by far the greatest number of hits belongs to Sprint. I dumped some statistics on which class A prefixes had at least three hits. I also dumped the total number of CodeRedII hits by hour. I don't have time to disassemble it - I am just watching out of curiousity, so I don't know what else it is doing. here are my hourly stats so far. Time is GMT. 08040113 1 08040114 4 08040115 10 08040116 5 08040117 13 08040118 10 08040119 12 08040120 9 08040121 18 08040122 15 08040123 16 08050100 18 08050101 20 08050102 26 Here is the domain breakdown: Class A # 168 3 112 3 249 3 ? 21 221 80 43 3 190 4 Feel free to mention this to the list if you want, since my mail is not getting through. Thanks John John Moore john () tinyvital com - http://www.tinyvital.com/ Tiny Vital Software, Inc The only good weather is bad weather! Storm Chasing - the Best extreme sport! (SKYWARN,ARRL,AZ AMS,AZTC,NJ7E)
-- Marius Strom <marius () marius org> Professional Geek/Unix System Administrator URL: http://www.marius.org/ http://www.marius.org/marius.pgp 0xF5D89089 *updated 2001-02-26* It is a natural law. Physics tells us that for every action, there must be an equal and opposite reaction. They hate us, we hate them, they hate us back and so, here we are, victims of mathematics. -- Londo, "A Voice in the Wilderness I"
Current thread:
- Code Red variants Lou Katz (Aug 04)
- Re: Code Red variants Jeff Ogden (Aug 04)
- Code Red II measl (Aug 04)
- Re: Code Red II Stephen J. Wilcox (Aug 05)
- Re: Code Red variants Andrew Barros (Aug 04)
- Re: Code Red variants mike harrison (Aug 05)
- Code Red II measl (Aug 04)
- <Possible follow-ups>
- Fwd: Re: Code Red variants Jeff Ogden (Aug 05)
- Re: Fwd: Re: Code Red variants Marius Strom (Aug 05)
- Re: Fwd: Re: Code Red variants Larry Rosenman (Aug 05)
- Re: Fwd: Re: Code Red variants Marius Strom (Aug 05)
- Re: Code Red variants Jeff Ogden (Aug 04)