Re: Fwd: Re: Code Red variants

[Marius Strom <marius () marius org>]

Odd thing: from a Sprint connected network, he seess the most attempts
from Sprint's Class A.

On my cable-modem connected box through Cox Internet, I see 248 out of
256 attempts coming from *.cox-internet.com.

Does the new variant perhaps try to "stick to it's own domain"?  I do
see some non-localdomain stuff as well, so it's not 100% definite, and I
can't say whether or not the providers are proactively filtering inbound
to prevent other providers from getting in.

On Sun, Aug 05, 2001 at 10:18:56AM -0400, Jeff Ogden wrote:
> FYI
>  
> > Date: Sat, 04 Aug 2001 20:16:55 -0700
> > To: Jeff Ogden <jogden () merit edu>
> > From: John Moore <misclists () tinyvital com>
> > Subject: Re: Code Red variants
> >
> > At 07:48 PM 8/4/2001, you wrote:
> >
> > > Do we know if anyone has looked at the code for variants of the 
> > > worn in detail recently?  I've seen announcements about new 
> > > versions with better random IP address generation.  Does anyone 
> > > know if other aspects of the worm are the same?  Is it still set to 
> > > spread itself until the 19th and then switch to attacking the IP 
> > > address that was once www1.whitehouse.gov or are their variants 
> > > with different dates and different IP address or attack scenarios?
> >
> >
> > Jeff,
> >        I tried sending info to the list but may not have posting 
> > priveleges. Anyway, you can relay this.
> >
> > I have a home system on Sprint Broadband, with a little sniffer on 
> > port 80 to see the full payload of what is coming in. Starting this 
> > morning a new variant of CodeRed started hitting, with a lot more 
> > frequency than I ever saw from the original.
> >
> > This variant has the text "CodeRedII" in the payload. It also has 
> > the names of the windows registry entries you would want to hit to 
> > install a rebootable trojan. It does not have any domain name in it, 
> > and nothing about "Hacked by Chinese." It has XXXXXXXXXXXXXXXXXXX in 
> > the payload instead of NNNNNNNNNNNNNNn
> >
> > The class A domain with by far the greatest number of hits belongs to Sprint.
> >
> > I dumped some statistics on which class A prefixes had at least 
> > three hits. I also dumped the total number of CodeRedII hits by hour.
> >
> > I don't have time to disassemble it - I am just watching out of 
> > curiousity, so I don't know what else it is doing.
> >
> > here are my hourly stats so far. Time is GMT.
> >
> > 08040113    1
> > 08040114    4
> > 08040115   10
> > 08040116    5
> > 08040117   13
> > 08040118   10
> > 08040119   12
> > 08040120    9
> > 08040121   18
> > 08040122   15
> > 08040123   16
> > 08050100   18
> > 08050101   20
> > 08050102   26
> >
> > Here is the domain breakdown:
> > Class A    #
> >    168    3
> >    112    3
> >    249    3
> >      ?    21
> >    221   80
> >     43    3
> >    190    4
> >
> > Feel free to mention this to the list if you want, since my mail is 
> > not getting through.
> >
> > Thanks
> >
> > John
> >
> >
> >
> >
> > John Moore
> >
> > john () tinyvital com  -  http://www.tinyvital.com/
> > Tiny Vital Software, Inc
> >
> > The only good weather is bad weather!
> > Storm Chasing - the Best extreme sport!
> >
> > (SKYWARN,ARRL,AZ AMS,AZTC,NJ7E)

-- 
Marius Strom <marius () marius org>
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0xF5D89089 *updated 2001-02-26*
 
It is a natural law. Physics tells us that for every action, there must be an
equal and opposite reaction. They hate us, we hate them, they hate us back and
so, here we are, victims of mathematics.
-- Londo, "A Voice in the Wilderness I"