OT - (sort of) Watching Code Red spread around the world

greenspun.com : LUSENET : Current News : One Thread

In case you are interested, here is what SANS thinks is going on.

Incidents

Seems like, with all the press, it is still spreading like wildfire.

Sheeps

-- Anonymous, August 01, 2001

Answers

MSNBC

Code Red starts to take hold

Worm could result in Net slowdowns

By Bob Sullivan MSNBC

Aug. 1 — The Code Red worm is slowly gaining steam and may yet clog Web traffic, despite a slow start after it awoke from its pre-programmed slumber Tuesday night. According to one private computer security think tank, Code Red infections have jumped from about 1,000 at 5 a.m. ET to 22,000 at 11 a.m.

WHILE CODE RED created hardly a blip on the radar early Wednesday, experts caution that the malicious program might pack a serious punch later in the day, or during the next several days. Their big concern: a slow-starting, but exponentially increasing attack. And there is some evidence that Code Red is gaining serious steam.

According to Incidents.org, which is operated by computer security think tank SANS Institute, Code Red infections have sharply risen Tuesday morning, from fewer than 1,000 at 5 a.m. ET to 8,000 by 9 a.m. ET. Two hours later, at 11 a.m., there were 22,000.

The original Code Red worm took seven days to hit its stride, according to Alan Paller, director of research at SANS. And even though Net traffic currently appears to be unaffected, the worst could be yet to come.

“We don’t know yet whether we are safe, and we won’t know for sure until seven days pass with no major disruptions,” said Paller, who was helping the FBI monitor the Internet.

The federally-funded CERT Coordination Center, which manages computer crises in the United States, issued a statement early Wednesday saying Code Red activity has been spotted.

“Early reports of activity spanning the entire globe, including the United States, indicate that the worm has gone active and is presently spreading throughout the Internet,” CERT said in a statement. “As was the case in July with its early progression, the worm’s potential is still unknown at this time.” When Code Red first hit in July, it infected about 300,000 machines within one day. The bug was programmed to enter “sleep” mode at the end of the month, and awoke from its slumber to renew attacks at 8 p.m. ET Tuesday night.

“If you look at the attack rates, the attacks seem a lot faster than last time,” said Alfred Huger, vice president of engineering at SecurityFocus.com, which helped coordinate private-sector efforts to squash the worm. “We started seeing Code Red on the 11th last time and it took several days before it started picking up steam en masse. Today, however, the rise seems a lot more effective.”

For most of Wednesday morning, system administrators around the country reported anecdotally that Code Red was largely a no-show. Internet traffic measurement firms had yet to report any noticeable slowdown.

The worm has garnered national attention since government officials held a news conference with Microsoft Corp. on Monday and suggested the Internet was at risk of shutting down unless system administrators took immediate action. But some experts pointed out that the worm was only a nuisance for most users when it struck last month — and said they expected nothing worse from Code Red this time around.

Despite the worm’s slow start, experts still think hundreds or even thousands of computers remain unprotected and will become reinfected as Code Red enters its “spread” phase. Once infected, each machine sends out 100 simultaneous attacks aimed at random computers on the Internet. If hundreds of thousands are infected, it will generate enough traffic to clog the operations of the entire Internet, some say.

NOT FROM CHINA

Meanwhile, the FBI is working with Canada, the United Kingdom and Australia to fight the worm’s spread. FBI legal attaches stationed overseas have sent the word to 46 other countries. Investigators don’t yet know who wrote Code Red or where it started.

A Chinese network safety official said the worm was probably not made in China, despite Web site defacings that said “Hacked by Chinese.”

The Code Red worm has surfaced little in China and appeared too sophisticated to be the work of Chinese hackers, the official said.

“I’ve never heard of anything so powerful in China,” said the expert at the State Office of Network and Information Safety who gave his surname as Fang. “This is not something that an ordinary person has the skill to create.”

Because it spreads uncontrollably after being transmitted, the worm would have surfaced more in China if it had been created by a Chinese person, said a technical support manager at Beijing Rising Technology Corp Ltd, a virus protection company.

GUARD AGAINST THE WORM

The officials are urging users of Microsoft Windows NT and 2000 operating systems — primarily businesses — to guard against the worm by installing a patch that’s available on Microsoft’s Web site. Code Red exploits a flaw discovered in June in Microsoft’s Internet Information Server software used on Internet servers.

Code Red is tricky. Administrators who simply reboot their machines might think they have cleaned their systems, because the suspicious outbound traffic will be stopped. But unless Microsoft’s patch is installed or other mitigating steps are taken, the machine can be reinfected.

Typical home users don’t have to worry about infection, as it doesn’t affect users of Windows 95, Windows 98 or Windows Me. Most high-end corporate users have installed the simple patch.

But there’s a third class of users — and there may be hundreds of thousands of them — who run Windows NT or Windows 2000 at home or in a small office and don’t realize they are vulnerable. It’s these systems that will form the backbone of any Code Red trouble this time around, said Russ Cooper, who manages TruSecure Corp.’s NTBugTraq mailing list.

“The vast majority of infected machines are mom-and-pop-type situations. The warnings were not getting to the right audience,” he said. That’s why Monday’s attention-getting press conference was worthwhile, he said.

“The only way we can fix this is to get people to realize whether or not they even have this (vulnerable) software on their machines.”

-- Anonymous, August 01, 2001


With all the coverage about this, anyone who fails to protect themselves deserves the hassle. Their sites are probably slow anyway, and so they'll never notice.

-- Anonymous, August 01, 2001

Sheeple, I can't quite load your link. Must be the Code Red worm...

-- Anonymous, August 01, 2001

Brooks,

It is a painfully slow site to load. Not sure if they are a target of the attack, have the worm, or just bogged down by people going out there to check it.

It has the day broken down by a couple hour time slots, and shows how many machines are infected. When I had the page pulled up before, it was up to 22000, but that ended at 11am. (Not sure which time zone it was for)

Maybe give it a bit and check it later on today, tonight, or possibly in the morning.

-- Anonymous, August 01, 2001


Sheeple, finally got in. (I knew I wasn't being patient enough, just joshing you!)

Now over 48,000, as of 2 pm. An extraordinarily symmetrical logarithmic progression. Worth the wait (which I assume will take longer and longer and longe...)

-- Anonymous, August 01, 2001



Oh, maybe not logarithmically after the first few hours. It seems to be adding 7,000 to 10,000 infected computers per hour for the last several hours, assuming this is a cumulative scale.

-- Anonymous, August 01, 2001

It's red, too. Clever, huh?

-- Anonymous, August 01, 2001

Another 4,000 in the subsequent hour - 52,273 as of 3 pm EDT. Maybe it's starting to slow down for the day.

-- Anonymous, August 01, 2001

53,643 as of 4 pm EDT, so still decreasing in rate.

-- Anonymous, August 01, 2001

This is just the excuse that I need to log out and go to a movie tonight. Yep, couldn't get any work done . . . inet too slow. Heheheheheheheheheheh.

-- Anonymous, August 01, 2001


Wednesday August 1 3:29 PM ET

Code Red Internet Worm Disturbs Pentagon Networks

By Deborah Zabarenko

WASHINGTON (Reuters) - The reawakened “Code Red” worm disturbed the Pentagon's computer networks on Wednesday, and the main U.S. computer monitoring center predicted it would infect as many systems as it did in its first incarnation in July.

“The worm is an ugly thing,” U.S. Army Major Barry Venable said in a telephone interview from Colorado Springs, where the U.S. military monitors its networks.

“Here at DoD (Department of Defense), we've observed several disturbances to our networks as a result of this thing working on the Internet, but we've seen no significant degradation to DoD yet,” Venable said.

Code Red surreptitiously infects computers running Windows NT or 2000 operating systems and Microsoft Corp.'s IIS Web server software and then makes infected machines scan the Internet for more victims.

It reawakened at 8 p.m. EDT on Tuesday after an 11-day dormant period. First recognized by Internet security watchdogs in mid-July, the time-linked worm reached its peak virulence on July 19 before shutting down on July 20. It is designed to resume multiplying on the first of the month.

The Defense Department, which operates hundreds of Web sites, had to temporarily shut down public access to them during the July onslaught of Code Red.

Venable would not elaborate on whether Wednesday's “disturbances” included slow operation or whether any systems were shut down, but said of Code Red, “We will continue to evaluate the threat that it poses.”

The FBI-led National Infrastructure Protection Center said in an online update: “Based on preliminary analysis, we expect a level of worm activity comparable to the July 19 Code Red infection, which resulted in infection of over 250,000 systems. It should achieve that level of activity by this afternoon.”

WHITE HOUSE NOT AFFECTED

The White House, where the official Web site (http://www.whitehouse.gov) was a target of the July version of Code Red, was not affected by this latest siege, presidential spokesman Ari Fleischer told reporters.

“We have been monitoring it closely,” Fleischer said. “At this time there has been no impact on the White House.”

The State Department was also unaffected, a spokesman said.

By mid-afternoon on Wednesday, the U.S.-based Computer Emergency Response Team (CERT) reported increasing Code Red scanning on the Internet.

“This indicates that the worm is in the first phase of its attack cycle, in which it scans random IP addresses for systems to compromise,” CERT said in an e-mailed update. “These reports indicate that the number of compromised systems is increasing exponentially, and there is a potential for a large number of machines to be affected.”

By mid-afternoon, the number was in the tens of thousands, CERT said.

CERT's Chad Dougherty said in an earlier telephone interview that several Web sites had lost service because of the worm, but there were no reports of widespread outages. The overall global slowdown of the Internet had not occurred, he said.

Computers running Windows 95, 98 and ME are not vulnerable to the worm.

For infected computers, turning the machine off and then on gets rid of the worm but does not provide immunity from future infection. A free software patch is available at http://www.digitalisland.net/codered/.

A media campaign to publicize the worm and its remedies may have helped lessen the impact this time, according to Tim Belcher, chief technical officer of Riptech, an Alexandria, Virginia firm that monitors attacks on corporate networks.

“What we're seeing right now is an hourly increase (in infection) between 75 and 100 percent, but at a much slower growth rate,” Belcher said by telephone. “There are less vulnerable hosts out there because of the patch -- less victims, meaning slower growth.”

Code Red, named for a caffeinated soft drink favored by computer programmers, scans the Internet for other computers to infect, and as more computers are infected the scanning gets more widespread and could slow Internet traffic to a crawl.

The worm can also deface sites, though in two of the three known variants no vandalism is apparent to computer users. In last week's hits, some U.S. government sites showed the message “Hacked by Chinese!” but the Chinese government said the worm probably did not come from China.

-- Anonymous, August 01, 2001
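The posts above argue back and forth about whether the Incidents.org counts are growing exponentially or slowing down, and the Reuters piece ends with Belcher's explanation that fewer unpatched hosts means slower growth. The following is an added example, not code from the thread or from any of the organisations it quotes, that puts both points in one small model: a random-scanning worm (each infected host probing uniformly random addresses, as the articles describe for Code Red) produces new infections in proportion to the number already infected, so growth is exponential at first and then saturates as the pool of vulnerable hosts is used up. The vulnerable-population size, address space, scan rate and time step are constructed parameters chosen only for illustration; the hourly counts in `THREAD_COUNTS` are the figures the posters quote from Incidents.org, treated here as a cumulative series so the per-hour growth factor can be computed the way the posters were reasoning about it.

```python
"""Mean-field SI model of a random-scanning worm (added example, constructed parameters)."""
from typing import List, Sequence, Tuple


def simulate_random_scan_worm(
    vulnerable: int = 300_000,           # unpatched hosts (constructed; the thread cites ~300,000 July victims)
    address_space: int = 2 ** 32,        # IPv4 addresses, probed uniformly at random
    scans_per_host_per_min: int = 200,   # constructed per-host scanning rate, not a measured Code Red figure
    initial_infected: int = 1,
    minutes: int = 24 * 60,
) -> List[float]:
    """Expected number of infected hosts after each minute (index 0 is the start).

    With I infected hosts each sending s scans per minute at random addresses,
    a still-vulnerable host is missed by every one of the I*s scans with
    probability (1 - 1/A)**(I*s), so the expected number of new infections in
    that minute is (V - I) * (1 - (1 - 1/A)**(I*s)).  Early on this is roughly
    I * s * V / A, i.e. proportional to I (exponential growth); as I approaches
    V the factor (V - I) shrinks and growth stalls (saturation).
    """
    infected = float(initial_infected)
    series = [infected]
    for _ in range(minutes):
        susceptible = vulnerable - infected
        p_missed = (1.0 - 1.0 / address_space) ** (infected * scans_per_host_per_min)
        infected += susceptible * (1.0 - p_missed)
        series.append(infected)
    return series


def hourly_samples(minute_series: Sequence[float]) -> List[float]:
    """Take every 60th minute so the simulation can be compared with hourly counts."""
    return list(minute_series[::60])


def growth_rates(times_h: Sequence[float], counts: Sequence[float]) -> List[float]:
    """Compounded per-hour growth factor between consecutive samples.

    Samples need not be evenly spaced: a factor of 8 over 4 hours is reported
    as 8 ** (1/4) per hour.  A flat sequence of factors near 1.0 means the
    count has stopped growing; factors that fall hour after hour mean the
    vulnerable population is running out.
    """
    rates = []
    for (t0, c0), (t1, c1) in zip(zip(times_h, counts), zip(times_h[1:], counts[1:])):
        rates.append((c1 / c0) ** (1.0 / (t1 - t0)))
    return rates


# Hourly figures quoted in the thread (ET, August 1), treated as a cumulative series.
THREAD_COUNTS: List[Tuple[int, int]] = [
    (5, 1_000), (9, 8_000), (11, 22_000), (14, 48_000), (15, 52_273), (16, 53_643),
]


if __name__ == "__main__":
    sim_hourly = hourly_samples(simulate_random_scan_worm())
    sim_rates = growth_rates(list(range(len(sim_hourly))), sim_hourly)
    print("simulated infected hosts by hour:", [round(x) for x in sim_hourly])
    print("simulated per-hour growth factors:", [round(r, 2) for r in sim_rates])

    times, counts = zip(*THREAD_COUNTS)
    print("thread per-hour growth factors:", [round(r, 3) for r in growth_rates(times, counts)])
```

Run as a script it prints the simulated curve and the growth factors for both series. The thread's own numbers give factors of roughly 1.68, 1.66, 1.30, 1.09 and 1.03 per hour, which is the "starting to slow down for the day" pattern the posters noticed, and the simulation reproduces the same shape: a factor above 2 per hour while almost everything is still vulnerable, falling toward 1.0 once most of the constructed population is infected. Patching shrinks `vulnerable`, which lowers the early growth factor directly, as Belcher describes.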


Based on this morning's numbers of infected hosts posted at SANS Institute, it is not a cumulative graph, it's apparently hits per hour, holding steady at about 50,000 per hour since around 2 pm EDT yesterday. The total number of infected hosts must be incorrect. It looks to be several times the previous (July?) period already, as of 9 am EDT. Internet traffic not too shabby, though.

-- Anonymous, August 02, 2001
