CodeRed was worse by the sheer number of hosts that were infected, and in the end it had a lot more impact than what the SQL Sapphire worm has shown. Now that is not to say this worm does not surpass CodeRed... however it still has its work cut out for it. Last I heard the number of infections ranges from 40k to 200k depending on who you ask. Now if it's 200k that's definitely getting close to a CodeRed level, however even then it has another few hundred thousand infections to go.

The flooding aspect of this worm (it tries to re-infect so fast; it DOES NOT have a DDoS engine built into it as some people have misled) is interesting and is causing a lot of problems for networks. However, it's also its downfall as it saturates bandwidth to the point of even it not being able to spread anymore.

I could go into other technical details if you like... like how CodeRed properly handled its data manipulation on the stack so that it could keep running whereas Sapphire is going to end up crapping out on itself anyways... and also it does not keep any sort of global flag to thwart off re-infection, therefore once again hindering its ability to spread, whereas CodeRed did keep a global atom allowing it to last longer and infect more. And bla bla bla.

You can read both of eEye's analyses of CodeRed and Sapphire here:

CodeRed: http://www.eeye.com/html/Research/Advisories/AL20010717.html
Sapphire: http://www.eeye.com/html/Research/Flash/AL20030125.html

First after soda then after liquor... damn alcoholics.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

P.S. Jack and Eric, you might be the only ones to get this as I was having trouble earlier posting to NANOG... feel free to forward if you think it matters.
| -----Original Message-----
| From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
| Jack Bates
| Sent: Saturday, January 25, 2003 9:36 AM
| To: Eric Gauthier; nanog@merit.edu
| Subject: Re: New worm / port 1434?
|
|
| From: "Eric Gauthier"
|
| > Woot!
| >
| > We made the front page of CNN.com:
| >
| > Electronic attack slows Internet
| > http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html
| >
| > Guess that USD10 goes to some unnamed reporter at CNN
| >
| And please tell me how CodeRed was worse? I'm sorry, this just created a lot
| of Internet traffic hurting performance? That's a little underrated. But
| then again, it's a port that could be blocked and not cause severe damage.
| Block tcp/80 and people would throw a fit.
|
| *mental note: Block port 80 anytime another port must be blocked just to be
| sure.
|
| Jack Bates
| Network Engineer
| BrightNet Oklahoma
|
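Marc's observation that the worm's damage comes from its re-infection flood rather than any DDoS engine points at what a network operator can watch for: one source hitting many distinct hosts on the worm's port in a very short window. The following is an added example, not code from the thread or from eEye, that flags such sources in flow records; it assumes UDP/1434 (the port in the thread's subject; Slammer used UDP), and the flow-log format, thresholds and sample records are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed flow-record format: "<epoch> <src_ip> <dst_ip> <proto> <dport>"
# 10.1.2.3 sprays six different hosts on UDP/1434 within 50 ms (worm-like);
# 10.1.2.9 repeatedly queries one SQL Server (legitimate client traffic).
SAMPLE_FLOWS = """\
1043500000.00 10.1.2.3 192.0.2.10 udp 1434
1043500000.01 10.1.2.3 192.0.2.11 udp 1434
1043500000.02 10.1.2.3 192.0.2.12 udp 1434
1043500000.03 10.1.2.3 192.0.2.13 udp 1434
1043500000.04 10.1.2.3 192.0.2.14 udp 1434
1043500000.05 10.1.2.3 192.0.2.15 udp 1434
1043500001.00 10.1.2.9 192.0.2.20 udp 1434
1043500001.50 10.1.2.9 192.0.2.20 udp 1434
1043500002.00 10.1.2.9 192.0.2.20 udp 1434
1043500002.00 10.1.2.50 198.51.100.5 tcp 80
"""

WINDOW_SECONDS = 1.0   # look-back window per source (assumed tuning value)
DISTINCT_DSTS = 5      # distinct UDP/1434 targets in the window that trigger an alert

def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto.lower(), int(dport)

def find_spraying_sources(log_text, window=WINDOW_SECONDS, threshold=DISTINCT_DSTS):
    """Return {src_ip: timestamp_of_first_alert} for every source that reached
    `threshold` distinct UDP/1434 destinations inside `window` seconds.
    Records are expected in timestamp order. Counting distinct destinations
    (not packets) keeps a busy client of a single server from being flagged."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_flow(line)
        if proto != "udp" or dport != 1434:
            continue                  # only the worm's port is of interest here
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()               # drop records older than the window
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts          # first moment the source crossed the threshold
    return alerts

if __name__ == "__main__":
    for src, ts in find_spraying_sources(SAMPLE_FLOWS).items():
        print(f"possible 1434 sprayer {src} at {ts:.2f}")
```

A real deployment would read router flow exports rather than an inline string, but the per-source distinct-destination logic is what separates a worm-style spray from a client that simply talks to one server a lot.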