FYI
Date: Sat, 04 Aug 2001 20:16:55 -0700
To: Jeff Ogden <jogden@merit.edu>
From: John Moore <misclists@tinyvital.com>
Subject: Re: Code Red variants
At 07:48 PM 8/4/2001, you wrote:
Do we know if anyone has looked at the code for variants of the worm in detail recently? I've seen announcements about new versions with better random IP address generation. Does anyone know if other aspects of the worm are the same? Is it still set to spread itself until the 19th and then switch to attacking the IP address that was once www1.whitehouse.gov, or are there variants with different dates and different IP addresses or attack scenarios?
Jeff, I tried sending info to the list but may not have posting privileges. Anyway, you can relay this.
I have a home system on Sprint Broadband, with a little sniffer on port 80 to see the full payload of what is coming in. Starting this morning a new variant of CodeRed started hitting, with a lot more frequency than I ever saw from the original.
This variant has the text "CodeRedII" in the payload. It also has the names of the Windows registry entries you would want to hit to install a rebootable trojan. It does not have any domain name in it, and nothing about "Hacked by Chinese." It has XXXXXXXXXXXXXXXXXXX in the payload instead of NNNNNNNNNNNNNNn.
The class A domain with by far the greatest number of hits belongs to Sprint.
I dumped some statistics on which class A prefixes had at least three hits. I also dumped the total number of CodeRedII hits by hour.
I don't have time to disassemble it - I am just watching out of curiosity, so I don't know what else it is doing.
Here are my hourly stats so far. Time is GMT.
Hour        Hits
08040113       1
08040114       4
08040115      10
08040116       5
08040117      13
08040118      10
08040119      12
08040120       9
08040121      18
08040122      15
08040123      16
08050100      18
08050101      20
08050102      26
Here is the domain breakdown:
Class A     #
168         3
112         3
249         3
?          21
221        80
43          3
190         4
Feel free to mention this to the list if you want, since my mail is not getting through.
Thanks
John
John Moore
john@tinyvital.com - http://www.tinyvital.com/ Tiny Vital Software, Inc
The only good weather is bad weather! Storm Chasing - the Best extreme sport!
(SKYWARN,ARRL,AZ AMS,AZTC,NJ7E)
Odd thing: from a Sprint connected network, he sees the most attempts from Sprint's Class A. On my cable-modem connected box through Cox Internet, I see 248 out of 256 attempts coming from *.cox-internet.com. Does the new variant perhaps try to "stick to its own domain"? I do see some non-localdomain stuff as well, so it's not 100% definite, and I can't say whether or not the providers are proactively filtering inbound to prevent other providers from getting in.
On Sun, Aug 05, 2001 at 10:18:56AM -0400, Jeff Ogden wrote:
--
Marius Strom <marius@marius.org>
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0xF5D89089 *updated 2001-02-26*
It is a natural law. Physics tells us that for every action, there must be an equal and opposite reaction. They hate us, we hate them, they hate us back and so, here we are, victims of mathematics. -- Londo, "A Voice in the Wilderness I"
* Marius Strom <marius@marius.org> [010805 10:38]:
Odd thing: from a Sprint connected network, he sees the most attempts from Sprint's Class A.
On my cable-modem connected box through Cox Internet, I see 248 out of 256 attempts coming from *.cox-internet.com.
Does the new variant perhaps try to "stick to its own domain"? I do see some non-localdomain stuff as well, so it's not 100% definite, and I can't say whether or not the providers are proactively filtering inbound to prevent other providers from getting in.
According to another post, it wants to stay in the same /8, /16, and /24.
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
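As an added example, not code from anyone in this thread: a small Python script that labels captured port-80 requests using the two markers John Moore reports (a long run of X plus the string "CodeRedII" for the new variant, a long run of N for the original), rebuilds his hourly and per-/8 ("Class A") counts, and measures how many probes share the sensor's own /8, /16 and /24, the locality Marius and Larry discuss. The sensor address, the log lines and the request form in them are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

SENSOR_IP = "24.10.5.7"  # assumed address of the observing host (not from the thread)
# Constructed sniffer log (not data from the thread): UTC timestamp, source IP, request text.
SAMPLE_LOG = """\
2001-08-04T13:05Z 24.10.5.200 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX ...CodeRedII...
2001-08-04T13:40Z 24.10.77.3 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX ...CodeRedII...
2001-08-04T14:02Z 24.200.1.9 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX ...CodeRedII...
2001-08-04T14:15Z 208.12.3.4 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN ...Hacked by Chinese!...
2001-08-04T14:30Z 24.10.5.9 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX ...CodeRedII...
2001-08-04T15:20Z 221.4.4.4 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX ...CodeRedII...
2001-08-04T15:33Z 168.5.6.7 GET /index.html HTTP/1.0
"""

def classify(request):
    # Markers the thread gives: a long X run plus "CodeRedII" marks the new variant,
    # a long N run the original worm; anything else is treated as ordinary traffic.
    if "CodeRedII" in request and re.search(r"X{16,}", request):
        return "CodeRedII"
    if re.search(r"N{16,}", request):
        return "CodeRed"
    return None

def parse_hits(log):
    # Return (hour, source_ip, variant) for every line classified as a worm probe.
    hits = []
    for line in log.splitlines():
        ts, src, request = line.split(" ", 2)
        variant = classify(request)
        if variant:
            hits.append((ts[:13], src, variant))  # 'YYYY-MM-DDTHH'
    return hits

def count_by(hits, key, variant="CodeRedII"):
    # key="hour" rebuilds the hourly table, key="class_a" the per-/8 table from the thread.
    return Counter(h if key == "hour" else s.split(".")[0] for h, s, v in hits if v == variant)

def same_prefix(a, b, bits):
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (int(ip_address(a)) & mask) == (int(ip_address(b)) & mask)

def locality(hits, sensor_ip=SENSOR_IP, variant="CodeRedII"):
    # Probes sharing the sensor's /8, /16 and /24: checks the "stays near its own
    # address" behaviour the replies suspect.
    srcs = [s for _, s, v in hits if v == variant]
    shared = {f"/{b}": sum(same_prefix(s, sensor_ip, b) for s in srcs) for b in (8, 16, 24)}
    return {"total": len(srcs), **shared}
```

Running `locality(parse_hits(SAMPLE_LOG))` on the constructed log gives 4 of 5 CodeRedII probes from the sensor's /8, 3 from its /16 and 2 from its /24; a real capture would replace SAMPLE_LOG.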