[39699] in North American Network Operators' Group


RE: Code Red : Any whitehouse.gov people around?

daemon@ATHENA.MIT.EDU (Laurence Berland)
Fri Jul 20 11:44:25 2001

Date: Fri, 20 Jul 2001 08:43:16 -0700 (PDT)
From: Laurence Berland <stuyman@confusion.net>
To: Dave Stewart <dbs@ntrnet.net>
Cc: nanog@merit.edu
In-Reply-To: <5.1.0.14.2.20010720112904.04fcc990@mail.ntrnet.net>
Message-ID: <Pine.NEB.3.96.1010720084238.2764B-100000@euphoria.confusion.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


If you read through eEye's disasm dump, you can find that it's hardcoded
to the IP of www1.whitehouse.gov, which I don't remember but ends in .91.

On Fri, 20 Jul 2001, Dave Stewart wrote:

> 
> At 10:04 AM 7/20/2001, Mike Najarian wrote:
> 
> >Has anyone gutted an infected box to determine whether it's going to go for
> >         whitehouse.gov
> >         www.whitehouse.gov
> >or a hardcoded IP?
> 
> While there's incomplete information available in the standard places, it 
> appears to be a hardcoded IP.
> 
> I, along with many others, have null routed it.... Symantec's site claims 
> the IP address is no longer active at any rate.
> 
> It *appears* that from xx-20-xxxx through xx-28-xxxx, this thing will 
> attack that IP address... meaning that measures already in place will 
> minimize damage from the portion of the code that attempts to flood 
> 198.137.240.91.  Networks where 198.137.240.91 isn't blocked could see 
> network congestion, I suppose, if they host a large number of infected 
> machines.
> 
> I've seen a claim that if the date is greater than 28, the threads just go 
> into an infinite sleep.
> 
> From what I can see, I would expect another round of probes to take place 
> starting on 01-August-2001...
> 
> 
> 

Laurence Berland
http://www.isp.northwestern.edu
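The thread's practical point is that, even with 198.137.240.91 null routed, a network can still be hurt by the flood traffic its own infected machines generate, so the next step is to find those machines. The script below is an added example and is not code from this thread or from eEye; it assumes a simple one-flow-per-line record format ("src dst dport packets") and a packet-count threshold that are both assumptions, and the sample records are constructed. Adapt parse_flow() to whatever your flow collector actually emits.

```python
"""Find hosts on your own network that are hammering the Code Red
flood target (198.137.240.91) from flow records.

Added example, not code from the NANOG thread.  The flow-record
format below is an assumption; adapt parse_flow() to whatever your
collector emits.  Sample records are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address

# Hardcoded flood target named in the thread.
CODE_RED_TARGET = "198.137.240.91"
TARGET_PORT = 80

# Constructed sample: "<src> <dst> <dport> <packets>" per line.
# 10.1.9.8 looks like an ordinary visitor; the others look infected.
SAMPLE_FLOWS = """\
10.1.2.3 198.137.240.91 80 48000
10.1.2.3 198.137.240.91 80 51000
10.1.9.8 198.137.240.91 80 12
10.1.7.7 192.0.2.10 80 40
10.1.5.5 198.137.240.91 80 47000
bogus line that should be ignored
10.1.9.8 198.137.240.91 443 9
"""


def parse_flow(line):
    """Return (src, dst, dport, packets) or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src = str(ip_address(parts[0]))
        dst = str(ip_address(parts[1]))
        dport = int(parts[2])
        packets = int(parts[3])
    except ValueError:
        return None
    return src, dst, dport, packets


def suspected_infected(flow_text, threshold=10000):
    """Sum packets per source sent to the flood target on port 80 and
    return [(src, packets)] for sources at or above threshold, busiest
    first.

    The threshold is an assumption: a real visitor to the site sends a
    handful of packets, an infected host sends a flood, so a large
    per-source packet count separates the two without flagging every
    machine that ever opened the page.
    """
    per_source = defaultdict(int)
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport, packets = flow
        if dst == CODE_RED_TARGET and dport == TARGET_PORT:
            per_source[src] += packets
    hits = [(s, n) for s, n in per_source.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, packets in suspected_infected(SAMPLE_FLOWS):
        print(f"{src}\t{packets} packets toward {CODE_RED_TARGET}:{TARGET_PORT}")
```

Because a null route discards packets at the router rather than at the source, flow export on the ingress interfaces still sees every attempt, which is why this works even after the blackhole is in place; the list it produces is the set of hosts to pull off the wire and rebuild.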

