[40015] in North American Network Operators' Group


Re: Hard data on network impact of the "Code Red" worm?

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Jul 31 10:22:22 2001

From: "Steven M. Bellovin" <smb@research.att.com>
To: Larry Sheldon <lsheldon@creighton.edu>
Cc: nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 31 Jul 2001 10:16:22 -0400
Message-Id: <20010731141623.EAEAC7B4B@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu


In message <200107310341.WAA01723@bluejay.creighton.edu>, Larry Sheldon writes:
>
>> On Mon, 30 July 2001, k claffy wrote:
>> > so, 1 aug midnite GMT (tomorrow 17:00 in california),
>> > codered goes back into 'spread' mode.
>> > within a few hours, we'll have 100,000-300,000
>> > globally infected machines again.
>
>NTBUGTRAQ is carrying information that says that is not right.
>
>They say that currently extant copies of the thing will sleep forever,
>or until the host is re-booted--at which time the thing ceases to exist.

There seems to be some disagreement about this point.  CERT, in fact,
notes that explicitly (http://www.cert.org/advisories/CA-2001-23.html).
They also claim that enough infected machines have their clocks set 
wrong that there may be a new outbreak tonight (EDT) -- that one 
strikes me as less plausible.
>
>The hazard tomorrow is the introduction of new copies of the thing.
>

That hazard isn't specific to August 1.

		--Steve Bellovin, http://www.research.att.com/~smb


