[40261] in North American Network Operators' Group
Fwd: Re: Code Red variants
daemon@ATHENA.MIT.EDU (Jeff Ogden)
Sun Aug 5 10:19:39 2001
Mime-Version: 1.0
Message-Id: <v04210101b79306323e27@[198.108.90.150]>
Date: Sun, 5 Aug 2001 10:18:56 -0400
To: nanog@merit.edu
From: Jeff Ogden <jogden@merit.edu>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Errors-To: owner-nanog-outgoing@merit.edu
FYI
>Date: Sat, 04 Aug 2001 20:16:55 -0700
>To: Jeff Ogden <jogden@merit.edu>
>From: John Moore <misclists@tinyvital.com>
>Subject: Re: Code Red variants
>
>At 07:48 PM 8/4/2001, you wrote:
>
>>Do we know if anyone has looked at the code for variants of the
>>worm in detail recently? I've seen announcements about new
>>versions with better random IP address generation. Does anyone
>>know if other aspects of the worm are the same? Is it still set to
>>spread itself until the 19th and then switch to attacking the IP
>>address that was once www1.whitehouse.gov or are there variants
>>with different dates and different IP addresses or attack scenarios?
>
>
>Jeff,
> I tried sending info to the list but may not have posting
>privileges. Anyway, you can relay this.
>
>I have a home system on Sprint Broadband, with a little sniffer on
>port 80 to see the full payload of what is coming in. Starting this
>morning a new variant of CodeRed started hitting, with a lot more
>frequency than I ever saw from the original.
>
>This variant has the text "CodeRedII" in the payload. It also has
>the names of the Windows registry entries you would want to hit to
>install a rebootable trojan. It does not have any domain name in it,
>and nothing about "Hacked by Chinese." It has XXXXXXXXXXXXXXXXXXX in
>the payload instead of NNNNNNNNNNNNNNn
>
>The class A domain with by far the greatest number of hits belongs to Sprint.
>
>I dumped some statistics on which class A prefixes had at least
>three hits. I also dumped the total number of CodeRedII hits by hour.
>
>I don't have time to disassemble it - I am just watching out of
>curiosity, so I don't know what else it is doing.
>
>Here are my hourly stats so far. Time is GMT.
>
>08040113 1
>08040114 4
>08040115 10
>08040116 5
>08040117 13
>08040118 10
>08040119 12
>08040120 9
>08040121 18
>08040122 15
>08040123 16
>08050100 18
>08050101 20
>08050102 26
>
>Here is the domain breakdown:
>Class A   #
>    168   3
>    112   3
>    249   3
>      ?  21
>    221  80
>     43   3
>    190   4
>
>Feel free to mention this to the list if you want, since my mail is
>not getting through.
>
>Thanks
>
>John
>
>John Moore
>
>john@tinyvital.com - http://www.tinyvital.com/
>Tiny Vital Software, Inc
>
>The only good weather is bad weather!
>Storm Chasing - the Best extreme sport!
>
>(SKYWARN,ARRL,AZ AMS,AZTC,NJ7E)
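The tally John describes (a port-80 sniffer, classifying hits by the visible request signature, then counting by hour and by first octet) is easy to reproduce offline. The script below is an added example, not code from the original post or from either author; the sample capture records are constructed to look like what he describes (X-filled request line and a "CodeRedII" string for the new variant, N-filled for the original), and the `/default.ida` path, the record layout and all function names are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample capture: (UTC timestamp, source IP, start of the request).
# These are made-up records modelled on the post's description, not real packets.
# An empty source means the sniffer could not attribute the hit (shown as "?" below).
SAMPLE_HITS = [
    ("2001-08-04 13:05:11", "221.10.4.7",   "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0 ... CodeRedII"),
    ("2001-08-04 13:40:02", "221.200.8.1",  "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0 ... CodeRedII"),
    ("2001-08-04 14:12:45", "168.0.0.9",    "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0 ... CodeRedII"),
    ("2001-08-04 14:30:00", "10.1.1.1",     "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0"),
    ("2001-08-04 14:59:59", "",             "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0 ... CodeRedII"),
    ("2001-08-04 15:01:00", "198.51.100.4", "GET /index.html HTTP/1.0"),
    ("2001-08-04 15:02:30", "221.3.3.3",    "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0 ... CodeRedII"),
]

# Both worm generations open with a long run of one filler character after
# "/default.ida?"; the original used N, the new variant uses X.
CODERED_RE = re.compile(r"^GET /default\.ida\?([NX])\1{10,}")


def classify(payload):
    """Return 'CodeRedII', 'CodeRed', or None from the visible request signature."""
    m = CODERED_RE.match(payload)
    if not m:
        return None
    if "CodeRedII" in payload or m.group(1) == "X":
        return "CodeRedII"
    return "CodeRed"


def hourly_counts(hits, variant="CodeRedII"):
    """Count hits of one variant per UTC hour, keyed 'YYYY-MM-DD HH:00'."""
    counts = Counter()
    for ts, _src, payload in hits:
        if classify(payload) == variant:
            hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:00")
            counts[hour] += 1
    return dict(counts)


def first_octet_counts(hits, variant="CodeRedII", min_hits=1):
    """Count hits of one variant by first octet of the source ('?' if unknown),
    keeping only octets with at least min_hits, like the post's class A table."""
    counts = Counter()
    for _ts, src, payload in hits:
        if classify(payload) != variant:
            continue
        parts = src.split(".")
        octet = parts[0] if len(parts) == 4 and parts[0].isdigit() else "?"
        counts[octet] += 1
    return {octet: n for octet, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    print("hourly CodeRedII hits:", hourly_counts(SAMPLE_HITS))
    print("by first octet:", first_octet_counts(SAMPLE_HITS, min_hits=1))
```

Feeding real sniffer output into `SAMPLE_HITS` (one tuple per inbound port-80 request) gives the same two tables the post shows; the `min_hits` filter reproduces the "at least three hits" cut-off by passing `min_hits=3`.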