[21736] in bugtraq
Code Red worm address generator pattern
daemon@ATHENA.MIT.EDU (Ken Eichman)
Fri Jul 20 16:03:19 2001
Date: Fri, 20 Jul 2001 15:34:47 -0400 (EDT)
From: Ken Eichman <keichman@cas.org>
Message-Id: <0107201534.AA17730@cas.org>
To: bugtraq@securityfocus.com, incidents@securityfocus.com
I posted this chart before showing non-legitimate http syn scans
targeting my class-b address space on 07/19 broken down by hour (EDT,
GMT-4); probable code red probes. However, I did some further
crunching and added an additional column showing the number of
destination addresses within my class-b address space being targeted
by non-legitimate http syn scans during that 60 minute timeframe.
Note that the number of addresses being targeted held steady and then
suddenly jumped until it covered nearly the entire class-b range.
This jump coincides with the increase in source addresses scanning.
Worm variant? Or sudden increase in efficiency?
                                # Unique Source       # Unique Dest
Hour   # Code Red Worm Scans    Addresses Scanning    Addresses being
EDT                                                   Scanned
-----  ---------------------    --------------------  ---------------
00     12699                    2450                  562
01     13059                    2577                  562
02     13272                    2590                  541
03     13056                    2564                  525
04     13283                    2632                  507
05     13229                    2612                  502
06     13554                    2601                  468
07     13517                    2608                  506
08     13746                    2685                  612
09     16819                    3325                  1724
10     36589                    7838                  8338
11     116083                   26823                 28462
12     295348                   68085                 51459
13     466542                   103522                59699
14     520973                   113451                60881
15     513513                   115124                60814
16     513894                   90931                 60900
17     499642                   111175                60469
18     480850                   106215                59987
19     449712                   97699                 58908
20     26687                    7319                  8507
21     9197                     2181                  3046
22     7782                     1814                  2570
23     7056                     1648                  2343

Ken Eichman                    Senior Security Engineer
Chemical Abstracts Service     Tel: (614) 447-3838 ext 3230
2540 Olentangy River Road      Fax: (614) 447-3855
Columbus, OH 43210             Email: keichman@cas.org
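
Added example, not part of the original post and not the author's tooling: one way to produce the three per-hour columns above from connection records and to flag hours where the number of targeted destination addresses jumps. The log line format, the monitored /16, the list of legitimate web servers and the 2x jump threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the original post): the monitored class B, the list of
# real web servers, and the record format "date time src dst dport".
MONITORED = ip_network("172.16.0.0/16")
LEGIT_WEB = {ip_address("172.16.1.10")}

# Constructed sample records, not real traffic.
SAMPLE = """\
2001-07-19 08:01:10 198.51.100.7 172.16.4.1 80
2001-07-19 08:15:42 198.51.100.7 172.16.4.2 80
2001-07-19 08:20:00 203.0.113.9 172.16.1.10 80
2001-07-19 09:02:11 198.51.100.7 172.16.4.1 80
2001-07-19 09:05:30 203.0.113.9 172.16.9.9 80
2001-07-19 09:07:00 203.0.113.9 172.16.200.3 80
2001-07-19 09:09:09 192.0.2.44 172.16.77.1 80
2001-07-19 09:30:00 192.0.2.44 172.16.78.1 25
"""

def hourly_summary(lines):
    """Return {hour: (scans, unique_sources, unique_dests)} for port-80 probes."""
    scans = defaultdict(int)
    srcs, dsts = defaultdict(set), defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        _date, time, src, dst, dport = parts
        dst_ip = ip_address(dst)
        if dport != "80" or dst_ip not in MONITORED or dst_ip in LEGIT_WEB:
            continue  # keep only HTTP SYNs to addresses that host no web server
        hour = int(time[:2])
        scans[hour] += 1
        srcs[hour].add(src)
        dsts[hour].add(dst_ip)
    return {h: (scans[h], len(srcs[h]), len(dsts[h])) for h in sorted(scans)}

def coverage_jumps(summary, factor=2.0):
    """Hours whose unique-destination count is >= factor times the prior hour's."""
    hours = sorted(summary)
    return [h for prev, h in zip(hours, hours[1:])
            if summary[h][2] >= factor * summary[prev][2]]

if __name__ == "__main__":
    table = hourly_summary(SAMPLE.splitlines())
    for hour, (n, s, d) in table.items():
        print(f"{hour:02d} {n:>8} {s:>8} {d:>8} {d / MONITORED.num_addresses:.4%}")
    print("destination-coverage jumps at hours:", coverage_jumps(table))
```

Run against the figures in the table above, the same 2x threshold flags hours 09, 10 and 11, which is where the destination count leaves its steady range.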