LinuxSecurity.com
Code Red IIS Worm Information
Source: Marc Maiffret / LinuxSecurity - Posted by Dave Wreski
Intrusion Detection

Microsoft IIS Web servers are being infected by the "Code Red" worm, which is apparently causing some serious damage; reports name "windowsupdate.microsoft.com" as one of its targets. Below is a description of the potential this worm has and of its impact on the Internet.

---------- Forwarded message ----------
Date: Thu, 19 Jul 2001 13:54:43 -0700
From: Marc Maiffret
To: Vuln-Dev, SECURITY-BASICS
Subject: Update to "Code Red" Worm. It's a date bomb, not time.

Thanks to Eric from Symantec for tossing us a note about the worm being date based and not time based. We made an error in our last analysis and said the worm would start attacking whitehouse.gov based on a certain time. In reality it's based on a date (the 20th UTC), which is tomorrow.

If the worm infects your system between the 1st and the 19th it will attempt to deface the infected server's web page or try to propagate itself to other systems. On the 20th all infected threads will attempt to attack www.whitehouse.gov. This seems to continue until the worm is removed from the infected system. Any new infection that happens between the 20th and 28th will most likely be someone "hand infecting" your system, as all other worms should be attacking whitehouse.gov. If for some reason you are infected between the 20th and the 28th then the worm will begin attacking whitehouse.gov without trying to infect other systems. This attack will continue indefinitely.

The following are rough numbers, but we felt that it was important to illustrate the effects this worm can _possibly_ have.

The worm has a timeline like this (day of the month):
  1-19: infect other hosts using the worm
  20-27: attack whitehouse.gov forever
  28-end of month: eternal sleep

Presumably, this could restart at any point in a new month again.

Also, some stats for the attack:
  Each infection has 100 threads
  Each thread is going to send about 100k, a byte at a time, which means you have (40 for ip + 1 for each byte), which means you have 4.1 megs of data per thread
  100 threads * 4.1 megs = 410 Megabytes
  This will be repeated again every 4.5 hours or so

Remember, each host can be infected multiple times, meaning that a single host can send 410MB * # of infections.

We have had reports of between 15 thousand and 196 thousand unique hosts infected with the "Code Red" worm. However, there has been cross infection and we have heard reports of at least 300+ thousand infections/instances (machines with multiple infections etc.) of this worm. If there are 300 thousand infections then that means you have (300,000 * 410 megabytes) that is going to be attempted to be flooded against whitehouse.gov every 4 and a half hours. If this is true and the worm "works as advertised" then the fact that whitehouse.gov goes offline is only the beginning of what _can_ possibly happen...

----

I am actually writing this part of the e-mail about 45 minutes after the first part because our Internet connection here in California has been going up and down. We have also heard reports of Internet connectivity going down in parts of Northern California and New York.

Signed,
eEye Digital Security
T.949.349.9062 F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
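As an added example (not part of the original post or of eEye's analysis), the following Python reproduces the date-based schedule and the traffic arithmetic from the message above, so a network defender can check the quoted figures and see how the estimated flood volume scales with the number of infection instances. The constants are the numbers quoted in the message (100 threads, about 100k bytes per thread sent a byte at a time, the message's own 40-byte per-packet overhead, a 4.5 hour cycle); the names Phase, phase_for_day, phase_at, wire_bytes_per_thread, wire_bytes_per_infection, flood_bytes_per_cycle and average_bits_per_second are this example's own.

```python
"""Added example: a defender-side model of the Code Red schedule and
traffic estimate as described in the forwarded eEye message.

The constants are the figures quoted in the message; the function and
class names are this example's own, not eEye's."""

from datetime import datetime, timezone
from enum import Enum

# Figures quoted in the message (per infection instance).
THREADS_PER_INFECTION = 100
PAYLOAD_BYTES_PER_THREAD = 100_000   # "about 100k, a byte at a time"
HEADER_BYTES_PER_PACKET = 40         # the message's "40 for ip"
PAYLOAD_BYTES_PER_PACKET = 1         # one payload byte per packet
CYCLE_HOURS = 4.5                    # "repeated again every 4.5 hours"


class Phase(Enum):
    """What an infected host does, keyed on the UTC day of the month."""
    PROPAGATE = "infect other hosts"
    ATTACK = "attack www.whitehouse.gov"
    SLEEP = "eternal sleep"


def phase_for_day(day_of_month: int) -> Phase:
    """Map a UTC day of the month to the phase the message describes:
    1-19 propagate, 20-27 attack, 28 to month end sleep."""
    if not 1 <= day_of_month <= 31:
        raise ValueError(f"day of month out of range: {day_of_month}")
    if day_of_month <= 19:
        return Phase.PROPAGATE
    if day_of_month <= 27:
        return Phase.ATTACK
    return Phase.SLEEP


def phase_at(when: datetime) -> Phase:
    """Same lookup for a timezone-aware datetime, converted to UTC first,
    because the message says the switch happens on the 20th UTC."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return phase_for_day(when.astimezone(timezone.utc).day)


def wire_bytes_per_thread() -> int:
    """Bytes on the wire for one thread: every payload byte travels in its
    own packet, so each one carries the full header overhead."""
    packets = PAYLOAD_BYTES_PER_THREAD // PAYLOAD_BYTES_PER_PACKET
    return packets * (HEADER_BYTES_PER_PACKET + PAYLOAD_BYTES_PER_PACKET)


def wire_bytes_per_infection() -> int:
    """All threads of one infection instance for one cycle
    (the message's 410 MB figure)."""
    return THREADS_PER_INFECTION * wire_bytes_per_thread()


def flood_bytes_per_cycle(infections: int) -> int:
    """Aggregate volume per cycle. 'infections' counts instances, not
    hosts, since the message notes a host can carry several infections."""
    if infections < 0:
        raise ValueError("infections must be non-negative")
    return infections * wire_bytes_per_infection()


def average_bits_per_second(infections: int) -> float:
    """Per-cycle volume spread evenly over the cycle, in bit/s. The
    message does not say how fast the threads actually send, so the
    instantaneous rate could be far higher than this average."""
    cycle_seconds = CYCLE_HOURS * 3600
    return flood_bytes_per_cycle(infections) * 8 / cycle_seconds


if __name__ == "__main__":
    for day in (1, 19, 20, 27, 28, 31):
        print(f"day {day:>2}: {phase_for_day(day).value}")
    print(f"per thread: {wire_bytes_per_thread():,} bytes")
    print(f"per infection: {wire_bytes_per_infection():,} bytes")
    # The three infection counts reported in the message.
    for n in (15_000, 196_000, 300_000):
        gbps = average_bits_per_second(n) / 1e9
        print(f"{n:>7,} infections: {flood_bytes_per_cycle(n) / 1e12:.1f} TB "
              f"per cycle, ~{gbps:.1f} Gbit/s averaged over the cycle")
```

Running it reproduces the 4.1 MB per thread and 410 MB per infection figures and shows that 300,000 instances would put about 123 TB per cycle onto the network, roughly 60 Gbit/s if spread evenly over 4.5 hours. The per-byte packet overhead is the point worth noticing: sending 100 kB one byte at a time costs 41 times the payload on the wire, which is why the totals are so large.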

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.