North American Network Operators Group
Fwd: Re: Code Red variants
- From: Jeff Ogden
- Date: Sun Aug 05 10:21:18 2001
FYI
Date: Sat, 04 Aug 2001 20:16:55 -0700
To: Jeff Ogden <[email protected]>
From: John Moore <[email protected]>
Subject: Re: Code Red variants
At 07:48 PM 8/4/2001, you wrote:
Do we know if anyone has looked at the code for variants of the
worm in detail recently? I've seen announcements about new
versions with better random IP address generation. Does anyone
know if other aspects of the worm are the same? Is it still set to
spread itself until the 19th and then switch to attacking the IP
address that was once www1.whitehouse.gov, or are there variants
with different dates and different IP addresses or attack scenarios?
Jeff,
I tried sending info to the list but may not have posting
privileges. Anyway, you can relay this.
I have a home system on Sprint Broadband, with a little sniffer on
port 80 to see the full payload of what is coming in. Starting this
morning a new variant of CodeRed started hitting, with a lot more
frequency than I ever saw from the original.
This variant has the text "CodeRedII" in the payload. It also has
the names of the windows registry entries you would want to hit to
install a rebootable trojan. It does not have any domain name in it,
and nothing about "Hacked by Chinese." It has XXXXXXXXXXXXXXXXXXX in
the payload instead of NNNNNNNNNNNNNNn.
The class A domain with by far the greatest number of hits belongs to Sprint.
I dumped some statistics on which class A prefixes had at least
three hits. I also dumped the total number of CodeRedII hits by hour.
I don't have time to disassemble it - I am just watching out of
curiosity, so I don't know what else it is doing.
Here are my hourly stats so far. Time is GMT.
08040113 1
08040114 4
08040115 10
08040116 5
08040117 13
08040118 10
08040119 12
08040120 9
08040121 18
08040122 15
08040123 16
08050100 18
08050101 20
08050102 26
Here is the domain breakdown:
Class A    #
168        3
112        3
249        3
?         21
221       80
43         3
190        4
Feel free to mention this to the list if you want, since my mail is
not getting through.
Thanks
John
John Moore
[email protected] - http://www.tinyvital.com/
Tiny Vital Software, Inc
The only good weather is bad weather!
Storm Chasing - the Best extreme sport!
(SKYWARN,ARRL,AZ AMS,AZTC,NJ7E)
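The tallying John describes above, reproduced as an added example (my code, not anything from the original thread or from the poster): it labels captured port-80 request payloads by the markers he reports ("CodeRedII" and the X-run padding versus the original's "Hacked by Chinese" and N-run padding), then buckets CodeRedII hits by GMT hour and by first octet, keeping only prefixes with at least three hits as his table did. The sample capture is constructed, the marker strings and padding runs are the only payload content used, and reading his hour keys as MMDDYYHH (so 08040113 is 2001-08-04 13:00 GMT) is my assumption.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample capture (not from the original post):
# (timestamp in GMT, source IP, request text as seen by a port-80 sniffer).
# Payloads contain only the padding runs and marker strings the post describes.
SAMPLE_HITS = [
    ("2001-08-04 13:02:11", "221.10.4.7", "GET /?" + "X" * 32 + " CodeRedII"),
    ("2001-08-04 13:40:59", "221.88.1.2", "GET /?" + "X" * 32 + " CodeRedII"),
    ("2001-08-04 14:05:00", "221.3.3.3",  "GET /?" + "X" * 32 + " CodeRedII"),
    ("2001-08-04 14:30:00", "168.5.5.5",  "GET /?" + "N" * 32 + " Hacked by Chinese"),
    ("2001-08-04 14:45:10", "not-an-ip",  "GET /?" + "X" * 32 + " CodeRedII"),
    ("2001-08-05 01:10:00", "43.1.2.3",   "GET /?" + "X" * 32 + " CodeRedII"),
    ("2001-08-05 01:12:00", "221.9.9.9",  "GET /?" + "X" * 32),
    ("2001-08-05 02:00:00", "10.0.0.1",   "GET / HTTP/1.0"),
]

MARKER_V2 = "CodeRedII"          # string the post reports in the new variant
MARKER_V1 = "Hacked by Chinese"  # string the post reports is absent from the new variant
PADDING = re.compile(r"([NX])\1{15,}")  # a long run of one padding character


def classify(payload):
    """Label one captured request using the markers described in the post."""
    if MARKER_V2 in payload:
        return "CodeRedII"
    if MARKER_V1 in payload:
        return "CodeRed-original"
    m = PADDING.search(payload)
    if m:
        # Padding alone: X runs match the new variant, N runs the original.
        return "CodeRedII-like" if m.group(1) == "X" else "CodeRed-original-like"
    return "unknown"


def hour_key(ts_text):
    """Render a GMT timestamp in the post's bucket style, assumed MMDDYYHH (e.g. '08040113')."""
    return datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S").strftime("%m%d%y%H")


def first_octet(ip_text):
    """The 'class A' prefix the post tallies; '?' when the source does not parse."""
    try:
        return str(ipaddress.IPv4Address(ip_text).packed[0])
    except ipaddress.AddressValueError:
        return "?"


def summarize(hits, min_prefix_hits=3):
    """Count hits per variant, then CodeRedII hits per GMT hour and per /8 prefix."""
    by_variant, by_hour, by_prefix = Counter(), Counter(), Counter()
    for ts_text, src, payload in hits:
        label = classify(payload)
        by_variant[label] += 1
        if label.startswith("CodeRedII"):
            by_hour[hour_key(ts_text)] += 1
            by_prefix[first_octet(src)] += 1
    prefixes = {p: n for p, n in by_prefix.items() if n >= min_prefix_hits}
    return {
        "variants": dict(by_variant),
        "hourly": dict(sorted(by_hour.items())),
        "prefixes": prefixes,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_HITS)
    print("variants:", report["variants"])
    for hour, n in report["hourly"].items():
        print(hour, n)
    print("Class A #")
    for prefix, n in report["prefixes"].items():
        print(prefix, n)
```

Running it on the constructed capture prints three lines of hourly counts and a single prefix row (221 with 4 hits), because the other prefixes fall under the three-hit threshold and the unparseable source lands in the "?" bucket the post also shows. The classifier deliberately reports padding-only matches as "-like" so a payload with no marker string is never counted as a confirmed variant.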