Seems like Code Red or one of its little friends is back. I think breaking up Microsoft is a bad idea, but there are days it would be nice to have their Web Server and Email Worm-Propagators run by companies other than the operating system company just so fewer people would be running that dangerous dreck. :-) Somebody did a paper about a hypothetical "Andy Warhol Virus", studying how long it takes to take over a server, how many servers you can attack per minute, and what it would take to coordinate an attack that really hit everywhere. 15 minutes is about enough to hit most of the net, if you find holes in Apache and IIS that don't need manual tweaking, and if you don't alert people by scribbling their pages with "Hacked by Chinese" or "Reformatted by bin Laden" before you're done. Our chief weapons are surprise, exponential growth and dividing up target address space effectively, with quick checks to make sure you don't waste time on infected machines, and, purely optionally, an almost fanatical analysis of hosting center configs.
Date: Tue, 18 Sep 2001 16:21:35 +0200
Reply-To: Law & Policy of Computer Communications <CYBERIA-L@LISTSERV.AOL.COM>
From: "[anton.raath]" <antonline@GMX.CH>
Subject: Re: Net problems? Local?
To: CYBERIA-L@LISTSERV.AOL.COM
Hosting companies and ISPs have been seeing Code Red-style attacks on their servers since early this morning. Pair Networks have reported receiving "over 8000 hits per second, from as many as one hundred thousand NT servers".
A.
No problem here, although our bandwidth is as the bandwidth of ten, because our hearts are pure. ;)
I'm having trouble getting NYTimes, WSJ, Amazon. Local outage?
On Tue, Sep 18, 2001 at 09:49:30AM -0700, Bill Stewart wrote:
| Somebody did a paper about a hypothetical "Andy Warhol Virus",
| studying how long it takes to take over a server,
| how many servers you can attack per minute, and
| what it would take to coordinate an attack that really hit everywhere.
| 15 minutes is about enough to hit most of the net,
| if you find holes in Apache and IIS that don't need manual tweaking,
| and if you don't alert people by scribbling their pages with
| "Hacked by Chinese" or "Reformatted by bin Laden" before you're done.
| Our chief weapons are surprise, exponential growth and
| dividing up target address space effectively,
| with quick checks to make sure you don't waste time on infected machines,
| and, purely optionally, an almost fanatical analysis of hosting center configs.

Someone else (Staniford?) did a paper on flash worms, which add a pre-scan of the Internet for vulnerable machines, so that you start higher on the exponential curve. It's a good thing script kiddies don't read the literature.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume
At 09:49 AM 9/18/01 -0700, Bill Stewart wrote:
Seems like Code Red or one of its little friends is back.
This one supposedly uses both http servers and email (MS of course) to propagate. Even read that visiting an infected web site can cause client infection, but we'll have to await the autopsy. In addition, it uses some fine current-events social engineering to get you to read it.
The worm hit Cryptome at 8:43 AM EST and is now sucking at a rate of about 90% of the load. As others have noted, the bulk of the hits appear to be coming from our own ISP, either by design or by spoofing the origin. Our server is on Apache but the worm generates endless errors attempting to find holes in IIS. Pervasive DDoS attacks are reportedly underway at gov sites. We are not seeing an unusual number of that type.
On Tue, Sep 18, 2001 at 03:58:56PM -0700, John Young wrote:
The worm hit Cryptome at 8:43 AM EST and is now sucking at a rate of about 90% of the load. As others have noted, the bulk of the hits appear to be coming from our own ISP, either by design or by spoofing the origin. Our server is on Apache but the worm generates endless errors attempting to find holes in IIS.
This is NOT Code Red but another asinine E-Mail worm that also tries IIS and netbios propagation. Unfortunately, it is being VERY successful at all of the above. More like "Code Red on Steroids". Not just Grannie and her hotmail account with an MS Mail client but it's even propagating to Samba shares and other SMB connections with "guest" accounts.
Pervasive DDoS attacks are reportedly underway at gov sites. We are not seeing an unusual number of that type.
Nothing targeted like that... To paraphrase the movie "Labyrinth"... No... Just a worm...

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
More worm derivatives... And to think we could have killed off all derivatives as well as all the "harborer of incompetence" units long, long ago, but no... our wonderful feds here in the states indicate that release of a repair bot (regardless of where from) would be appropriate merit to be assholes and arrest/imprison the simpleton sheep willing to fix other moronics and prevent these horrendous antics... As my various servers are being hit at over a hundred persistent requests a second, probing for cmd.exe/etc and related failures in basic system design... Too bad said boxes have never run faulty code. Oh well... Who is actually at fault? Possibly the feds can again raise their hands in this case, eh? ...

-Wilfred
Wilfred@Cryogen.com
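Several posters above describe the same defender-side view: an Apache server (Cryptome, Wilfred's boxes) logging a flood of IIS-targeted probes such as cmd.exe requests, and the worm traffic accounting for most of the load. The following is an added example, not code from any of the thread's participants, that parses constructed Apache access-log lines, tallies probe requests per source address, flags the noisy sources and computes the share of total requests the probes represent. The sample log, the marker substrings (well-known Code Red and Nimda request fragments) and the threshold are my assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format excerpt; addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:08:43:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [18/Sep/2001:08:43:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [18/Sep/2001:08:43:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [18/Sep/2001:08:43:02 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.9 - - [18/Sep/2001:08:44:10 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.9 - - [18/Sep/2001:08:44:11 -0400] "GET /images/logo.gif HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2001:08:45:00 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276 "-" "-"
"""

# Source IP, timestamp, method, request path and status from one combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request fragments characteristic of IIS-targeted worm probes of that era:
# command-shell requests (cmd.exe, root.exe) and the Code Red overflow target (default.ida).
PROBE_MARKERS = ("cmd.exe", "root.exe", "default.ida")


def is_probe(path: str) -> bool:
    """True if the (URL-decoded, lower-cased) request path carries a probe marker."""
    decoded = unquote(path).lower()
    return any(marker in decoded for marker in PROBE_MARKERS)


def scan_log(text: str, threshold: int = 3):
    """Return (probe_count_by_ip, total_requests, probe_requests, noisy_ips)."""
    per_ip = Counter()
    total = probes = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed access-log entries
        total += 1
        if is_probe(m["path"]):
            probes += 1
            per_ip[m["ip"]] += 1
    noisy = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return per_ip, total, probes, noisy


def probe_load_fraction(text: str) -> float:
    """Share of all logged requests that are worm probes (the 'load' the posters describe)."""
    _, total, probes, _ = scan_log(text)
    return probes / total if total else 0.0
```

On a non-IIS server every one of these requests should be a 404, so the per-source counts are a clean basis for rate-limiting or null-routing the offending addresses at the edge rather than serving the error pages.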
participants (6)
- Adam Shostack
- Bill Stewart
- David Honig
- John Young
- Michael H. Warfield
- Wilfred L. Guerin