[Dshield] Intelligent Code Red - 45 seconds to infect and deploy

Thompson, John J ThompsonJJ at mail.medicine.uiowa.edu
Thu Aug 2 18:53:15 GMT 2001


Rapid infection, rapid deployment. All in 45 seconds. 

I just finished a clean install of Windows 2000 for our website. I had
enabled IP filtering blocking all but 137-139, and 80. Then I needed to get
to my file server to download BlackICE and the patch for Code Red. That
file copy took no more than 45 seconds. I then installed BlackICE and the
patch. Before I restarted, I opened BlackICE to set the advanced filters.
In less than 20 seconds, my machine was attacking 9 hosts before I could
pull the plug. 

****
My machine was attacked, infected, and then was attacking others during less
than a minute of connection to the network. Amazingly, this machine was the
only one attacked. My 5 other Win2k servers and active web server didn't
flag a single attack. How is Code Red finding the vulnerable system without
touching other systems on the same network and infecting it and deploying
itself within 45 seconds???
****

Amazing.

John

------------------------------------
John Thompson
Network Administrator
Dept. of Biochemistry
University of Iowa



