[Dshield] Notes from the field about CR going into Hibernation ?
john.kida at unisys.com
Thu Aug 9 15:17:31 GMT 2001
Some progress has been made to eradicate the CodeRed3 virus in many
It seems (KNOCK ON ROUTER) that the Internet is starting to stabilize. A hopeful note is that several major corporations have privately reported that their situations are starting to improve as offices have contained the problem.
I am told to understand the latest version of the virus is set to "hibernate" shortly, and it will be interesting to see if and when it happens. However, it will leave many systems in an infected or still exposed state for re-infection. If these systems go unpatched and virus detection is not implemented in the near future, we stand to see a fractional repeat of this incident in the future.
Surprisingly, there are still quite a few Sys-Admins who have not taken the
by MS, SANS, Unisys and others, to apply the necessary patches and
As a public effort, I have had my security team collect about 1800+ attacking IPs, of which only 300 were "traceable" HARD IP address servers (non-DHCP). In our spare time, the team has started trying to contact these sites to warn them and point them to the
One of the biggest issues the team is faced with is that we are finding the point of contact information for about 25% of the sites is an ISP block of addresses, invalid, or wrong.
Of those we can trace, about 1/4 or so have never replied to calls or email in 2+ days.
About 1/2 or so have auto-bots asking for more info, despite us providing trace logs with DNS name, IP, system name, traceroute, group ID, etc.
There is hope: we are able to contact about 1/4 and speak to a human voice.
As a bonus, we have collected some really funny stories along the way in trying to help.
North America Director of Enterprise Security Solutions
"Security & Trust are things that must be reassessed on a regular basis"