[Dshield] Notes from the field about CR going into Hibernation ?

Kida, John john.kida at unisys.com
Thu Aug 9 15:17:31 GMT 2001


It's true...
some progress has been made to eradicate the CodeRed3 virus in many
companies and 
it seems (KNOCK ON ROUTER) that the Internet is starting to stabilize. A
hopeful note is 
that several major corporations have privately reported that their
situations are starting
to improve as offices have contained the problem. 

I am told to understand the latest version of the virus is set to
"hibernate" shortly and
it will be interesting to see, if and when it happens. However, it will
leave many systems 
in an infected or still exposed state for re-infection. If these systems go
unpatched and virus detection is not implemented in the near future, we
stand to see a fractional repeat of this 
incident in the future.

Surprisingly, there are still quite a few Sys-Admins who have not taken the
steps, issued
by MS, SANS, Unisys and others, to apply the necessary patches and
anti-virus software.

As a public effort, I have had my security team collect about 1800+
attacking IP's, of which
only 300 were "traceable" HARD IP address servers (non-DHCP). In our spare
time, the team
has started trying to contact these sites to warn them and point them to the
patches and 
support URL's. 

One of the biggest issues the team is faced with is that we are finding the
point of contact information for about 25% of the sites is an ISP block of
addresses, invalid, or wrong.  
Of those, we can trace, about 1/4 or so have never replied to calls or email
in 2+ days. 
About 1/2 or so have auto-bots asking for more info, despite us providing
trace logs with DNS-NAME, IP, System Name, Traceroute, Group ID, and etc..
There is hope, we are able to contact 
about 1/4 and speak to a human voice. 

As a bonus, we have collected some real funny stories along the way, in
trying to help.

Sincerely,

____________
John Kida
North America Director of Enterprise Security Solutions
Unisys, Corp. 

"Security & Trust are things that must be reassessed on a regular basis" 




More information about the list mailing list