[unisog] Code Red(s) being confused with sadmind/IIS worm?

Anderson Johnston andy at umbc.edu
Thu Aug 9 22:31:52 GMT 2001

What seems to have happened here is that NT systems that had been
infected by the worm last May and *not* been cleaned out were quietly
doing whatever they did until last late June or so.  At that point,
several NTs on our campus started scanning off-campus IPs, and
getting picked up by the NIDS.

At another level, diseases ebb and flow with time as the proportion of
the population vulnerable to the disease increases and decreases.  The
worms we see now may take decades to disappear completely from the
Internet.  After an outbreak, a lot of systems will get patched and the
worm drops off the radar.  A few months pass and new (and unpatched)
systems are put into service.  When the number of new, unpatched systems
reaches a threshold level, the worm "booms" again and the cycle repeats.

I don't have the data to test this idea, but it fits some models for
biological diseases and parasite-host relationships.  In fact, the
sadmind/IIS worm is a nice example of a parasite with a two-stage life
cycle ...  Anyone out there looking for a thesis topic?  8-)

							- Andy

On Thu, 9 Aug 2001, Stephen W. Thompson wrote:

> Follow my line of thinking here.
> If I'm correct, that implies a) sadmind/IIS is more prevalent than
> we'd realized and, possibly b) that there might be a variant of
> sadmind/IIS that succeeds on non-Solaris machines unlike the original
> variant.  Any corroboration on (b) from anyone?

** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Distributed Systems Manager            * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
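The boom-and-bust cycle sketched above (patching drains the vulnerable population, new unpatched systems slowly rebuild it, and the worm rebounds once the vulnerable count crosses a threshold) written out as a small simulation. This is an added example, not code from the post or from anyone on the list; the S/I/P compartment model and every parameter value are assumptions chosen for illustration, not measurements of any real worm.

```python
"""Toy S/I/P model of the worm boom-and-bust cycle described in the post.
S = vulnerable (unpatched) hosts, I = infected hosts, P = patched hosts.
All parameter values are constructed for illustration only."""


def simulate(steps=2000, s0=1000.0, i0=1.0, beta=0.0005,
             patch_rate=0.05, recruit=0.5):
    """Each step: infected hosts scan and infect beta*S*I vulnerable hosts,
    a fraction patch_rate of infected hosts is cleaned and patched, and
    `recruit` new unpatched hosts are put into service.
    Returns a list of (S, I, P) tuples, one per step."""
    s, i, p = s0, i0, 0.0
    history = []
    for _ in range(steps):
        new_inf = min(s, beta * s * i)   # cannot infect more hosts than exist
        cleaned = patch_rate * i
        s = s - new_inf + recruit
        i = i + new_inf - cleaned
        p = p + cleaned
        history.append((s, i, p))
    return history


def threshold_susceptibles(beta=0.0005, patch_rate=0.05):
    """S* = patch_rate / beta: the worm only grows while S exceeds S*."""
    return patch_rate / beta


def outbreak_peaks(history, radar=5.0):
    """Step indices of local maxima of I that rise above `radar`, the
    level at which a NIDS would notice the scanning."""
    infected = [i for _, i, _ in history]
    return [t for t in range(1, len(infected) - 1)
            if infected[t - 1] < infected[t] >= infected[t + 1]
            and infected[t] > radar]


def summarize(history, radar=5.0):
    """Peak times, peak sizes, and the lowest I between the first two
    peaks (the stretch where the worm has dropped off the radar)."""
    peaks = outbreak_peaks(history, radar)
    sizes = [history[t][1] for t in peaks]
    trough = None
    if len(peaks) >= 2:
        trough = min(history[t][1] for t in range(peaks[0], peaks[1]))
    return peaks, sizes, trough
```

Running `summarize(simulate())` shows a large first outbreak, a long quiet stretch with I far below the radar level while S creeps back up, and a second, smaller boom once S has climbed past S* = patch_rate / beta.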
