Code Red growth stats

Roeland Meyer rmeyer at mhsc.com
Thu Aug 2 06:39:04 UTC 2001


> From: Petr Swedock [mailto:petr at ai.mit.edu]
> Sent: Wednesday, August 01, 2001 9:38 PM

>  : From: "Steven M. Bellovin" <smb at research.att.com>
>  : Date: Wed, 01 Aug 2001 23:15:50 -0400

>  : In message <EA9368A5B1010140ADBF534E4D32C728025AB1 at condor.mhsc.com>, Roeland Meyer writes:
>  : >> From: Steven M. Bellovin [mailto:smb at research.att.com]
>  : >> Sent: Wednesday, August 01, 2001 7:36 PM
>  : >
>  : >> If it has indeed turned up again, I'm at a loss to explain it.  While
>  : >> I'm sure there are some IIS servers on home machines, I doubt there are
>  : >> that many.  But I don't have another explanation to offer.
>  : >
>  : >Are you taking into account that every copy of Win2K comes with IIS? I had
>  : >to quickly run around and do upgrades yesterday. I clean forgot about the
>  : >workstations. I bet that I'm not the only one either.

> I think it is NOT on by default for IIS 4.0 but IS on by default
> for IIS 5.0... In any event, we had a machine that was freshly
> installed with the very latest W2k on July 18, in the evening. That
> machine was worm ridden within 12 hours. The grad student who
> installed didn't specifically add IIS and didn't have any reason 
> to do so.

I've just been staring at
www.caida.org/analysis/security/code-red/aug1-live-hosts.gif (yeah, I know
... not enough to do). We have a nice little camel here. It occurs to me
that the times coincide with info workers leaving work, eating dinner, and
firing up the workstation at home, in the US. Do we have any location data
on these infected hosts? What would be interesting is, if we have another
tail-off starting at about 0400 (we do) UTC and picking up again about 10-12
hours later. UTC midnight is about 2100 EDT and 1700 PDT. That's when it
starts to pick up again. The second peak corresponds to 0000EDT/0800PDT.

This supposes that the super-majority of Win2K machines are in the US. There
are also a bunch of WinXP beta machines out there. Is XP vulnerable?
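The diurnal reasoning in the post above (a tail-off around 0400 UTC and a pick-up at US evening hours) is something a defender can test against their own sensor data by re-binning hit timestamps into candidate local time zones and comparing how much of the traffic lands in an "evening at home" window. The Python below is an added example, not code from this thread, from CAIDA, or from any tool mentioned in it. The log lines and source addresses are constructed (TEST-NET addresses), the fixed offsets for EDT (-4 h) and PDT (-7 h) are the August 2001 daylight-time values, and the 17:00-23:00 local "evening window" is an assumption chosen for the illustration.

```python
"""Bin worm-scan hits by local hour in candidate time zones to test a
diurnal ("home workstation") hypothesis.

Added example with constructed data; not from the NANOG thread or CAIDA.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample sensor log: "<ISO-8601 UTC timestamp> <source ip> <request>".
# The request path is the well-known Code Red probe; the hosts (TEST-NET
# 192.0.2.0/24) and times are invented for the illustration. The last line
# is deliberately malformed to show that the parser skips junk.
SAMPLE_LOG = """\
2001-08-01T00:02:11Z 192.0.2.10 GET /default.ida
2001-08-01T00:18:40Z 192.0.2.11 GET /default.ida
2001-08-01T00:41:05Z 192.0.2.12 GET /default.ida
2001-08-01T01:07:33Z 192.0.2.13 GET /default.ida
2001-08-01T01:29:59Z 192.0.2.14 GET /default.ida
2001-08-01T02:14:21Z 192.0.2.15 GET /default.ida
2001-08-01T04:55:02Z 192.0.2.16 GET /default.ida
2001-08-01T09:30:47Z 192.0.2.17 GET /default.ida
2001-08-01T13:12:08Z 192.0.2.18 GET /default.ida
2001-08-01T13:44:19Z 192.0.2.19 GET /default.ida
2001-08-01T14:03:56Z 192.0.2.20 GET /default.ida
2001-08-01T14:37:27Z 192.0.2.21 GET /default.ida
2001-08-01T23:49:13Z 192.0.2.22 GET /default.ida
2001-08-01T23:58:01Z 192.0.2.23 GET /default.ida
not-a-log-line
"""

# Fixed offsets: EDT and PDT as in effect in August 2001 (assumed, no DST logic).
ZONES = {
    "UTC": timezone.utc,
    "EDT": timezone(timedelta(hours=-4)),
    "PDT": timezone(timedelta(hours=-7)),
}


def parse_hits(log_text):
    """Return aware UTC datetimes for every parseable line; skip the rest."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=1)
        if not parts:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # malformed timestamp: ignore the line
        hits.append(ts.replace(tzinfo=timezone.utc))
    return hits


def hour_histogram(hits, tz):
    """Hit counts per local hour 0..23 in time zone `tz` (list of 24 ints)."""
    counts = Counter(ts.astimezone(tz).hour for ts in hits)
    return [counts.get(h, 0) for h in range(24)]


def peak_hours(hist, top=2):
    """The `top` busiest local hours, busiest first; ties broken by lower hour."""
    ranked = sorted(enumerate(hist), key=lambda p: (-p[1], p[0]))
    return [hour for hour, _ in ranked[:top]]


def window_share(hist, start, end):
    """Fraction of all hits falling in local hours [start, end), wrapping midnight."""
    if start < end:
        hours = range(start, end)
    else:
        hours = list(range(start, 24)) + list(range(0, end))
    total = sum(hist)
    return sum(hist[h] for h in hours) / total if total else 0.0


def rank_zones(hits, zones=ZONES, start=17, end=23):
    """Rank candidate zones by how much traffic lands in the evening window.

    Returns (zone name, share) pairs, highest share first. A zone whose
    evening window captures most of the hits is consistent with the
    'infected home workstations' explanation for that population.
    """
    shares = [(name, window_share(hour_histogram(hits, tz), start, end))
              for name, tz in zones.items()]
    return sorted(shares, key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print(f"{len(hits)} hits parsed")
    for name, tz in ZONES.items():
        hist = hour_histogram(hits, tz)
        print(f"{name}: peaks at local hours {peak_hours(hist)}")
    for name, share in rank_zones(hits):
        print(f"{name}: {share:.0%} of hits between 17:00 and 23:00 local")
```

With the constructed sample, the UTC histogram peaks around midnight, which re-binned into EDT becomes an 8-10 PM peak and into PDT a 5-6 PM peak; ranking by evening share is only suggestive, since a scanning host's source address, not the sensor's clock, decides its real time zone, so geolocating the sources (the "location data" asked for above) is the stronger check.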


