This new CodeRedII is moving way faster than the previous

• Previous message (by thread): The Death of TCP/IP
• Next message (by thread): CodeRedII worm..
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This thing is hitting hard!  I got bored and thought I'd through some 
stats/info together...

So far, since 9:16am on 7/19, I've seen 485 CRv1 attacks from 257 unique 
IPs on my cable modem.  
Since 6:49am today, I've been hit 472 times from 133 unique IPs with this 
new "CRv2" worm.  

-  All infected systems seem to try each scanned IP twice whereas the 
original only tried once, which probably will help its infection rate.  
Seems odd though as both tries use the same source port.  Could just be 
my snort rules...

-  It has the word "CodeRedII" hard coded in the packet, so its obviously 
a copycat or at least  a fairly recent revision.

-  *Appears* to be hardcoded to use the d:\inetpub\scripts and d:\progra~1
\common~1\system\MSADC directories.  Assuming you are not using this 
path, are you still vulnerable?

-  Either copies cmd.exe or creates a new file named root.exe in those 
directories.

-  I'm seeing almost only cable modem systems now.  Appears businesses 
may have finally gotten their acts together.


chris

• Previous message (by thread): The Death of TCP/IP
• Next message (by thread): CodeRedII worm..
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]