New worm / port 1434?

Marc Maiffret marc at eeye.com
Sat Jan 25 18:37:54 UTC 2003


CodeRed was worse by the sheer number of hosts that were infected and, in the
end, had a lot more impact than what the SQL Sapphire worm has shown. Now
that is not to say this worm does not surpass CodeRed... however, it still
has its work cut out for it.

Last I heard, the number of infections ranges from 40k to 200k depending on
who you ask. Now if it's 200k, that's definitely getting close to a CodeRed
level; however, even then it has another few hundred thousand infections to
go.

The flooding aspect of this worm (it tries to re-infect so fast; it DOES
NOT have a DDoS engine built into it, as some people have misleadingly
claimed) is interesting and is causing a lot of problems for networks.
However, it's also its downfall, as it saturates bandwidth to the point of
even it not being able to spread anymore.

I could go into other technical details if you like... like how CodeRed
properly handled its data manipulation on the stack so that it could keep
running, whereas Sapphire is going to end up crapping out on itself
anyway... and also it does not keep any sort of global flag to thwart
re-infection, therefore once again hindering its ability to spread, whereas
CodeRed did keep a global atom, allowing it to last longer and infect more.
And bla bla bla.

You can read eEye's analyses of both CodeRed and Sapphire here:
CodeRed: http://www.eeye.com/html/Research/Advisories/AL20010717.html
Sapphire: http://www.eeye.com/html/Research/Flash/AL20030125.html

First after soda then after liquor... damn alcoholics.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

P.S. Jack and Eric you might be the only ones to get this as I was having
trouble earlier posting to NANOG... feel free to forward if you think it
matters.

| -----Original Message-----
| From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
| Jack Bates
| Sent: Saturday, January 25, 2003 9:36 AM
| To: Eric Gauthier; nanog at merit.edu
| Subject: Re: New worm / port 1434?
|
|
|
| From: "Eric Gauthier"
|
| > Woot!
| >
| > We made the front page of CNN.com:
| >
| > Electronic attack slows Internet
| > http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html
| >
| > Guess that USD10 goes to some unnamed reporter at CNN
| >
| And please tell me how CodeRed was worse? I'm sorry, this just
| created a lot
| of Internet traffic hurting performance? That's a little underrated. But
| then again, it's a port that could be blocked and not cause severe damage.
| Block tcp/80 and people would throw a fit.
|
| *mental note: Block port 80 anytime another port must be blocked
| just to be
| sure.
|
| Jack Bates
| Network Engineer
| BrightNet Oklahoma
|
|
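The two traits Maiffret describes above (a single-packet worm that sprays UDP/1434 at random addresses as fast as the link allows, and Bates's point that the port can simply be blocked) are what a network operator would key a detector on. The following is an added example, not code from this thread or from eEye's analysis: it walks constructed NetFlow-style records (the field names and thresholds are assumptions) and flags sources that hit many distinct hosts on UDP/1434 within a short window with packets of Sapphire's size. The 376-byte UDP payload is a known detail of the worm that this message does not state.

```python
"""Flag Sapphire/Slammer-style UDP/1434 sprays in flow records.

Added example for this NANOG thread; not part of the original post or of
eEye's advisories.  Flow records, field names and thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Sapphire carried its whole body in one 376-byte UDP datagram (a fact not
# stated in the message above).  20-byte IPv4 header + 8-byte UDP header
# gives the on-the-wire size a flow exporter would report.
SLAMMER_PAYLOAD = 376
UDP_IP_OVERHEAD = 28


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record (assumed schema)."""
    ts: float      # seconds since start of capture
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    packets: int
    bytes: int


def slammer_suspects(flows, window=1.0, min_targets=20, size_slack=8):
    """Return {src: distinct_targets} for every source that, inside some
    `window` seconds, sent UDP/1434 packets to at least `min_targets`
    distinct hosts, where the average packet size is within `size_slack`
    bytes of a Sapphire packet.  Distinct targets, not raw packet counts,
    are the discriminator: a real SQL client talking to one server never
    looks like a random-address spray, however chatty it is."""
    wire = SLAMMER_PAYLOAD + UDP_IP_OVERHEAD
    per_src = defaultdict(list)
    for f in flows:
        if f.proto != "udp" or f.dport != 1434 or f.packets == 0:
            continue
        if abs(f.bytes / f.packets - wire) > size_slack:
            continue                      # wrong size: SSRP lookups, etc.
        per_src[f.src].append((f.ts, f.dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):     # sliding window over time
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({d for _, d in events[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            hits[src] = best
    return hits


# Constructed sample (not captured traffic): 10.0.0.5 sprays 30 random hosts
# on UDP/1434 in 0.3 s; 10.0.0.9 is a legitimate client doing two small SQL
# Browser (SSRP) lookups; 10.0.0.7 is bulk TCP/1433 traffic to one server.
SAMPLE_FLOWS = [
    Flow(ts=i * 0.01, src="10.0.0.5", dst=f"192.0.2.{i + 1}",
         proto="udp", dport=1434, packets=1, bytes=404)
    for i in range(30)
] + [
    Flow(ts=0.10, src="10.0.0.9", dst="192.0.2.50",
         proto="udp", dport=1434, packets=1, bytes=29),
    Flow(ts=0.50, src="10.0.0.9", dst="192.0.2.51",
         proto="udp", dport=1434, packets=1, bytes=29),
    Flow(ts=0.20, src="10.0.0.7", dst="192.0.2.60",
         proto="tcp", dport=1433, packets=900, bytes=1_200_000),
]


if __name__ == "__main__":
    for src, n in slammer_suspects(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct UDP/1434 targets in one window")
```

On the constructed sample only 10.0.0.5 is reported. Tuning follows the thread's own observation: because the worm re-infects as fast as the link permits, a genuinely infected host blows past any sane `min_targets` within a second, so the threshold can be set high enough that a busy but legitimate SQL client never trips it, and the flagged sources are exactly the ones whose UDP/1434 traffic Bates suggests dropping at the border.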