Code Red Goes The Way Of Y2K
beanerspace writes: "In spite of Michael Hyatt-like hype, the Washington Post now reports that the 8pm EST deadline for the Code Red worm came and went without grinding the internet to a halt. Darn, I was sorta hoping it would so I could take the day off and go fishing." Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention? Update: 08/01 03:41 PM by T : On the other hand, incidents.org's graph shows a different picture of Code Red's progress, as several readers have pointed out. That's a pretty little curve there, isn't it?
incidents.org is tracking the spread. It still looks to be on its exponential path to death and destruction of the Internet (sarcasm included). As of this post, incidents reports 22,000 infected (up from ~13,500 an hour earlier). It's too early yet to tell how this will pan out.
espo
The trick is that so many of the so-called experts misunderstood the nature of the worm.
Once the worm went dormant, it stays dormant. So all of the worm infections that were out there as of July 19th were not a threat.
What is a threat is the possibility of the worm beginning to spread again, which is exactly what is happening. Within the past few hours, attempts have increased... too recently for the media to have picked up on it yet, but it is happening, the growth rate is exponential, just like July 19th, and it will get to be a significant problem within a matter of hours.
So Cringely was somewhat right... while the systems with their clocks set wrong aren't inherently any greater a danger than any other... they did allow the worm to go back into spread mode and become widespread again.
Jeff
After a few weeks with none, I'm starting to see an increasing number of attempts on my HTTP port. I believe this is the port Code Red goes after on unpatched MS IIS boxes.
date,time,source,transport
2001/08/01,00:39:43 EDT,64.224.192.128:4482,80,TCP (flags:S)
2001/08/01,09:29:53 EDT,203.239.44.55:2464,80,TCP (flags:S)
2001/08/01,09:43:29 EDT,61.157.184.52:4273,80,TCP (flags:S)
2001/08/01,11:25:13 EDT,217.126.188.106:53726,80,TCP (flags:S)
2001/08/01,11:54:00 EDT,193.70.29.42:2668,80,TCP (flags:S)
2001/08/01,11:56:41 EDT,210.119.9.196:4754,80,TCP (flags:S)
2001/08/01,12:22:11 EDT,64.81.148.7:3924,80,TCP (flags:S)
2001/08/01,12:29:15 EDT,61.144.181.223:1319,80,TCP (flags:S)
I admit that it's not exactly Internet-stopping volume, but if everyone is getting this, that's bound to be a lot of traffic. And note that if I were running an unpatched IIS, I'd be Code Red's bitch by now. (Or somebody's bitch if my ports 111, 139, 515, 31337, etc. were open to exploits.)
One line blog. I hear that they're called Twitters now.
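As an added example (not code from the thread), a small Python summariser for the log format quoted in the comment above: it parses each line, keeps only TCP SYNs to port 80, and reports attempts per clock hour and sources that come back more than once. The sample lines copy the comment's log with three constructed additions (a repeat source and a non-port-80 probe).

```python
"""Added example (not from the thread): summarise port-80 SYN probes in the CSV firewall log format quoted above."""
from collections import Counter
from datetime import datetime

# Constructed sample: the first six lines copy the comment's log; the last
# three are made up to show a repeat source and a non-port-80 probe.
SAMPLE_LOG = """\
date,time,source,transport
2001/08/01,00:39:43 EDT,64.224.192.128:4482,80,TCP (flags:S)
2001/08/01,09:29:53 EDT,203.239.44.55:2464,80,TCP (flags:S)
2001/08/01,09:43:29 EDT,61.157.184.52:4273,80,TCP (flags:S)
2001/08/01,11:25:13 EDT,217.126.188.106:53726,80,TCP (flags:S)
2001/08/01,11:54:00 EDT,193.70.29.42:2668,80,TCP (flags:S)
2001/08/01,12:22:11 EDT,64.81.148.7:3924,80,TCP (flags:S)
2001/08/01,12:30:02 EDT,64.81.148.7:3991,80,TCP (flags:S)
2001/08/01,12:31:10 EDT,64.81.148.7:4002,22,TCP (flags:S)
2001/08/01,12:32:45 EDT,203.239.44.55:2500,80,TCP (flags:S)
"""


def parse_line(line):
    """Parse one data line into a dict; return None for the header or blanks."""
    parts = line.strip().split(",")
    if len(parts) != 5 or parts[0] == "date":
        return None
    date, time_tz, src, dport, transport = parts
    ts = datetime.strptime(f"{date} {time_tz.split()[0]}", "%Y/%m/%d %H:%M:%S")
    ip, sport = src.rsplit(":", 1)                  # IPv4 "a.b.c.d:port"
    proto, _, flags = transport.partition(" (flags:")
    return {"ts": ts, "src_ip": ip, "src_port": int(sport), "dst_port": int(dport),
            "proto": proto, "flags": flags.rstrip(")")}


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def syn_probes(records, dst_port=80):
    """Keep only TCP connection attempts (SYN) to the given port."""
    return [r for r in records
            if r["proto"] == "TCP" and r["flags"] == "S" and r["dst_port"] == dst_port]


def probes_per_hour(records, dst_port=80):
    """Count SYNs per clock hour; a rising series is the 'ramping up' described above."""
    return Counter(r["ts"].strftime("%Y/%m/%d %H:00") for r in syn_probes(records, dst_port))


def repeat_sources(records, dst_port=80, min_hits=2):
    """Sources hitting dst_port at least min_hits times: candidates for an edge block."""
    hits = Counter(r["src_ip"] for r in syn_probes(records, dst_port))
    return {ip: n for ip, n in hits.items() if n >= min_hits}
```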
SO not as explosive as expected, BUT we're already at just about 80,000 infected hosts and it's only 2PM! I'm sure there are PLENTY of vulnerable servers still out there. My 3 web servers have been hit 13 times so far. That's 3 IPs hit between 4 and 5 times each. Not huge, but for such a tiny IP section, scary all the same.
Top Most Bizarre/Disturbing Error Messages
The post said, "most web servers on the internet run Windows." He's absolutely correct.
Virus writers don't name viruses, the AV companies do.
For those of you who like pretty graphs, look at caida's nearly-live graphs: [normal scale] [logarithmic scale]
At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there.
:)
This was proven to be untrue by the 31st. I scored a 5, Insightful, mentioning this on July 23rd, but by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it *never did*. Therefore, all the hype was unwarranted with respect to 8PM ON TUESDAY, TUESDAY TUESDAY!!
During the first infection it took 6 days to get to 359,000 hosts, not 12 hours like CNN would say. If you check incidents.org, you'll see that 22,000 new infections have already happened by 11am ET on the 1st. While it's not as bad as you and I thought it was going to be.. restarting with 200,000 infected hosts, it is BY NO MEANS over.
Please people, do NOT jump the gun, comparing this to Y2K. Besides, I think all the media coverage helped thwart all the Y2K problems, but that's for another post.
Intelligent Life on Earth
Yeah, on the securityfocus incidents list there are people getting probed every few seconds on class B subnets. My single webserver has been probed 6 times so far this morning, I think it is ramping up. Hopefully most people have patched their boxes (or even better installed Apache!) I don't think this will have a huge impact but it is going to infect more machines over the next few days (seeing how it only started showing up on July 11th and then wasn't a "big" deal until the 19th!).
*narf!*
This means it was a waste of time/money patching up the servers then?
I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson