The Register, Vmyths & My Code Red Advisory by Steve Gibson, Gibson Research Corporation -- 2001/07/30
NOTE The following page documents my prediction of the return of the FIRST worm, which did, as we now know, come true in spades:
On Sunday, July 29th, 2001, with August 1st looming, I set aside some time to examine the programming code of the Code Red Internet worm. I then initiated a dialog with a number of agencies of the US government and private industry to share, confirm, and discuss my findings. Finally, coming to the conclusion that we have not seen the last of the Code Red Internet worm (by a long shot), and feeling that the reasons for this have not been adequately reported by the computer press, I wrote and forwarded the following advisory to a number of my friends in the press with whom I have corresponded in the past:
The text of my press advisory:
To eliminate confusion, "next week" at the close of my note above refers to the week beginning July 30th and containing Wednesday, August 1st, 2001.
It was not my intention to share this note directly with the public. I hoped that the computer industry press would digest it, do their research, and write whatever they felt was best (as they have, see links below). However, a strongly-worded article appeared the following day in The Register, written by Thomas C Greene (you may click the link to send Thomas your thoughts). Thomas' article referred to my note to the press without reproducing it and without making it available. So I wanted to allow anyone who was interested to have an accurate statement from me.
Since then I have been gratified to find my analysis supported by Microsoft and several leading Internet security organizations. The SANS Institute sent this announcement, which was also echoed by Microsoft, calling it an "Urgent Security Announcement". Microsoft sent the announcement to their security list subscribers with the following heading:
Additionally, CERT.ORG updated their earlier page. In their report, updated July 30th, CERT states:
"Different organizations who have analyzed "Code Red" have reached different conclusions about the behavior of infected machines when their system clocks roll over to the next month. Reports indicate that there are a number of systems with their clocks incorrectly set, so we believe the worm will begin propagating again on August 1, 2001 0:00 GMT. There is evidence that tens of thousands of systems are already infected or vulnerable to re-infection at that time. Because the worm propagates very quickly, it is likely that nearly all vulnerable systems will be compromised by August 2, 2001."
As you'll know from reading the analysis and advisory which I sent to the press, my analysis favors the expectation that a few "straggler worms" that have continued operating due to the dates of their clocks being incorrect will have the effect of "re-starting" the infection two days from the date of this writing. Either way, we'll soon know.
Please note that neither in the above communique, nor elsewhere, have I ever made any dire predictions for the worm's effect on the Internet. Others have, but I am skeptical. I believe that the Internet can easily handle the "replication probing traffic" generated even by millions of simultaneously searching and reproducing IIS worms.
Yahoo.com: Officials Fight 'Code Red' Attack
The Second Worm:
If you have some time for an editorial:
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Last Edit: Oct 06, 2003 at 13:29