On Fri, 19 Apr 2002, Ron DuFresne wrote:

We caught NIMDA extremely early because one of our malcode researchers put up a worm catcher to track Code Red variants and we had it deployed in several places (~14 countries). "New" worms get mailed and analyzed pretty quickly, old ones get counted for statistical purposes.

I called it as viral about the same time all the AV guys did based on some early cleaning attempts (they were disassembling initial samples, I was playing with client-side infection.)

> dramatic spread over short time for both. I just think the survey is
> flawed, perhaps due to a limited data set <respondents>.

The normal sampling is (AFAIR) 1000 companies with >=1000 computers. Don't quote me though, I tend to forget those things shortly after reading them. The methodology is definitely in the survey though, and I'm pretty sure there's a NIMDA section.

> I still track both on a very small network, and still see signs of both on
> systems throughout the US and various other countries in the world:

Almost all of the NIMDA probes I still get come from .kr. What I see from the US is generally from home systems, not companies. I feel that state and local governments got hit harder than corporations, but don't have any data to back that up.

> The numbers might well be small in the survey conducted due to also so
> many still lacking a clue they are in fact infested <smile>.

I can't remember if we went out and sampled the Internet randomly for NIMDA, it certainly wouldn't be all that difficult to do. I just double-checked the numbers, and we had a 2.4% verified incident rate in our customer base (multiple hundreds of customers.) The 78% number still stands in everything I have here. If you're aware of someone who has conflicting data, I'd like to see it.

> > I'll have to check something before I theorize why the general rate wasn't
> > significantly higher.

MS01-044 was a rollup patch put out in August, and a fair number of companies applied it to at least external facing sites. I think the "real" fix was prior to that (MS00-078?), and that probably helped. I also seem to recall some resiliency in some versions of IIS, but I can't find any notes. There were also several companies who took proactive shutdown action based on their Code Red experiences.

I have data suggesting that NIMDA went through 14 countries worth of address space in less than 25 minutes. So, I doubt that our NIMDA specific alerts had much to do with mitigation (better than a 30x decrease is significant IMO.) We did make sure that our customer base didn't have ../ issues several times in months prior, and in doing so, ensured that CR didn't get a foothold for NIMDA to exploit as well.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
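As an added example (not part of the original post, and not the worm catcher it mentions), the following Python script shows the kind of counting the post describes: it classifies web-server access-log requests as Code Red or Nimda-style probes and tallies them per source host. The signatures are the published Code Red (`/default.ida?`) and Nimda (`cmd.exe` / `root.exe` reached through directory traversal) request patterns. The path normalisation folds the double-URL-encoded and overlong-UTF-8 forms (`%255c`, `%%35%63`, `%c0%af`, `%c1%9c`, ...) that the IIS traversal bugs accepted, which is why checking a raw request for a literal `../` is not enough when verifying the "../ issues" the post refers to. The log lines, source addresses, and function names are constructed for this example.

```python
"""Classify access-log requests as Code Red / Nimda-style probes and tally
them per source host.  Added example; not code from the original post.
Signatures: published Code Red (/default.ida?) and Nimda (cmd.exe/root.exe
via traversal) request patterns.  Log lines below are constructed."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote_to_bytes

# Apache combined/common log format; only host and request path are used.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

CODE_RED = re.compile(rb'^/default\.ida\?', re.IGNORECASE)
NIMDA_TARGET = re.compile(rb'/(cmd|root)\.exe(\?|$)', re.IGNORECASE)
TRAVERSAL = re.compile(rb'\.\./')


def decode_overlong_utf8(data: bytes) -> bytes:
    """Fold the overlong two-byte UTF-8 forms abused by the IIS 4/5 Unicode
    traversal bug (%c0%af, %c0%2f, %c1%9c, %c1%1c) onto the ASCII byte they
    encode.  Like the vulnerable decoder, the second byte is not required to
    be a valid continuation byte (Nimda's %c1%1c relies on that)."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x03) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize(path: bytes, max_rounds: int = 4) -> bytes:
    """Canonicalise a request path the way a permissive server sees it:
    URL-decode until stable (so %255c -> %5c -> backslash, covering the
    double-decode bug), fold overlong UTF-8, and treat backslash as '/'."""
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path = decoded
    path = decode_overlong_utf8(path)
    return path.replace(b'\\', b'/')


def classify(path: bytes) -> Optional[str]:
    """Return 'code-red', 'nimda', 'traversal' or None for a raw request path."""
    if CODE_RED.search(path):
        return 'code-red'
    norm = normalize(path)
    if NIMDA_TARGET.search(norm):
        return 'nimda'
    if TRAVERSAL.search(norm):
        return 'traversal'
    return None


def count_probes(log_lines):
    """Tally classified probes per (class, source host); lines that do not
    parse or do not match any signature are ignored."""
    tally = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m['path'].encode('latin-1'))
        if label:
            tally[(label, m['host'])] += 1
    return tally


# Constructed sample log (documentation-range addresses, Code Red payload truncated).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Apr/2002:10:01:02 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 288',
    '198.51.100.7 - - [19/Apr/2002:10:03:15 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [19/Apr/2002:10:03:15 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 233',
    '198.51.100.7 - - [19/Apr/2002:10:03:16 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 233',
    '198.51.100.7 - - [19/Apr/2002:10:03:16 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 233',
    '203.0.113.5 - - [19/Apr/2002:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [19/Apr/2002:10:05:30 +0000] "GET /images/..%2F..%2Fetc/passwd HTTP/1.1" 403 0',
]

if __name__ == '__main__':
    for (label, host), n in sorted(count_probes(SAMPLE_LOG).items()):
        print(f'{label:10s} {host:15s} {n}')
```

The `root.exe` probe is there because Nimda also tried the backdoor that Code Red II left behind, which is the "foothold" the post mentions; a host that never had that backdoor and had MS00-078 applied answers every one of the Nimda requests above with a 404. The generic `traversal` class goes beyond the two worms: it catches any encoded `..` sequence after normalisation, which is the check to run against your own servers rather than only against probe logs.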
