Code Red statistics at TRIUMF

Infection Period #2. Starting at 8pm EST on July 31 2001, the worm shows exponential growth; see these PNG plots:

• Port 80 Source Address Scatterplot (last hour)
• Source Address Scatterplot (last hour)
• scan rate (logarithmic, since October) *updating hourly*
• scan rate (logarithmic) *updating hourly*
• scan rate (linear) *updating hourly*
• cumulative (linear, July/August 2001)
• cumulative (logarithmic, July/August 2001)
• cumulative July-October) (logarithmic)
• Code Red the movie MPEG
• Code Red the sequel MPEG
• July-November scatterplot (29Mb MPEG)
• daily scatterplot MPEGs
• cumulative July-August (logarithmic)
• August 1-13, probes + exploits
• August 1 rise (logarithmic + fit)
• August 1 rise (fit to Silicon Defense formula a = Exp(K * (t-T))/ (1 + Exp(K * (t-T))))
• August 1 rise (logarithmic, fit to Silicon Defense formula)
• August 1-12 (logarithmic + fit to exponential rise,decay)
• August 1 animated scatterplot (GIF)
• Sept 5th scatterplot - sources in IPv4 address space
• Sept 5th 3-D plot

Infection Period #1, Attack Period #1

During the day of July 19th, 2001, TRIUMF experienced an unprecedented number of probes from the Internet for port 80 HTTP service (Webserver). These are attributed to the Code Red worm, which attacks unpatched Microsoft IIS webservers.

At this time, the SANS incident handling centre set the Internet Threat Level to "Orange" (on a scale green, yellow, orange,red). On July 20th, the Threat Level was downgraded to Yellow.

Check out this page at CAIDA. It has some cool animations of the geographic spread of the worm.

For more information on the Code Red worm, please see:

• Incidents.org Handler's Diary
• eEye Advisory
• eEye Analysis (zipfile)
• Microsoft bulletin
• Newsbytes article
• Newsbytes update
• Code Red II @ incidents.org
• Code Red FAQ @ incide nts.org
• Infection Simulation by Todd Heberlein
• Warhol Worms theoretical study by Nicholas C Weaver
• Flash Worm study
• hackbusters.net - fight back against worms and scanners.

The graph shows the number of probes to port 80 to addresses within the TRIUMF domain where a webserver is not running. These mostly represent scanning activity by the Code Red worm.

For a logarithmic plot, showing tailing off of the numbers of scans since July 20, see codered.log.png (since 13 July), codered.log2.png (since 31 July). At 9am PDT on August 1, the log plot shows a straight line (exponential growth)

For a linear plot of probes since July 24, see codered3.png

Source Domains

61.132 106643
168.160 19249
61.218 14414
211.233 12789
202.108 12433
209.11 11974
61.216 11611
211.23 11369
211.174 9554
209.61 9485
61.13 9240
62.110 8903
63.111 8882
211.21 8726
217.80 8377
213.122 8328
61.219 8295
211.20 8039
66.12 7956
161.7 7870
211.22 7820
209.235 7713

com 125131    .COM commercial
cn 84495      China
net 78041     .NET commercial
edu 14214     .EDU Academic
jp 12326      Japan
tw 9805       Taiwan
nl 8007       Netherlands
uk 7468       United Kingdom
de 7144       Germany
us 6812       US regional, e.g. High Schools
fr 6001       France
it 5701       Italy
ca 5582       Canada
org 5085      .ORG  commercial and non-profit
se 4321       Sweden
dk 4124       Denmark
at 3795       Austria
es 3554       Spain
be 3140       Belgium
ch 2407       Switzerland
za 2069       South Africa
fi 2054       Finland
no 1836       Norway
au 1831       Australia
nu 1754     
ru 1667       
is 1621       
gr 1492       Greece
hr 1404       Hungary
kr 1043       Korea
pl 936        Poland
arpa 922
cz 702        Czech Republic
si 696
hk 585        Hong Kong
id 534
mx 531        Mexico
ee 522
br 517
tr 503