On Fri, 19 Apr 2002, Paul D. Robertson wrote:
> On Fri, 19 Apr 2002, Ron DuFresne wrote:
>
> > > [1] 68% of North American companies experienced a Nimda event.
> >
> > That has to be a dramatic and reserved understatement.
>
> I don't believe so, that's the last representation of the data that I saw.
> What I don't recall is if NIMDA was done before, after, or during the ICSA
> Labs virus prevalence survey[1]. Generally, if it's before, the data is
> very accurate and the sample size very large, if it's during, the
> extrapolation is near but the size smaller, and if it's after, then the
> sample size is much smaller though the numbers are still close. In our
> customer base, the incidence was less than 1.2% (including new and
> non-certified sites.)

I remember when both nimda and the first code red variant hit sites on the
net; I was one of the first to notice the increase in traffic and the
dramatic spread over short time for both. I just think the survey is
flawed, perhaps due to a limited data set <respondents>.
I still track both on a very small network, and still see signs of both on
systems throughout the US and various other countries in the world:
Nimda Worn Info
There have been - 41 - individual Nimda worm attacks on this system this
week.
There have been - 26 - Nimda worm attacks on this system,
after sorting out some repeats, so far this week.
Code Red Worm Info
There have been - 5 - total Code Red Worm attacks on this system this
week.
- 5 - Code RedI attacks in the above number are documented
- 0 - Code RedII attacks in the above number are documented
Additionally, from a paper I'm working up:
Some companies, even when notified of their systems' compromise and their
being used to further attack other systems, don't even take the time to
either investigate or repair such systems. We've taken to having to
block the whole netspace for many sites, such as the City of Ashland in
Oregon, (NETBLK-SPRINT-D00150-2) SPRINT-D00150-2 208.1.80.0 -
208.1.83.255, whose systems are so infested with code-red and nimda
variants and who fail as well as Sprint, their upstream provider,
in taking any action about their systems' attacks on others on the Internet
infamous highway. And they have been notified of their 'problem' systems
for months.
The numbers might well be small in the survey conducted due to also so
many still lacking a clue they are in fact infested <smile>.
>
> We actually track and scientifically survey for virus prevalence, as well
> as get data from our customers so I'm confident the numbers are accurate.
>
> I'll have to check something before I theorize why the general rate wasn't
> significantly higher.
>
>
> Paul
> [1] It's available somewhere at www.icsalabs.com, the methodology is
> documented, I'm running late, so I can't grab a copy, you probably have to
> register to get a copy but it is otherwise free, and TruSecure pays my
> bills and owns ICSA Labs.

Cool, I will look about the site, have not been there in a few weeks.
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls