Code Red?

Wayne Conrad plug-discuss@lists.PLUG.phoenix.az.us
11 Aug 2001 11:03:50 -0700


On Sat, 11 August 2001, Craig White wrote:
> "John (EBo) David" wrote:
> > 
> > Ok... what is the difference between CRv1/CRV2 and CRII?
> > 
> ----
> CRv1 uses NNNNNN to overflow the input string
> 
> CRv2 uses XXXXXX
> 
> CRv2 has a bigger payload which includes root exploit and results in a
> compromised box even though it has been patched and rebooted.

Correct on the details but not on which names the details go with.  It's understandable -- the names are a mess, partly because we have to give the things names before we understand their taxonomy.

CRv1 and CRv2 both use N's.  The main difference is whether the pseudo-random number generator used to generate IPs uses a fixed seed.  CRv1 uses a fixed seed, causing it to not grow terribly fast; CRv2 uses a non-fixed seed, causing it to grow pretty fast.  I believe the payload of CRv1 or CRv2 is largely or entirely the same.

CRII uses X's.  It strongly prefers to probe addresses in the same /16, and somewhat prefers to probe IPs in the same /8, and occasionally probes a purely random IP.  This appears to be a very good strategy for spreading quickly.  It also has a completely different payload than CRv1 and CRv2.  That payload roots the box.
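The two scanning differences described above (fixed versus per-host PRNG seed, and locality-biased versus uniform target selection) can be seen numerically with a small simulation.  This is an added illustration, not code from the thread or from any of the worms; it only generates and measures candidate addresses, and the mixing weights for the locality-biased scanner (50% same /16, 37.5% same /8, 12.5% anywhere) are assumed for illustration, since the message only says "strongly", "somewhat" and "occasionally".  The host address 192.0.2.10 is a constructed input.

```python
import random

# Assumed mixing weights for the locality-biased scanner.  The post only says
# the worm "strongly prefers" its own /16, "somewhat prefers" its own /8 and
# "occasionally" picks a random address; these numbers are illustrative.
P_SAME_16 = 0.5
P_SAME_8 = 0.375   # the remaining 0.125 goes to a fully random address


def fixed_seed_targets(n_hosts, probes_per_host, seed=0x5EED):
    """Fixed-seed style (the CRv1 behaviour described above): every infected
    host seeds its PRNG with the same constant, so every host walks the same
    sequence of addresses.  Returns the set of distinct 32-bit addresses probed
    across all hosts."""
    seen = set()
    for _ in range(n_hosts):
        rng = random.Random(seed)            # identical seed on every host
        for _ in range(probes_per_host):
            seen.add(rng.getrandbits(32))
    return seen


def per_host_seed_targets(n_hosts, probes_per_host):
    """Non-fixed-seed style (the CRv2 behaviour): each host seeds differently
    (here an assumed host index stands in for whatever per-host value a real
    scanner would mix in), so the sequences diverge."""
    seen = set()
    for host_id in range(n_hosts):
        rng = random.Random(0x5EED + host_id)   # differs per host
        for _ in range(probes_per_host):
            seen.add(rng.getrandbits(32))
    return seen


def local_biased_targets(own_ip, n_probes, seed=0x5EED,
                         p_same16=P_SAME_16, p_same8=P_SAME_8):
    """Locality-biased selection (the CRII behaviour): keep the top 16 bits of
    the host's own address with probability p_same16, keep only the top 8 bits
    with probability p_same8, otherwise draw a fully random 32-bit address."""
    rng = random.Random(seed)
    targets = []
    for _ in range(n_probes):
        r = rng.random()
        if r < p_same16:
            t = (own_ip & 0xFFFF0000) | rng.getrandbits(16)
        elif r < p_same16 + p_same8:
            t = (own_ip & 0xFF000000) | rng.getrandbits(24)
        else:
            t = rng.getrandbits(32)
        targets.append(t)
    return targets


def locality_fractions(targets, own_ip):
    """Fraction of probes sharing the host's /16, sharing only its /8, and
    sharing neither, in that order."""
    n = len(targets)
    same16 = sum(1 for t in targets if t >> 16 == own_ip >> 16)
    same8 = sum(1 for t in targets if t >> 24 == own_ip >> 24)  # includes same16
    return same16 / n, (same8 - same16) / n, (n - same8) / n


def ip_to_int(dotted):
    """Dotted-quad string to a 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


if __name__ == "__main__":
    hosts, probes = 100, 1000
    print("fixed seed:    %d hosts probe %d distinct addresses"
          % (hosts, len(fixed_seed_targets(hosts, probes))))
    print("per-host seed: %d hosts probe %d distinct addresses"
          % (hosts, len(per_host_seed_targets(hosts, probes))))
    me = ip_to_int("192.0.2.10")     # constructed host address
    f16, f8, other = locality_fractions(local_biased_targets(me, 10000), me)
    print("locality-biased: same /16 %.2f, same /8 only %.2f, elsewhere %.2f"
          % (f16, f8, other))
```

With the fixed seed, 100 hosts together cover no more addresses than one host does, which is why that variant barely spreads; with per-host seeds the coverage grows roughly linearly with the number of infected hosts.  The locality fractions simply reflect the assumed weights (a small share of the "same /8" draws also land in the host's /16), so they show the shape of the bias rather than a measurement of the real worm.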