Code Red: a case study on the spread and victims of an Internet Worm, David Moore et al.

NOTE: This is a fairly old paper, 2001

General Gist: Paper attempts to follow how Code Red spread.

Angle: More of a report of what happened and how it was discovered

Value to me:
-> Some activity may only show up after the actual event occurs (Code Red 2 for example, as it went inactive for 24 hours after infection)
-> Because IPs change due to DHCP it's hard to keep an accurate count of the actual number of infected machines

My angle: I am avoiding virus history and how the virus works (except spread techniques). Rather interested in how the spread was analysed

Code Red stats:
-> Over 359,000 infected in less than 14 hours
-> Peaked at 2,000 infected hosts per minute
-> $2.6 billion of damage (Okay...)
-> Difficult to collect global data so little analysis

Overview:
-> Discusses infection and deactivation rate of Code Red and Code Red 2
-> Properties of infection in terms of geolocation, ISPs, TLDs
-> Affected a lot of businesses but mainly affected small businesses and home users
-> It was definitely a world event, has day/night patterns
-> Due to DHCP, IP isn't a sufficient measure of virus spread over, say, 24 hours

Background:
-> Paper discusses how Code Red infected machines and its broken random generator for IP lists for the next infection
-> Code Red 2 was a different virus but waited a whole day after infection to propagate again. This delay added subterfuge, as logs won't show connections to the machine that may have infected it when it starts to show symptoms (a day later)
-> Discusses probing mechanism for Code Red 2 (worth rereading)

Methodology followed:
-> Used packet header traces of hosts sending unsolicited packets into a /8 part of the network
-> There is a sort of background noise always present trying to get to the /8, such as port scans
-> Noted that the same 23 hosts kept getting sent the same stuff
-> Reverse engineered the Code Red code and found that those IPs were in the range
-> Thought 3 machines were initially seeded with the virus (or at least they believe so)
-> They then used regular expressions to break infected hosts into mail servers, DNS servers, broadband, dialup etc
-> Used IxMapping to find location of hosts

Results:
-> No interesting heuristics :/
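As an added example (not from the paper and not part of these notes), a small Python sketch of the measurement steps in the methodology above: parse a darknet-style trace of unsolicited SYNs, keep only sources that hit the worm's port (80) inside the monitored /8, treat sources that also probed other ports as background scan noise (a simplifying heuristic of this example, not the paper's exact filter), count first-seen sources per minute, and bucket hosts by reverse-DNS name with regular expressions. The trace lines, the 10.0.0.0/8 telescope prefix and the hostname patterns are all constructed here; no real infected hosts are represented.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed monitored /8 (constructed for this example).
TELESCOPE = ip_network("10.0.0.0/8")
# Code Red propagated by probing TCP port 80 (IIS).
WORM_PORT = 80

# Constructed sample trace: one unsolicited SYN per line,
# fields are ISO timestamp, source IP, destination IP, destination port.
SAMPLE_TRACE = """\
2001-07-19T13:00:05 203.0.113.7 10.17.4.21 80
2001-07-19T13:00:09 198.51.100.23 10.200.1.1 80
2001-07-19T13:00:31 203.0.113.7 10.99.0.250 80
2001-07-19T13:01:02 192.0.2.44 10.3.3.3 80
2001-07-19T13:01:10 198.51.100.200 10.8.8.8 22
2001-07-19T13:01:11 198.51.100.200 10.8.8.8 23
2001-07-19T13:01:12 198.51.100.200 10.8.8.8 80
2001-07-19T13:02:40 192.0.2.99 10.1.2.3 80
2001-07-19T13:02:41 203.0.113.7 10.60.70.80 80
2001-07-19T13:02:50 192.0.2.77 172.16.0.5 80
"""


def parse_trace(text):
    """Turn 'time src dst dport' lines into sorted (time, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), ip_address(src),
                        ip_address(dst), int(dport)))
    records.sort(key=lambda r: r[0])
    return records


def candidate_infections(records, telescope=TELESCOPE, worm_port=WORM_PORT):
    """Map each likely-infected source to the time it was first seen.

    A source counts only if every packet it sent into the telescope went to
    the worm port; sources that also touched other ports are treated as
    ordinary port-scan background noise (this example's heuristic).
    """
    ports_by_src = defaultdict(set)
    first_seen = {}
    for ts, src, dst, dport in records:
        if dst not in telescope:          # ignore traffic outside the /8
            continue
        ports_by_src[src].add(dport)
        first_seen.setdefault(src, ts)    # records are time-sorted
    return {src: first_seen[src]
            for src, ports in ports_by_src.items() if ports == {worm_port}}


def new_hosts_per_minute(first_seen):
    """Count newly observed sources per minute (the paper's infection-rate view)."""
    counts = defaultdict(int)
    for ts in first_seen.values():
        counts[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(sorted(counts.items()))


# Reverse-DNS naming patterns, constructed for this example.
HOST_CLASSES = [
    ("mail", re.compile(r"(^|\.)(mail|smtp|mx|pop|imap)\d*\.", re.I)),
    ("dns", re.compile(r"(^|\.)(ns|dns)\d*\.", re.I)),
    ("broadband", re.compile(r"(dsl|cable|broadband)", re.I)),
    ("dialup", re.compile(r"(dial|ppp|modem)", re.I)),
]


def classify_host(ptr_name):
    """Bucket a host by its reverse-DNS name; 'other' if no pattern matches."""
    for label, pattern in HOST_CLASSES:
        if pattern.search(ptr_name):
            return label
    return "other"


if __name__ == "__main__":
    seen = candidate_infections(parse_trace(SAMPLE_TRACE))
    print(len(seen), "candidate infected sources")
    print(new_hosts_per_minute(seen))
    for name in ("mail.example.net", "dsl-12-34.isp.example", "www.example.com"):
        print(name, "->", classify_host(name))
```

Note that the per-minute counts key on IP addresses, so over a long window the same DHCP host can reappear under a new address and be counted again, which is exactly the overcounting caveat the notes raise; the paper's numbers should be read with that in mind.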