The CAIDA Dataset on the Code-Red Worms

----------
Background:
----------

The first incarnation of the Code-Red worm (CRv1) began to infect hosts running unpatched versions of Microsoft's IIS webserver on July 12th, 2001. The first version of the worm uses a static seed for its random number generator. Then, around 10:00 UTC in the morning of July 19th, 2001, a random-seed variant of the Code-Red worm (CRv2) appeared and spread. This second version shared almost all of its code with the first version, but spread much more rapidly. Next, on August 4th, a new worm began to infect machines exploiting the same vulnerability in Microsoft's IIS webserver as the original Code-Red virus. Although the new worm had no relationship to the first one outside of exploiting the same vulnerability, it contained in its source code the string "CodeRedII" and was thus named CodeRed II. Finally, on September 18, 2001, the Nimda worm began to spread via backdoors left by CodeRedII, as well as via email, open network shares, and compromised web sites.

This dataset contains information useful for studying the spread of the Code-Red version 2 and CodeRedII worms. The dataset consists of a publicly available set of files that contain summarized information that does not individually identify infected computers.
----
Data:
----

Data included in the Code-Red Dataset includes:

Publicly Available:

Code-Red July: the first Code-Red version 2 outbreak (July 19-20, 2001)
  - distribution of start and end times of hosts performing port 80 TCP SYN scanning
  - distribution of durations of time code-redv2-infected computers were observed to be scanning
  - country distribution of code-redv2-infected computers
  - a file containing a table with the following eight tab-separated fields for each observed IP address: start time, end time, top-level domain, country, latitude, longitude, AS number, and AS name

Code-Red August: the second Code-Red version 2 outbreak and beginning of the spread of the CodeRedII worm (August 1-20, 2001)
  - distribution of start and end times of hosts performing port 80 TCP SYN scanning
  - distribution of durations of time code-redv2-infected computers were observed to be scanning
  - country distribution of code-redv2-infected computers
  - a file containing a table with the following seven tab-separated fields for each observed IP address: start time, end time, top-level domain, country, latitude, longitude, AS number

*** No portion of the CAIDA Dataset on the Code-Red Worms may be redistributed.

------------------
Required Citations:
------------------

All users who publish a document (including web pages and papers) using data from this dataset must provide CAIDA with a copy of the publication and must cite:

    The CAIDA Dataset on the Code-Red Worms - July and August 2001, David Moore and Colleen Shannon, http://www.caida.org/data/passive/codered_worms_dataset.xml.

Users are encouraged, but not required, to include the following attribution in the acknowledgements section of their document:

    Support for the CAIDA Dataset on the Code-Red Worms was provided by Cisco Systems, the US Department of Homeland Security, the National Science Foundation, DARPA, and CAIDA Members.
All users who create a publicly available presentation using data from this dataset must provide CAIDA with a copy of the presentation and must use the full name of the dataset ("The CAIDA Dataset on the Code-Red Worms") in the presentation. Users are further encouraged, but not required, to include the URL for the dataset (http://www.caida.org/data/passive/codered_worms_dataset.xml) in their presentation.

----------------
More Information:
----------------

For more information on the Code-Red-related worms (Code-Redv1, Code-Redv2, CodeRedII), see:

.ida Vulnerability:
  http://www.eeye.com/html/Research/Advisories/AD20010618.html

Code-Red Worms
  o http://www.caida.org/analysis/security/code-red/#crv1
  o http://www.caida.org/analysis/security/code-red/#crv2
  o http://www.caida.org/analysis/security/code-red/#crii

Code-Red version 2 Spread Analysis
  http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml

For more information on the UCSD Network Telescope, see:
  http://www.caida.org/data/passive/network_telescope.xml#worm
  http://www.caida.org/analysis/security/telescope/

---------------
Acknowledgments:
---------------

The CAIDA Dataset on the Code-Red Worms was sponsored by:
  Cisco Systems, Inc
  The US Department of Homeland Security
  The National Science Foundation
  The Defense Advanced Research Projects Agency
  CAIDA Members

Special thanks to Brian Kantor, Jim Madden, and Pat Wilson at UCSD and Barry Greene at Cisco for support of the UCSD Network Telescope Project. Rapid coordination of all of these folks in the face of a network crisis, along with an equally rapid and incredibly generous equipment donation from Cisco, allowed the collection of this unique dataset.
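The Data section above describes the per-IP summary table as eight tab-separated fields in the July file (start time, end time, top-level domain, country, latitude, longitude, AS number, AS name) and the same seven fields without AS name in the August file. The following reader is an added example written for this README; it is not CAIDA's own tooling and the rows it parses are constructed, not taken from the dataset. It assumes timestamps are UNIX epoch seconds and that one row describes one observed host, neither of which the page states. Given rows in that layout it rebuilds the three derived products the page lists (country distribution, scanning-duration distribution, and a start/end-based count of hosts active at an instant) and rejects rows with the wrong field count or an end time before the start time, so a truncated or mis-joined line surfaces as an error rather than a silently skewed histogram.

```python
"""Reader for the per-IP summary table of the CAIDA Code-Red dataset.

Added example (not CAIDA's code). Assumptions not stated on the page:
timestamps are UNIX epoch seconds; each row is one observed host.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class ScanRecord:
    """One observed host. as_name is None for the seven-field August file."""
    start: float
    end: float
    tld: str
    country: str
    lat: float
    lon: float
    asn: int
    as_name: Optional[str]

    @property
    def duration(self) -> float:
        """Seconds the host was observed SYN-scanning port 80."""
        return self.end - self.start


def parse_rows(lines: Iterable[str]) -> List[ScanRecord]:
    """Parse tab-separated rows; accepts both the 8-field and 7-field layouts."""
    records: List[ScanRecord] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("\t")
        if len(fields) not in (7, 8):
            raise ValueError(f"line {lineno}: expected 7 or 8 fields, got {len(fields)}")
        start, end = float(fields[0]), float(fields[1])
        if end < start:
            raise ValueError(f"line {lineno}: end time {end} precedes start time {start}")
        records.append(ScanRecord(
            start=start, end=end, tld=fields[2], country=fields[3],
            lat=float(fields[4]), lon=float(fields[5]), asn=int(fields[6]),
            as_name=fields[7] if len(fields) == 8 else None,
        ))
    return records


def country_distribution(records: Iterable[ScanRecord]) -> Counter:
    """Infected-host count per country code (the page's country distribution)."""
    return Counter(r.country for r in records)


def duration_histogram(records: Iterable[ScanRecord], bucket_seconds: int = 3600) -> Counter:
    """Scanning durations binned into fixed-width buckets keyed by bucket start (seconds)."""
    return Counter(int(r.duration // bucket_seconds) * bucket_seconds for r in records)


def hosts_active_at(records: Iterable[ScanRecord], t: float) -> int:
    """Hosts whose observed scanning interval [start, end] contains instant t."""
    return sum(1 for r in records if r.start <= t <= r.end)


# Constructed sample rows in the page's field order (hypothetical values, not dataset data).
# 995536800 is 2001-07-19 10:00:00 UTC, the CRv2 onset time the Background section gives.
SAMPLE_JULY = (
    "995533200\t995540400\tnet\tUS\t32.8\t-117.2\t7377\tUCSD\n"
    "995534100\t995535900\tcom\tUS\t37.4\t-122.1\t3356\tLevel 3\n"
    "995536800\t995551200\tde\tDE\t52.5\t13.4\t3320\tDeutsche Telekom\n"
)
SAMPLE_AUGUST = "996624000\t996631200\tjp\tJP\t35.7\t139.7\t2497\n"


if __name__ == "__main__":
    july = parse_rows(SAMPLE_JULY.splitlines())
    print("countries:", dict(country_distribution(july)))
    print("duration buckets (s):", dict(duration_histogram(july)))
    print("hosts active at 2001-07-19 09:30 UTC:", hosts_active_at(july, 995535000))
    print("august rows:", parse_rows(SAMPLE_AUGUST.splitlines()))
```

The validation in parse_rows is deliberate: the page's duration and start/end distributions are only meaningful if every row carries a well-ordered interval, so a malformed row is raised rather than dropped, and the field-count check is what lets one reader serve both the eight-field July and seven-field August files without guessing which column is the AS number.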