The CAIDA Dataset on the Code-Red Worms ---------- Background: ---------- The first incarnation of the Code-Red worm (CRv1) began to infect hosts running unpatched versions of Microsoft's IIS webserver on July 12th, 2001. The first version of the worm uses a static seed for it's random number generator. Then, around 10:00 UTC in the morning of July 19th, 2001, a random seed variant of the Code-Red worm (CRv2) appeared and spread. This second version shared almost all of its code with the first version, but spread much more rapidly. Next, on August 4th, a new worm began to infect machines exploiting the same vulnerability in Microsoft's IIS webserver as the original Code-Red virus. Although the new worm had no relationship to the first one outside of exploiting the same vulnerability, it contained in its source code the string "CodeRedII" and was thus named CodeRed II. Finally, on September 18, 2001, the Nimda worm began to spread via backdoors left by CodeRedII, as well as via email, open network shares, and compromised web sites. This dataset contains information useful for studying the spread of the Code-Red version 2, and CodeRedII worms. The dataset consists of a publicly available set of files that contain summarized information that does not individually identify infected computers. ---- Data: ---- Data included in the Code-Red Dataset includes: Publicly Available: Code-Red July: the first Code-Red version 2 outbreak (July 19-20, 2001) - distribution of start and end times of hosts performing port 80 TCP SYN scanning - distribution of durations of time code-redv2-infected computers were observed to be scanning - country distribution of code-redv2-infected computers - a file containing a table with the following eight tab-separated fields for each observed IP address: start time, end time, top-level domain, country, latitude, longitude, AS number, and AS name Code-Red August: the second Code-Red version 2 outbreak and beginning of the spread of the CodeRedII worm (August 1-20, 2001) - distribution of start and end times of hosts performing port 80 TCP SYN scanning - distribution of durations of time code-redv2-infected computers were observed to be scanning - country distribution of code-redv2-infected computers - a file containing a table with the following seven tab-separated fields for each observed IP address: start time, end time, top-level domain, country, latitude, longitude, AS number *** No portion of the CAIDA Dataset on the Code-Red Worms may be redistributed. ------------------------ Acceptable Use Agreement ------------------------ https://www.caida.org/about/legal/aua/public_aua/ When referencing this data (as required by the AUA), please use: The CAIDA Dataset on the Code-Red Worms - July and August 2001, https://catalog.caida.org/details/dataset/telescope_codered_worm. Also please report your publication to CAIDA (https://www.caida.org/catalog/datasets/publications/report-publication) ---------------- More Information: ---------------- For more information on the Code-Red-related worms (Code-Redv1, Code-Redv2, CodeRedII), see: .ida Vulnerability: http://www.eeye.com/html/Research/Advisories/AD20010618.html Code-Red Worms o https://www.caida.org/analysis/security/code-red/#crv1 o https://www.caida.org/analysis/security/code-red/#crv2 o https://www.caida.org/analysis/security/code-red/#crii Code-Red version 2 Spread Analysis https://www.caida.org/analysis/security/code-red/coderedv2_analysis For more information on the UCSD Network Telescope, see: https://www.caida.org/projects/network_telescope/#worm https://www.caida.org/analysis/security/telescope/ --------------- Acknowledgments: --------------- The CAIDA Dataset on the Code-Red Worms was sponsored by: Cisco Systems, Inc The US Department of Homeland Security The National Science Foundation The Defense Advanced Research Projects Agency CAIDA Members Special thanks to Brian Kantor, Jim Madden, and Pat Wilson at UCSD and Barry Greene at Cisco for support of the UCSD Network Telescope Project. Rapid coordination of all of these folks in the face of a network crisis, along with an equally rapid and incredibly generous equipment donation from Cisco, allowed the collection of this unique dataset.