SANS Internet Storm Center; Cooperative Network Security Community - Internet Security

Infocon

The intent of the 'Infocon' is to reflect changes in malicious traffic and the possibility of disrupted connectivity. In particular important is the concept of "Change". Every host connected to the Internet is subject to some amount of traffic caused by worms and viruses. However, once a worm has been identified and the number of infected machines is no longer increasing, this traffic is not likely to cause any disruptions.

The Infocon is intended to apply to the condition of the Internet infrastructure. We do not monitor particular nations or companies.

Tom Liston of Intelguardians wrote a little systray application which you can use to monitor the infocon. See ISCAlert.zip. ( Portuguese version ISCAlert_Portuguese.zip.

  MD5 sums (for the .exe files, not the .zip files!):

6c7d9b02641da9e89cfaab775f004cce ISCAlert.zip

61cd31e36f87864bd9e23161cef413ef ISCAlert_Portuguese.zip

Neil Fryer wrote an Apple OS X SANS Internet Storm Center Widget (by Neil Fryer)

Jörn Ahrens wrote an Infocon monitor for KDE ("infokon"). See http://www.jokele.de/infokon/.

You may use the following html code to link to the current Infocon status:

<a href="http://isc.sans.org"> <img alt="Internet Storm Center Infocon Status" src="http://isc.sans.org/images/status.gif"> </a>

In addition to the graphic, we offer two text feeds:

http://isc.sans.org/infocon.txt: The infocon color. Just one word in plain text
http://isc.sans.org/daily_alert.html: The daily alert. Infocon and handlers diary headline as minmal HTML feed for inclusion in web sites

For fans of RSS newsfeeds, check our RSS feed at http://images.dshield.org/rssfeed.xml

INFOCon Definition

	Everything is normal. No significant new threat known.
	We are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: 'MSBlaster' worm outbreak.
	A major disruption in connectivity is imminent or in progress. Examples: Code Red on its return, and SQL Slammer worm during its first half day
	Loss of connectivity across a large part of the internet.

(Partial) INFOCon History

This table summarizes past infocon changes. Not every single event is covered. (Eg. Code Red was our first event that caused us to go to 'Yellow' and later briefly to 'Orange')

Date	Status	Reason
Mar 23-24 2006	Yellow	createTextRange exploit
Dec 31st 2005-Jan 5th 2006	Yellow	WMF flaw
Dec 27th 2005	Yellow	WMF flaw
Nov 21-22 2005	Yellow	Window() MSIE 0-day
Oct 19-20 2005	Yellow	Snort Exploit
Aug 12-18 2005	Yellow	PnP Bot/Worm (Zotob)
May 1-4 2004	Yellow	Sasser Worm
Mar 20-22 2004	Yellow	Witty Worm
Sep 10-12 2003	Yellow	RPC exploit
Aug 11-15 2003	Yellow	MSFT Blaster
Mar 17-20 2003	Yellow	IIS WebDav Exploit
Jan 25-28 2003	Yellow	SQL Slammer
Sep 19 2002	Yellow	Slapper Worm

Handler's Diary: Thunderbird 2.0.0.14 is out!;

Infocon

INFOCon Definition

(Partial) INFOCon History