On Fri, 3 Aug 2001, Wilfred L. Guerin wrote:
> With eEye and others releasing Code Red src almost a month ago, has anyone bothered to modify the worm and bother distributing (by force) the file checked by the current worm which will suppress its operation?
Not that I am aware of.
> This is such an obvious fix, however no one seems to have yet had a clue to do it?
This is due to the possible illegality. Your "vaccine" would certainly get investigated by any clued-in admin who noticed it. You would possibly get attention from some LEAs, regardless of your intentions.
> If that many can be infected by using a pseudo-random sequence, this could be easily traced or, more effectively, a far more effective sequencing pattern for the dispersal could be utilized...
A revised version of Code Red (called Code Red v2 or CRv2) was released shortly after eEye discovered the original Code Red. CRv2 had a much better PRNG than the original Code Red worm, and did not attack the same sequence of hosts.
> More so, if no one is competent to have yet done this, can anyone provide an EXTREMELY stable high-load capacity box which can accept reporting of infected hosts? -- This would be highly useful in the target analysis of the worm's progress...
The incidents@securityfocus.com list is probably tracking Code Red infections and coordinating some sort of response to affected sites.
> Granted, this is a distributed infiltration mechanism, however, I somehow doubt the stateside feds and other morons would be contradicting of ceasing a distributed attack, even if we do not bother to stop the wh.gov targeting...
Ask Max Vision of whitehats.com what happened to him when he created a program to patch vulnerable Internet software (bind, I think it was). Oh wait, he's in prison at the moment. This probably had something to do with him planting a backdoor along with the fix, but I wouldn't risk it.

John Schultz
jschultz@coin.org