Greetings all...

I ask a simple and profoundly obvious question...

With eEye and others releasing codeRed src almost a month ago, has anyone bothered to modify the worm and bother distributing (by force) the file checked by the current worm which will suppress its operation?

This is such an obvious fix, however no one seems to have yet had a clue to do it?

Now that some of my boxes are being bothered with CRed noise, I'm prone to creating a secondary replacement worm, mass distributing it, and using it to squelch the bullshit of this one...

If that many can be infected by using a pseudo-random sequence, this could be easily traced or more effectively a far more effective sequencing pattern for the dispersal could be utilized...

Moreso, if no one is competent to have yet done this, can anyone provide an EXTREMELY stable high-load capacity box which can accept reporting of infected hosts? -- This would be highly useful in the target analysis of the worm's progress...

Granted, this is a distributed infiltration mechanism, however, I somehow doubt the stateside feds and other morons would be contradicting of ceasing a distributed attack, even if we do not bother to stop the wh.gov targeting... It's wasting our resources, hassling all of us, etc.

So... two things:

A: Has anyone bothered to do this yet.
B: If I am personally gonna have to deal with this bs, can anyone offer a logging-server target to send reports to?

I shall await reply to the CDR lists, or direct to "Wilfred@Cryogen.com" ... -- I don't really want to waste the time fixing the code, though will if this keeps up for long...

Till the next annoyance (or the fix of this one),

-Wilfred L. Guerin
Wilfred@Cryogen.com
...
At 06:03 PM 8/3/2001 -0400, Wilfred L. Guerin wrote:
> Moreso, if no one is competent to have yet done this, can anyone provide an EXTREMELY stable high-load capacity box which can accept reporting of infected hosts? -- This would be highly useful in the target analysis of the worm's progress...

see <http://worm-security-survey.caida.org/>, or <http://www.caida.org/dynamic/analysis/security/code-red/index.html>.

--
Greg Broiles
gbroiles@well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids
On Fri, 3 Aug 2001, Wilfred L. Guerin wrote:
> With eEye and others releasing codeRed src almost a month ago, has anyone bothered to modify the worm and bother distributing (by force) the file checked by the current worm which will suppress its operation?
Not that I am aware of.
> This is such an obvious fix, however no one seems to have yet had a clue to do it?
This is due to the possible illegality. Your "vaccine" would certainly get investigated by any clued-in admin who noticed it. You would possibly get attention from some LEAs, regardless of your intentions.
> If that many can be infected by using a pseudo-random sequence, this could be easily traced or more effectively a far more effective sequencing pattern for the dispersal could be utilized...
A revised version of Code Red (called Code Red v2 or CRv2) was released shortly after eEye discovered the original Code Red. CRv2 had a much better PRNG than the original Code Red worm, and did not attack the same sequence of hosts.
> Moreso, if no one is competent to have yet done this, can anyone provide an EXTREMELY stable high-load capacity box which can accept reporting of infected hosts? -- This would be highly useful in the target analysis of the worm's progress...
The incidents@securityfocus.com list is probably tracking Code Red infections and coordinating some sort of response to affected sites.
> Granted, this is a distributed infiltration mechanism, however, I somehow doubt the stateside feds and other morons would be contradicting of ceasing a distributed attack, even if we do not bother to stop the wh.gov targeting...
Ask Max Vision of whitehats.com what happened to him when he created a program to patch vulnerable Internet software (bind, I think it was). Oh wait, he's in prison at the moment. This probably had something to do with him planting a backdoor along with the fix, but I wouldn't risk it.

John Schultz
jschultz@coin.org
Valid points, though I open for discussion the following logistic issues:

Though the various new policies of various political bodies may have fluctuated recently, historically there has been a loophole for which an attacked entity can respond with due intent to cease the attack via appropriate means.

In this case, I see random IIS servers "attacking" my server, as do others. With this being the case, and their initiation of transaction, it should be appropriate to cease their inappropriate activities. This would dictate a mechanism capable of ceasing the origin of the attack, in this case, defective code in the IIS servers.

My impression is that direct isolation of an attacking facility for disabling purposes only, with intent to maintain the stability of the attacked host/subnet, is well within historic legal bounds.

Inversely, has there been any alteration of this policy recently? What is the current situation?

...

On the other hand, I wouldn't be contrary to the development of a breach-utilizing derivative of the TSADBot systems and their fed-protected recon capabilities and transparent m$ security, combined with various inlet portals in typical security faults, and capable of directed and automated "Cleaning" of dysfunctional machines.

Basically, the ultimate breach system with intent of eliminating future breaches. (We've done this for high security networks, server arrays, etc.), however a mass implementation with intent to fix or replace defective product code would be highly effective.

What say the world to doing things right for once? "Baaah."

Oh well. Again, response regarding policy issues would be appreciated.

-Wilfred
Wilfred@Cryogen.com

At 12:11 AM 8/4/2001 -0500, you wrote:
> On Fri, 3 Aug 2001, Wilfred L. Guerin wrote:
> > With eEye and others releasing codeRed src almost a month ago, has anyone bothered to modify the worm and bother distributing (by force) the file checked by the current worm which will suppress its operation?
> Not that I am aware of.
> > This is such an obvious fix, however no one seems to have yet had a clue to do it?
> This is due to the possible illegality. Your "vaccine" would certainly get investigated by any clued-in admin who noticed it. You would possibly get attention from some LEAs, regardless of your intentions.
> > If that many can be infected by using a pseudo-random sequence, this could be easily traced or more effectively a far more effective sequencing pattern for the dispersal could be utilized...
> A revised version of Code Red (called Code Red v2 or CRv2) was released shortly after eEye discovered the original Code Red. CRv2 had a much better PRNG than the original Code Red worm, and did not attack the same sequence of hosts.
> > Moreso, if no one is competent to have yet done this, can anyone provide an EXTREMELY stable high-load capacity box which can accept reporting of infected hosts? -- This would be highly useful in the target analysis of the worm's progress...
> The incidents@securityfocus.com list is probably tracking Code Red infections and coordinating some sort of response to affected sites.
> > Granted, this is a distributed infiltration mechanism, however, I somehow doubt the stateside feds and other morons would be contradicting of ceasing a distributed attack, even if we do not bother to stop the wh.gov targeting...
> Ask Max Vision of whitehats.com what happened to him when he created a program to patch vulnerable Internet software (bind, I think it was). Oh wait, he's in prison at the moment. This probably had something to do with him planting a backdoor along with the fix, but I wouldn't risk it.
>
> John Schultz
> jschultz@coin.org
participants (3)
- Greg Broiles
- John Schultz
- Wilfred L. Guerin