CodeRed Fix
John Schultz
jschultz at coin.org
Fri Aug 3 22:11:51 PDT 2001
On Fri, 3 Aug 2001, Wilfred L. Guerin wrote:
> With eEye and others releasing codeRed src almost a month ago, has anyone
> bothered to modify the worm and bother distributing (by force) the file
> checked by the current worm which will suppress its operation?
Not that I am aware of.
> This is such an obvious fix, however no one seems to have yet had a clue to
> do it?
This is due to the possible illegality. Your "vaccine" would certainly
get investigated by any clued-in admin who noticed it. You would possibly
get attention from some LEAs, regardless of your intentions.
> If that many can be infected by using a pseudo-random sequence, this could
> be easily traced or more effectively a far more effective sequencing
> pattern for the dispersal could be utilized...
A revised version of Code Red (called Code Red v2 or CRv2) was released
shortly after eEye discovered the original Code Red. CRv2 had a much
better PRNG than the original Code Red worm, and did not attack the same
sequence of hosts.
> More so, if no one is competent to have yet done this, can anyone provide an
> EXTREMELY stable high-load capacity box which can accept reporting of
> infected hosts? -- This would be highly useful in the target analysis of
> the worm's progress...
The incidents at securityfocus.com list is probably tracking Code Red
infections and coordinating some sort of response to affected sites.
> Granted, this is a distributed infiltration mechanism, however, I somehow
> doubt the stateside feds and other morons would be contradicting of ceasing
> a distributed attack, even if we do not bother to stop the wh.gov
> targeting...
Ask Max Vision of whitehats.com what happened to him when he created a
program to patch vulnerable Internet software (bind, I think it was). Oh
wait, he's in prison at the moment. This probably had something to do
with him planting a backdoor along with the fix, but I wouldn't risk it.
John Schultz
jschultz at coin.org
More information about the cypherpunks-legacy mailing list