CodeRed Fix

John Schultz jschultz at coin.org
Fri Aug 3 22:11:51 PDT 2001


On Fri, 3 Aug 2001, Wilfred L. Guerin wrote:
> With eeye and others releasing codeRed src almost a month ago, has anyone
> bothered to modify the worm and bother distributing (by force) the file
> checked by the current worm which will suppress its operation?

Not that I am aware of.

> This is such an obvious fix, however no one seems to have yet had a clue to
> do it?

This is due to the possible illegality.  Your "vaccine" would certainly
get investigated by any clued-in admin who noticed it.  You would possibly
get attention from some LEAs, regardless of your intentions.

> If that many can be infected by using a pseudo-random sequence, this could
> be easily traced or more effectively a far more effective sequencing
> pattern for the dispersal could be utilized...

A revised version of Code Red (called Code Red v2 or CRv2) was released
shortly after eEye discovered the original Code Red.  CRv2 had a much
better PRNG than the original Code Red worm, and did not attack the same
sequence of hosts.

> Moreso, if no one is competent to have yet done this, can anyone provide an
> EXTREMELY stable high-load capacity box which can accept reporting of
> infected hosts? -- This would be highly useful in the target analysis of
> the worm's progress...

The incidents at securityfocus.com list is probably tracking Code Red
infections and coordinating some sort of response to affected sites.

> Granted, this is a distributed infiltration mechanism, however, I somehow
> doubt the stateside feds and other morons would be contradicting of ceasing
> a distributed attack, even if we do not bother to stop the wh.gov
> targeting... 

Ask Max Vision of whitehats.com what happened to him when he created a
program to patch vulnerable Internet software (bind, I think it was).  Oh
wait, he's in prison at the moment.  This probably had something to do
with him planting a backdoor along with the fix, but I wouldn't risk it.

John Schultz
jschultz at coin.org