CodeRed Fix Prepared (20 mins)

Wilfred L. Guerin Wilfred at Cryogen.com
Fri Aug 3 21:24:48 PDT 2001


Follow-up..
[00.00 EST, 04.08.2001; 11.35 EST 03.08.2001 to now (release).]

I just spent 20-30 mins doing a basic tweak of the CodeRed worm. 

I need now a known faulty IIS server (or list thereof) preferably with
admin to track the success of the process.

The tweaked code basically fixes a couple flow sequences, sends a packet to a
loggerbox, and then utilizes the worm's capabilities for distribution and
neutralisation... 

I would like to test this (mostly to ensure box isn't eliminated if it might
still have the capacity to do something else) on a known target quickly, so
if anyone has a suitable simulation target, please contact me directly.

Obviously, we need to confirm the successful operation, and ensure it does
indeed stall the codeRed process... 

If anything, this will merely head off any not-yet-bothered servers, but
will at least lock out the old codeRed worm from further propagation.

I may be inclined to construct a more advanced derivative (As this code is
SEVERELY horrible, CR could be done successfully in half the weight) which
would allow shutdown of targets within the faulty M$ servers and other
various hostiles, though not a high priority in any regard. Is there
value/worth for this?

...

Also, would like to allow for accurate logging, so need a target box which
can accept connections for monitoring, caida/etc as others have suggested
would be ideal, though contact is required with/from them or another party.

I have some basic scripts which can be used to clean out any originating
server, basically 5 line pump scripts for perl to feed the cleaner worm back
to the noisy server.

This is a quick fix, but will at least quiet down the adverse and excess
traffic and noise... It is self-limiting, and will not propagate from
previously-cleaned boxes.

So, if we can have a couple targets and ensure it works, we can then help
out this hassle effectively... I wouldn't mind a controlled simulation with
mutual intent of both cleaning as well as simulation/analysis in the real
world... We need this.

Till someone's response with a target/etc :)

-Wilfred
Wilfred at Cryogen.com









More information about the cypherpunks-legacy mailing list