CodeRed Fix ~ Logistics

Wilfred L. Guerin Wilfred at Cryogen.com
Sat Aug 4 08:13:23 PDT 2001



Valid points, though I open for discussion the following logistic issues:

Though the various new policies of various political bodies may have
fluctuated recently, historically there has been a loophole for which an
attacked entity can respond with due intent to cease the attack via
appropriate means.

In this case, I see random IIS servers "attacking" my server, as do others.

With this being the case, and their initiation of transaction, it should be
appropriate to cease their inappropriate activities.

This would dictate a mechanism capable of ceasing the origin of the attack,
in this case, defective code in the IIS servers.

My impression, is that direct isolation of an attacking facility for
disabling purposes only, with intent to maintain the stability of the
attacked host/subnet is well within historic legal bounds.

Inversely, has there been any alteration of this policy recently? What is
the current situation?

... 

On the other hand, I wouldn't be contrary to the development of a
breach-utilizing derivative of the TSADBot systems and their fed-protected
recon capabilities and transparent m$ security, combined with various inlet
portals in typical security faults, and capable of directed and automated
"Cleaning" of dysfunctional machines. Basically, the ultimate breach system
with intent of eliminating future breaches. (We've done this for high
security networks, server arrays, etc.) However, a mass implementation with
intent to fix or replace defective product code would be highly effective.

What say the world to doing things right for once? "Baaah."

Oh well.

Again, response regarding policy issues would be appreciated.

-Wilfred
Wilfred at Cryogen.com




At 12:11 AM 8/4/2001 -0500, you wrote:
>On Fri, 3 Aug 2001, Wilfred L. Guerin wrote:
>> With eeye and others releasing codeRed src almost a month ago, has anyone
>> bothered to modify the worm and bother distributing (by force) the file
>> checked by the current worm which will suppress its operation?
>
>Not that I am aware of.
>
>> This is such an obvious fix, however no one seems to have yet had a clue to
>> do it?
>
>This is due to the possible illegality.  Your "vaccine" would certainly
>get investigated by any clued-in admin who noticed it.  You would possibly
>get attention from some LEAs, regardless of your intentions.
>
>> If that many can be infected by using a pseudo-random sequence, this could
>> be easily traced or more effectively a far more effective sequencing
>> pattern for the dispersal could be utilized... 
>
>A revised version of Code Red (called Code Red v2 or CRv2) was released
>shortly after eEye discovered the original Code Red.  CRv2 had a much
>better PRNG than the original Code Red worm, and did not attack the same
>sequence of hosts.
>
>> More so, if no one is competent to have yet done this, can anyone provide an
>> EXTREMELY stable high-load capacity box which can accept reporting of
>> infected hosts? -- This would be highly useful in the target analysis of
>> the worm's progress... 
>
>The incidents at securityfocus.com list is probably tracking Code Red
>infections and coordinating some sort of response to affected sites.
>
>> Granted, this is a distributed infiltration mechanism, however, I somehow
>> doubt the stateside feds and other morons would be contradicting of ceasing
>> a distributed attack, even if we do not bother to stop the wh.gov
>> targeting... 
>
>Ask Max Vision of whitehats.com what happened to him when he created a
>program to patch vulnerable Internet software (bind, I think it was).  Oh
>wait, he's in prison at the moment.  This probably had something to do
>with him planting a backdoor along with the fix, but I wouldn't risk it.
>
>John Schultz
>jschultz at coin.org
>
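A defender-side way to do the "reporting of infected hosts" and "target analysis of the worm's progress" the thread asks for, added here as an example and not code from the thread, from eEye or from any list member: a small Python detector that picks Code Red probes out of a web server's access log and tallies their sources, each of which is a host running an infected IIS. It assumes Apache common log format and constructed sample lines with made-up addresses; the /default.ida request with a long padding run is the worm's publicly documented probe.

```python
import re
from collections import Counter

# Code Red probes request /default.ida with a long run of padding characters
# ('N' for the original worm and CRv2, 'X' for Code Red II) followed by %u-
# encoded shellcode; the padding run alone is enough to flag the request.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /default\.ida\?(?P<pad>[NX])(?P=pad){20,}[^"]*" (?P<status>\d{3})'
)
VARIANT = {"N": "Code Red (v1/v2)", "X": "Code Red II"}

# Constructed sample access log (Apache common log format); the source
# addresses are made up and the padding runs are shortened for readability.
SAMPLE_LOG = """\
10.1.2.3 - - [04/Aug/2001:07:58:11 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 0
10.1.2.3 - - [04/Aug/2001:08:03:40 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 0
192.0.2.77 - - [04/Aug/2001:08:05:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 200 1024
198.51.100.9 - - [04/Aug/2001:08:06:15 -0700] "GET /index.html HTTP/1.1" 200 5120
"""


def classify(line):
    """Return details of a Code Red probe in one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "when": m["ts"],
            "variant": VARIANT[m["pad"]], "status": int(m["status"])}


def infected_hosts(log_text):
    """Tally probing sources as {ip: (probe_count, variant)}: each source is
    a host (or the NAT gateway in front of one) running an infected IIS, so
    this is the report a central collector of infected hosts would accept."""
    counts, variants = Counter(), {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit["ip"]] += 1
            variants[hit["ip"]] = hit["variant"]
    return {ip: (n, variants[ip]) for ip, n in counts.items()}


def answered_probes(log_text):
    """Sources whose probe got a 2xx reply: our own server handed the request
    to the .ida ISAPI extension the worm targets, so verify its patch state."""
    return [h["ip"] for h in map(classify, log_text.splitlines())
            if h and 200 <= h["status"] < 300]
```

A 404 on the probe means the server never routed the request to the .ida handler; a 2xx from your own IIS is the case worth acting on first.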




