[Dshield] fighting back against CodeRed

Paul Marsh pmarsh at nmefdn.org
Mon Aug 6 19:55:08 GMT 2001


Josh:

	I can't agree with you more, I'm really getting tired of seeing this
stuff in my log especially from the same IP's over and over again.  I think
this is a very proactive instead of reactive idea, good job let's do it.

Thanx, Paul


-----Original Message-----
From: Josh Ballard [mailto:jballard at cloud.cc.ks.us]
Sent: Sunday, August 05, 2001 10:38 PM
To: dshield at dshield.org
Subject: [Dshield] fighting back against CodeRed


I was thinking earlier this evening of how in the heck we are going to deal
with codered, and I have a possible solution via the backdoor we've been
given in v2.  If anyone has an idea of how we can force Windows Update to
run on a machine and reboot when done, then we can start shutting down these
v2 worms.  You see, we have the ability to do nearly anything we wish via
the backdoor in coderedII.  I know this isn't the solution that everyone
wants, and I know I don't have the skills to do this, but I do have an idea,
and we have to start somewhere.  I'm not proposing an anti-worm.  I'm
proposing a program run on a series of machines that listen for coderedII
attempts, and when they receive them, neutralize the coderedII worm on the
attacking host via the backdoor, run a windows update, or run the patch for
this hole on the attacker, and then reboot the system to bring it back up
clean of the worm and protected.  It's obvious as of all this time that we
are simply not going to get every single person in the world to patch their
machines and disinfect, and in fact we know a lot of these are simply not
going to be patched unless someone outside does it.  Does anyone else see
this as a viable solution?  I know this simply isn't the answer we have been
looking for, but it may be the best option we have right now.  I know we
don't really feel like we should start backdooring peoples machines, and we
start looking at ethics, and I totally believe that these sorts of worms and
backdoors are completely unethical, but we have been handed the key to the
door, and I propose we use it for this "good" purpose before someone else
starts exploiting it for the worse and blasting us all with millions of huge
ping packets or potentially something worse.

Josh Ballard
oofle.com Linux Firewall Center
http://www.oofle.com/
jballard at cloud.cc.ks.us

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield




More information about the list mailing list