[Dshield] fighting back against CodeRed

Quibell, Marc Marc.Quibell at icn.state.ia.us
Mon Aug 6 19:31:38 GMT 2001

Good idea. I was just thinking on how we can turn this code-red worm back
and neutralize the infected machine. But first we must have a way of
automatically identifying a code-red attack and then injection of the "Code
Red patch code". Or we'll have to do it manually. If any programmer would be
kind enough to develop an .exe that would expose the 'backdoor', get in and
have the server run the patch via a script file, I'm all for it... In the
meantime I'll be concentrating on how to get the routers to drop packets and
maybe the code-red, not getting a return reply, will drop its attempts...

-----Original Message-----
From: Josh Ballard [mailto:jballard at cloud.cc.ks.us]
Sent: Sunday, August 05, 2001 9:38 PM
To: dshield at dshield.org
Subject: [Dshield] fighting back against CodeRed

I was thinking earlier this evening of how in the heck we are going to deal
with codered, and I have a possible solution via the backdoor we've been
given in v2.  If anyone has an idea of how we can force Windows Update to
run on a machine and reboot when done, then we can start shutting down these
v2 worms.  You see, we have the ability to do nearly anything we wish via
the backdoor in coderedII.  I know this isn't the solution that everyone
wants, and I know I don't have the skills to do this, but I do have an idea,
and we have to start somewhere.  I'm not proposing an anti-worm.  I'm
proposing a program run on a series of machines that listen for coderedII
attempts, and when they receive them, neutralize the coderedII worm on the
attacking host via the backdoor, run a windows update, or run the patch for
this hole on the attacker, and then reboot the system to bring it back up
clean of the worm and protected.  It's obvious as of all this time that we
are simply not going to get every single person in the world to patch their
machines and disinfect, and in fact we know a lot of these are simply not
going to be patched unless someone outside does it.  Does anyone else see
this as a viable solution?  I know this simply isn't the answer we have been
looking for, but it may be the best option we have right now.  I know we
don't really feel like we should start backdooring people's machines, and we
start looking at ethics, and I totally believe that these sorts of worms and
backdoors are completely unethical, but we have been handed the key to the
door, and I propose we use it for this "good" purpose before someone else
starts exploiting it for the worse and blasting us all with millions of huge
ping packets or potentially something worse.

Josh Ballard
oofle.com Linux Firewall Center
jballard at cloud.cc.ks.us
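The one piece of Josh's proposal that a defender can act on without touching anyone else's machine is the "listen for coderedII attempts" step: infected hosts announce themselves by sending an over-long GET request for /default.ida (the IIS Indexing Service ISAPI filter that the worm's buffer overflow targets). The following is an added example, not code from either poster or from DShield, that scans web-server access logs for those requests and tallies the source addresses so they can be reported to their owners or dropped at the border router, as Marc suggests. The log format, the sample lines, the length threshold and all addresses are constructed for the example.

```python
"""Added example (not from the DShield thread): a minimal log-based detector
for Code Red propagation attempts.  The worm's request is a GET for
/default.ida with a query string of several hundred filler bytes; this script
flags such requests and counts them per source host.  Log lines below are
constructed, not real captures."""
import re
from collections import Counter

# Simplified, constructed log format: "<client-ip> <method> <path> <status>".
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# The worm's propagation request targets the .ida ISAPI filter via /default.ida.
IDA_RE = re.compile(r"^/default\.ida(?:\?(?P<query>.*))?$", re.IGNORECASE)
# The worm's query string is hundreds of bytes long; any legitimate .ida query is
# short.  This threshold is an assumption for the example, not a value from the thread.
MIN_OVERFLOW_QUERY_LEN = 200


def classify_request(path):
    """Return 'codered-overflow', 'ida-probe' or None for one request path."""
    m = IDA_RE.match(path)
    if m is None:
        return None
    query = m.group("query") or ""
    if len(query) >= MIN_OVERFLOW_QUERY_LEN:
        return "codered-overflow"
    return "ida-probe"


def count_attacking_hosts(log_text):
    """Tally, per source IP, the requests that look like Code Red overflow attempts.
    Malformed lines are skipped instead of crashing the detector."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        if classify_request(m.group("path")) == "codered-overflow":
            hits[m.group("ip")] += 1
    return hits


def hosts_to_report(log_text, min_hits=1):
    """Sorted source addresses with at least min_hits attempts, e.g. for an abuse
    report to the owner or a deny entry on the border router."""
    return sorted(ip for ip, n in count_attacking_hosts(log_text).items() if n >= min_hits)


# Constructed sample traffic: two scanning sources, normal browsing, one short probe,
# and one junk line to show that malformed input is ignored.
FILLER = "X" * 224
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /index.html 200",
    f"192.0.2.17 GET /default.ida?{FILLER} 200",
    f"203.0.113.9 GET /default.ida?{'N' * 224} 404",
    "10.0.0.5 GET /images/logo.gif 200",
    f"192.0.2.17 GET /default.ida?{FILLER} 200",
    "198.51.100.2 GET /default.ida?short 200",
    "this line is not a log entry",
])

if __name__ == "__main__":
    for ip, n in count_attacking_hosts(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} overflow attempt(s)")
    print("report:", hosts_to_report(SAMPLE_LOG, min_hits=2))
```

The status code is deliberately ignored: an infected host keeps scanning whether or not the target answers 200, so a 404 from a non-IIS server is still evidence of an infected source. Requiring more than one hit before reporting (min_hits) filters out a single stray probe from a host that may already have been cleaned.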
