[Dshield] fighting back against CodeRed

Neil Richardson pc_freak at cats.ucsc.edu
Mon Aug 6 20:27:05 GMT 2001

At 07:38 PM 8/5/2001, you wrote:
>I was thinking earlier this evening of how in the heck we are going to deal
>with codered, and I have a possible solution via the backdoor we've been
>given in v2.  If anyone has an idea of how we can force Windows Update to
>run on a machine and reboot when done, then we can start shutting down these
>v2 worms.  You see, we have the ability to do nearly anything we wish via

    If I understand you correctly, you are suggesting that we log into 
infected machines via the backdoor that CRII installs, force it to run 
Windows Update, and then restart the machine, in order to patch it.

    Unfortunately, from what little I understand of federal law, simply 
"gaining unauthorized access" is (in some cases) a felony, regardless of 
whether you are entering to patch holes or to damage the system.  In that 
case, you are at the mercy of "the other guy" not to have you arrested 
and/or prosecuted.

    In addition to the legal hurdles, there are the technological ones: I 
checked 3-4 machines that have attempted to access my port 80, and none of 
them responded to the telnet command (as I understand CRII-infected 
machines to).  There's also the problem of adjusting the ActiveX scripts 
and such that Windows Update uses...

    Now, if my understanding of all of the above is correct, then I already 
know a way that it *could* be done.  But it would be illegal and ethically 
questionable to actually *do* it.

-Neil R.
"It's frustrating to have the solution in the palm of your hand 
and...."  -Geordi
"...And you can't make the fist."  -Riker
ST:TNG - "Vendetta" (book)
