[Dshield] fighting back against CodeRed - with hacking?

shilor shilor at optonline.net
Tue Aug 7 13:37:31 GMT 2001

A. This is not the last time we are going to encounter such a serious
security problem.
To fight hackers with hacking is too short-term a solution, which will
hit us back sooner or later. In addition, it can damage Dshield's
reputation to discuss such back fights in this forum.

B. My understanding of the problem is that the owners of most of the
still affected machines have Win2000 with IIS5 automatically installed.
They don't know what IIS is, nor do they have websites and logs, and
most of them don't know what Windows Update or worms are. Also, they
are not really affected (yet).

I can think of 3 possible ways that may help with ending this:
1. Microsoft would do some marketing to reach these people and make some
of them use a one-click button to install the patch.
2. Microsoft would provide ISPs with a program that identifies outbound
and inbound Code Red's signature, eliminates it and provides a log for
ISPs to help them address their affected customers to use Windows
3. If the hackers escalate their attacks, and use the backdoor for
affecting the Win2000 system, then the owners will have to take
action (probably a support call to their computer seller), since their
system won't function. Microsoft had better address this situation before it
becomes a reality.

Zeev Shilor
shilor at optonline.net

From: "Quibell, Marc" <Marc.Quibell at icn.state.ia.us>
To: "'dshield at dshield.org'" <dshield at dshield.org>
Subject: RE: [Dshield] 
Date: Mon, 6 Aug 2001 14:31:38 -0500 
Reply-To: dshield at dshield.org

Good idea. I was just thinking on how we can turn this code-red worm
back and neutralize the infected machine. But first we must have a way
of automatically identifying a code-red attack and then injecting the
"Code Red patch code". Or we'll have to do it manually. If any
programmer would be kind enough to develop an .exe that would expose the
'backdoor', get in and have the server run the patch via a script file,
I'm all for it... In the meantime I'll be concentrating on how to get
the routers to drop packets and maybe the code-red, not getting a return
reply, will drop its attempts...

-----Original Message-----
From: Josh Ballard [mailto:jballard at cloud.cc.ks.us]
Sent: Sunday, August 05, 2001 9:38 PM
To: dshield at dshield.org
Subject: [Dshield] fighting back against CodeRed

I was thinking earlier this evening of how in the heck we are going to
deal with codered, and I have a possible solution via the backdoor we've
been given in v2.  If anyone has an idea of how we can force Windows
Update to run on a machine and reboot when done, then we can start
shutting down these v2 worms.  You see, we have the ability to do nearly
anything we wish via the backdoor in coderedII.  I know this isn't the
solution that everyone wants, and I know I don't have the skills to do
this, but I do have an idea, and we have to start somewhere.  I'm not
proposing an anti-worm.  I'm proposing a program run on a series of
machines that listen for coderedII attempts, and when they receive them,
neutralize the coderedII worm on the attacking host via the backdoor,
run a Windows Update, or run the patch for this hole on the attacker,
and then reboot the system to bring it back up clean of the worm and
protected.  It's obvious as of all this time that we are simply not
going to get every single person in the world to patch their machines
and disinfect, and in fact we know a lot of these are simply not going
to be patched unless someone outside does it.  Does anyone else see this
as a viable solution?  I know this simply isn't the answer we have been
looking for, but it may be the best option we have right now.  I know we
don't really feel like we should start backdooring people's machines,
we start looking at ethics, and I totally believe that these sorts of
worms and backdoors are completely unethical, but we have been handed
the key to the door, and I propose we use it for this "good" purpose
before someone else starts exploiting it for the worse and blasting us
all with millions of huge ping packets or potentially something worse.

Josh Ballard
oofle.com Linux Firewall Center
jballard at cloud.cc.ks.us
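One defensive piece that both Zeev's second suggestion and Marc's "automatically identifying a code-red attack" depend on is a way to spot the worm's probe in ordinary web-server logs. The script below is an added example, not code from anyone on the list: it scans Common Log Format lines for the publicly documented Code Red request (a GET for /default.ida? followed by a long run of N for the original worm or X for Code Red II) and tallies the probing source addresses into the kind of per-customer report that item 2 asks ISPs to produce. The log lines are constructed, the addresses are from documentation ranges, and the 20-character minimum run is an assumption chosen so that a stray hand-typed request is not counted.

```python
import re
from collections import OrderedDict

# Constructed Common Log Format sample (RFC 5737 documentation addresses).
# The worm's probe is a GET for /default.ida followed by a long run of
# 'N' (original Code Red) or 'X' (Code Red II); the encoded payload that
# follows in a real request is omitted, since the prefix alone classifies it.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:14:02:11 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [06/Aug/2001:14:02:15 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 3226
203.0.113.44 - - [06/Aug/2001:14:03:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 3226
203.0.113.44 - - [06/Aug/2001:14:03:03 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 3226
192.0.2.10 - - [06/Aug/2001:14:04:00 -0500] "GET /default.ida?N HTTP/1.0" 404 3226
"""

# One CLF line: client, ident, user, [timestamp], "request", status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Minimum run length is an assumption: real probes carry hundreds of filler
# characters, so 20 rules out a stray or hand-typed request to /default.ida.
MIN_RUN = 20
PROBE_RE = re.compile(
    r'^/default\.ida\?(?P<fill>[NX])(?P=fill){%d,}' % (MIN_RUN - 1), re.IGNORECASE
)
VARIANT = {"N": "Code Red I", "X": "Code Red II"}


def parse_clf_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_request(path):
    """Return the worm variant a request path looks like, or None for benign paths."""
    m = PROBE_RE.match(path)
    return VARIANT[m.group("fill").upper()] if m else None


def scan_log(text):
    """Return one record (ip, timestamp, variant) per Code Red probe in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_clf_line(line)
        if rec is None or rec["method"].upper() != "GET":
            continue
        variant = classify_request(rec["path"])
        if variant:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "variant": variant})
    return hits


def summarize_by_source(hits):
    """Aggregate probes per source address: variants seen, count, first and last seen.

    Timestamps are taken in log order, so the input is assumed chronological.
    """
    summary = OrderedDict()
    for h in hits:
        entry = summary.setdefault(
            h["ip"], {"variants": set(), "count": 0, "first_seen": h["ts"], "last_seen": h["ts"]}
        )
        entry["variants"].add(h["variant"])
        entry["count"] += 1
        entry["last_seen"] = h["ts"]
    return summary


def build_report(summary):
    """Render the per-source summary as lines an ISP abuse desk could act on."""
    lines = []
    for ip, e in summary.items():
        lines.append("%s  %s  probes=%d  first=%s  last=%s" % (
            ip, "/".join(sorted(e["variants"])), e["count"], e["first_seen"], e["last_seen"]))
    return lines


if __name__ == "__main__":
    for line in build_report(summarize_by_source(scan_log(SAMPLE_LOG))):
        print(line)
```

Run against a server's own access log this lists who is probing it; run by an ISP against the request logs of its own customers' outbound traffic, the same classifier identifies the infected customers that item 2 wants notified, without touching the infected hosts at all.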
