[Dshield] fighting back against CodeRed

Samuel Samuel at socal.rr.com
Tue Aug 7 04:47:06 GMT 2001

This afternoon I received a message from my ISP (Road Runner) that says
they, "like many other ISPs and indeed the entire Internet, has today
experienced an attack on its network which is apparently attributable to the
Code Red virus". It is quite unusual for them to send such a message. I
think they are wrong, whether intentionally or not, in the implication that
the attack began today.

I am attempting to upload my ZoneAlarm log but I am attempting to do so
using the CvtZone utility to simplify the process to increase the likelihood
that I will continue to keep the data current in the future. I am having
problems with it. I have seen a previous message in this mailing list
explaining that the return email address must match my userid email address
so that is probably why I never received a response to my previous test
submissions. I corrected that problem and I am still waiting for a response.
It has been at least an hour, so if I do not get results soon I will
investigate further. In my opinion there is room for improvement of the
CvtZone utility.

----- Original Message -----
From: "Josh Ballard" <jballard at cloud.cc.ks.us>
To: <dshield at dshield.org>
Sent: Sunday, August 05, 2001 7:38 PM
Subject: [Dshield] fighting back against CodeRed

> I was thinking earlier this evening of how in the heck we are going to
> with codered, and I have a possible solution via the backdoor we've been
> given in v2.  If anyone has an idea of how we can force Windows Update to
> run on a machine and reboot when done, then we can start shutting down
> v2 worms.  You see, we have the ability to do nearly anything we wish via
> the backdoor in coderedII.  I know this isn't the solution that everyone
> wants, and I know I don't have the skills to do this, but I do have an
> and we have to start somewhere.  I'm not proposing an anti-worm.  I'm
> proposing a program run on a series of machines that listen for coderedII
> attempts, and when they receive them, neutralize the coderedII worm on the
> attacking host via the backdoor, run a windows update, or run the patch
> this hole on the attacker, and then reboot the system to bring it back up
> clean of the worm and protected.  It's obvious as of all this time that we
> are simply not going to get every single person in the world to patch
> machines and disinfect, and in fact we know a lot of these are simply not
> going to be patched unless someone outside does it.  Does anyone else see
> this as a viable solution?  I know this simply isn't the answer we have
> looking for, but it may be the best option we have right now.  I know we
> don't really feel like we should start backdooring people's machines, and
> start looking at ethics, and I totally believe that these sorts of worms
> backdoors are completely unethical, but we have been handed the key to the
> door, and I propose we use it for this "good" purpose before someone else
> starts exploiting it for the worse and blasting us all with millions of
> ping packets or potentially something worse.
> Josh Ballard
> oofle.com Linux Firewall Center
> http://www.oofle.com/
> jballard at cloud.cc.ks.us
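The "listen for coderedII attempts" part of the proposal above is the one piece that is purely defensive: recognizing the worm's probes in a web server's own access log. The script below is an added example, not code from either poster or from DShield. It assumes the publicly documented request signature of the worm family (a GET for /default.ida followed by a long run of filler characters: 'N' for the original Code Red, 'X' for Code Red II), and it runs over constructed Apache-style log lines embedded in the file. It only reads and reports; it never contacts the source hosts, which is the half of the proposal that does not require touching anyone else's machine.

```python
"""Passive detector for Code Red / Code Red II probes in a web server access log.

Added example: reads log lines, matches the worm family's request signature,
and reports per-source counts. It does not respond to or contact any host.
"""
import re
from collections import Counter, defaultdict

# Apache/NCSA "common" log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Worm signature (assumption based on the publicly documented probes, not on the post):
# /default.ida? followed by a run of filler characters, 'N' for Code Red, 'X' for Code Red II.
# The minimum run length is kept low so that truncated log lines still match.
MIN_FILLER = 16
CODERED_RE = re.compile(r'^/default\.ida\?(?P<filler>N{%d,}|X{%d,})' % (MIN_FILLER, MIN_FILLER))

# Constructed sample log lines (not taken from the original post). Filler runs are
# shortened for readability; the real requests carried a much longer run plus payload.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:19:12:01 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289
198.51.100.7 - - [05/Aug/2001:19:12:03 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289
203.0.113.4 - - [05/Aug/2001:19:12:09 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [05/Aug/2001:19:14:41 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289
203.0.113.4 - - [05/Aug/2001:19:15:00 -0500] "GET /default.ida?AAAA HTTP/1.0" 404 289
this line is not a valid log entry
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name the worm variant a request path matches: 'CodeRed', 'CodeRedII', or None."""
    m = CODERED_RE.match(path)
    if not m:
        return None
    return 'CodeRed' if m.group('filler')[0] == 'N' else 'CodeRedII'


def scan(log_text):
    """Return a list of (ip, time, variant) for every line that is a Code Red family probe."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable line: skip it rather than abort the whole scan
        variant = classify(fields['path'])
        if variant:
            hits.append((fields['ip'], fields['time'], variant))
    return hits


def summarize(hits):
    """Count probes per source host and per variant: {ip: {variant: count}}."""
    per_host = defaultdict(Counter)
    for ip, _time, variant in hits:
        per_host[ip][variant] += 1
    return {ip: dict(c) for ip, c in per_host.items()}


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for ip, when, variant in found:
        print(f'{when}  {ip:<15} {variant}')
    print(summarize(found))
```

The fifth sample line (a /default.ida request with a short, non-filler query) is deliberately left unmatched: a probe of the same vulnerable extension that does not carry the worm's filler run should be noticed by a human, not auto-labelled as a known variant. The per-host summary is the shape of data a listener would submit to DShield, whereas acting on the attacking host is a separate decision this code does not make.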
