[Dshield] fighting back against CodeRed

Scott Howell showell at adelphia.net
Tue Aug 7 16:06:45 GMT 2001

I agree...

You have my vote....


-----Original Message-----
From: Paul Marsh <pmarsh at nmefdn.org>
To: 'dshield at dshield.org' <dshield at dshield.org>
Date: Tuesday, August 07, 2001 11:29 AM
Subject: RE: [Dshield] fighting back against CodeRed

> I can't agree with you more, I'm really getting tired of seeing this
>stuff in my log especially from the same IPs over and over again.  I think
>this is a very proactive instead of reactive idea, good job let's do it.
>Thanx, Paul
>-----Original Message-----
>From: Josh Ballard [mailto:jballard at cloud.cc.ks.us]
>Sent: Sunday, August 05, 2001 10:38 PM
>To: dshield at dshield.org
>Subject: [Dshield] fighting back against CodeRed
>I was thinking earlier this evening of how in the heck we are going to deal
>with codered, and I have a possible solution via the backdoor we've been
>given in v2.  If anyone has an idea of how we can force Windows Update to
>run on a machine and reboot when done, then we can start shutting down
>v2 worms.  You see, we have the ability to do nearly anything we wish via
>the backdoor in coderedII.  I know this isn't the solution that everyone
>wants, and I know I don't have the skills to do this, but I do have an
>and we have to start somewhere.  I'm not proposing an anti-worm.  I'm
>proposing a program run on a series of machines that listen for coderedII
>attempts, and when they receive them, neutralize the coderedII worm on the
>attacking host via the backdoor, run a windows update, or run the patch for
>this hole on the attacker, and then reboot the system to bring it back up
>clean of the worm and protected.  It's obvious as of all this time that we
>are simply not going to get every single person in the world to patch their
>machines and disinfect, and in fact we know a lot of these are simply not
>going to be patched unless someone outside does it.  Does anyone else see
>this as a viable solution?  I know this simply isn't the answer we have
>looking for, but it may be the best option we have right now.  I know we
>don't really feel like we should start backdooring people's machines, and we
>start looking at ethics, and I totally believe that these sorts of worms
>backdoors are completely unethical, but we have been handed the key to the
>door, and I propose we use it for this "good" purpose before someone else
>starts exploiting it for the worse and blasting us all with millions of
>ping packets or potentially something worse.
>Josh Ballard
>oofle.com Linux Firewall Center
>jballard at cloud.cc.ks.us
>Dshield mailing list
>Dshield at dshield.org
>To change your subscription options (or unsubscribe), see:
