[Dshield] fighting back against CodeRed

Samuel Samuel at socal.rr.com
Tue Aug 7 17:40:49 GMT 2001


Every domain name is supposed to have a telephone number supplied with the
registration. It would be a lot more work to call the contacts for infected
domains but is that not a proper solution?

Are ISPs affected by infected customers? Assuming that they are, it seems
to me that it is in their best interest too to take action. They seem to not
be doing enough yet but hopefully they will do more soon.

Is this "directly relate to DShield"? There have been a lot of very useful
and important discussions in this mailing list that seem to me to be not
"directly relate to DShield". Since this mailing list is supposed to be
limited to DShield discussions, I think it would be worthwhile to have a
separate mailing list for other discussions.


----- Original Message -----
From: "Josh Ballard" <jballard at cloud.cc.ks.us>
To: <dshield at dshield.org>
Sent: Sunday, August 05, 2001 7:38 PM
Subject: [Dshield] fighting back against CodeRed


> I was thinking earlier this evening of how in the heck we are going to deal
> with codered, and I have a possible solution via the backdoor we've been
> given in v2.  If anyone has an idea of how we can force Windows Update to
> run on a machine and reboot when done, then we can start shutting down these
> v2 worms.  You see, we have the ability to do nearly anything we wish via
> the backdoor in coderedII.  I know this isn't the solution that everyone
> wants, and I know I don't have the skills to do this, but I do have an idea,
> and we have to start somewhere.  I'm not proposing an anti-worm.  I'm
> proposing a program run on a series of machines that listen for coderedII
> attempts, and when they receive them, neutralize the coderedII worm on the
> attacking host via the backdoor, run a windows update, or run the patch for
> this hole on the attacker, and then reboot the system to bring it back up
> clean of the worm and protected.  It's obvious as of all this time that we
> are simply not going to get every single person in the world to patch their
> machines and disinfect, and in fact we know a lot of these are simply not
> going to be patched unless someone outside does it.  Does anyone else see
> this as a viable solution?  I know this simply isn't the answer we have been
> looking for, but it may be the best option we have right now.  I know we
> don't really feel like we should start backdooring people's machines, and we
> start looking at ethics, and I totally believe that these sorts of worms and
> backdoors are completely unethical, but we have been handed the key to the
> door, and I propose we use it for this "good" purpose before someone else
> starts exploiting it for the worse and blasting us all with millions of huge
> ping packets or potentially something worse.
>
> Josh Ballard
> oofle.com Linux Firewall Center
> http://www.oofle.com/
> jballard at cloud.cc.ks.us
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www1.dshield.org/mailman/listinfo/dshield
>