[Dshield] Re: Dshield digest, Vol 1 #185 - 11 msgs

Mark Martin wolf at bescape.com
Wed Aug 8 03:56:55 GMT 2001


While in agreement with you on quashing the notion of the anti-worm, I'm
still pondering how such a thing would even work, technically.  I mean, how
would it spread?  Once it "cleaned" a system, there wouldn't be the
malicious spreading function left, so it would never propogate itself.  Am I
totally missing how that would even work?  The only way I could see it
working is if the anti-worm, the cleaning worm, actually continued acting
like the original worm in some way.  Then, instead of the inundation of
firewall logs with getting /default.ida and some wormy malicious code, you'd
get the /default.ida access and seeming non-malicious code.  What's the
diff?

(I ask this more to the group :)

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Dustin Decker
Sent: Tuesday, August 07, 2001 12:13 PM
To: dshield at dshield.org
Subject: [Dshield] Re: Dshield digest, Vol 1 #185 - 11 msgs



Let's all agree right now however, to quash any such discussion of using
the worm itself to kill the worm.  This may indeed seem noble, and on many
merits I would agree... however, one simply cannot forget that we are
without the services and companionship of our beloved own - Max Vision.  I
don't think I have to remind you why.  (Although I would also interject
that the FBI gave him a royal screwing on that whole mess.)  The law,
flawed or not, is still in full effect.  It would be most unwise to cross
those lines, and is additionally poor form to support such measures in
this forum.

Dustin




More information about the list mailing list