[Dshield] Re: fighting back against CodeRed

Bruce Lilly blilly at erols.com
Wed Aug 8 19:59:25 GMT 2001


Here's my $0.02 worth:

1. A third party infiltrating the attacker is wrong, and two wrongs
   don't make a right.

2. Trying to contact the attacker's administrator may fail even if the
   system owner isn't a hacker: in the case of dialup or broadband
   connections, the NIC records are likely to point to the ISP's
   contact information.  While as noted on this list, some ISPs have
   taken the initiative of informing their customers, other ISPs may
   not be so inclined.  Note that professionally managed systems have
   probably already been patched, and most of the remaining
   infected systems are probably home machines. There are other
   issues with the email approach: some have suggested emailing
   abuse@domain -- while standardized names for administrative
   mailboxes are recommended by RFC 2142, that is only a
   recommendation; one which is infrequently adhered to.  The only
   mailbox that is supposed to be universally valid is "postmaster"
   (it's in the Host Requirements RFC, 1123, section 5.2.7); the reality
   is that there are many misconfigured systems that either do not
   support "postmaster" or have other problems (e.g. returning a
   ludicrous "relaying not permitted" error) with it. (Guess whose
   software seems to be worst in that regard).  And systems which have
   not been patched for a widely known issue are not likely to be so
   well administered that they adhere to the Host Requirements.

3. The problem is Microsoft's responsibility to deal with, as they are
   responsible for the gaping security hole in their buggy IIS software.
   Sending out a copy of the joint notice a week after CERT and SANS
   sent out their copies, and only to the tiny fraction of Microsoft's
   customers that have signed up for their security mailings is woefully
   inadequate.  Microsoft is about the only entity that could
   legitimately set up one or more servers that would use some
   mechanism to patch infected systems that contact those servers.
   It would probably suffice to announce in advance that a
   patching service would be installed for the convenience of any
   customer who wants an automatic update, and that the update will be
   installed if the user or his machine contacts a Microsoft server
   using a certain type of default.ida request.  This is a slight
   extension of MS' Windows Update, which installs upgrades downloaded
   from MS servers.  Whether or not MS could implement such a system
   that would actually work and would not install more bugs than
   it fixes is another matter.
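Added example, not part of this post or of the DShield project: a small log scanner that does the defender-side work the post touches on, spotting Code Red's `default.ida` overflow requests in a web server log, counting them per source, and building the contact mailboxes (postmaster@ from RFC 1123 section 5.2.7, abuse@ and security@ from RFC 2142) one would try when notifying a source's operator. The log lines are constructed samples in Apache combined format with documentation-range addresses; the filler runs of N (Code Red I) and X (Code Red II) are shortened but keep the worm's request shape. The threshold of 20 filler bytes and the `report_mailboxes` helper are assumptions for illustration.

```python
import re
from collections import Counter
from typing import List

# Constructed sample log lines (Apache combined format), not taken from any real server.
# Lines 1 and 3 mimic the Code Red probe: GET /default.ida? followed by a long filler run.
# Line 4 is a plain request for /default.ida with no payload and must NOT be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Aug/2001:19:31:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 293 "-" "-"
198.51.100.22 - - [08/Aug/2001:19:32:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Aug/2001:19:35:41 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 293 "-" "-"
192.0.2.9 - - [08/Aug/2001:19:40:05 +0000] "GET /default.ida HTTP/1.0" 404 293 "-" "curl/7.8"
"""

# Fields of an Apache combined log entry: source, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Code Red's request: /default.ida? followed by a long run of N (Code Red I) or
# X (Code Red II) filler bytes that overflow the .ida ISAPI handler.  The minimum
# run length of 20 is an assumed threshold chosen to reject ordinary requests.
CODERED_RE = re.compile(r'^/default\.ida\?[NX]{20,}')


def is_codered_probe(path: str) -> bool:
    """True if the request path has the Code Red overflow shape."""
    return CODERED_RE.match(path) is not None


def scan_log(text: str) -> Counter:
    """Count Code Red-style probes per source address.

    Unparseable lines are skipped rather than raising, so a partially
    corrupted log still yields the sources that could be recovered.
    """
    hits: Counter = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        if m.group("method") == "GET" and is_codered_probe(m.group("path")):
            hits[m.group("src")] += 1
    return hits


def report_mailboxes(domain: str) -> List[str]:
    """Contact addresses to try for a source's domain, most reliable first.

    postmaster@ is the one mailbox RFC 1123 section 5.2.7 requires every
    mail-receiving host to support; abuse@ and security@ are the RFC 2142
    recommendations, which (as the post notes) are often not honoured.
    Mapping a source address to its domain is left to the caller.
    """
    return [f"postmaster@{domain}", f"abuse@{domain}", f"security@{domain}"]


if __name__ == "__main__":
    for src, count in scan_log(SAMPLE_LOG).most_common():
        print(f"{src}: {count} Code Red probe(s)")
    # Constructed example domain for the notification step.
    print("try in order:", ", ".join(report_mailboxes("isp.example")))
```

Only the two `default.ida?` requests with the filler run are counted; the bare `/default.ida` request on the last line is a legitimate-looking fetch and is left alone, which is the distinction a report to DShield or to a source's operator needs to preserve.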