[Dshield] Re: fighting back against CodeRed
Coxe, John B.
JOHN.B.COXE at saic.com
Wed Aug 8 21:53:49 GMT 2001
Two other points:
(1) Some of these servers are on residential broadband dhcp. With all the
hoopla, it would not be unlikely that a good many of the targetted addresses
now represent entirely different hosts. All other ethical considerations
aside, attempted infiltrations into hosts by ip address is not reliable
enough. And in this case even against the correct host, at best you could
waste an already drained administrator's time and resources chasing down
what is, in fact, an intrusion on their system.
(2)Regarding the delayed response, I'd like to point out that both Trend and
Symantec were nto easy to alert to this threat directly as they are looking
for direct submissions of suspected live viruses, and not reliable server
log evidence of a seriosu problem. For that reason, Symantec was at least
12 hours late out the gate and Trend was a day away. I would think a lot of
people running IIS servers depend on their notifications. A lot of the
blame for the extent of the spread might be fairly directed at them for
wasting away too much of the weekend without advising people. In fairness,
all the AV vendors have had some advisories related to the MicroS**t patch
for a month. So the real blame is on the micromoonies who trust the apps as
installed and never look back.
From: Bruce Lilly [mailto:blilly at erols.com]
Sent: Wednesday, August 08, 2001 12:59 PM
To: dshield at dshield.org
Subject: [Dshield] Re: fighting back against CodeRed
Here's my $0.02 worth:
1. A third party infiltrating the attacker is wrong, and two wrongs
don't make a right.
3. The problem is Microsoft's responsibility to deal with, as they are
responsible for the gaping security hole in their buggy IIS software.
Sending out a copy of the joint notice a week after CERT and SANS
sent out their copies, and only to the tiny fraction of Microsoft's
customers that have signed up for their security mailings is woefully
inadequate. Microsoft is about the only entity that could
legitimately set up one or more servers that would use some
mechanism to patch infected systems that contact those servers.
It would probably suffice to announce in advance that a
patching service would be installed for the convenience of any
customer who wants an automatic update, and that the update will be
installed if the user or his machine contacts a Microsoft server
using a certain type of default.ida request. This is a slight
extension of MS' Windows Update, which installs upgrades downloaded
from MS servers. Whether or not MS could implement such a system
that would actually work and would not install more bugs than
it fixes is another matter.
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
More information about the list