[Dshield] Re: fighting back against CodeRed

Coxe, John B. JOHN.B.COXE at saic.com
Wed Aug 8 21:53:49 GMT 2001

Two other points:

(1) Some of these servers are on residential broadband dhcp.  With all the
hoopla, it would not be unlikely that a good many of the targetted addresses
now represent entirely different hosts.  All other ethical considerations
aside, attempted infiltrations into hosts by ip address is not reliable
enough.  And in this case even against the correct host, at best you could
waste an already drained administrator's time and resources chasing down
what is, in fact, an intrusion on their system.

(2)Regarding the delayed response, I'd like to point out that both Trend and
Symantec were nto easy to alert to this threat directly as they are looking
for direct submissions of suspected live viruses, and not reliable server
log evidence of a seriosu problem.  For that reason, Symantec was at least
12 hours late out the gate and Trend was a day away.  I would think a lot of
people running IIS servers depend on their notifications.  A lot of the
blame for the extent of the spread might be fairly directed at them for
wasting away too much of the weekend without advising people.  In fairness,
all the AV vendors have had some advisories related to the MicroS**t patch
for a month.  So the real blame is on the micromoonies who trust the apps as
installed and never look back.

-----Original Message-----
From: Bruce Lilly [mailto:blilly at erols.com]
Sent: Wednesday, August 08, 2001 12:59 PM
To: dshield at dshield.org
Subject: [Dshield] Re: fighting back against CodeRed

Here's my $0.02 worth:

1. A third party infiltrating the attacker is wrong, and two wrongs
   don't make a right.


3. The problem is Microsoft's responsibility to deal with, as they are
   responsible for the gaping security hole in their buggy IIS software.
   Sending out a copy of the joint notice a week after CERT and SANS
   sent out their copies, and only to the tiny fraction of Microsoft's
   customers that have signed up for their security mailings is woefully
   inadequate.  Microsoft is about the only entity that could
   legitimately set up one or more servers that would use some
   mechanism to patch infected systems that contact those servers.
   It would probably suffice to announce in advance that a
   patching service would be installed for the convenience of any
   customer who wants an automatic update, and that the update will be
   installed if the user or his machine contacts a Microsoft server
   using a certain type of default.ida request.  This is a slight
   extension of MS' Windows Update, which installs upgrades downloaded
   from MS servers.  Whether or not MS could implement such a system
   that would actually work and would not install more bugs than
   it fixes is another matter.

Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list