Bugtraq mailing list archives

RE: Mitigating some of the effects of the Code Red worm


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Thu, 19 Jul 2001 20:43:01 -0500

<snip>

I'm not sure of the ethical or legal aspects of this, but I don't see why
we can't take advantage of three facts:

1) There is something of an ongoing log of affected machines that can be
obtained from boxes earlier in the IP list.
2) Machines which have been compromised can STILL be compromised.
3) The worm has a "lysine deficiency" which can be remotely introduced.

What I'm getting at, is for someone to create another exploit that creates
the C:\notworm file in infected machines and does something to
notify whoever is in charge of a particular box (even something as simple
as placing you_are_hacked.txt and a link to the patch on the desktop could
be beneficial). Even better, an exploit to patch a machine (through
removing the .ida and .idq extensions) would prevent the inevitable wave
of post-attacks (both from this worm and future attacks).

Of course, I'm guessing this is illegal, although I highly doubt you'd be
prosecuted. If someone has the expertise to create a "white hack" such as
this, I'm sure there are daring admins out there who would happily attempt
to stem the flow. If we don't do something, you know it's just a (very
short) matter of time before script kiddies, armed with a modified worm
and a log of infected machines, do something more sinister.
<snip>

Ben,

The issue has raised its head many times, especially when viruses became
popular.  There are many issues with this question, but the real aspect of
this is introducing code that is worm-like.  Can this code itself be
exploited?  Do we really want this on a production system?

But to the real point, this code actually exists; it's called a Microsoft
hotfix/security patch!  Enough of the jokes: what in essence you are describing
is a hybrid artificially intelligent IDS system... and as we all know IDS
systems can be a pain to set up with a 100% execution notification decision
path... hence false positives et al.


cheers
r.
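For reference, the two local mitigations the quoted proposal wants pushed onto other people's machines (creating the C:\notworm marker file and removing the .ida/.idq script mappings) are things an administrator can do on a box they own. The script below is an added example, not code from either poster; it assumes an IIS 5 host with the IIS ADSI provider available and that the site to clean is instance 1 under W3SVC (the SITE_PATH constant), and it is meant to be run locally with cscript, not delivered remotely.

```vbscript
' Added example (not from the original thread): local-only Code Red
' mitigation for an IIS 5 host, run by the administrator on the box itself.
' 1) creates C:\notworm, the marker file the worm checks before infecting;
' 2) removes the .ida and .idq script mappings that route requests to idq.dll.
' Assumptions: IIS ADSI provider present; site instance 1 is the one to fix.
Option Explicit

Const SITE_PATH = "IIS://localhost/W3SVC/1/ROOT"   ' assumed site instance
Const MARKER    = "C:\notworm"

Dim fso, site, maps, kept, entry, ext, removed

' 1) Marker file: an empty file is enough, the worm only tests for existence.
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(MARKER) Then
    fso.CreateTextFile(MARKER).Close
    WScript.Echo "created " & MARKER
Else
    WScript.Echo MARKER & " already present"
End If

' 2) Script mappings: each ScriptMaps entry is a string of the form
'    ".ext,<path to dll>,<flags>,<verbs>"; keep everything except .ida/.idq.
Set site = GetObject(SITE_PATH)
maps = site.ScriptMaps
kept = Array()
removed = 0
For Each entry In maps
    ext = LCase(Split(entry, ",")(0))
    If ext = ".ida" Or ext = ".idq" Then
        removed = removed + 1
        WScript.Echo "removing mapping: " & entry
    Else
        ReDim Preserve kept(UBound(kept) + 1)
        kept(UBound(kept)) = entry
    End If
Next

If removed > 0 Then
    site.ScriptMaps = kept
    site.SetInfo
End If
WScript.Echo removed & " mapping(s) removed; " & (UBound(kept) + 1) & " kept"
```

Run it as `cscript notworm.vbs` from an administrative console. Removing the mappings is the stopgap the quoted post describes; the vendor patch for the .ida overflow (the "link to the patch" mentioned above) is still the real fix, since the marker file only works for as long as the worm keeps honouring it.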

