Bugtraq mailing list archives

RE: Mitigating some of the effects of the Code Red worm


From: "Bragg Michael (npl1mcb)" <npl1mcb () ups com>
Date: Fri, 20 Jul 2001 09:35:26 -0400

Also, let's not forget that Max Vision got sent up the river for something
similar.  Plain and simple, there's no such thing as a "beneficial" worm --
besides, how would *you* like it if you received a message saying, "Hi.  You
don't know me from Adam, but I just patched your webserver against the
latest vulnerability.  I didn't throw in any trapdoors or any other bad
stuff.  Scout's honor."

Besides, even the best of intentions sometimes goes straight to crap.  Sure,
the code you wrote may have tested just fine on your box, but Alice's
webserver crashes instantly upon exposure, and Bob's starts to BSoD at
random times afterwards.  Legally it's a violation of (I think -- please
correct me if I'm wrong) 18 USC 1030, the Computer Fraud and Abuse Act 1986.
That's assuming it works as planned.  If it starts to DoS webservers, you
could be held civilly liable for the business impact.

Ethically, it's pretty much unconscionable. Just because we *can* take
advantage of vulnerabilities, it doesn't necessarily follow that we
*should*.  The potential for damage or misuse far outweighs any potential
benefits.

Just my $0.02; as always, I welcome any comments/flames/voodoo curses...

Mike

-----Original Message-----
From: LARD BENJAMIN LEE [mailto:Benjamin.Lard () Colorado EDU]
Sent: Thursday, July 19, 2001 7:11 PM
To: BUGTRAQ
Subject: Mitigating some of the effects of the Code Red worm


I'm not sure of the ethical or legal aspects of this, but I don't see why
we can't take advantage of three facts:

1) There is something of an ongoing log of affected machines that can be
obtained from boxes earlier in the IP list.
2) Machines which have been compromised can STILL be compromised.
3) The worm has a "lysine deficiency" which can be remotely introduced.

What I'm getting at is for someone to create another exploit that creates
the C:\notworm file in infected machines and does something to
notify whoever is in charge of a particular box (even something as simple
as placing you_are_hacked.txt and a link to the patch on the desktop could
be beneficial). Even better, an exploit to patch a machine (through
removing the .ida and .idq extensions) would prevent the inevitable wave
of post-attacks (both from this worm and future attacks).

Of course, I'm guessing this is illegal, although I highly doubt you'd be
prosecuted. If someone has the expertise to create a "white hack" such as
this, I'm sure there are daring admins out there who would happily attempt
to stem the flow. If we don't do something, you know it's just a (very
short) matter of time before script kiddies, armed with a modified worm
and a log of infected machines, do something more sinister.

Ben Lard
University of Colorado, Boulder
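The .ida and .idq mappings Ben names as the thing to remove are also the thing an administrator can look for in a server's own access logs, to see whether and from where the machine is being probed. The script below is an added example written for this archive page, not code from either poster: it parses IIS W3C extended log lines (the field names come from the log's own `#Fields:` directive) and reports requests whose URI stem ends in `.ida` or `.idq`, grouped by client address. The sample log text and the RFC 5737 addresses in it are constructed for the example.

```python
"""Audit IIS W3C extended log lines for requests to .ida/.idq resources.

Added example for the Bugtraq thread above; not code from the original posts.
Assumes the W3C extended log format with a '#Fields:' directive naming the
columns (here: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
"""
from collections import Counter

# The two Indexing Service mappings the thread recommends removing.
VULNERABLE_EXTENSIONS = (".ida", ".idq")

# Constructed sample log (not real traffic). Addresses are from the
# RFC 5737 documentation ranges; each entry has exactly the columns
# declared in the #Fields directive.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 23:11:02 192.0.2.10 GET /default.ida NNNNNNNN 200
2001-07-19 23:11:05 198.51.100.7 GET /index.html - 200
2001-07-19 23:11:09 192.0.2.10 GET /default.ida NNNNNNNN 200
2001-07-19 23:11:40 203.0.113.5 GET /scripts/query.idq CiTemplate=foo 404
2001-07-19 23:12:01 198.51.100.7 GET /images/logo.gif - 304
"""


def parse_w3c_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive.

    Lines starting with '#' are directives; the most recent '#Fields:' line
    defines the column names for the entries that follow it.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # Skip a malformed entry rather than mis-align its columns.
            continue
        yield dict(zip(fields, values))


def indexing_service_requests(text):
    """Return the entries whose cs-uri-stem targets an .ida or .idq resource."""
    hits = []
    for entry in parse_w3c_log(text):
        stem = entry.get("cs-uri-stem", "").lower()
        if stem.endswith(VULNERABLE_EXTENSIONS):
            hits.append(entry)
    return hits


def probing_sources(text):
    """Count .ida/.idq requests per client address, most active address first."""
    counts = Counter(entry["c-ip"] for entry in indexing_service_requests(text))
    return counts.most_common()


if __name__ == "__main__":
    for ip, n in probing_sources(SAMPLE_LOG):
        print(f"{ip}\t{n} request(s) to .ida/.idq resources")
```

Matching on the URI stem's extension rather than on any particular query string keeps the check tied to the mapping itself: once the `.ida`/`.idq` mappings are removed from the server, any request that still arrives for them is noise to be counted, not a request IIS will hand to the Indexing Service filter.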

