Full Disclosure mailing list archives
Why Fixer Worms Are A Bad Idea RE: [UPDATE] ping floods
From: "Drew Copley" <dcopley () eeye com>
Date: Mon, 18 Aug 2003 11:33:48 -0700
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Sam Pointer
Sent: Monday, August 18, 2003 9:15 AM
To: 'Abraham, Antony (Cognizant)'; B3r3n () argosnet com; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] [UPDATE] ping floods

Antony Abraham wrote:

http://vil.nai.com/vil/content/v_100559.htm
New RPC worm which will generate a lot of ICMP traffic.

Well I guess it would appear from this portion of NAI's analysis that someone was listening to the thread on this list about writing an anti-blaster worm:

"The worm carries links to various patches for the MS03-026 vulnerability: ... The worm attempts to download and install one of these patches on the victim machine."

Every time a worm comes out, people talk about making fixer worms. It is a natural thought. It is not a well thought out thought, though.

It is very time consuming to make worms. It is very difficult to test worm code. Most developers do not test their worm code, as is obvious from their work.

The problem with the "fixer" idea is that the worm will still consume bandwidth and cause these sorts of problems. In this case, it causes ping floods.

I wonder if it downloads the right patch. If it does not detect the OS properly and downloads the wrong patch, then it has done nothing but act as any other virus. The reports on the worm do note that it sends some systems into the infinite reboot loop problem. That is not a good thing.

If someone really wants to spend four, five, twelve hours, even more... writing a fixer worm, their time would be far better served berating people to upgrade their systems... and berating vendors to better protect their users.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html