Security Incidents mailing list archives

Re: more Code Red analysis


From: "Ralph Mellor" <ralph () dimp com>
Date: Tue, 7 Aug 2001 14:42:00 -0500

Great analysis.


> ... Too many users are connected". ... This prevents people
> from exploiting the /scripts/root.exe backdoor

Which would suggest that black hats would have been hampered
in any attempts to remodel. (By remodel I mean to invisibly remove
the known backdoor and replace it with a new one.)


> I think this will become an important algorithm for future worms.

Regularity and locality of ip allocation is a godsend to worm writers
regarding both public and private ip spaces. For example, as I
posted to a local linux user group yesterday:

    Use 10.x.x.x even for small private nets?
    .
    .
    4. It's reasonable to surmise that many future worms will adopt
    this local bias philosophy.
    .
    .
    So, my tentative (but remember, clueless) conclusion is that,
    even on tiny private nets, it would probably be smart to use
    as sparse an ip space as possible, right?


> the Morris Worm injected the community with a lot of knowledge
> about worms. ... When the next IIS exploit is announced, we've got
> two weeks to patch a million systems before that next worm takes
> down the Internet.

I disagree with the 2 weeks and the take down the Internet.

Neither Code Red nor Code Red II took down the Internet.
It could clearly happen, but one can't absolutely know.

As for the 2 weeks:

> There is even a danger that a worm will be written first,
> then the next exploit added to it later. Thus, the worm may
> appear on the first day the next vulnerability is announced,
> even though the writer didn't have 0-day knowledge.

Precisely. Soon we may no longer have the 2 week luxury.
Timely patching may come to mean doing it within hours of
the announcement (and in years to come, minutes).


> I'm sure people have fully grasped the situation.

Did you miss a "not"?


> If anybody has a large dark subnet to play with, I'd love to
> install my deredoc program mentioned above. It not only
> plays with the current worms, it can be used to encourage
> 0-day worms to reveal themselves.

Simple and beautiful.
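An added example, not part of this post or the thread, quantifying the "sparse ip space" argument above: it models a locally biased scanner (the 1/2 same-/8, 3/8 same-/16, 1/8 random split is assumed here, modelled on what was reported for Code Red II) and computes how many probes it needs on average to find a second host on a small 10.x net, for a dense versus a sparse allocation. The address lists and the seed are constructed for the example.

```python
import ipaddress
import random

# Assumed local-bias target selection (not stated in the post):
#   1/2 of probes: same /8 as the infected host, random low 24 bits
#   3/8 of probes: same /16 as the infected host, random low 16 bits
#   1/8 of probes: uniformly random 32-bit address
P_SAME_8, P_SAME_16, P_RANDOM = 0.5, 0.375, 0.125
TEN_SLASH_8 = int(ipaddress.ip_address("10.0.0.0"))

def per_probe_hit_probability(source: str, hosts) -> float:
    """Probability that one probe from `source` lands on some other host in `hosts`."""
    src = int(ipaddress.ip_address(source))
    total = 0.0
    for h in hosts:
        dst = int(ipaddress.ip_address(h))
        if dst == src:
            continue  # re-probing itself yields no new infection
        p = P_RANDOM / 2**32            # every address is reachable by the random slice
        if dst >> 24 == src >> 24:
            p += P_SAME_8 / 2**24       # shares the /8 with the infected host
        if dst >> 16 == src >> 16:
            p += P_SAME_16 / 2**16      # shares the /16 as well
        total += p
    return total

def expected_probes_to_first_hit(source: str, hosts) -> float:
    """Mean number of probes until the first hit (geometric distribution)."""
    p = per_probe_hit_probability(source, hosts)
    return float("inf") if p == 0 else 1.0 / p

def dense_allocation(n: int):
    """Constructed: 10.0.0.1 ... 10.0.0.n, the usual tiny private net."""
    return [str(ipaddress.ip_address(TEN_SLASH_8 + i)) for i in range(1, n + 1)]

def sparse_allocation(n: int, seed: int = 1):
    """Constructed: n hosts scattered uniformly over the whole 10.0.0.0/8."""
    rng = random.Random(seed)
    picks = sorted(rng.sample(range(1, 2**24), n))
    return [str(ipaddress.ip_address(TEN_SLASH_8 + a)) for a in picks]

if __name__ == "__main__":
    for name, hosts in (("dense", dense_allocation(20)), ("sparse", sparse_allocation(20))):
        # the first host is taken to be the one already infected
        print(f"{name:6s}: ~{expected_probes_to_first_hit(hosts[0], hosts):,.0f} probes to find a second host")
```

The output shows the sparse layout costing the scanner on the order of a hundred times more probes, which is the post's point about locality of allocation.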


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

