IP: Cyanide for Code Red: [risks] Risks Digest 21.57

[David Farber <dave () farber net>]

Sounds like a Sci-Fi book I have read djf


> Date: Mon, 6 Aug 2001 10:55:07 +0800
> From: "Jeremy" <jeremy () electrosilk net>
> Subject: Cyanide for Code Red
>
> Code Red may or may not be the major disaster that CERT predicted.  It is
> certainly present and apparently mutating already.
>
> What does not seem to have happened is the production of an effective
> stopper for the Code Red.  Present prophylactic activities involve getting
> as many systems as possible updated with 'the fix'.  This of course will not
> work as a large number of systems are run out of the box by people with
> little to no technical training.  They won't even know how to recognise they
> have the worm, let alone fix it.
>
> One simple fix is a passive worm that sits on a target machine and when a
> Code Red attack arrives, infects the attacker using the same technique that
> Code-Red uses (by definition, an attacking machine must be vulnerable to the
> attack).  The passive worm could disinfect the attacker, and then sit
> waiting for further attacks on the original machine plus on the newly
> disinfected attacker.  The rate of spread of the passive worm would be
> directly proportional to the spread of Code-Red.  The passive worm cannot
> spread at all unless Code-Red is operating.
>
> The passive worm would almost certainly disable the IIS service, in fact it
> might be a good idea to have it produce a default web page stating so,
> together with instructions on how to download the security fix.  An improved
> version may even apply the fix itself.
>
> The question arises as to whether a passive worm is illegal in any way.
>
> The arguments for a passive worm are that the system it is defending is
> under attack and it is taking steps to stop that attack.  As a by-product,
> the attacker is unable to attack any other systems.  The attacker does not
> suffer any damage as a result of the disinfection.
>
> The argument against it is that the defender places and executes code on the
> hostile machine.  This may well breach any number of anti-virus laws.
>
> The real test of the argument will be when a very dangerous worm, say like
> Code-Red but 100 times as potent, is unleashed.  The various Governments
> will be left in the serious dilemma as to whether to allow a vital national
> resource be destroyed, or to unleash a probably illegal antidote.
>
> The time scale to make such a decision could be a matter of hours from first
> discovery to Internet meltdown.  Governments (and Microsoft) must have a
> contingency plan in place.  I wonder what it is?
>
> Jeremy



For archives see: http://www.interesting-people.org/