Interesting People mailing list archives
IP: Cyanide for Code Red: [risks] Risks Digest 21.57
From: David Farber <dave () farber net>
Date: Tue, 07 Aug 2001 14:22:25 -0400
Sounds like a Sci-Fi book I have read. djf
Date: Mon, 6 Aug 2001 10:55:07 +0800
From: "Jeremy" <jeremy () electrosilk net>
Subject: Cyanide for Code Red

Code Red may or may not be the major disaster that CERT predicted. It is certainly present and apparently mutating already. What does not seem to have happened is the production of an effective stopper for the Code Red.

Present prophylactic activities involve getting as many systems as possible updated with 'the fix'. This of course will not work as a large number of systems are run out of the box by people with little to no technical training. They won't even know how to recognise they have the worm, let alone fix it.

One simple fix is a passive worm that sits on a target machine and when a Code Red attack arrives, infects the attacker using the same technique that Code-Red uses (by definition, an attacking machine must be vulnerable to the attack). The passive worm could disinfect the attacker, and then sit waiting for further attacks on the original machine plus on the newly disinfected attacker. The rate of spread of the passive worm would be directly proportional to the spread of Code-Red. The passive worm cannot spread at all unless Code-Red is operating.

The passive worm would almost certainly disable the IIS service; in fact it might be a good idea to have it produce a default web page stating so, together with instructions on how to download the security fix. An improved version may even apply the fix itself.

The question arises as to whether a passive worm is illegal in any way. The arguments for a passive worm are that the system it is defending is under attack and it is taking steps to stop that attack. As a by-product, the attacker is unable to attack any other systems. The attacker does not suffer any damage as a result of the disinfection. The argument against it is that the defender places and executes code on the hostile machine. This may well breach any number of anti-virus laws.

The real test of the argument will be when a very dangerous worm, say like Code-Red but 100 times as potent, is unleashed. The various Governments will be left in the serious dilemma as to whether to allow a vital national resource to be destroyed, or to unleash a probably illegal antidote. The time scale to make such a decision could be a matter of hours from first discovery to Internet meltdown. Governments (and Microsoft) must have a contingency plan in place. I wonder what it is?

Jeremy
For archives see: http://www.interesting-people.org/