Vulnerability Development mailing list archives

Re: A code red that could bring down the net?


From: "Pete Sherwood" <petersherwood () home com>
Date: Thu, 26 Jul 2001 17:10:51 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sven,

Robert T. Morris did not send what he created onto arpanet, if I recall
correctly.
Someone else made that mistake. Hence the reason he got the light 20
punishment (community service) he did instead of the severe incarceration
many *demanded* that he get. Intent is everything in the US courts! Try as
they might, the FBI could not prove Robert "intended" to do harm.

That aside.

You conjecture that if code-red were your worm, you would have let it run
in "stealth" mode for some time and collect stuff. How do you (we) not know
that this is what has been done and that what we all have seen in the past
few weeks wasn't the/a visible part of the "silent running" activities?
Just a test of what is potentially to come?

Just a thought.

At any rate. I was never content to let what I called "ShareAware" malware
run rampant on my organization's network and created scanning tools to
search for vulnerable systems and malware on exposed systems. I'm curious
how many of you are doing likewise? I have my take on this on my web page
if you need more insight before answering.

Pete Sherwood
PGP and Thawte digital keys available @
http://members.home.net/petersherwood/

NOTE: when I first replied to the message from Sven, somehow it got
converted to MIME and I am now resending this in plain text. Sorry if you
get any double receipts.

----- Original Message -----
From: Sven van 't Veer
To: Pete Sherwood
Cc: Dom De Vitto ; Patrick Smallwood ; SECURITY-BASICS () securityfocus com ; vuln-dev () securityfocus com
Sent: Thursday, July 26, 2001 2:24 PM
Subject: Re: A code red that could bring down the net?


Although the explanation is correct, the fact that it caused "geometric
explosion of copies" was due to a bug in the code. RTM did not test his
worm before sending it onto the arpanet. It was not his intention to bring
down arpanet, but just to see how many hosts he would be able to infect.
If I remember correctly, it was supposed to run just a couple of threads on
each host, but due to some mistake in calculation it just kept replicating
itself. If the worm had done what it was supposed to do, it might not even
have been noticed until weeks after its release.

The same could have been true for the code-red worm. Not many sysops
running NT/W2K web servers would notice one or two processes that hardly
use any system resources.

If it were my worm I would have done it that way and let it run in the
wild for a couple of months and collect data on the number of infected
hosts and when satisfied, have it do whatever DOS it's supposed to
do.

sven

OK. Here is one explanation:

In 1988, the ARPANET had its first automated network security incident,
usually referred to as "the Morris worm" (4). A student at Cornell
University (Ithaca, NY), Robert T. Morris, wrote a program that would
connect to another computer, find and use one of several vulnerabilities
to copy itself to that second computer, and begin to run the copy of
itself at the new location. Both the original code and the copy would
then repeat these actions in an infinite loop to other computers on the
ARPANET. This "self-replicating automated network attack tool" caused a
geometric explosion of copies to be started at computers all around the
ARPANET. The worm used so many system resources that the attacked
computers could no longer function. As a result, 10% of the U.S. computers
connected to the ARPANET effectively stopped at about the same time.

See: http://www.cert.org/encyc_article/tocencyc.html

Dom

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO2CHKromytMtxLfsEQKYEgCg9bm0XfSTEfzGw4dpAtdPLrRkmLwAoKcX
zEbGb7OMGT45Mq9c3masRczO
=ArmH
-----END PGP SIGNATURE-----
