Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.) (fwd)

["Stanley G. Bubrouski" <stan () ccs neu edu>]

On Wed, 5 Sep 2001, Michael R. Rudel wrote:

> On Wed, 5 Sep 2001, Stanley G. Bubrouski wrote:
>
> > Does anyone realize what a bad idea it is to release worms like this in
> > the first place, regardless of wheatehr or nto they mean well?
> >
> > Think about it.
> >
> > CodeGreen from my understanding does random scanning like Code Red and is
> > infecting machiens iwth another worm that degrades system performance and
> > causes traffic.  This isn't a cure it's a nightmare.  Why?
>
> Wrong. IT doesn't activley scan. It only 'attacks' other machines that are
> running Code Red that attack it first.. i.e., it's a COUNTER-measure.

Umm yes it does.

> > 1) It causes traffic that can lead to serious bandwith consumption.
>
> See above. By disabling code red on the attacking machine, it actually
> cuts down overall traffic.

How so? It attacks vulnerable machines and uses them as a platform to scan
for others.

> > 2) Traffic caused by Code Red brings down routers and
> > printers and it even can cause Cisco 2500 series routers (from experience,
> > costly ones) to run out of memory and cease functioning until a reboot.
>
> See above. It doesn't activley scan.
> >

Wrong.  Yes it does.

> > 3) It's illegal.  Just as Code Red gaims unauthorized access to systems,
> > so does this worm.
>
> Yes. But it prevents other Code Red machines from gaining unauthorized
> access to additional systems. I'm not arguging that it isn't illegal.

+1 for acknowledging the illegality of it.

> > 4) If patching fails the system is still going to be vulnerable and it
> > will be propagating itself to other systems that may not be patchable.
>
> As opposed to when you don't try and patch it, how the machine will be
> vulnerable and will be propagating itself to other systems that may not be
> patchable? :P

There are other methods to inform people of this problem rather than
infecting them with another worm to cure another.

> > 5) Machines infected with Code Red are often times unresponsive to HTTP
> > requests due to high memory and CPU of the Code Red infection so in many
> > cases not only will the CodeGreen worm not fix already infected machiens
> > it will most likely attempt to clean machines that are vulnerable but are
> > not spreading the worm, again causing more network traffic.
>
> This is due to the active scanning that Code Red does. Once again, Code
> Green does not do this.

It must, how else are people with apache getting hit?

> > 6) People who use Concur(A billing app used by millions of sales people on
> > the road in corporations all over the world) for example have IIS running
> > and are often times connected via dial-up to a VPN at a corporation, the
> > traffic generated by CodeGreen would most likely eat up all the bandwith
> > on their dial-up connection and cause mission critical data transmissions
> > to fail in the same way Code Red does.
>
> See above.

I see the ceiling can you be more specific? :P

> > 7) Releasing untested code to the public who will surely unleash it into
> > the wild could lead to dataloss and other problems.
>
> Yes, don't release untested code, lest someone might try and improve it or
> something. :P

Or it might be unleashed into the wild and lead to dataloss.

> In the future, please read up on things before talking about them. :P

Why should I read up when you don't?

> From the CodeGreen Readme.txt file:
"what the initial code does:
A) sends one version to local iis (debug purposes)
B) starts randomly (?) searching for hosts with port 80 open
C) posts found IP to other threads
D) threads will scan IPs, increasing by one
E) every 30 seconds, main thread will post to propagation
        threads to start random scanning again

what CodeGreen does:
A) loads needed function via msvcrt.dll's import table
B) checks for local atom "CodeGreen"
        B1) will go to infinite wait loop if found
        B2) will set up CodeGreen atom if not found
C) sets up "CodeRedII" global atom; your iis should not get reinfected
with CRII
D) renames existing explorer.exe in drive C:\ and D:\
E) writes new explorer to drive C:\ and D:\ [AntiCodeRed.asm]
        (this one will try to erase root.exe and mapping backdoors)
F) determines system language
G) builds download url and downloads patch
H) builds new copy of CodeGreen
I) starts 50 propagation threads (in preassembled version)
J) tries to apply the patch (works on german systems; only tested there)
K) propagation threads will try to find new systems"

> > 8) Go to hell.

See above, it almost always applies =)

Looking at the above text in the readme file I don't see how this worm is
classified as passive at all.  It looks as though it does the same
propogation as Code Red with 50 less threads.  Mind you I'm only assuming
this from what the Readme.txt explicitly says.  50 threads attacking
anything with port 80 open is still a lot of traffic and it will still
crash the web interface on printers and old cisco routers that aren't
updated.

Regards,

Stan


--
Stan Bubrouski                                       stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284