Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

["Steinhart Alexander" <Steinhart () uni de>]

If thousands or new servers still participate in November in the network
and attack and CRclean finishes., it's not very good. It should stop
first if it hardly still finds which with it scans; therefore the
percentage under one certain Level falls...

regards,
Alexander 

----------------
www.buhaboard.de

-----Ursprungliche Nachricht-----
Von: Markus Kern [mailto:markus-kern () gmx net] 
Gesendet: Donnerstag, 6. September 2001 20:24
An: Steinhart Alexander
Cc: vuln-dev () securityfocus com
Betreff: Re: AW: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)



Steinhart Alexander wrote:
> > Clever tool with immoral, unethical and possibly illegal use.
> I would not like to discuss here the moral... It's question of the
> time and a (Anti)Worm is free, but I don't hope this a Scriptkiddy who

> set a beta version into the world...
>
> My question, whether it participates meaningful one antiworm, to let
> stop at a certain time and not with a certain percentage (I hope 
> millionth... part) of found servers to "patch"?

I don't know if I've fully understood you but I think you're asking if
it wouldn't be better to make an anti-worm stop after a certain
percentage of hosts have been patched than after a certain time has
passed.

Assuming that the malicious worm is scanning the net randomly the
anti-worm could monitor the frequency of intrusion attempts and shut
itself down if 
the rate falls below a certain threshold.

An interesting idea I didn't think of when coding CRclean.

regards,
Markus Kern