Bugtraq mailing list archives

Re: Mitigating some of the effects of the Code Red worm


From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 20 Jul 2001 00:44:40 -0600 (MDT)

On Thu, 19 Jul 2001, LARD BENJAMIN LEE wrote:

> I'm not sure of the ethical or legal aspects of this, but I don't see why
> we can't take advantage of three facts:

> 1) There is something of an ongoing log of affected machines that can be
> obtained from boxes earlier in the IP list.

The victim boxes won't tend to have a lot of logs lying around, but there
are such lists.

> 2) Machines which have been compromised can STILL be compromised.

Yes.

> 3) The worm has a "lysine deficiency" which can be remotely introduced.

Yes... I can also change what it is with a hex editor in about 20
seconds...


> What I'm getting at, is for someone to create another exploit that creates
> the C:\notworm file in infected machines

Uh oh.


> and does something to
> notify whoever is in charge of a particular box (even something as simple
> as placing you_are_hacked.txt and a link to the patch on the desktop could
> be beneficial).

If a "you've been hacked by the Chinese" page doesn't do it, why should a
file on the desktop?

> Even better, an exploit to patch a machine (through
> removing the .ida and .idq extensions) would prevent the inevitable wave
> of post-attacks (both from this worm and future attacks).

You'd never get 100% success rate.


> Of course, I'm guessing this is illegal, although I highly doubt you'd be
> prosecuted.

You're kidding, right?  We just threw a Russian citizen in jail for
cracking ROT13.  Anyone who tries such a stunt had better make sure they
launch it anonymously.

> If someone has the expertise to create a "white hack" such as
> this, I'm sure there are daring admins out there who would happily attempt
> to stem the flow. If we don't do something, you know it's just a (very
> short) matter of time before script kiddies, armed with a modified worm
> and a log of infected machines, do something more sinister.

Let's be very specific:
The only people who would thank anyone for such a stunt would be the
clueless admin who can't install the patch on their own.  Now, obviously,
there are lots of those.

OK, cut to the chase, here's my list of reasons why this is bad, to be
trotted out whenever someone suggests a "nice" worm:

-What about the traffic it takes up?
-What about the boxes that don't patch properly, don't make it back after
reboot, or took down etrade in the middle of a trading day?
-How does your worm know when it's done?
-Maybe I don't want my box patched, the patch broke my app
-How do I tell your good worm apart from the original bad worm, or the
other worm which looks like the good worm, but is really a bad worm?
-How about people like us who track attack data, and you just skewed the
heck out of it?  When does www1.whitehouse.gov get to come back?  If
there's still *A* worm around on the 1st, which one is it?
-Do we really want an Internet-sized game of corewars?
-Why stop at patching?  Don't clueless NT admins deserve to have the hard
drives reformatted until they learn how to apply patches? (and if you're
no good at spotting sarcasm, please be sure to send me flames.)

Having done my usual lecturing, I will say that this is the first time
I've even been willing to entertain the idea of a good worm... I just
don't know what else can fix a problem of this scale.  You will never,
ever come to agreement on how it should be done.  Either some government
will decide for you, or some hacker who is willing to take one for the
team.  I'm not real comfortable with either of those two setting policy
for the Internet.

                                        Ryan
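The thread above mentions two defensive facts without showing how an admin would act on them: the IIS logs of a box that was probed contain the addresses of the machines doing the probing, and the mitigation is to remove the .ida/.idq script mappings so those requests no longer reach the ISAPI filter. The following script is an added example, not code from the post or from either author; it parses IIS W3C extended logs and reports which source addresses requested .ida/.idq resources and whether those requests were still being served. It assumes the standard `#Fields:` header that IIS writes, and the embedded log lines are constructed sample data with documentation-range addresses, not a real capture.

```python
"""Triage helper: which hosts hit .ida/.idq mappings, and were they still served?

Added example for the thread above (not code from the post or its authors).
Assumes the W3C extended log format IIS writes, with a '#Fields:' header
naming the columns. SAMPLE_LOG is constructed sample data, not a real log.
"""
import re
from collections import Counter

# Constructed sample of an IIS W3C extended log (documentation-range IPs).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-19 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 00:01:02 192.0.2.10 GET /default.ida XXXX 200
2001-07-19 00:01:05 192.0.2.10 GET /default.ida XXXX 200
2001-07-19 00:02:17 198.51.100.7 GET /index.htm - 200
2001-07-19 00:03:44 203.0.113.5 GET /default.ida XXXX 404
2001-07-19 00:04:01 198.51.100.7 GET /search.idq q=test 200
"""

# Any request whose path ends in .ida or .idq is handed to the Index Server
# ISAPI filter while those script mappings exist.
ISAPI_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, values))


def ida_hits(text):
    """Map source IP -> number of requests for .ida/.idq resources."""
    counts = Counter()
    for rec in parse_w3c(text):
        if ISAPI_EXT.search(rec["cs-uri-stem"]):
            counts[rec["c-ip"]] += 1
    return counts


def served_hits(text):
    """Source IPs whose .ida/.idq request got a 2xx status.

    A 2xx means the request reached a handler, i.e. the script mapping was
    still in place. Assumption: once the mapping is removed and no static
    file of that name exists, IIS answers such requests with 404 instead.
    """
    served = set()
    for rec in parse_w3c(text):
        if ISAPI_EXT.search(rec["cs-uri-stem"]) and rec["sc-status"].startswith("2"):
            served.add(rec["c-ip"])
    return served


def report(text):
    """Return (hits, served) and print a short per-source summary."""
    hits = ida_hits(text)
    served = served_hits(text)
    for ip, n in hits.most_common():
        state = "served (mapping active)" if ip in served else "not served"
        print(f"{ip:16} {n:3d} .ida/.idq request(s), {state}")
    return hits, served


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents. Note that legitimate Index Server users show up too (the `.idq` hit in the sample), which is exactly why the thread's mitigation is to remove both mappings rather than filter on request contents: every such request reaches the same filter. The list of source addresses is what you would use to notify the owners of probing hosts, not to act on them.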

