Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Red Bull Worm

From: Brian Eckman <eckman () umn edu>
Date: Thu, 07 Aug 2003 13:01:47 -0500
My my, are we grumpy today :-)
You said that this "worm" that, as far as anyone can tell, exists solely as a comment, is "much more effective than Code Red ever was". Pardon me for pointing out your FUD.
A worm will likely be created. If written even fairly well, it should be more "effective" than Code Red (whatever your definition of effective is). However, what was provided to the list wasn't of much use to anyone, so I was pointing out how premature it was to start labelling it. 

I'll resist the temptation of responding to your flames.

Brian

Joel R. Helgeson wrote:

Ahem;
1) This is the list where exploits get posted. If/when a worm is released,
this is where you'll hear about it first. Its usually created by someone who
monitors the list. If early warnings are too much for you to handle, unsub
from the list and wait to hear about this stuff on CNN.
2) Code Red infected IIS servers, used those infected servers to spread
itself, and setup compromised machines to perform a massive DOS attack
against the whitehouse.gov server at a predetermined date & time. Pretty
simple.
3) RPC/DCOM is running on every single Win2k, 2k3, XP & NT4 machine on this
side of the sun. No need to look for servers that are running IIS.  If you
were to compile the code, you'll see how devastatingly efficient this code
is at providing you root access to any box you aim this thing at.
4) Once the machine is exploited, the box will establish an outbound
connection to an FTP server, or IRC server to await further instructions.
If you can't look at this fact alone and realize that this is a pretty big
f***ing hole, you need to get yerself a new line of work.
5) People think that filtering ports on the firewall will prevent the bug
from infecting them.  All you need to do is email it into someone and have
them double click. That virus would infect every server within the
enterprise within seconds.  If you think "That'll never happen" then just
look at the message.zip virus that spreads. Every village has its idiot.
6) EVEN IF the code hasn't been worm-ified yet, it is only a matter of time.
The exploit works, that much has been proven.
7) If you don't agree that this issue is MUCH LARGER than Code Red, well...
its time for a new job.

Regards,
Joel
----- Original Message ----- From: "Brian Eckman" <eckman () umn edu> 
To: <full-disclosure () lists netsys com>
Sent: Thursday, August 07, 2003 11:47 AM
Subject: Re: [Full-disclosure] Red Bull Worm




Joel R. Helgeson wrote:


Lets see, the last big worm to exploit windows was named Code Red after



the


Mountain Dew Code Red was brought to market.  Being that this worm is



much


more effective than Code Red ever was, I say worm should be named Red



Bull


as it is sure to exhibit much more energy than the Code Red worm.



Pardon me if I am just plain ignorant, but where is this worm, and how
on earth is it "more effective than Code Red ever was" already if nobody
is talking about it? The only evidence of a worm I have seen is one
person showing comments supposedly from source code of some program
calling itself a worm...

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html








--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: