Full Disclosure mailing list archives

RE: RE: DCOM RPC exploit


From: "Steve W. Manzuik" <steve () entrenchtech com>
Date: Sun, 27 Jul 2003 18:39:39 -0700

 
There is no such thing as a "good" worm.

That of course, depends on your perspective.  I can't remember who but I
remember someone commenting on writing a worm that exploits IIS, installs
Apache, then removes IIS.  ;-)  

What I meant by "good" was more from the interesting and wow effect.  To me,
at least the worms are forcing people to patch boxes.  Yes, I understand
that admins are busy but come on -- we have battled with patching boxes as
long as I can remember -- when are people (not just admins) going to catch
on that this is important.  No one is going to change the fact that we have
insecure code. 

People used to make the same argument about spam.  Ah, just 
delete it. 
It's no big deal.  But if we have Code Red (all variants) and 
Nimda and Slammer and Slapper and so forth and so on, do you 
really want to argue that that has no effect on bandwidth?  
What would the Internet be like if all that excess traffic 
wasn't there?

I really should do some bandwidth analysis on a few networks but I never
really thought the Code Reds and Nimdas of the world were that intensive.
Sapphire for that matter, did cause bandwidth issues, especially for those
who were not patched.  So your point is well taken.

Read what you wrote, Steve.  "The effect is pretty much 
zero", yet this comes right after "I see a ton...."  If you 
didn't have the crap in your logs, what could you be doing 
with your time?  The effect isn't zero. 
You've simply learned to live with a degraded system where 
Internet worms are the norm and you no longer realize what it 
was like not to have to deal with the crap.

In relation to the Code Red traffic I see a ton of -- I do believe that the
effect is at least next to zero.

It's not scary, Steve.  It's a PITA.  It's not like admins 
are sitting around twiddling their thumbs waiting for the 
next worm battle.  There's plenty to do in IT without the 
"distraction" of worms and malicious code and all the other 
crap that idiots put out there.

I understand that admins are busy people -- I used to be one.  But in
reality are there that many boxes still out there with the ports required
for exploitation open?  Again, I should probably put my beer down (but it's
almost Vegas week) and do some actual research.  I am fully aware that you
can exploit this over IIS if it is enabled.

Hell, maybe I will write one myself.   ;-)

If you do, then I'll add you to my list of true assholes.  :-)

Paul, if I haven't gotten on your list of true assholes yet I am not trying
hard enough.  I would have thought that I got there years ago.  ;-)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
