Full Disclosure mailing list archives

RE: RE: DCOM RPC exploit


From: Paul Schmehl <pauls () utdallas edu>
Date: 27 Jul 2003 11:36:08 -0500

On Sun, 2003-07-27 at 10:54, Steve W. Manzuik wrote:

Sure, but have there actually been any "good" worms yet? 

There is no such thing as a "good" worm.

Hell, we're *still* seeing Code Red traffic.  And what we've 
*NOT* seen in the last 2 years is a CERT advisory of this 
magnitude against a Microsoft product that didn't spawn a 
"Holy Shit" scale worm.

Don't forget Nimda as well.  But seriously, does Code Red or Nimda actually
cause you connectivity issues?  I see a ton of Code Red/Nimda like traffic
on various logs and yet the effect is pretty much zero.
 
People used to make the same argument about spam.  Ah, just delete it. 
It's no big deal.  But if we have Code Red (all variants) and Nimda and
Slammer and Slapper and so forth and so on, do you really want to argue
that that has no effect on bandwidth?  What would the Internet be like
if all that excess traffic wasn't there?

Read what you wrote, Steve.  "The effect is pretty much zero", yet this
comes right after "I see a ton...."  If you didn't have the crap in your
logs, what could you be doing with your time?  The effect isn't zero. 
You've simply learned to live with a degraded system where Internet
worms are the norm and you no longer realize what it was like not to
have to deal with the crap.

That's sort of like standing in the middle of a rave and claiming the
noise doesn't really affect your hearing or ability to carry on a
conversation.  It's only after you leave and realize your ears are
ringing and your hearing is degraded that you understand the impact.

If your boxes are patched, Firewalls configured properly, IDS tuned and
running -- why would this new worm be so scary?  The only reason that yet
another worm is going to be scary is that people don't patch their boxes or
configure them to be "secure".

It's not scary, Steve.  It's a PITA.  It's not like admins are sitting
around twiddling their thumbs waiting for the next worm battle.  There's
plenty to do in IT without the "distraction" of worms and malicious code
and all the other crap that idiots put out there.

Perhaps I am missing something but I think
Code Red and the likes did everyone a huge favor -- forced people to patch
systems, put script kiddies and consultants alike out of business.

Hell, maybe I will write one myself.   ;-)

If you do, then I'll add you to my list of true assholes.  :-)

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

