Full Disclosure mailing list archives

RE: The 'good worm' from HP


From: "joe" <mvp () joeware net>
Date: Sun, 22 Aug 2004 09:20:22 -0400

Allan is right. I didn't notice people calling it a worm. 


From the article at InfoWorld...

<SNIP>
"We've been working with (customers) for the last month now," said Tony
Redmond, vice president and chief technology officer with HP Services in an
interview. 
<SNIP>
"This is a good worm," said Redmond. "It's turning the techniques (of the
attackers) back on them."
<SNIP>

Possibly he used a bad choice of words. 



I definitely agree though that you probably shouldn't be "infecting"
machines to patch them. In order to patch through a hole like that you are
running code through that hole and that is the same as infecting in my book,
you just aren't propagating. You could still make the machine unstable or
cause other issues. I think my preference would be something along the lines
of what the NetSquid project is doing mentioned previously but be more
aggressive. Sure have the feed from SNORT to actively go out and pop the
machines currently sending bad traffic, but also scan for machines that
*could* get infected and shut them down as well. That would be a good use of
this tech HP is working on, simply identify the machines. However, others
have done similar in terms of detection so that wouldn't be nearly as
new and daring. They could do a good thing by making it fully supported by a
big name, stable, quick, and part of an overall framework for protecting the
network environment. 

  joe

 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Todd Towles
Sent: Saturday, August 21, 2004 8:58 PM
To: fulldisclosure () wateraxe demon nl; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] The 'good worm' from HP

<SNIP>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
