Re: CodeRedII worm..

["Nick FitzGerald" <nick () virus-l demon co uk>]

Valdis.Kletnieks () vt edu wrote:

> Given that initial analysis of the CodeRedII worm indicates that it leaves
> a backdoor laying around, I hereby request that those people who made
> lists of infected hosts available last time *NOT* do so again.

Hear, hear...

(I already expressed this opinion privately to the list moderator 
well before Valdis' post appeared.)

> Although said lists *were* helpful in the analysis and study of the worm's
> tactics, the benefits are certainly outweighted by the fact that the new
> worm creates a known backdoor.  I'm certain that both the CodeRedII author
> and other black hats would love for us to compile a list of afflicted hosts
> for them to use.

Indeed!

I'd say there is a high probability that the writers of this new worm
almost expected such detailed lists, or at least enough information
for where fertile hunting would be ("we are seeing lots of probes
from ShonkyISP.net" tells the bad guys to scan IP blocks belonging to
that provider...) would be publicly posted by people "trying to
help".  And, if not publicly posted such information may be "leaked"
as in DShield's break-down of "most commonly seen domains" for the
earlier CodeRed variants).

> So please everybody - if you're sending IP's in to be added to a table,
> make sure you're sending them to a white hat, not to a black hat who's
> managed to social-engineer you.  If you're a white had compiling a list,
> make sure the guy's hat is at least a light grey before you give them
> a copy. ;)

8-)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com