Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

["Stanley G. Bubrouski" <stan () ccs neu edu>]

On Fri, 7 Sep 2001, Markus Kern wrote:

> "Stanley G. Bubrouski" wrote:
> > On Thu, 6 Sep 2001, Markus Kern wrote:
>
> <snip>
>
> > > I absolutely understand your concerns. Personally I wouldn't want
> > > anyone else to execute code on my machines either but a patch has been
> > > available for months now. Every admin who cares about her systems has
> > > already fixed them ( I'm aware that it may be difficult to apply patches
> > > in some cases because they might break other stuff but after over two
> > > months such problems should be solved).
> > > The others who didn't care about Code Red are very likely not to care
> > > about Code Green / CRclean either, yet they're still causing problems
> > > for the community.
> >
> > It's not about "well if he doesn't patch his system he doesn't care," that
> > is just ignorant.  
>
> When the patch has been available for a few months I believe this to be a
> pretty safe assumption.

NO ITS NOT.  I have contacted almost 200 people by phone and NONE of them
knew they were infected.  All the people admitted performance degredation
on their machiens amongst otehr things, but none of them knew they were
infected with any kind of worm.

> > Do you think the people at Microsoft/MSN didn't care
> > when they were infected because they didn't install a patch released
> > months before?  That is absurd. 
>
> Admittedly there may be cases where people simply miss some machines on
> their network but if this happens regularly the admin isn't doing his job
> very well IMHO.


> > Do you think people with infected machines on the internet even know they
> > are infected? Probably not.
>
> No, they obviously don't. Someone who knows that he is infected and doesn't
> fix his system or at least block the outgoing scans is irresponsible.
> Code Red generates so much traffic that it should be easily spotted by a 
> competent administrator.

THE POINT IS PEOPLE DON'T KNOW THEY ARE INFECTED!

> > Do you think they'd be overjoyed to hear they were infected with another worm
> > to remove the first? Probably not.
>
> I bet some suits would actually like the idea because they don't have to spend
> money on fixing the problem themselves. Unfortunately this creates the dangerous
> situation where people don't patch their systems because "some counter-worm
> will come along and do it for us".

Sure lots of people like the idea, but that doesn't mean it's good for the
majority.

> > Will this stop other people like you from doing similar things? Probably not?
>
> No, why should I even try to stop people from doing things I do myself?
>
> > Do you care about the dataloss a worm that reboots machines without an admins
> > permission causes? Apparently not.
>
> CRclean doesn't reboot the machine it only restarts IIS.
> I admit that I didn't think of dataloss due to IIS restarts. I even call
> ExitProcess() in the exploit code which now seems like a really bad idea to me.
> A graceful IIS shutdown would be much better and shouldn't cause any dataloss
> with a well designed data base application.

I wasn't referring to CRclean buddy.  I think CRclean is a much much safer
approach than CodeGreen, not that I particularly like either one.

> regards,
> Markus Kern


--
Stan Bubrouski                                       stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284