Vulnerability Development mailing list archives

CodeGreen free? // Re: Re: AW: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)


From: "Steinhart Alexander" <Steinhart () uni de>
Date: Fri, 7 Sep 2001 16:48:05 +0200


From: Jonathan Rickman [mailto:jonathan () xcorps net]
Sent: Thursday, 6 September 2001 04:46
To: Blue Boar
Cc: vuln-dev () securityfocus com
Subject: Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

Moderator: My webserver has logged CodeGreen hits, so I feel I have
the right to respond to this admittedly wasted thread.
If nothing else...please afford me the opportunity to speak to the
world without resorting to strange GET requests in everyone's
webserver logs.

Does anyone realize what a bad idea it is to release worms like this
in the first place, regardless of whether or not they mean well?

Obviously not...

195.224.242.248 - - [04/Sep/2001:19:00:30 -0400] "GET /default.ida?Code_Green_<I_like_the_colour-_-><AntiCodeRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_to_my_sisterli_'Doro'.Save_Whale_and_visit_<www.buhaboard.de>_and_<www.buha-security.de>%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1442 "-" "-"

Logs deliberately not sanitized...
Thanks but no thanks 195.224.242.248, I don't need any help securing
this system. It is not now, nor was it ever, vulnerable to Code Red.


Can anybody confirm this? Does somebody else have logs, too?

In cases where we have some pretty good statistics about the
propagation and saturation of a given worm, if you were going to write
such a worm (and I'll leave that debate to others more versed in
ethics and law than myself), wouldn't it be the best idea to have it
shut down (permanently) at SATURATION_TIME(target_worm) + a short time
- so in this case, CodeGreen should have been programmed to shut down
no more than 6 days after infecting a box.

I think the best idea is to let the worm stop if it has found nothing
to patch for x days, and as a safeguard maybe one or two months after
infecting a box.


(and I'll leave that debate to others more versed in ethics and law
than myself)

That's no question, but if you read something like this... (sorry, it's
German)
http://groups.google.com/groups?hl=en&safe=off&th=41a4be0598ea4c6,18&seekm=3B7CDBB3.657BB0D9%40gft-solutions.de#p


4. Worm should send a message to admin.

And I think it's ineffective to send emails and (broadcast) messages
to the admin account accessible from the infected box, using a worm
to tell him that he is infected. People like the one above have no
patch yet! They have contributed to the increase of the Code Reds, and
now the increase from something somewhat "harmless" would surely push
them to panic...

regards,
Alexander Steinhart
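As an added example (not part of this thread, and not CodeGreen's or anyone's code from the list), here is a small log scanner of the kind an admin reading this thread would want: it parses Apache/NCSA combined-format lines like the hit quoted above, flags /default.ida requests carrying a %u-encoded payload, and separates CodeGreen hits from Code Red-style ones. The sample lines are constructed (the CodeGreen payload is shortened), and treating a 404 on /default.ida as "no .ida handler served the request" is my assumption based on the poster's remark that his server was never vulnerable.

```python
import re
from datetime import datetime
from typing import Optional

# Apache/NCSA combined log format, matching the hit quoted in the message above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the CodeGreen hit from the thread (payload shortened),
# a Code Red-style probe that was answered by the .ida handler, and a normal request.
SAMPLE_LOG = """\
195.224.242.248 - - [04/Sep/2001:19:00:30 -0400] "GET /default.ida?Code_Green_<I_like_the_colour-_-><AntiCodeRed-CodeRedIII-IDQ_Patcher>_V1.0_beta%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 1442 "-" "-"
10.0.0.5 - - [04/Sep/2001:19:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 200 0 "-" "-"
10.0.0.9 - - [04/Sep/2001:19:03:00 -0400] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""


def classify_hit(line: str) -> Optional[dict]:
    """Return a record for an .ida-overflow probe, or None for any other request."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # Code Red and CodeGreen both target the .ida ISAPI extension with a %u-encoded payload.
    if not (path.lower().startswith("/default.ida") and "%u" in path.lower()):
        return None
    family = "CodeGreen" if "Code_Green" in path else "CodeRed-like"
    status = int(m.group("status"))
    # Assumption: a 404 means no .ida mapping served the request, so the
    # payload never reached the IDQ ISAPI DLL (the poster's "never vulnerable" case).
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "family": family,
        "status": status,
        "ida_handler_reached": status != 404,
    }


def scan_log(text: str) -> list:
    """Run classify_hit over every line and keep only the .ida probes."""
    return [r for r in (classify_hit(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["family"], hit["status"], hit["ida_handler_reached"])
```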

