Vulnerability Development mailing list archives

Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)


From: ".MetsyS." <stf () xtra co nz>
Date: Thu, 06 Sep 2001 13:55:21 +1200

ATTN: Blue Boar,

I am finding this discussion interesting, but I know the list is geared more
to the technical merits; if you don't let this through, no worries.

Thanks.
----

At 08:44 PM 5/9/01 -0400, you wrote:
Does anyone realize what a bad idea it is to release worms like this in
the first place, regardless of whether or not they mean well?

I sort of agree with you... but my mind is changing to pro AVV now.

Think about it.

CodeGreen from my understanding does random scanning like Code Red and is
infecting machines with another worm that degrades system performance and
causes traffic.  This isn't a cure, it's a nightmare.  Why?

1) It causes traffic that can lead to serious bandwidth consumption.

2) Traffic caused by Code Red brings down routers and
printers and it even can cause Cisco 2500 series routers (from experience,
costly ones) to run out of memory and cease functioning until a reboot.

Passive infection / retaliatory action will ease this problem.

3) It's illegal.  Just as Code Red gains unauthorized access to systems,
so does this worm.

That didn't stop anybody from releasing code red and all the other virii.

4) If patching fails the system is still going to be vulnerable and it
will be propagating itself to other systems that may not be patchable.

The machine is rootable by any clown on the internet, at least an attempt
to fix the problem has been done.

5) Machines infected with Code Red are often times unresponsive to HTTP
requests due to the high memory and CPU usage of the Code Red infection, so in many
cases not only will the CodeGreen worm not fix already infected machines,
it will most likely attempt to clean machines that are vulnerable but are
not spreading the worm, again causing more network traffic.

6) People who use Concur (a billing app used by millions of sales people on
the road in corporations all over the world) for example have IIS running
and are often times connected via dial-up to a VPN at a corporation; the
traffic generated by CodeGreen would most likely eat up all the bandwidth
on their dial-up connection and cause mission critical data transmissions
to fail in the same way Code Red does.

Point taken, passive infection is the way to go.

7) Releasing untested code to the public, who will surely unleash it into
the wild, could lead to data loss and other problems.

Microsoft do this all the time.

This is a great way to get feedback from the security community about a
brilliant, interesting, challenging, cool concept; life is an adventure.

8) Go to hell.

As you wish.

1. Code red machines are screaming YOU CAN OWN ME.
2. Passive infection reduces bandwidth.
3. Worm should be open source.
4. Worm should send a message to admin.
5. I would format and re-install my O/S anyway, seeing as anyone could
have added more sneaky things to it.
6. The box can be owned by anyone and have anything done to it; personally
I'd be thankful if a worm came and stopped my info leaking onto the net.

Anyway, enough of my ranting.

I estimate Code Red (among many bugs, AYT, Wu-FTP etc.) will not be completely
eradicated for another few years anyway; people will reinstall the O/S and
forget the patch at some point.

Welcome to the cyberage, life is an adventure.

Right... I'm finished my rant.

All comments, flames, suggestions, code, whatever welcome.

Have fun,
Harm none.
