Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

[Ron DuFresne <dufresne () winternet com>]

What scares me about how folks are reacting to this code, and to the idea
of tactical internet measures to counter viri with viri, is how those in
positions to deal with the threats involved are failing to understand the
process, and how the process, of efectively combatting these 'exploits' is
done out here.  Perhaps in many cases it is not a failure to uderstand the
process, but the frustration upon discovering how broken the process is.
Let me define the issue:


Those folks with a clue, know how to deal with servers and workstations
that are compromised, they are isolated, wiped clean and updated with
current patches, and proper system security measures so as to prevent the
same compromise from infesting it again, then opening up access again.


The process of dealing with internet smap, abuse, virus attacks, etc, is
to contact the offending site, hand then a clue, and hope they deal with
it in a timely manner.  Ah, but, how does one go about making conact?  Not
many sites with gaping code red infections have clued folks that have
setup abuse accounts, or security accounts to receive e-mails like this,
many of the sites have disabled root from getting any e-mails realted to
such offences and so alerts to these folks yeilds far less affect then
dust in the wind.  When all else fails, one is advised to go to the
upstream or 'prime' provider of the offensive system, hoping they have
more clued staff with proper accounts setup for abuse and or security
complaints, and that those accounts are monitored and action is taken in
an appropriate ammount of time to minimize such assaults upon the internet
as a whole.  The problem and frustration comes from understanding how
broken this process is even if there is someone at the other end catching
all the abuse/security complaints coming their way.  Take for instance
this automated reply from the home.com folks:

        From: AUP Enforcement Team <abuse () home com>
        Subject: !!!!   CODE RED ABUSE   !!!!!
        Date: Wed, 05 Sep 2001 19:27:40 -0700


        **DO NOT REPLY DIRECTLY TO THIS MESSAGE**
        ***EXCITE@HOME WILL NOT SEE ANY REPLY TO THIS MESSAGE***

        Dear R. DuFresne",

        It appears that you are reporting receiving traffic that is related to
        the Code Red virus.

...


        The @Home Network is currently working on proactive measures to respond
        to this situation.  You should see this activity cease from @Home
        subscribers in the near future.  Thank you for your report.

        The @Home Network Policy Management Team

        Tracking ID #1000


It seems the home.com folks have some problem understanding how to be
effective here in isolating their offenders, yet, they are not alone, this
is a prevalent issue with most the major providers and vast majority of
ISP's, an unwillingness to close of access points of those with abusive
systems venting their attack payloads upon others.  

While discussion of techniques involving the writting of dangerous code
like this might be instructive, and benificial if only to help devise ways
to defend against such code, the use of such is illegal and morally
incorrect as others have and will argue now for days, but the real issue
here is a bug in the processes in place to take action that actually
accomplishes something to minimize as well as eliminate destructive
payloads unleashed against the collective whole of the internet.

Thanks,

Ron DuFresne



On Thu, 6 Sep 2001, .MetsyS. wrote:

> ATTN: Blue Boar,
>
> I am finding this discussion interesting, but I know the list is geard more
> to the technical merits, if you don't let this thru no worries.
>
> Thanks.
> ----
>
> At 08:44 PM 5/9/01 -0400, you wrote:
> > Does anyone realize what a bad idea it is to release worms like this in
> > the first place, regardless of wheatehr or nto they mean well?
>
> I sort of agree with you... but my mind is changing to pro AVV now.
>
> > Think about it.
> >
> > CodeGreen from my understanding does random scanning like Code Red and is
> > infecting machiens iwth another worm that degrades system performance and
> > causes traffic.  This isn't a cure it's a nightmare.  Why?
> >
> > 1) It causes traffic that can lead to serious bandwith consumption.
> >
> > 2) Traffic caused by Code Red brings down routers and
> > printers and it even can cause Cisco 2500 series routers (from experience,
> > costly ones) to run out of memory and cease functioning until a reboot.
>
> Passive infection / retalitory action will ease this problem.
>
> > 3) It's illegal.  Just as Code Red gaims unauthorized access to systems,
> > so does this worm.
>
> That didn't stop anybody from releasing code red and all the other virii.
>
> > 4) If patching fails the system is still going to be vulnerable and it
> > will be propagating itself to other systems that may not be patchable.
>
> The machine is rootable by any clown on the internet, at least an attempt
> to fix the problem has been done.
>
> > 5) Machines infected with Code Red are often times unresponsive to HTTP
> > requests due to high memory and CPU of the Code Red infection so in many
> > cases not only will the CodeGreen worm not fix already infected machiens
> > it will most likely attempt to clean machines that are vulnerable but are
> > not spreading the worm, again causing more network traffic.
> > 6) People who use Concur(A billing app used by millions of sales people on
> > the road in corporations all over the world) for example have IIS running
> > and are often times connected via dial-up to a VPN at a corporation, the
> > traffic generated by CodeGreen would most likely eat up all the bandwith
> > on their dial-up connection and cause mission critical data transmissions
> > to fail in the same way Code Red does.
>
> Point taken, passive infection is the way to go.
>
> > 7) Releasing untested code to the public who will surely unleash it into
> > the wild could lead to dataloss and other problems.
>
> Microsoft do this all the time.
>
> This is a great way to get feedback from the security commuity about a
> brilliant, interesting, challenging, cool concept, life is an adventure.
>
> > 8) Go to hell.
>
> As you wish.
>
> 1. Code red machines are screaming YOU CAN OWN ME.
> 2. Passive infection reduces bandwidth.
> 3. Worm should be open source.
> 4. Worm should send a message to admin.
> 5. I would format and re-install my O/S anyway, seeings as anyone could
> have added more sneaky things to it.
> 6. The box can be owned by anyone and have anything done to it, personally
> i'd be thankfull if a worm came and stopped my info leaking onto the net.
>
> Anyway, enough of my ranting.
>
> I estimate Code red (among many bugs AYT, Wu-FTP etc) will not be completly
> eradicated for another few years anyway, ppl will reinstall the o/s and
> forget the patch at some point.
>
> Welcome to the cyberage, life is an an adventure.
>
> Right... i'm finished my rant.
>
> All comments, flames, suggestions, code, whatever welcome.
>
> Have fun,
> Harm none.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.