RE: Publishing Nimda Logs

[brossini () csc com au]

I agree, these machines NEED to be cleaned and secured, OR removed from the
network.

It would, however,  be pretty niave of us to think that attackers couldn't
find lists of infected machines by other means.
After all, we promote full disclosure of software vulnerabilities, so why
not full disclosure of machines infected by worms and trojans that should
have been cleaned up long ago ?
If (and only if) the users and ISP of the problematic machines have been
notified, then I don't see why lists of this kind shouldn't be published,
so that network admins can block the offending traffic.

my (considerably less than) $0.02......

- Ben



|---------+---------------------------------->
|         |           "Silcock, Stephen"     |
|         |           <stephen_silcock@cleana|
|         |           way.com.au>            |
|         |                                  |
|         |           08/05/2002 10:35 AM    |
|         |                                  |
|---------+---------------------------------->
  
> -------------------------------------------------------------------------------------------------------------------------------|
  |                                                                                                                     
          |
  |        To:      vuln-dev () securityfocus com                                                                       
             |
  |        cc:                                                                                                          
          |
  |        Subject: RE: Publishing Nimda Logs                                                                           
          |
  
> -------------------------------------------------------------------------------------------------------------------------------|





I think many people are underestimating the potential for damage these
machines hold...

Eli. K. Breen. put his (small, personal) list of infected hosts on a web
page and posted the address to the list.

I now have as a result a list of about 2000 infected, and therefore
trivially exploitable hosts.  While some may be dynamic IP's and some may
not be as trivially exploitable as it seems; 2000 is a good ballpark
figure.

I could; if I had the time and the inclination knock up a DDoS network
within the space of a day or two using that information - 2000 hosts is no
small number.

Add to that any other Nimda lists I can lay my hands on, not to mention the
even-more-trivially exploitable CodeRed backdoored machines and you have a
ready made DDoS network just waiting for someone to use it.

The machines need to be cleaned and set up securely.  If the people running
them can't do it they have no business having an internet connection;
they're a liabiltiy to the rest of the internet community...

Unfortunately there are only two ways I can see this happening; ISP's being
made accountable for allowing these hosts to remain connected, or
compromising the machines and patching/shutting them down in an automated
fashion, which is illegal pretty much everywhere I would assume and
probably
not very effective as the machines would probably just be rebuilt or
restored insecurely as before.

So (resisting the urge to rant about Microsoft's buggy mass marketed
bloatware) it comes down to ISP's having to disconnect their own
customers...

My $0.02

S.   :)


PLEASE NOTE:

This email transmission is confidential and intended solely for the
addressee.  If you are not the intended addressee, you must not use,
disclose or print this transmission and you should delete it from your
system.