Vulnerability Development mailing list archives

Re: Publishing Nimda Logs - Summary


From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Wed, 08 May 2002 10:42:41 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 10:09 AM 5/8/2002, Jonathan Bloomquist wrote:

I lean more to the side of shaming the admins into
fixing them than ignoring them.  However, sending a
message is one thing, but actually patching their box
is going a bit too far for me even if it is to help
them.  Warn 'em, shame 'em, scream at 'em, and mail
bomb their ISP until they take action, but make each
site patch themselves.

"If we kill 'em they won't learn nuthin'."

Great quote...

Just so as everyone knows, I was not saying that you advocated a 
reverse-patch... I was just pointing out use of the root.exe (I know- just 
the mention of that file in text will cause me to receive many "You are 
infected!" auto-responders) was cool- from a technical standpoint.

Someone in another post actually brought up patching the box, and I was 
running with it.

Here is what I want to do- Discussing the theory and legality and all that 
is fine, but does not really get us anywhere.  I am willing to dedicate 
time to this to experiment if there is someone out there with the technical 
expertise to pull it off.  I'll even host it on hammerofgod.com to test it 
in the wild.

The first thing to do is to determine exactly what is necessary to patch 
the system, or if an actual "patch" is even necessary.  I wrote a little 
app called Mutex (in the downloads section of www.hammerofgod.com) that 
loads a named mutex that prevents Nimda from running. Something like that 
would be an easy place to start.

I know many of you are vehemently opposed to any sort of action like this, 
but we're talking 5 billion attempts per day, and something has to be done 
about it.  Let's get a working model on the table, prove it works, and then 
see what happens.

AD


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPNljkYhsmyD15h5gEQKwUACaAslIUpSt7qbhpsTLlIMHsIk5kWoAoPZp
yjLTFCUdG3lbNPEcswGGP5lT
=ErcF
-----END PGP SIGNATURE-----
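The "named mutex" inoculation idea in the post above, as an added illustration that is not the poster's Mutex tool and not code from the original thread. A worm that creates a named mutex at startup to avoid running twice will refuse to start when a defender's process already owns that name; the script below holds such a mutex and lets you check whether the name is currently held. The mutex name is a placeholder, since the page does not give the name Nimda checks, and `Hold-InoculationMutex` / `Test-InoculationMutex` are names chosen here.

```powershell
# Added example: single-instance mutex "inoculation" pattern.
# PLACEHOLDER: substitute the mutex name the worm actually checks; it is not given on the page.
$MutexName = 'PLACEHOLDER_WORM_MUTEX_NAME'

function Hold-InoculationMutex {
    param([string]$Name)
    $createdNew = $false
    # Same semantics as Win32 CreateMutex: if the name already exists we still get a
    # handle, but $createdNew is $false (CreateMutex would report ERROR_ALREADY_EXISTS).
    $mutex = New-Object System.Threading.Mutex($true, $Name, [ref]$createdNew)
    if (-not $createdNew) {
        Write-Host "Mutex '$Name' is already held by another process (worm or another holder)."
        $mutex.Dispose()
        return $null
    }
    Write-Host "Now holding '$Name'. The process must stay alive to keep the name taken."
    return $mutex
}

function Test-InoculationMutex {
    param([string]$Name)
    # OpenExisting throws WaitHandleCannotBeOpenedException when no mutex of that name exists.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    }
}

$held = Hold-InoculationMutex -Name $MutexName
if ($held) {
    Write-Host "Name currently held: $(Test-InoculationMutex -Name $MutexName)"
    # Keep the mutex for the life of the session (a service or scheduled task in practice).
    Read-Host "Press Enter to release the mutex and exit" | Out-Null
    $held.ReleaseMutex()
    $held.Dispose()
}
```

This only works for a worm that both checks that exact name and honors the check; it does nothing against a variant that uses a different name or skips the single-instance test, and it does not remove an existing infection or close the underlying IIS hole. Run it as a long-lived process (a service) rather than an interactive session, since the protection ends the moment the handle is released.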
