Bugtraq mailing list archives
Mitigating some of the effects of the Code Red worm
From: LARD BENJAMIN LEE <Benjamin.Lard () Colorado EDU>
Date: Thu, 19 Jul 2001 18:11:12 -0600 (MDT)
I'm not sure of the ethical or legal aspects of this, but I don't see why we can't take advantage of three facts:

1) There is something of an ongoing log of affected machines that can be obtained from boxes earlier in the IP list.
2) Machines which have been compromised can STILL be compromised.
3) The worm has a "lysine deficiency" which can be remotely introduced.

What I'm getting at, is for someone to create another exploit that creates the C:\notworm file in infected machines and does something to notify whoever is in charge of a particular box (even something as simple as placing you_are_hacked.txt and a link to the patch on the desktop could be beneficial). Even better, an exploit to patch a machine (through removing the .ida and .idq extensions) would prevent the inevitable wave of post-attacks (both from this worm and future attacks).

Of course, I'm guessing this is illegal, although I highly doubt you'd be prosecuted. If someone has the expertise to create a "white hack" such as this, I'm sure there are daring admins out there who would happily attempt to stem the flow. If we don't do something, you know it's just a (very short) matter of time before script kiddies, armed with a modified worm and a log of infected machines, do something more sinister.

Ben Lard
University of Colorado, Boulder