Re: Code Red RetroVirus Request in http://www.dslreports.com/forum/r1240188 en Thu, 03 Dec 2009 07:12:26 EDT Thu, 03 Dec 2009 07:12:26 EDT Re: Code Red RetroVirus Request http://www.dslreports.com/forum/remark,1240188 rchandra : I'll second that emotion. Releasing a retrovirus is putting a BandAid(tm) on a gunshot wound. What really needs to happen is for sysadmins to keep on top of security patches (or not to use IIS in the first place, as the case may be :) ).

I would have to say that even though you think you're helping, I don't think you can know with too much certainty that you wouldn't affect operations in some other way. Consequences can hide themselves quite well until you poke them the right way. As good as your intentions might be, it really would be just as much of an invasion as the original.
--
Benjamin Franklin: Those who sacrifice freedom for a sense of security deserve neither.

English is a hard enough language to interpret correctly when its rules are followed, let alone when a writer doesn't follow those rules.]]> http://www.dslreports.com/forum/remark,1240188 Tue, 07 Aug 2001 08:04:24 EDT Re: Code Red RetroVirus Request http://www.dslreports.com/forum/remark,1239461 Steve :
said by Erik the Awful:
I have an idea
Putting aside legal/ethical issues, this probably wouldn't be terribly effective. When a Code Red II machine is infected, it has at least three hundred worker threads pounding away looking for other victims. This is a sufficiently large number of threads that even if many of them are blocked, the machine will still be totally swamped.

At some level of system load, IIS starts handing back "Server too busy" pages, and eventually simply refused to answer at all even while accepting connections on port 80. So in practice the back door would be there, but too many partygoers would be in the way.

Patching IIS "for real" is also problematic. Anybody who's actually done this has found that sometimes it requires Service Pack 2, and I find it hard to imagine what would happen to the internet if a worm started causing 100 megabyte downloads automatically.

On a strictly technical basis, assuming one could "get in" to the system via the back door, it would be possible to unwind the back door (delete the copies of cmd.exe, reverse the registry entries), and it could install a tiny service that ran at startup. This service would create the notworm file (CRv1) and create the CodeRedII atom to prevent future infections, but this would not really solve the problem.

These machines would then still be open to the actual exploit, but since the symptoms all went away, the box owners would find no reason to patch their machines. This is not good for the internet.

The only way to really solve this problem is to get the box owners to patch them, and the most effective way to do this will be a worm that rings the console bell every sixty seconds until patched. :-)

This will never cease to be a very seductive idea, but it's best to make it an intellectual exercise only.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net]]> http://www.dslreports.com/forum/remark,1239461 Tue, 07 Aug 2001 01:54:18 EDT Code Red RetroVirus Request http://www.dslreports.com/forum/remark,1239394 anon : I have an idea. Someone who is willing to risk prosecution and litigation for the good of the internet should code and release a Code Red Retro Virus. May I suggest an algorithm?

LISTENER:
- watch for Code Red signature access to ida
- queue to private log

INNOCULATOR: [WHILE LISTNRLOG.LOG SIZE Zero DO]
- grab log entry
- loginto originating server, send and execute STARTER.EXE.

STARTER:
- stop IIS
- patch IIS
- enumerate and remove back door
- reboot and start LISTENER:

I'd enjoy your comments. If you send me non complied VBS and give me a few pointers for starting it off, I might even be willing to put up a web server and throw some proverbial water at the fire... :)

edasher@null.n_t (Spam Foil Fix: null.net)]]> http://www.dslreports.com/forum/remark,1239394 Tue, 07 Aug 2001 01:39:43 EDT