Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| Re: Code Red RetroVirus Request said by Erik the Awful:
I have an idea
Putting aside legal/ethical issues, this probably wouldn't be terribly effective. When a Code Red II machine is infected, it has at least three hundred worker threads pounding away looking for other victims. This is a sufficiently large number of threads that even if many of them are blocked, the machine will still be totally swamped.
At some level of system load, IIS starts handing back "Server too busy" pages, and eventually simply refused to answer at all even while accepting connections on port 80. So in practice the back door would be there, but too many partygoers would be in the way.
Patching IIS "for real" is also problematic. Anybody who's actually done this has found that sometimes it requires Service Pack 2, and I find it hard to imagine what would happen to the internet if a worm started causing 100 megabyte downloads automatically.
On a strictly technical basis, assuming one could "get in" to the system via the back door, it would be possible to unwind the back door (delete the copies of cmd.exe, reverse the registry entries), and it could install a tiny service that ran at startup. This service would create the notworm file (CRv1) and create the CodeRedII atom to prevent future infections, but this would not really solve the problem.
These machines would then still be open to the actual exploit, but since the symptoms all went away, the box owners would find no reason to patch their machines. This is not good for the internet.
The only way to really solve this problem is to get the box owners to patch them, and the most effective way to do this will be a worm that rings the console bell every sixty seconds until patched. 
This will never cease to be a very seductive idea, but it's best to make it an intellectual exercise only.
Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
