rchandra
Stargate S G-1 And Atlantis Fan
Premium
join:2000-11-09
14225-2105
clubs:
| reply to Steve
Re: Code Red RetroVirus Request
I'll second that emotion. Releasing a retrovirus is putting a BandAid(tm) on a gunshot wound. What really needs to happen is for sysadmins to keep on top of security patches (or not to use IIS in the first place, as the case may be  ).
I would have to say that even though you think you're helping, I don't think you can know with too much certainty that you wouldn't affect operations in some other way. Consequences can hide themselves quite well until you poke them the right way. As good as your intentions might be, it really would be just as much of an invasion as the original.
--
Benjamin Franklin: Those who sacrifice freedom for a sense of security deserve neither.
English is a hard enough language to interpret correctly when its rules are followed, let alone when a writer doesn't follow those rules. |
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| reply to Anon
said by Erik the Awful:
I have an idea
Putting aside legal/ethical issues, this probably wouldn't be terribly effective. When a Code Red II machine is infected, it has at least three hundred worker threads pounding away looking for other victims. This is a sufficiently large number of threads that even if many of them are blocked, the machine will still be totally swamped.
At some level of system load, IIS starts handing back "Server too busy" pages, and eventually simply refused to answer at all even while accepting connections on port 80. So in practice the back door would be there, but too many partygoers would be in the way.
Patching IIS "for real" is also problematic. Anybody who's actually done this has found that sometimes it requires Service Pack 2, and I find it hard to imagine what would happen to the internet if a worm started causing 100 megabyte downloads automatically.
On a strictly technical basis, assuming one could "get in" to the system via the back door, it would be possible to unwind the back door (delete the copies of cmd.exe, reverse the registry entries), and it could install a tiny service that ran at startup. This service would create the notworm file (CRv1) and create the CodeRedII atom to prevent future infections, but this would not really solve the problem.
These machines would then still be open to the actual exploit, but since the symptoms all went away, the box owners would find no reason to patch their machines. This is not good for the internet.
The only way to really solve this problem is to get the box owners to patch them, and the most effective way to do this will be a worm that rings the console bell every sixty seconds until patched.
This will never cease to be a very seductive idea, but it's best to make it an intellectual exercise only.
Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
