[Gllug] Code Red worm sleeps?
Richard Cohen
richard at vmlinuz.org
Wed Aug 1 16:35:28 UTC 2001
On Wed, 1 Aug 2001, Wulf Forrester-Barker wrote:
> Richard <richard at vmlinuz.org> mused:
>
> > I just had a thought - talking to a colleague here. What would it take to
> > write something which fit the following:
> >
> > Any machine from which an attack originates is unpatched and vulnerable.
> > How about a counter-virus which would utilise the known vulnerability on the
> > attacking machine to both wipe out the worm from that machine, and install
> > the patch (or something smaller and simpler, maybe) such that the machine is
> > then no longer vulnerable?
> >
> > Purely a thought experiment, but still...
>
> Didn't somebody do something like this a few months ago:
>
> http://www.thestandard.com/article/0,1902,24600,00.html
>
> The problem with this is that it would then be open for somebody to take
> that as a shell and insert malicious code... so that all the sites that
> relied on it for protection would still get hit. Also, while undoing the
> damage at the other end, in order to spread, it would still have to
> proliferate itself around, thereby causing denial of service type damage.

Obviously, there's the danger of it being used as a shell.

The important point - I thought - about my idea, was to only use it
responsibly, i.e. in response, not in attack. You would run it as a handler
on your system (a CGI script called default.ida, maybe?), which would
respond to attempted attacks by sanitising the attacker. It would *not* be
a propagating worm/virus.

> As the article, quoting Slashdot, says:
>
> "Someone who posted a message on Slashdot conjured up images of an arms
> race among benevolent worms. Will a mouse worm devour the Cheese worm,
> then succumb to the cat worm, and so on up the food chain? Another
> Slashdotter tutted, 'It's a cute idea, really, but it has to stop.' "

I'm not actually suggesting writing it... :-)

Are you trying to stop me from talking about something because of the
security implications? DMCA? :-)

> Wulf

Cheers
Richard
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug