Win2K security: Code Red worm defense (General Discussion)
dabartender (Aug 31, 2001, 6:54am)

http://www.dynwebdev.com/codered/

"Code Red Vigilante." It's actually a harmless bait-type program that simulates an IIS server. When it receives the buffer overflow string that Code Red sends out, it attempts to pop a message window up on the offending computer, using the internal messaging service in NT4/2K. If it's successful, it informs the person that they are indeed infected, and directs them to a web page detailing their problem. It's written completely in Java, and thus requires the Java Runtime Environment (http://java.sun.com/j2se/1.3/jre/) to operate. The only caveat is that you can't be running another service on port 80. I run it on 3 of the 4 machines in the house, and get several confirmed "decaffeinations" (you'll have to read the web site) per day. Just a lil' something you might want to try, and help get as many of these infected machines off the 'net as we can.

builderz (Aug 31, 2001, 1:26pm)
This was mentioned in Steve Gibson's GRC newsgroups (news://news.grc.com/) several weeks ago. Although I don't personally see anything wrong with the program, many users in the GRC newsgroups were debating whether or not it is ethical to have the program "modify" something on the infected computer.

Builderz
Stuff-X - Bot & World Hosting Services
http://aw.stuff-x.com/
PGP Key ID: 0xAC0E7073 (for non-commercial use)

agent1 (Aug 31, 2001, 3:44pm)
Well, if all it did was execute a program to pop up a message warning the administrator, I doubt it could be called intrusive.

-Agent1

builderz (Aug 31, 2001, 4:48pm)
I agree with you, Agent. I was just stating a fact that other users on the GRC newsgroups thought that it was unethical to run because they believe that no one else should modify another person's computer system without their knowledge, whether the action has a positive or negative effect. In another forum (I think it was somewhere on DSLreports.com), some were even questioning if the program was legal. I'm just passing along what I've read.

Builderz

sw chris (Aug 31, 2001, 5:56pm)
Well, if they knew it was modifying their computer and still chose to run it anyway, wouldn't that be an ethical use?

-- Chris
Eagle Scout, Philosopher, Peacemaker, and... Kung Fu Master?
http://www.winternet.com/~mikelr/flame1.html

dabartender (Aug 31, 2001, 9:02pm)
I'm trying to figure out why those people think it's "modifying" the infected computer... all it does is send a message back to inform the user that their machine is infected with the worm. No more, no less. It utilizes the Alerter service that's built right into Windows. I generally like GRC, and I think ol' Steve does some pretty good programming. But there are a lot of people who think Steve Gibson speaks out of his fundamental orifice when it comes to security matters :-)
http://www.grcsucks.com/

builderz (Aug 31, 2001, 9:07pm)
Yes. Go to http://www.dynwebdev.com/codered/#discussions and read what others think about the program. All I was saying is that *some* people did not want to run the program because it modifies certain things on the infected computer's system when trying to alert the admin of the worm. They did not want to run the program because of this fact. Others were debating whether or not it was even legal for an average user to download the program and run it. Another group of people installed it on as many computers as they could. The point I was trying to convey is that it is up to the individual user to decide if they want to run it, and it has been called an "iffy" program by some. I was just trying to give a little "heads up." Some users won't touch it, some think it is illegal, while others support it very much. Just trying to give the different points of view.

Builderz

dabartender (Sep 1, 2001, 1:24am)
Addendum to that: it also has the infected machine's computer contact the dynwebdev.com server through Internet Explorer. Still no modification there though... the "script" command doesn't actually run a script of any sort, it runs IE and sends it to a simple hit counter page. The modification has already been done by the worm - otherwise, the particular command that triggers IE wouldn't work at all. Sorry if it sounds like I'm trying to start a big to-do about this, because that's not my intention at all. I'm just trying to figure out how anyone can consider a literally harmless program "iffy" or "illegal."

builderz (Sep 1, 2001, 11:08am)
Okay, here are some quotes from a discussion on the program from http://www.dslreports.com/forum/remark,1253119;root=security,1;mode=flat:

o "But if this application doesn't come with source code, you'd be out of your mind to run it."
o "And if you run this from your personal machine, you will undoubtedly be violating your Terms Of Service set forth by your ISP. You may also find yourself accused of interference by the owners of the infected machines. If you run this from where you work, you could be exposing your employer to legal risks, too."
o "I am much too paranoid to get involved with this kind of crusade by putting my own or my company's resources into the fray."
o "The program no doubt has to actually enter the computer and place a file or modify something to bring the warning up. That by itself could be considered illegal no matter how good your intentions are."
o "Sometimes you'll find out that some users won't appreciate the notification even if it serves them well and you may find a few new enemies."
o "The program can actually cause you harm by opening your port 80 if it's not written properly."
o "If you're getting hit, why not just grab the IP from your logs and notify the ISP owner of the IP? Let them deal with it."
o "But it runs code on the other machine. This is certainly tampering, and would be prohibited by your ISP's TOS and open you and/or your employer to liability."
o "I don't know how it works in Canada, but in the USA hacking into another person's computer without permission regardless of your intentions is a crime."
o "Well actually the script you linked to does copy things to the hard drive. The first line creates a net send alert. The second line creates an Internet shortcut and puts it on your drive C:. The third line writes into the shortcut file and the fourth line creates another file on your hard drive and puts the text 'lysine deficiency' in it. Why? Beats me."

Those are just a few quotes of people's opinions regarding the program. I am not saying that I agree with anything or everything being said, I am just trying to show different people's perspectives on the program from an ethical viewpoint. The types of users quoted above believe that it is against some good-standing computer science principles to modify any system that doesn't belong to them, even if the modification does something good (like patch a hole or fix a security flaw). I'm just passing along what I have read and each individual user can make up their own mind if they want to run and use the program or not.

Builderz

dabartender (Sep 3, 2001, 6:56am)
I can see the other side of the argument on this one, points conceded and accepted :) I don't really have anything else to add to this thread, but I wanted to thank you for being civilized and unbiased about the whole thing. It's not often that a potentially volatile subject can be discussed in such a calm fashion - and even if it sounds corny, I'm gonna say thanks for upholding the "spirit" of Usenet :-)

-DB
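The bait behaviour the opening post describes (pretend to be IIS on port 80, recognise the worm's overflow request, then notify the source) reduced to its detection logic, as an added example that is not the Code Red Vigilante program's code and was not posted by anyone in this thread. It assumes the widely published Code Red probe signature, an oversized GET for /default.ida whose query begins with a long run of N (first variant) or X (Code Red II) followed by %u-encoded shellcode, which the thread itself never spells out; the 200-byte filler threshold, the IIS banner string and the sample requests are this example's own constructions. The `net send` step is returned as a command line rather than executed, so the notify-or-not decision the thread argues about stays with the operator, and the log line supports the "grab the IP from your logs and notify the ISP" alternative quoted above.

```python
"""Detection side of a Code Red bait listener (added example, not the original program)."""
import re
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlsplit

# Published probe shape: GET /default.ida?<filler run>%u9090...  The path is the
# known signature; the 200-byte filler threshold is this example's own choice.
IDA_PATH = "/default.ida"
MIN_FILLER = 200
FILLER_RE = re.compile(r"^([NX])\1{%d,}" % (MIN_FILLER - 1))

# Bland reply so the worm believes it reached IIS (hypothetical banner text).
BAIT_RESPONSE = (b"HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                 b"Content-Length: 0\r\nConnection: close\r\n\r\n")


@dataclass
class Verdict:
    is_code_red: bool
    variant: Optional[str]   # "Code Red I", "Code Red II" or None
    reason: str


def classify_request(raw: bytes) -> Verdict:
    """Decide from the request line alone whether this is a Code Red probe.

    The bait never interprets the payload; it only pattern-matches the request
    line, so a malformed, truncated or hostile request can at most be logged."""
    try:
        line = raw.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return Verdict(False, None, "non-ASCII request line")
    parts = line.split()          # tolerate the worm's doubled spaces
    if len(parts) != 3 or parts[0] != "GET":
        return Verdict(False, None, "not a GET request line")
    url = urlsplit(parts[1])
    if url.path.lower() != IDA_PATH:
        return Verdict(False, None, "not a request for /default.ida")
    m = FILLER_RE.match(url.query)
    if not m:
        return Verdict(False, None, "/default.ida request without overflow filler")
    variant = "Code Red I" if m.group(1) == "N" else "Code Red II"
    return Verdict(True, variant, f"{len(m.group(0))}-byte filler run")


def net_send_argv(target_host: str, message: str) -> List[str]:
    """argv for the NT/2000 'net send' pop-up that the post describes.

    Returned, not executed: whether to message the infected host at all is the
    decision the thread debates, so it is left to the caller."""
    return ["net", "send", target_host, message]


def abuse_log_line(src_ip: str, verdict: Verdict,
                   when: Optional[datetime] = None) -> str:
    """One record per hit, enough to report the source IP to its ISP."""
    when = when or datetime.now(timezone.utc)
    return f"{when.isoformat()} src={src_ip} variant={verdict.variant} {verdict.reason}"


def handle_connection(conn: socket.socket) -> Verdict:
    """Read one request, answer like IIS, return the verdict; nothing is run."""
    raw = conn.recv(8192)
    verdict = classify_request(raw)
    try:
        conn.sendall(BAIT_RESPONSE)
    except OSError:
        pass
    conn.close()
    return verdict


def run_bait(port: int = 80) -> None:
    """Listen where IIS would; as the post says, the port must be free."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("", port))
        srv.listen(5)
        while True:
            conn, (src_ip, _) = srv.accept()
            verdict = handle_connection(conn)
            if verdict.is_code_red:
                print(abuse_log_line(src_ip, verdict))
                print("would run:", " ".join(net_send_argv(src_ip, "Your host is infected with Code Red")))


# Constructed samples (not captures) with the shape of the worm's request line.
SAMPLE_CODE_RED = (b"GET /default.ida?" + b"N" * 224 +
                   b"%u9090%u6858%ucbd3%u7801=a HTTP/1.0\r\n\r\n")
SAMPLE_NORMAL = b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    run_bait()
```

`classify_request` deliberately treats a short `/default.ida` query as benign, since an ordinary (if unusual) request for that path is not evidence of infection; only the filler run plus the path is.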