[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <003501c365b7$454d9a00$2b02a8c0@dcopley>
From: dcopley at eeye.com (Drew Copley)
Subject: Why Fixer Worms Are A Bad Idea RE: [UPDATE] ping floods
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Sam Pointer
> Sent: Monday, August 18, 2003 9:15 AM
> To: 'Abraham, Antony (Cognizant)'; B3r3n@...osnet.com;
> full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] [UPDATE] ping floods
>
>
> Antony Abraham wrote:
> >
> >http://vil.nai.com/vil/content/v_100559.htm
> >
> >New RPC worm which will generate lot of ICMP traffic.
>
> Well I guess it would appear from this portion of NAI's
> analysis that someone was listening to the thread on this
> list about writing an anti-blaster worm:
>
> "The worm carries links to various patches for the MS03-026
> vulnerability: ... The worm attempts to download and install
> one of these patches on the victim machine."
>
Everytime a worm comes out, people talk about making fixer worms. It is
a natural thought.
It is not a well thought out thought, though.
It is very time consuming to make worms. It is very difficult to test
worm code. Most developer's do not test their worm code, as is obvious
from their work.
The problem with the "fixer" idea is that the worm will still consume
bandwidth and cause these sorts of problems. In this case, it causes
ping floods. I wonder if it downloads the right patch. If it does not
detect the OS properly and downloads the wrong patch, then it has done
nothing but act as any other virus. The reports on the worm do note that
it sends some systems into the infinite reboot loop problem. That is not
a good thing.
If someone really wants to spend four, five, twelve hours, even more...
Writing a fixer worm, their time would far be better served berating
people to upgrade their systems... And berating vendors to better
protect their users.
Powered by blists - more mailing lists