Message-ID: <003501c365b7$454d9a00$2b02a8c0@dcopley>
From: dcopley at eeye.com (Drew Copley)
Subject: Why Fixer Worms Are A Bad Idea RE: [UPDATE] ping floods


> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Sam Pointer
> Sent: Monday, August 18, 2003 9:15 AM
> To: 'Abraham, Antony (Cognizant)'; B3r3n@...osnet.com; 
> full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] [UPDATE] ping floods
> 
> 
> Antony Abraham wrote:
> >
> >http://vil.nai.com/vil/content/v_100559.htm
> >
> >New RPC worm which will generate a lot of ICMP traffic.
> 
> Well I guess it would appear from this portion of NAI's 
> analysis that someone was listening to the thread on this 
> list about writing an anti-blaster worm:
> 
> "The worm carries links to various patches for the MS03-026 
> vulnerability: ... The worm attempts to download and install 
> one of these patches on the victim machine."
> 


Every time a worm comes out, people talk about making fixer worms. It is
a natural thought.

It is not a well thought out thought, though. 

It is very time-consuming to make worms. It is very difficult to test
worm code. Most developers do not test their worm code, as is obvious
from their work.

The problem with the "fixer" idea is that the worm will still consume
bandwidth and cause these sorts of problems. In this case, it causes
ping floods. I wonder if it downloads the right patch. If it does not
detect the OS properly and downloads the wrong patch, then it has done
nothing but act as any other virus. The reports on the worm do note that
it sends some systems into the infinite reboot loop problem. That is not
a good thing.

If someone really wants to spend four, five, twelve hours, even more...
writing a fixer worm, their time would be far better served berating
people to upgrade their systems... and berating vendors to better
protect their users.




