Re: CodeRedII worm..

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Mon Aug 06 2001 - 00:19:01 PDT

    Valdis.Kletnieksat_private wrote:
    
    > Given that initial analysis of the CodeRedII worm indicates that it leaves
    > a backdoor laying around, I hereby request that those people who made
    > lists of infected hosts available last time *NOT* do so again.
    
    Hear, hear...
    
    (I already expressed this opinion privately to the list moderator 
    well before Valdis' post appeared.)
    
    > Although said lists *were* helpful in the analysis and study of the worm's
    > tactics, the benefits are certainly outweighed by the fact that the new
    > worm creates a known backdoor.  I'm certain that both the CodeRedII author
    > and other black hats would love for us to compile a list of afflicted hosts
    > for them to use.
    
    Indeed!
    
    I'd say there is a high probability that the writers of this new worm
    almost expected that such detailed lists, or at least enough information
    for where fertile hunting would be ("we are seeing lots of probes
    from ShonkyISP.net" tells the bad guys to scan IP blocks belonging to
    that provider...), would be publicly posted by people "trying to
    help".  And, if not publicly posted, such information may be "leaked"
    (as in DShield's break-down of "most commonly seen domains" for the
    earlier CodeRed variants).
    
    > So please everybody - if you're sending IP's in to be added to a table,
    > make sure you're sending them to a white hat, not to a black hat who's
    > managed to social-engineer you.  If you're a white hat compiling a list,
    > make sure the guy's hat is at least a light grey before you give them
    > a copy. ;)
    
    8-)
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:33:30 PDT