-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sven,

Robert T. Morris did not send what he created onto arpanet, if I recall correctly. Someone else made that mistake. Hence the reason he got the light punishment (community service) he did instead of the severe incarceration many *demanded* that he get. Intent is everything in the US courts! Try as they might, the FBI could not prove Robert "intended" to do harm.

That aside. You conjecture that if code-red were your worm, you would have let it run in "stealth" mode for some time and collect stuff. How do you (we) not know that this is what has been done and that what we all have seen in the past few weeks wasn't the/a visible part of the "silent running" activities? Just a test of what is potentially to come? Just a thought.

At any rate. I was never content to let what I called "ShareAware" malware run rampant on my organization's network and created scanning tools to search for vulnerable systems and malware on exposed systems. I'm curious how many of you are doing likewise? I have my take on this on my web page if you need more insight before answering.

Pete Sherwood
PGP and Thawte digital keys available @ http://members.home.net/petersherwood/

NOTE: when I first replied to the message from Sven, somehow it got converted to MIME and I am now resending this in plain text. Sorry if you get any double receipts.

----- Original Message -----
From: Sven van 't Veer
To: Pete Sherwood
Cc: Dom De Vitto ; Patrick Smallwood ; SECURITY-BASICSat_private ; vuln-devat_private
Sent: Thursday, July 26, 2001 2:24 PM
Subject: Re: A code red that could bring down the net?

Although the explanation is correct, the fact that it caused "geometric explosion of copies" was due to a bug in the code. RTM did not test his worm before sending it onto the arpanet. It was not his intention to bring down arpanet, but just to see how many hosts he would be able to infect.

As I remember correctly, it was supposed to run just a couple of threads on each host, but due to some mistake in calculation it just kept replicating itself. If the worm had done what it was supposed to do it might not even have been noticed until weeks after its release. The same could have been true for the code-red worm. Not many sysops running NT/W2K web servers would notice one or two processes that hardly use any system resources. If it were my worm I would have done it that way and let it run in the wild for a couple of months and collect data on the number of infected hosts and when satisfied, have it do whatever DOS it's supposed to do.

sven

OK. Here is one explanation:

In 1988, the ARPANET had its first automated network security incident, usually referred to as "the Morris worm" (4). A student at Cornell University (Ithaca, NY), Robert T. Morris, wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. Both the original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPANET. This "self-replicating automated network attack tool" caused a geometric explosion of copies to be started at computers all around the ARPANET. The worm used so many system resources that the attacked computers could no longer function. As a result, 10% of the U.S. computers connected to the ARPANET effectively stopped at about the same time.

See: http://www.cert.org/encyc_article/tocencyc.html

Dom

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO2CHKromytMtxLfsEQKYEgCg9bm0XfSTEfzGw4dpAtdPLrRkmLwAoKcX
zEbGb7OMGT45Mq9c3masRczO
=ArmH
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 15:04:18 PDT
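Sven's point that a sysop "would not notice one or two processes that hardly use any system resources" and Pete's habit of scanning his own network for compromised systems suggest the same defensive check: compare what is running against a recorded baseline instead of looking only at what is busy. The script below is an added example and is not code from this thread or from any of its posters. The snapshot format, the two snapshots, and the process name svchost32.exe are constructed for the example; the baseline-versus-current comparison keys on both image name and path so that a familiar name launched from an unusual directory is still flagged.

```python
"""Baseline process inventory diff (added example; constructed data).

Flags processes that are not in a recorded known-good inventory, regardless
of how little CPU they use, and contrasts that with a CPU-threshold view that
would miss a quiet process entirely.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Proc:
    name: str   # image name as listed by the host
    path: str   # full path of the image on disk
    cpu: float  # percent CPU over the sampling interval


# Constructed snapshot format: "<name> <path> <cpu>", one process per line.
# The baseline is what an administrator would record right after building
# the server; the current snapshot is the same host some weeks later.
BASELINE_SNAPSHOT = r"""
# constructed baseline, recorded when the server was built
inetinfo.exe   C:\WINNT\system32\inetsrv\inetinfo.exe   0.0
services.exe   C:\WINNT\system32\services.exe           0.0
lsass.exe      C:\WINNT\system32\lsass.exe              0.0
"""

CURRENT_SNAPSHOT = r"""
# constructed later snapshot of the same host
inetinfo.exe   C:\WINNT\system32\inetsrv\inetinfo.exe   1.2
services.exe   C:\WINNT\system32\services.exe           0.1
lsass.exe      C:\WINNT\system32\lsass.exe              0.0
svchost32.exe  C:\WINNT\system32\svchost32.exe          0.3
lsass.exe      C:\WINNT\Temp\lsass.exe                  0.2
"""


def parse_snapshot(text: str) -> list[Proc]:
    """Parse the constructed listing; blank lines and '#' comments are skipped."""
    procs: list[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rest, cpu = line.rsplit(None, 1)   # CPU is the last field
        name, path = rest.split(None, 1)   # path may contain spaces
        procs.append(Proc(name, path, float(cpu)))
    return procs


def baseline_keys(procs: Iterable[Proc]) -> set[tuple[str, str]]:
    """Identity of a known-good process is (name, path), case-folded."""
    return {(p.name.lower(), p.path.lower()) for p in procs}


def find_unexpected(baseline: set[tuple[str, str]], current: Iterable[Proc]) -> list[Proc]:
    """Every process whose (name, path) pair was not in the baseline."""
    return [p for p in current if (p.name.lower(), p.path.lower()) not in baseline]


def busy_processes(current: Iterable[Proc], threshold: float) -> list[Proc]:
    """The resource-usage view: only processes at or above the CPU threshold."""
    return [p for p in current if p.cpu >= threshold]


def report(baseline_text: str = BASELINE_SNAPSHOT,
           current_text: str = CURRENT_SNAPSHOT,
           cpu_threshold: float = 5.0) -> dict[str, list[Proc]]:
    """Run both views over the snapshots and return their findings."""
    base = baseline_keys(parse_snapshot(baseline_text))
    cur = parse_snapshot(current_text)
    return {
        "unexpected": find_unexpected(base, cur),
        "busy": busy_processes(cur, cpu_threshold),
    }


if __name__ == "__main__":
    findings = report()
    print("Not in baseline (flag regardless of CPU):")
    for p in findings["unexpected"]:
        print(f"  {p.name:<14} {p.path}  cpu={p.cpu}")
    print("Above CPU threshold:", [p.name for p in findings["busy"]] or "none")
```

Run as a script it prints the two processes missing from the baseline (the unknown image and the second lsass.exe running from a Temp directory) while the CPU view reports nothing, which is the blind spot Sven describes. In practice the baseline would be taken from a freshly built host and stored somewhere the host itself cannot rewrite.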