Re: AW: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

From: Patrick Patterson (ppattersonat_private)
Date: Fri Sep 07 2001 - 06:06:50 PDT


    
    On September 6, 2001 02:24 pm, Markus Kern wrote:
    > Steinhart Alexander wrote:
    > > >Clever tool with immoral, unethical and possibly illegal use.
    > >
    > > I would not like to discuss here the moral... It's question of the time
    > > and a (Anti)Worm is free, but I don't hope this a Scriptkiddy who set a
    > > beta version into the world...
    > >
    > > My question, whether it participates meaningful one antiworm, to let
    > > stop at a certain time and not with a certain percentage (I hope
    > > millionth... part) of found servers to "patch"?
    >
    > I don't know if I've fully understood you but I think you're asking if it
    > wouldn't be better to make an anti-worm stop after a certain percentage
    > of hosts have been patched than after a certain time has passed.
    >
    > Assuming that the malicious worm is scanning the net randomly the anti-worm
    > could monitor the frequency of intrusion attempts and shut itself down if
    > the rate falls below a certain threshold.
    >
    
    In cases where we have some pretty good statistics about the propagation and
    saturation of a given worm, if you were going to write such a worm (and I'll
    leave that debate to others more versed in ethics and law than myself),
    wouldn't it be the best idea to have it shut down (permanently) at
    SATURATION_TIME(target_worm)+a short time - so in this case, CodeGreen should
    have been programmed to shut down no more than 6 days after infecting a box.
    
    
    - --
    
    Patrick Patterson			Tel: (514) 485-0789
    Chief Security Architect		Fax: (514) 485-4737
    Carillon Information Security Inc.	E-Mail: ppattersonat_private
    - -----------------------------------------------------------------------
    		The New Sound of Network Security
    		     http://www.carillonIS.com
    
    
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 11:52:04 PDT
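The thread above proposes using the rate of intrusion attempts as the signal that an outbreak has passed saturation. The following is an added example, not code from any poster or from CodeGreen, showing how a defender can measure that signal from a web server's own access log. The Common Log Format input, the threshold values and all function names are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Code Red probes request /default.ida followed by a long filler run (N, or X in Code Red II).
PROBE = re.compile(r'"GET /default\.ida\?[NX]{20,}')
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")
FMT = "%d/%b/%Y:%H:%M:%S"

def hourly_rates(lines):
    """Return [(hour, probe_count)] for every hour from first to last probe, gaps as 0."""
    counts = Counter()
    for line in lines:
        stamp = STAMP.search(line)
        if stamp and PROBE.search(line):
            t = datetime.strptime(stamp.group(1), FMT)
            counts[t.replace(minute=0, second=0)] += 1
    if not counts:
        return []
    hour, last, rates = min(counts), max(counts), []
    while hour <= last:
        rates.append((hour, counts[hour]))  # Counter yields 0 for silent hours
        hour += timedelta(hours=1)
    return rates

def subsided_at(rates, threshold, quiet_hours):
    """Start of the first run of quiet_hours consecutive hours below threshold
    that follows an active hour, or None. Hours before the outbreak are ignored."""
    active, run = False, 0
    for hour, n in rates:
        if n >= threshold:
            active, run = True, 0       # a resurgence resets the quiet run
        elif active:
            run += 1
            if run == quiet_hours:
                return hour - timedelta(hours=quiet_hours - 1)
    return None

def sample_log():
    """Constructed access log: probes per hour from 2001-09-01 00:00, plus benign hits."""
    base, lines, filler = datetime(2001, 9, 1), [], "N" * 224
    for h, n in enumerate([1, 6, 9, 7, 2, 0, 5, 1, 0, 1]):
        for i in range(n):
            t = (base + timedelta(hours=h, minutes=i)).strftime(FMT)
            lines.append(f'192.0.2.{i + 1} - - [{t} +0000] "GET /default.ida?{filler}%u9090 HTTP/1.0" 404 -')
        t = (base + timedelta(hours=h)).strftime(FMT)
        lines.append(f'198.51.100.7 - - [{t} +0000] "GET /index.html HTTP/1.0" 200 512')
    return lines

if __name__ == "__main__":
    print(subsided_at(hourly_rates(sample_log()), threshold=3, quiet_hours=3))
```

In the constructed data a two-hour lull is followed by a resurgence, so a short quiet window declares the outbreak over too early; a longer window waits for the sustained decline.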