Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

From: Colm MacCárthaigh (colmmacc@Redbrick.DCU.IE)
Date: 01/26/03

  • Next message: Jason Coombs: "RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!" 
    Date: Sat, 25 Jan 2003 23:37:53 +0000
From: Colm MacCárthaigh <colmmacc@Redbrick.DCU.IE>
To: Jason Coombs <jasonc@science.org>

    On Sat, Jan 25, 2003 at 11:40:48AM -1000, Jason Coombs wrote:
    > As of now we don't know who wrote the worm, but we do know that it looks
    > like a concept worm with no malicious payload.

    The payload may not have been malicious to the host, but this does
    not imply a lack of malice. It certainly caused, and is causeing
    a large ammount of grief in the network sense.

    Given the steps taken to randomise the target IP address, it is
    highly likely that this worm was targetted at networks, not hosts.

    > There is a good argument to be made in favor of such worms.

    I'm afraid that your argument doesnt hold up to scrutiny. There is no
    logical reason why the rest of the non MS-SQL using world being
    affected by an MS-SQL bug (and an inadequecy on the part of MS-SQL
    admins) should be a good thing.

    If the worm had a malicious (in your terms) payload, it would have
    caused networks just as many problems (so no gain there), and more harm
    to MS-SQL users. Using your logic, surely this much more damaging
    experience would have cause MS-SQL admins to be more responsible in
    keeping up to date ? Or rather, more fearful of future exploits.

    As it is, MS-SQL admins may feel that since this bug did not affect
    them in any serious way (if you can follow that certain line of
    thought), they may assume the same thing about future exploits.

    When viewed from that perspective, this exploit is as malicious as
    possible to general internet infrastructure. Benign to the people who
    can do something about it, malicious to those who cannot. 

    -- 
colmmacc at redbrick.dcu.ie

    Relevant Pages