Re: Want to write a disinfection tool?

From: aleph1@securityfocus.com
Date: 08/06/01


Date: Sun, 5 Aug 2001 20:28:35 -0600
From: aleph1@securityfocus.com
To: "L. Christopher Paul" <lcp@bofh.sh>
Subject: Re: Want to write a disinfection tool?
Message-ID: <20010805202835.B9857@securityfocus.com>


* L. Christopher Paul (lcp@bofh.sh) [010806 02:21]:
> One question ... Mightn't this lead to a false sense of security?
>
> With the CRv1 or CRv2 I can see this as being appropriate, but with CRII
> creating backdoors and then broadcasting the vulnerability, the incidence
> of compromises beyond the initial worm infestation is incredibly high.
>
> By automating a 'fix', and not rebuilding the box, there is no guarantee
> that the box is safe to be re-connected to the network; only that the worm
> is gone and that it can't be re-infected.
>
> If such a tool is built (which isn't all bad), it needs to be shipped with
> a big 'ole warning to that effect.

Agreed. If anyone developed such a tool and if we decided to point people
to it from our warning message to administrators of possibly infected
machines we would add such a warning. But realistically speaking we are
talking about the same folks who have failed to patch their systems
after two highly publicized worms. The chances of them going through
the trouble of reinstalling the whole system are not very good. It's
good to give them an easy option that at the very least closes the
hole and hope that the machine had not yet been found by an attacker
and modified further.

> --lcp

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
