Re: "Nimda"?

From: Greg Williamson (n120476@phaedrus.national.com.au)
Date: 02/28/02


Date: Thu, 28 Feb 2002 14:48:26 +1100 (EST)
From: Greg Williamson <n120476@phaedrus.national.com.au>
To: jdyson@treachery.net, woods@weird.com


>> I've found that the best defense is a good offense, so I have an
>> automated notification facility in place that acts as a decoy. When
>> either Code Red or Nimda hit my servers, the owner of the netblock is
>> immediately notified that their systems are being used as an attack
>> platform against other machines.
>
>Your "best offence" is in fact a dangerous mechanism that could be
>turned into a D.o.S. tool if it were poorly implemented and then widely
>deployed through social engineering attempts (such as your message
>above).
>
>Please DO NOT EVER implement or deploy automated notification systems
>without tightly integrating into them full summarisation features and
>mechanisms to avoid sending more than one notification to a given
>address at any frequency more often than once per day, and
>preferably no more often than once per week (esp. after the initial day
>of a widespread infection).

Summary type email (like that in ARIS) is good, but for something that leaves an
open door behind it (such as Code Red) it can be better to use that back-door to
your advantage. With CodeRed, I cobbled together an automated response that
notified the netblock administrator, but also used the root.exe hole to put a
WinPopup box on the infected machine. That was fairly effective.

Greg.
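The summarising, rate-limited notifier that the quoted reply asks for, as an added example (not Greg's script, not ARIS code): it matches Code Red and Nimda probe lines out of a Common Log Format web log, maps the source address to a netblock contact, sends the first report for a netblock at once and then holds further hits back until a full day has passed, at which point they go out as one summary. The log lines, the netblock-to-contact table and the `abuse@example.*` addresses are constructed for the example (a real deployment would look the contact up in whois); the worm request signatures are the commonly documented probe strings. The "use the back door against the infected host" part of Greg's response is deliberately not reproduced.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Request-line signatures of the two worms in the thread: Code Red probed
# /default.ida with a long run of N (or X) bytes; Nimda asked for the root.exe
# back door or for cmd.exe, directly or via "..%255c.." style traversal.
WORM_SIGNATURES = {
    "CodeRed": re.compile(r"^GET /default\.ida\?[NX]{20,}"),
    "Nimda": re.compile(r"^GET \S*(?:root\.exe|/winnt/system32/cmd\.exe)\?/c\+dir"),
}
# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
# Constructed netblock-to-contact table standing in for a whois lookup.
CONTACTS = [
    (ipaddress.ip_network("10.1.0.0/16"), "abuse@example.net"),
    (ipaddress.ip_network("192.0.2.0/24"), "abuse@example.com"),
]


def contact_for(ip):
    """Abuse contact for the netblock containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in CONTACTS if addr in net), None)


def classify(line):
    """Return an event dict if the log line is a worm probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, stamp, request, _status = m.groups()
    for worm, sig in WORM_SIGNATURES.items():
        if sig.search(request):
            return {"time": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
                    "src": src, "worm": worm, "request": request}
    return None


class RateLimitedNotifier:
    """Per-contact queue that emits at most one summary per min_interval.

    The first hit from a netblock is reported at once; later hits accumulate
    and go out together once the interval has elapsed, so a flood of infected
    hosts cannot turn the notifier into a mail bomb aimed at the contact.
    """

    def __init__(self, min_interval=timedelta(days=1)):
        self.min_interval = min_interval
        self.last_sent = {}               # contact -> time of last notification
        self.pending = defaultdict(list)  # contact -> hits not yet reported
        self.sent = []                    # summaries that would be mailed
        self.unresolved = []              # hits with no known contact

    def record(self, event):
        contact = contact_for(event["src"])
        if contact is None:
            self.unresolved.append(event)
            return None
        self.pending[contact].append(event)
        last = self.last_sent.get(contact)
        if last is not None and event["time"] - last < self.min_interval:
            return None                   # suppressed; kept for the next summary
        return self._flush(contact, event["time"])

    def _flush(self, contact, now):
        events = self.pending.pop(contact)
        by_worm = dict(Counter(e["worm"] for e in events))
        sources = sorted({e["src"] for e in events})
        first = min(e["time"] for e in events)
        body = (f"{len(events)} worm probe(s) from your netblock "
                f"{first:%Y-%m-%d %H:%M} to {now:%Y-%m-%d %H:%M}: "
                + ", ".join(f"{w}={n}" for w, n in sorted(by_worm.items()))
                + "; hosts: " + ", ".join(sources))
        summary = {"to": contact, "time": now, "count": len(events),
                   "by_worm": by_worm, "sources": sources, "body": body}
        self.last_sent[contact] = now
        self.sent.append(summary)
        return summary


def process_log(lines, notifier):
    """Feed every matching line to the notifier; return the detected events."""
    events = [ev for ev in map(classify, lines) if ev]
    for ev in events:
        notifier.record(ev)
    return events


# Constructed sample log (CLF; RFC 1918 and documentation addresses, Code Red
# payload abbreviated). Six worm probes, one benign request.
SAMPLE_LOG = [
    '10.1.2.3 - - [18/Sep/2001:14:10:11 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.1.2.3 - - [18/Sep/2001:14:10:12 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.1.9.9 - - [18/Sep/2001:14:30:00 +1000] "GET /default.ida?' + "N" * 60 + '%u9090 HTTP/1.0" 400 -',
    '192.0.2.7 - - [18/Sep/2001:15:00:00 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.5 - - [18/Sep/2001:15:05:00 +1000] "GET /default.ida?' + "X" * 60 + '%u9090 HTTP/1.0" 400 -',
    '198.51.100.1 - - [18/Sep/2001:15:06:00 +1000] "GET /index.html HTTP/1.0" 200 1234',
    '10.1.2.3 - - [19/Sep/2001:14:10:11 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
]


def run_sample():
    """Run the sample log through a once-per-day notifier."""
    notifier = RateLimitedNotifier()
    return process_log(SAMPLE_LOG, notifier), notifier


if __name__ == "__main__":
    events, notifier = run_sample()
    print(f"{len(events)} probes, {len(notifier.sent)} notifications, "
          f"{len(notifier.unresolved)} without a contact")
    for s in notifier.sent:
        print(f"-> {s['to']}: {s['body']}")
```

On the sample log this produces three notifications rather than six: the first Nimda hit from 10.1.0.0/16 goes out immediately, the next two probes from that netblock (a second Nimda hit and a Code Red hit from a different host) are held, and the hit exactly one day later carries all three as a single summary. The probe from 203.0.113.5 has no contact and is parked in `unresolved` instead of being mailed anywhere, which is the other half of not letting a forged or unmappable source turn the notifier into a mail bomb.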

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com