RE: Publishing Nimda Logs - Summary

From: Jim Harrison (SPG) (jmharr@microsoft.com)
Date: 05/08/02


Date: Wed, 8 May 2002 11:39:05 -0700
From: "Jim Harrison (SPG)" <jmharr@microsoft.com>
To: "Deus, Attonbitus" <Thor@HammerofGod.com>, <INCIDENTS@SECURITYFOCUS.COM>

Hi Tim,

- First, reverse-patching a Nimda-infected host will certainly build up
your futility muscles.
Simply "fixing" the IIS and code-red vulns that *may* have allowed it in
do nothing to alleviate the cancer that it spreads once it has a
foothold on the system.
- Second, if the poor sap was infected due to browsing / email / net
share habits elsewhere, it'll be back on that host in short order
anyway.

..better that you try to notify, then publicize the "offender".

* Jim Harrison
MCP(NT4, 2K), A+, Network+
Services Platform Group

The burden of proof is not satisfied by a lack of evidence to the
contrary.

-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
Sent: Wednesday, May 08, 2002 07:35
To: INCIDENTS@SECURITYFOCUS.COM
Subject: Publishing Nimda Logs - Summary

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

First, I would like to thank everyone who took the time to reply, both
publicly and privately. I appreciate the feedback.
Vuln-Dev has been the most interactive with this thread, so if you have
more to add, please post to vuln-dev or privately to save on moderation.

Recap:
I would say that > 90% of all the responses support publishing the
list. Many of those stipulated that I should warn people first, and
only
post them after no action was taken. Additional ideas were to post a
'history' of contacts and actions taken. Some people are already
posting
such a list, and many of you offered to post your own logs if I make it
available. Many were also exuberant about it with "Hell Yeah!" type
posts-
this speaks to the level of frustration out there.

A very small majority of people, about 4%, said it was a Very Bad Idea
as
blackhats could use the list as a source for DDoS host candidates. I
agree
with Jay Dyson and others in that this information is already easily
available to anyone with an Internet connection if that is what they are

looking for. Just last November, Dug Song published papers showing that

Nimda probes, globally, were at "roughly 5 *billion* attempts per
day." Anyone with half a clue that was looking for bots could actively
gather information in far greater quantities than what would be on my
list. I can only imagine what the aggregate waste of bandwidth is at
that
level! I do not believe that withholding the list because it could be
used
maliciously is valid.

The rest, about 6% or so, said to ignore it, spend the time securing
your
systems, or to just silently blackhole the offenders.

Things learned:
1) ARIN is reportedly a bad source, or at least, outdated source, of
contact info.
2) Jay also has a *nix product called EarlyBird, which will look up the
contact info for you to email offenders.
http://www.treachery.net/~jdyson/earlybird/
3) www.dshield.org maintains information like this, and allows you to
post
logs to them.
4) Jonathan Bloomquist and others actively connect to offenders to send
net
messages to the console. Pretty cool.

Next Step:
I will probably proceed with my project, taking into account the
suggestions of the posters. One thing now interests me more... In the
vein of JBloomquist's post and another poster who said to
reverse-patch the systems, I am willing to peek into Pandora's Box and
explore that precise option-
Waiting for an attack, and then reverse-patching the box. Please don't
tell me about the legal ramifications- I don't care about that yet.
What I
would like to know is if anyone has such an animal, or how one would go
about reverse-patching an attacking system-- I can't write that code,
but
would really like to try it out.

Thanks to all for your help.

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPNk3oIhsmyD15h5gEQKAKACg5ooNMBmtill1Pt1K4PUUrewa/d0AnjFu
Z1A93Vv4TneEr+QM6ewoRXs0
=hVJ+
-----END PGP SIGNATURE-----

------------------------------------------------------------------------

----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • Publishing Nimda Logs - Summary
    ... or to just silently blackhole the offenders. ... suggestions of the posters. ... Waiting for an attack, and then reverse-patching the box. ...
    (Focus-Microsoft)
  • Publishing Nimda Logs - Summary
    ... or to just silently blackhole the offenders. ... suggestions of the posters. ... Waiting for an attack, and then reverse-patching the box. ...
    (Vuln-Dev)
  • Publishing Nimda Logs - Summary
    ... please post to vuln-dev or privately to save on moderation. ... or to just silently blackhole the offenders. ... suggestions of the posters. ... and then reverse-patching the box. ...
    (Incidents)