Re: A code red that could bring down the net?
From: Meritt James (meritt_james@bah.com)
Date: 07/27/01
- Previous message: Jose Nazario: "Re: A code red that could bring down the net?"
- In reply to: Pete Sherwood: "Re: A code red that could bring down the net?"
- Next in thread: emerson.c.tan@ca.andersen.com: "RE: Update to "Code Red" Worm. Its a date bomb, not time."
Message-ID: <3B6169FB.604D88C3@bah.com>
Date: Fri, 27 Jul 2001 09:17:48 -0400
From: "Meritt James" <meritt_james@bah.com>
To: Pete Sherwood <petersherwood@home.com>
Subject: Re: A code red that could bring down the net?
He claimed it "got away from him" and he didn't intend it to get away.
The (mostly unsuccessful) attempts he took to contact folks afterward
were taken into account.
There were a number of screw-ups in the code of the RTM Worm.
Don't you love thought crimes? What you DID matters less than what you
intended, were thinking about before, your current state of regret,...
- all thoughts.
Pete Sherwood wrote:
>
>
> Sven,
>
> Robert T. Morris did not send what he created onto arpanet, if I recall
> correctly.
> Someone else made that mistake. Hence the reason he got the light 20
> punishment (community service) he did instead of the severe incarceration
> many *demanded* that he get. Intent is everything in the US courts! Try as
> they might, the FBI could not prove Robert "intended" to do harm.
>
> That aside.
>
> You conjecture that if code-red were your worm, you would have let it run
> in "stealth" mode for some time and collect stuff. How do you (we) not know
> that this is what has been done and that what we all have seen in the past
> few weeks wasn't the/a visible part of the "silent running" activities?
> Just a test of what is potentially to come?
>
> Just a thought.
>
> At any rate. I was never content to let what I called "ShareAware" malware
> run rampant on my organization's network and created scanning tools to
> search for vulnerable systems and malware on exposed systems. I'm curious
> how many of you are doing likewise? I have my take on this on my web page
> if you need more insight before answering.
>
> Pete Sherwood
> PGP and Thawte digital keys available @
> http://members.home.net/petersherwood/
>
> NOTE: when I first replied to the message from Sven, somehow it got
> converted to MIME and I am now resending this in plain text. Sorry if you
> get any double receipts.
>
> - - - ----- Original Message -----
> From: Sven van 't Veer
> To: Pete Sherwood
> Cc: Dom De Vitto ; Patrick Smallwood ; SECURITY-BASICS@securityfocus.com ; vuln-dev@securityfocus.com
> Sent: Thursday, July 26, 2001 2:24 PM
> Subject: Re: A code red that could bring down the net?
>
> Although the explanation is correct, the fact that it caused "geometric
> explosion of copies" was due to a bug in the code. RTM did not test his
> worm before sending it onto the arpanet. It was not his intention to bring
> down arpanet, but just to see how many hosts he would be able to infect.
> As I remember correctly, it was supposed to run just a couple of threads on
> each host, but due to some mistake in calculation it just kept replicating
> itself. If the worm had done what it was supposed to do it might not even
> have been noticed until weeks after its release.
>
> The same could have been true for the code-red worm. Not many sysops
> running NT/W2K web servers would notice one or two processes that hardly
> use any system resources.
>
> If it were my worm I would have done it that way and let it run in the
> wild for a couple of months and collect data on the number of infected
> hosts and when satisfied, have it do whatever DOS it's supposed to
> do.
>
> sven
>
> OK. Here is one explanation:
>
> In 1988, the ARPANET had its first automated
> network security incident, usually referred to as "the Morris worm" (4). A
> student at Cornell University (Ithaca, NY), Robert T. Morris, wrote a
> program that would connect to another computer, find and use one of
> several vulnerabilities to copy itself to that second computer, and
> begin to run the
> copy of itself at the new location. Both the original code and the copy
> would then repeat these actions in an infinite loop to other computers on
> the ARPANET. This "self-replicating automated network attack tool" caused a
> geometric explosion of copies to be started at computers all around the
> ARPANET. The worm used so many system resources that the attacked
> computers could no longer function. As a result, 10% of the U.S. computers
> connected to the ARPANET effectively stopped at about the same time.
>
> See: http://www.cert.org/encyc_article/tocencyc.html
>
> Dom
>
--
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566