RE: Publishing Nimda Logs

From: Seymour, Keith (KESeymour@magellanhealth.com)
Date: 05/09/02


From: "Seymour, Keith" <KESeymour@magellanhealth.com>
To: "'Healy, S. S., CTM2'" <sshealy@nsgasg.navy.mil>, "'vuln-dev@securityfocus.com'" <vuln-dev@securityfocus.com>
Date: Thu, 9 May 2002 12:18:51 -0500 

Steve,

It was done almost immediately; those infected hosts are wide open to be
used - or patched. The consensus then was a worm is a worm, and by any other
name it will still get you jail time.

"On September 1, someone posted to BugTraq the code to Code Green. The code,
which ostensibly fixes systems that are still infected with the Code Red
virus, was left for users to assemble and use--if they wanted. The author,
Herbert HexXer, added the following: "I will not take responsibility for any
damage that might be caused by this code. Be sure to have understood the
code and it's [sic] purpose before beginning to play with it." Another post
included the code for CRclean, which was deliberately broken by its author,
Markus Kern. Both were intended to force the issue: either you patch your
system, or I will find a way to do it for you. "

Quote from this article -

http://zdnet.com.com/2100-1107-504040.html?legacy=zdnn

-----Original Message-----
From: Healy, S. S., CTM2 [mailto:sshealy@nsgasg.navy.mil]
Sent: Wednesday, May 08, 2002 10:01 AM
To: 'vuln-dev@securityfocus.com'; 'dufresne@winternet.com'
Subject: RE: Publishing Nimda Logs

I'm just waiting for the day where a sysadmin gets fed up with being scanned
by NIMDA and rewrites NIMDA to start patching the systems it infects.

What would you call such a beast, a retro-virus or an anti-virus virus?

-Steve-

-----Original Message-----
From: Ron DuFresne [mailto:dufresne@winternet.com]
Sent: Tuesday, May 07, 2002 6:48 PM
To: Chip McClure
Cc: Deus, Attonbitus; vuln-dev@securityfocus.com
Subject: Re: Publishing Nimda Logs

I've also pretty much given up on trying to clue folks to nimda issues
they still have, same with code red variants which are still plentiful.
I've started to blackhole whole IP blocks due to this problem. Some
companies, even when notified of their systems compromise and their
being used to further attack other systems don't even take the time to
either investigate or repair such systems. We've taken to having to
block the whole netspace for many sites, such as the City of Ashland in
Oregon, (NETBLK-SPRINT-D00150-2) SPRINT-D00150-2 208.1.80.0 -
208.1.83.255, whose systems are so infested with code-red and nimda
variants and who fail as well as Sprint, their upstream provider, in
taking any action about their systems attacks on others on the Internet
infamous highway. We tried to actually call and talk to their techs and
were rudely hung up on, this after over 6 months of notifications to them
and their upstream ISP Sprint. Although Jose Nazario does mention these
systems can be 0w3d after a publication of IP's of infected systems, I'm
at this point not caring if they get taken. They are a pain and further
spreading their problem as it is. I suspect many of these systems are at
least partially 0w3d and used as DDOS mechanisms already. The hall of
shame list should include the ISP's in question too, the upstreams have
been notified as well as the direct offender, most many times over many
months. Nothing else has worked...

Thanks,

Ron DuFresne
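Ron's message describes blackholing an entire netblock once its infected hosts keep scanning and notifications go unanswered. The script below is an added example, not code from anyone in this thread: it converts the whois-style range he quotes into CIDR, groups scanning source addresses by their enclosing /22, and emits Linux null-route commands only for blocks with several distinct infected hosts. The log lines are constructed sample input, and the /22 grouping and three-host threshold are assumptions an operator would tune.

```python
"""Group worm-scan sources by netblock and emit null-route commands.

Added example (not from the vuln-dev thread). It assumes an operator already
has a list of source IPs seen probing for Nimda/Code Red, one per line with a
timestamp, and wants to decide which whole netblocks to blackhole.
"""
import ipaddress
from collections import defaultdict

# Constructed sample input (timestamp, source IP); not real log data.
SAMPLE_LOG = """\
2002-05-07T10:00:01 208.1.80.14
2002-05-07T10:00:09 208.1.81.200
2002-05-07T10:01:33 208.1.83.7
2002-05-07T10:02:00 10.9.8.7
2002-05-07T10:05:12 208.1.82.99
2002-05-07T10:06:45 10.9.8.7
"""


def range_to_cidrs(first, last):
    """Convert an inclusive IP range (as quoted from whois) to CIDR blocks."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def offenders_by_block(log_text, prefixlen=22):
    """Map each enclosing /prefixlen network to the distinct source IPs seen in it."""
    blocks = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, ip = line.split()
        # strict=False masks host bits so any address maps to its network.
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[str(net)].add(ip)
    return dict(blocks)


def blackhole_candidates(blocks, min_hosts=3):
    """Only blocks with several distinct infected hosts are worth blocking whole;
    a single noisy host is better handled with a /32 or a notification."""
    return sorted(net for net, hosts in blocks.items() if len(hosts) >= min_hosts)


def null_route_commands(nets):
    """Render iproute2 null routes; 'blackhole' is a real route type in `ip route`."""
    return [f"ip route add blackhole {net}" for net in nets]


if __name__ == "__main__":
    print(range_to_cidrs("208.1.80.0", "208.1.83.255"))
    blocks = offenders_by_block(SAMPLE_LOG)
    for cmd in null_route_commands(blackhole_candidates(blocks)):
        print(cmd)
```

The candidate list is meant to be reviewed before any route is installed; the point of the threshold is that the single repeat offender at 10.9.8.7 never causes its whole /22 to be dropped, while the Sprint block from the message does.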


