Sobig.f surprise attack today

Owen DeLong owen at delong.com
Thu Aug 28 15:18:34 UTC 2003


Again, I am not proposing a worm.  Simply a cleaner that would neuter the
worm that connected.  What I am proposing would _ONLY_ provide software that,
if the connecting client chose to execute it, would neuter the worm on the
connecting client that executed it.  Nothing that would worm to other
computers from there.  That's high risk.

Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist
based on such connections to a honeypot.  Any system which made the correct
request could then have its address published via BGP or DNS for ISPs and
the like to do as they wish.

Again, I don't propose or advocate actively tampering with other people's
systems.  However, if someone comes to my website and asks for executable
code, then executes it, I do not feel that it is my responsibility to
provide them code which will not alter the contents of their system.
I also don't feel it is my responsibility to determine if their request
came from a human authorized to use the computer or a worm.

Owen


--On Friday, August 22, 2003 4:54 PM -0700 Doug Barton <DougB at dougbarton.net> wrote:

>
> On Fri, 22 Aug 2003, Owen DeLong wrote:
>
>> Sure, it won't happen in 30 minutes, but, I don't understand why this
>> wasn't started when F-Secure first noticed the situation.
>
> I seriously doubt that most (any?) ISP would be willing to accept the
> legal liability for altering anything on the computer of a third party
> that just happened to connect to an IP in a netblock they are
> responsible for. White worms are an elegant engineering concept, but
> have little practical value (and huge risk) outside of networks that you
> control directly.
>
> Doug
>
> --
> "You're walkin' the wire, pain and desire. Looking for love in between."
>
>     - The Eagles, "Victim of Love"




