North American Network Operators Group

Re: Sobig.f surprise attack today

  • From: Owen DeLong
  • Date: Thu Aug 28 12:35:12 2003


Again, I am not proposing a worm. Simply a cleaner that would neuter the
worm that connected. What I am proposing would _ONLY_ provide software that,
if the connecting client chose to execute it, would neuter the worm on the
connecting client that executed it. Nothing that would worm to other
computers from there. That's high risk.

Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist
based on such connections to a honeypot. Any system which made the correct
request could then have its address published via BGP or DNS for ISPs and
the like to do as they wish.

Again, I don't propose or advocate actively tampering with other people's
systems. However, if someone comes to my website and asks for executable
code, then executes it, I do not feel that it is my responsibility to
provide them code which will not alter the contents of their system.
I also don't feel it is my responsibility to determine if their request
came from a human authorized to use the computer or a worm.

Owen


--On Friday, August 22, 2003 4:54 PM -0700 Doug Barton <[email protected]> wrote:

On Fri, 22 Aug 2003, Owen DeLong wrote:

Sure, it won't happen in 30 minutes, but, I don't understand why this
wasn't started when F-Secure first noticed the situation.

I seriously doubt that most (any?) ISP would be willing to accept the
legal liability for altering anything on the computer of a third party
that just happened to connect to an IP in a netblock they are
responsible for. White worms are an elegant engineering concept, but
have little practical value (and huge risk) outside of networks that you
control directly.

Doug

--
"You're walkin' the wire, pain and desire. Looking for love in between."

    - The Eagles, "Victim of Love"