Full Disclosure mailing list archives
Re: Benign Worms
From: "Eric Paynter" <eric () arcticbears com>
Date: Sat, 14 May 2005 10:50:18 -0700 (PDT)
On Sat, May 14, 2005 9:30 am, Valdis.Kletnieks () vt edu said:
> Even if you *do* manage to code the worm correctly, all it takes is for *one* person visiting your site to have plugged their laptop into the net, and you're at least potentially screwed.
Hopefully as a minimum, one would code it to be limited to certain subnets. That way, even if it does get the laptop, when the laptop goes onto the Internet, it will not scan from the NIC with a public IP. It will just go dormant.
> And I posit that if your network is either small enough or run *that* fascistly that you are ready to swear on a Bible in court, under penalty of perjury, that you *know* everything that's connected to it, then you don't need a worm to fix it.
Fascistly? Well, maybe from a university point of view, where the networks tend to be more open. But for some corporate networks, the corporation owns all equipment on the network and has a legal responsibility to ensure the safety of the data on the network. That means forcing patches to all machines.

With all the exploits over the years that allow users to escalate privs, it's not too uncommon in medium and large corporations (several thousand or more desktops) that some users have taken over their desktops and removed the sysadmin's privs. If the corporation has a geographically distributed wide area network, it may be cost-prohibitive to send people to every site where one of these "rogue PCs" is detected, not to mention that some can be very difficult to detect. Non-technical enforcement (determining the user and escalating to HR) can also be difficult, especially when inter-divisional politics get in the way (surprise: most large corporations have very dysfunctional relationships inter-departmentally and especially inter-divisionally).

What's the easiest and fastest way to periodically sweep the network clean of these PCs, to meet the mandate of ISD to have everything patched, to avoid the politics of disciplining user X for breaking the rules, to just make it happen without all the argument? This is the line of reasoning that leads young support jockeys to consider benign worm development...

Although I would still suggest that a worm is not the way to go. Put the "hack and patch" functionality on a server and point the server at each subnet you want to target. Much safer. Much easier to control.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
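Both posts above turn on the same control: a remediation job must be confined to subnets it is authorised to touch, and must go dormant if it ever finds itself on a host that is outside those ranges (the laptop that left the building). The following is an added example, not code from Eric, Valdis or the list; it shows how a centralised patch-sweep server could enforce that scope with a plain allow-list before acting on any address. The subnets and addresses are constructed for the example, and the function names are my own.

```python
import ipaddress
from typing import Iterable, List

# Subnets the sweep is authorised to act on. Constructed for this example;
# a real deployment would load these from the server's signed config.
AUTHORISED_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.21.0.0/16"),
]


def in_scope(addr: str, subnets: Iterable[ipaddress.IPv4Network] = AUTHORISED_SUBNETS) -> bool:
    """True only if addr lies inside one of the authorised subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in subnets)


def should_stay_dormant(local_addrs: Iterable[str],
                        subnets: Iterable[ipaddress.IPv4Network] = AUTHORISED_SUBNETS) -> bool:
    """Decide whether this host may run the sweep at all.

    Loopback and link-local addresses are ignored; every remaining local
    address must fall inside the authorised subnets. A host holding a public
    or home-LAN address (the laptop case) therefore does nothing.
    """
    subnets = list(subnets)
    real_addrs = [
        a for a in local_addrs
        if not (ipaddress.ip_address(a).is_loopback or ipaddress.ip_address(a).is_link_local)
    ]
    if not real_addrs:
        return True  # no usable interface: nothing to do
    return not all(in_scope(a, subnets) for a in real_addrs)


def filter_targets(candidates: Iterable[str],
                   subnets: Iterable[ipaddress.IPv4Network] = AUTHORISED_SUBNETS) -> List[str]:
    """Keep only candidate hosts inside the authorised subnets, preserving order."""
    subnets = list(subnets)
    return [c for c in candidates if in_scope(c, subnets)]


def plan_sweep(local_addrs: Iterable[str], candidates: Iterable[str],
               subnets: Iterable[ipaddress.IPv4Network] = AUTHORISED_SUBNETS) -> List[str]:
    """Return the list of hosts the sweep may act on from this machine.

    Empty if the machine itself is out of scope (dormant), otherwise the
    in-scope subset of the candidates the operator pointed the server at.
    """
    subnets = list(subnets)
    if should_stay_dormant(local_addrs, subnets):
        return []
    return filter_targets(candidates, subnets)


if __name__ == "__main__":
    # Constructed sample: a server sitting in 10.20/16 asked to sweep three hosts,
    # one of which is outside the allow-list and is dropped.
    print(plan_sweep(["127.0.0.1", "10.20.5.9"], ["10.20.1.1", "10.99.1.1", "10.21.200.3"]))
    # The same job on a laptop that now has a public address does nothing.
    print(plan_sweep(["127.0.0.1", "203.0.113.7"], ["10.20.1.1"]))
```

The dormant check is deliberately conservative: one out-of-scope interface is enough to stop the job, rather than trying to pick a "safe" NIC to scan from, because a host straddling two networks is exactly the case where an unattended tool causes the damage Valdis describes.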