Is it possible to return something, so Nimda would crash?
People just never install patches. It seems the only way to shut the virus up.
_____
< http://members.home.com/asolofnenko/ > Alexey N. Solofnenko < http://www.inventigo.com/ Inventigo LLC Pleasant Hill, CA (GMT-8 usually)
You can sort of crash the system running the virus if you return something v-e-r-y s-l-o-w-l-y.... Basically you can force their TCP stacks to time out connections to your box. And if their TCP stack is badly implemented, sometimes crash. See hackbusters.net for details -- the application is called LaBrea.
On Fri, 21 Sep 2001, Alexey N. Solofnenko wrote:
People just never install patches. It seems the only way to shut the virus up.
_____
< http://members.home.com/asolofnenko/ > Alexey N. Solofnenko < http://www.inventigo.com/ Inventigo LLC Pleasant Hill, CA (GMT-8 usually)
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
This Labrea thing is basically a pile of poop. So the system crashes. The admin reboots it, and life goes on (sans patch, with infection). Plus there is the legal issue, you are intentionally trying to mess up a remote system's ability to work, and while yes the "attacker" is liable you are now taking actions that also make you potentially liable (not a good thing if it can be avoided). Attacking back is often a very bad idea.
Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/
On Fri, 21 Sep 2001, Kurt Seifried wrote:
This Labrea thing is basically a pile of poop. So the system crashes. The admin reboots it, and life goes on (sans patch, with infection). Plus there is the legal issue, you are intentionally trying to mess up a remote system's ability to work, and while yes the "attacker" is liable you are now taking actions that also make you potentially liable (not a good thing if it can be avoided). Attacking back is often a very bad idea.
Actually, I think the idea is to keep the infected system busy for as long as possible, so that it wastes time dealing with one box that it would otherwise spend messing with thousands and thousands of other systems. And it does zero configuration changes to the machine that hits it. If the infected machine does happen to crash, one can always hope that the admin will take it as a prompt to scan for virii and worms. For the admin of the infected machine, he can come in in the morning and thank god his box hit somebody running LaBrea, because that means his machine only hit a hundred other systems instead of ten thousand.
Bear
Actually, I think the idea is to keep the infected system busy for as long as possible, so that it wastes time dealing with one box that it would otherwise spend messing with thousands and thousands of other systems. And it does zero configuration changes to the machine that hits it. If the infected machine does happen to crash, one can always hope that the admin will take it as a prompt to scan for virii and worms.
This may or may not work for existing worms, and newer worms will probably take it into account.
For the admin of the infected machine, he can come in in the morning and thank god his box hit somebody running LaBrea, because that means his machine only hit a hundred other systems instead of ten thousand.
Er. yeah. Potentially the box has now crashed. Because of your system. Not something I wanna be potentially liable for.
Bear
-Kurt
On Saturday 22 September 2001 09:33 am, you wrote:
Actually, I think the idea is to keep the infected system busy for as long as possible, so that it wastes time dealing with one box that it would otherwise spend messing with thousands and thousands of other systems. And it does zero configuration changes to the machine that hits it. If the infected machine does happen to crash, one can always hope that the admin will take it as a prompt to scan for virii and worms.
This may or may not work for existing worms, and newer worms will probably take it into account.
For the admin of the infected machine, he can come in in the morning and thank god his box hit somebody running LaBrea, because that means his machine only hit a hundred other systems instead of ten thousand.
Er. yeah. Potentially the box has now crashed. Because of your system. Not something I wanna be potentially liable for.
No, his box crashed because he was allowing it to engage in illegal activity. I have a right to do anything I want with a malicious connection made to my machine, EVEN sending it a ton of viri, but Labrea does not do that, it just keeps on hanging on. You have perhaps a more effective solution?
--
__________________________________________
J.Andersen
No, his box crashed because he was allowing it to engage in illegal activity.
You may want to take a business class that deals with liability.
I have a right to do anything I want with a malicious connection made to my machine, EVEN sending it a ton of viri, but Labrea does not do that, it just keeps on hanging on.
No, no you do not. While there are laws regarding things like home intruders and the use of deadly force for example in some countries there are no laws AFAIK making it ok to attack people back online. IF you know of laws allowing such behaviour in a country I would love to know about it.
You have perhaps a more effective solution?
Yes. Firewall it. Do not send anything back.
J.Andersen
-Kurt
Hi, On 23 Sep 2001, at 1:49, Kurt Seifried wrote:
While there are laws regarding things like home intruders and the use of deadly force for example in some countries there are no laws AFAIK making it ok to attack people back online. IF you know of laws allowing such behaviour in a country I would love to know about it.
Actually you must assume that the owner of the attacking machine is not aware of it but a victim himself. If he did it on purpose, a back-attack could be seen as self-defense, but it is hardly possible to prove that in court.
Some cable providers here in Austria cut off customers' access because they were (believed to be) infected by Code Red; actually we have no adjudication by now whether that was legal or not. I got such warnings too and I have only a NetBSD box without any server daemons running connected, and a friend of mine with a Win98 box without servers was actually cut off! So you can be sure these machines were not infected. But with such imprecise laws people are not likely to take this to court.
BUT: If I correctly understood the technology behind the system, all you do is to keep hold of the attacker. If his system crashes it is because of a badly implemented TCP/IP stack. I would see this like someone wants to send you a fax to your (voice) telephone line and you pick up the phone, and do not hang up anymore. He has to pay the telephone cost. And I do not think there are laws that prohibit that. Simplified, the program says: "Hi, I am here, please send only very small packets" and then does not answer anymore until his TCP/IP stack times out or crashes (whatever happens first).
mike
On Sun, 23 Sep 2001, Kurt Seifried wrote:
I have a right to do anything I want with a malicious connection made to my machine, EVEN sending it a ton of viri, but Labrea does not do that, it just keeps on hanging on.
And you may want to fix your broken mailer; do not break quoting with senseless line wraps.
While there are laws regarding things like home intruders and the use of deadly force for example in some countries there are no laws AFAIK making it ok to attack people back online. IF you know of laws allowing such behaviour in a country I would love to know about it.
Heck, if his systems are in the process of flooding mine, I can hold them. Assuming the LaBrea.README is true, all the thing does is set up tarpits on unused IPs via ARP spoofing on "request". These tarpits supposedly send a SYN|ACK packet in response to a SYN packet, and ignore the rest of the conversation until it times out.
You have perhaps a more effective solution?
Yes. Firewall it. Do not send anything back.
Oh. Very effective if you don't know who's the next to toss out the worm again. Very useful if you have a web server up and running. </IRONY> Seriously, LaBrea does not send spamloads back or something, it just accepts the connection from the scanner. I cannot see how that would be illegal. No-one says you must not lie to the scanner. BTW, for Germany, see §§ 32, 34, 35 (Title IV) of the Strafgesetzbuch (Penal Code), a translation of which is available at http://wings.buffalo.edu/law/bclc/germind.htm - German text (claimed up-to-date) for example at http://dejure.org/gesetze/StGB/32.html I cannot see how LaBrea would be unlawful in Germany. The "attacker" is free to abort the connection at any time and advance to the next "victim". However, sending things back may be considered sabotage if it breaks the box, and this breakage may outweigh the gain, particularly if one's own systems are not susceptible to the virus that is replied to with "crash code".
Yup, On 23-Sep-01 Kurt Seifried wrote:
No, his box crashed because he was allowing it to engage in illegal activity.
You may want to take a business class that deals with liability.
I have a right to do anything I want with a malicious connection made to my machine, EVEN sending it a ton of viri, but Labrea does not do that, it just keeps on hanging on.
No, no you do not.
While there are laws regarding things like home intruders and the use of deadly force for example in some countries there are no laws AFAIK making it ok to attack people back online. IF you know of laws allowing such behaviour in a country I would love to know about it.
You have perhaps a more effective solution?
Yes. Firewall it. Do not send anything back.
$0.02:
if I may jump in here - without any intention to prolong the discussion about paragraphs and legit/illicit active responses to attacks - Nimda exploits bugs in an operating system (Win), and its effectiveness stems from bugs brought to you by Microsoft, from things like ignorance, misinformation or just laziness from admins and/or from home users who don't care much for their system's health. Patches are available, antivirus tools are available, too, people running vulnerable Win installations just need to read a thing or two and can then proceed to update their systems in order to be safe from Nimda, Code Red and its relatives. A matter of information, as usual.
By counterattacking Nimda/Code Red-infected boxen you will gain nothing, just another downed box, several aggravated admins/users, a possible lawsuit and more bits of fun. The key is information about Nimda, about MS bugs and how to plug these holes; counterattacking is counter-productive, as it may put the focus on your attacks, not the very problem itself: The virus/worm. Counterattacks are like Aspirin - they cure your personal headaches, but do nothing good to the system. It's protection of systems we're talking about in here, not destruction.
J.Andersen
-Kurt
Boris Lorenz <bolo@lupa.de> ---
I have to agree with Boris. I also have to add that it really isn't a counter strike, but just a net bogger. If it were to be a counter attack one would at least have to attack. Since nobody knows who wrote the virus and nobody knows anyone who is helping the person(s) who wrote the virus at this moment unless they have been caught already; then any measure against an organization who has been compromised is not the honorable thing to do. If the organization wrote the virus or had something to do with the fact that it exists, this is a different story. Hence the reason my nation is going to retaliate against those who have caused unjust pain and death, or those that have supported the agenda of those who have. Don't attack the perpetrated. Attack the perpetrators. The authorities will take care of these individuals. Attacking other people that are not criminals is not the answer. May God Be With America. USA!
Wade Chandler Metro IT Solutions Lead Programmer http://www.metrotriad.com/wchan http://www.metrois.com wade.chandler@metrois.com 336-725-1621 Ext. 1015
----- Original Message ----- From: "Boris Lorenz" <bolo@lupa.de> To: <suse-security@suse.com> Sent: Monday, September 24, 2001 3:55 AM Subject: Re: [suse-security] Is it possible to return something, so Nimda the
Yup,
On 23-Sep-01 Kurt Seifried wrote:
No, his box crashed because he was allowing it to engage in illegal activity.
You may want to take a business class that deals with liability.
I have a right to do anything I want with a malicious connection made to my machine, EVEN sending it a ton of viri, but Labrea does not do that, it just keeps on hanging on.
No, no you do not.
While there are laws regarding things like home intruders and the use of deadly force for example in some countries there are no laws AFAIK making it ok to attack people back online. IF you know of laws allowing such behaviour in a country I would love to know about it.
You have perhaps a more effective solution?
Yes. Firewall it. Do not send anything back.
$0.02:
if I may jump in here - without any intention to prolong the discussion about paragraphs and legit/illicit active responses to attacks - Nimda exploits bugs in an operating system (Win), and its effectiveness stems from bugs brought to you by Microsoft, from things like ignorance, misinformation or just laziness from admins and/or from home users who don't care much for their system's health. Patches are available, antivirus tools are available, too, people running vulnerable Win installations just need to read a thing or two and can then proceed to update their systems in order to be safe from Nimda, Code Red and its relatives. A matter of information, as usual.
By counterattacking Nimda/Code Red-infected boxen you will gain nothing, just another downed box, several aggravated admins/users, a possible lawsuit and more bits of fun. The key is information about Nimda, about MS bugs and how to plug these holes; counterattacking is counter-productive, as it may put the focus on your attacks, not the very problem itself: The virus/worm.
Counterattacks are like Aspirin - they cure your personal headaches, but do nothing good to the system. It's protection of systems we're talking about in here, not destruction.
J.Andersen
-Kurt
Boris Lorenz <bolo@lupa.de> ---
Crashing a box is never a good thing. But there is a simpler (?) way. I'm very much a newbie in firewall use and can't do that myself, but I bet it's easy to get the firewall to send a message to the offending machine's administrator: "you are sending worms". I sometimes do that manually, but it's a pain. I think if an admin receives thousands of such letters, he must feel concerned? And such mail seems perfectly legal.
jdd
-- <http://www.dodin.net> <mailto:jdanield@dodin.net> WHO'S THAT GUY ? Help me found it Russia & South america help needed http://www.dodin.net/serge/index.html
Maybe this is the best way to handle it, because usually people do not know if their computers are infected. I think it is possible to write root.exe or default.ida script that will send increasingly rude messages back to webadmin every week the script gets a hit.
Sincerely, Alexey Solofnenko.
_____
< http://members.home.com/asolofnenko/ > Alexey N. Solofnenko < http://www.inventigo.com/ Inventigo LLC Pleasant Hill, CA (GMT-8 usually)
It is clearly stated in American law at least that "Self Defense" is only applicable in circumstances where there is a "Reasonable cause for bodily injury". This doesn't mean injury of personal possessions. Therefore, if you had to go to court over this, you wouldn't have much legal ground to stand on. So I'd be very careful before implementing any type of script to exploit Nimda's vulnerabilities. Especially considering that, under American law, you could be prosecuted just as equally as the person that wrote the virus originally.
Just some thoughts. -Mike Reaves
----- Original Message ----- From: "Alexey N. Solofnenko" <alexeys@citechlabs.com> To: <suse-security@suse.com> Sent: Sunday, September 23, 2001 2:06 PM Subject: RE: [suse-security] Is it possible to return something, so Nimda would crash?
Maybe this is the best way to handle it, because usually people do not know if their computers are infected. I think it is possible to write root.exe or default.ida script that will send increasingly rude messages back to webadmin every week the script gets a hit.
Sincerely, Alexey Solofnenko. _____
< http://members.home.com/asolofnenko/ > Alexey N. Solofnenko < http://www.inventigo.com/ Inventigo LLC Pleasant Hill, CA (GMT-8 usually)
Hi,
first, in other countries you may prevent any illegal action against yourself and others with *reasonable* measures under the "self-defense" regulations. But in the case of LaBrea you do not do anything against the other computer. It is more like your neighbour always parks his car in your garage and you make the entrance smaller so that your car will still fit in but his car will not. I do not think you have to pay for the damages on his car if he again tries to illegally park his car in your garage.
mike
On 23 Sep 2001, at 14:21, Mike Reaves wrote:
It is clearly stated in American law at least that "Self Defense" is only applicable in circumstances where there is a "Reasonable cause for bodily injury". This doesn't mean injury of personal possessions. Therefore, if you had to go to court over this, you wouldn't have much legal ground to stand on. So I'd be very careful before implementing any type of script to exploit Nimda's vulnerabilities. Especially considering that, under American law, you could be prosecuted just as equally as the person that wrote the virus originally.
Just some thoughts. -Mike Reaves
----- Original Message ----- From: "Alexey N. Solofnenko" <alexeys@citechlabs.com> To: <suse-security@suse.com> Sent: Sunday, September 23, 2001 2:06 PM Subject: RE: [suse-security] Is it possible to return something, so Nimda would crash?
Maybe this is the best way to handle it, because usually people do not know if their computers are infected. I think it is possible to write root.exe or default.ida script that will send increasingly rude messages back to webadmin every week the script gets a hit.
Sincerely, Alexey Solofnenko. _____
< http://members.home.com/asolofnenko/ > Alexey N. Solofnenko < http://www.inventigo.com/ Inventigo LLC Pleasant Hill, CA (GMT-8 usually)
Hi,
first, in other countries you may prevent any illegal action against yourself and others with *reasonable* measures under the "self-defense" regulations.
But in the case of LaBrea you do not do anything against the other computer. It is more like your neighbour always parks his car in your garage and you make the entrance smaller so that your car will still fit in but his car will not. I do not think you have to pay for the damages on his car if he again tries to illegally park his car in your garage.
Claiming ignorance ("I didn't know Labrea would crash his PC") will be tricky as in many courts with a civil suit you have to prove your innocence. None of this "beyond a reasonable doubt" stuff/etc as with a criminal case. I wouldn't want to be on the receiving end of a Fortune 500 company's lawsuit after all their web servers or whatever got hosed by my machine. Try to remember here, these attacks are NOT intentional. This is a Social/Policy issue, NOT really a technology issue. Anyways I'm done on this topic for now. BTW analogies suck. This is nothing like car parking/trespassing.
mike
-Kurt
* Kurt Seifried wrote on Sun, Sep 23, 2001 at 14:10 -0600:
But in the case of LaBrea you do not do anything against the other computer. It is more like your neighbour always parks his car in your garage and you make the entrance smaller so that your car will still fit in but his car will not.
I think it's more likely to put a red traffic light before with a sign telling "please wait for green before entering". I see no attack when sending very small windows; I cannot see why it's an attack telling someone "please wait - I have no time to talk with you at the moment". Well, I think I or someone else has misunderstood the thing...
Claiming ignorance ("I didn't know Labrea would crash his PC") will be tricky as in many courts with a civil suit you have to prove your innocence.
Why should a PC crash when receiving small windows? Probably it was just a power fail. And if someone means to run a PC which crashes on some packets, it's her own fault; and keep in mind that this is not meant as an attack. If some machine crashed if I accidentally try telnet 1234 on it, I apologize but nothing more.
BTW analogies suck.
You mean, you personally think that some analogies might be misleading for somebody. But there are people who need analogies to understand a problem...
This is nothing like car parking/trespassing.
Well, I cannot imagine why someone would try to drive into a too small garage. But I cannot imagine why some OS should crash on small windows. Hum, looks like an analogy :)
oki, Steffen
-- This letter was produced by machine; it therefore bears neither signature nor seal.
On Sun, 23 Sep 2001, Kurt Seifried wrote:
Claiming ignorance ("I didn't know Labrea would crash his PC") will be
I wouldn't want to be on the receiving end of a fortune 500 companies lawsuit after all their web servers or whatever got hosed by my machine. Try
OTOH, claiming ignorance does not protect them either, particularly not if Nimda hits them while Code Red & Co. had so much unfortunate publicity recently. However, just discarding excessive logs is usually the most time-saving response if some virus plays with your longanimous Apache httpd ;)
Hi,
the problem with these long logs is that maybe less experienced admins will have problems processing them with a little script before they are fed to their favorite log analyzer. If I were a hacker, I would take my chance now to try to intrude other systems, as chances are good the admins are in a kind of "the daily Nimda tons of stuff again" state and tend to be less careful.
mike
On 24 Sep 2001, at 1:46, Matthias Andree wrote:
OTOH, claiming ignorance does not protect them either, particularly not if Nimda hits them while Code Red & Co. had so much unfortunate publicity recently. However, just discarding excessive logs is usually the most time-saving response if some virus plays with your longanimous Apache httpd ;)
On Mon, 24 Sep 2001, Thomas Michael Wanka wrote:
the problem with these long logs is that maybe less experienced admins will have problems processing them with a little script before they are fed to their favorite log analyzer. If I were a hacker, I
Their business. But it's also their business to install patches as they are available, and I'd really like to see penal codes extended to prosecute careless admins who don't install security patches in a reasonable time. Aid to Computer Sabotage or something.
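The two practical pieces of advice in this part of the thread are "firewall it, do not send anything back" and "filter the worm noise out of the logs before it buries everything else". The following is an added example (not code from the thread or from any poster) that does both over a constructed Apache combined-format log: it recognises the probe paths the thread names (root.exe and cmd.exe for Nimda, default.ida for Code Red), counts them per source address, keeps the remaining lines for the admin to read, and renders DROP rules for the busiest sources. The sample log lines, the signature list and the assumption of a Linux host with iptables are all mine; real worm traffic uses many more path variants than these two patterns cover.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (not from the thread): two normal
# requests mixed with worm probes of the kind the thread complains about.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2001:03:55:01 +0200] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.7"
192.0.2.17 - - [24/Sep/2001:03:55:02 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.17 - - [24/Sep/2001:03:55:02 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.17 - - [24/Sep/2001:03:55:03 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
198.51.100.9 - - [24/Sep/2001:03:56:10 +0200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 291 "-" "-"
10.0.0.5 - - [24/Sep/2001:03:57:44 +0200] "POST /cgi-bin/form.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.7"
203.0.113.4 - - [24/Sep/2001:03:58:00 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
"""

# Leading fields of the Apache combined log format: client IP, ident, user,
# timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request-path fragments the thread names: root.exe / cmd.exe (Nimda) and
# default.ida (Code Red). Case-insensitive because the worms vary directory case.
SIGNATURES = [
    ("code-red", re.compile(r"/default\.ida", re.IGNORECASE)),
    ("nimda", re.compile(r"root\.exe|cmd\.exe", re.IGNORECASE)),
]


def classify(path):
    """Return the worm family a request path looks like, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def triage(log_text):
    """Split a log into worm probes (counted per source IP) and everything else.

    Returns (probes, clean): probes maps ip -> Counter of family -> hits, clean is
    the list of log lines left for the admin to read. Lines that do not parse at
    all are kept in clean rather than silently dropped.
    """
    probes = {}
    clean = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        family = classify(m.group("path")) if m else None
        if family is None:
            clean.append(line)
            continue
        probes.setdefault(m.group("ip"), Counter())[family] += 1
    return probes, clean


def blocklist(probes, min_hits=1):
    """Source IPs with at least min_hits probes, busiest first, then by address."""
    totals = {ip: sum(c.values()) for ip, c in probes.items()}
    return sorted((ip for ip, n in totals.items() if n >= min_hits),
                  key=lambda ip: (-totals[ip], ip))


def drop_rules(ips):
    """The firewall side of "do not send anything back": one iptables DROP rule
    per probing host for port 80 (assumes a Linux host running iptables)."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in ips]


if __name__ == "__main__":
    probes, clean = triage(SAMPLE_LOG)
    for ip, counts in probes.items():
        print(ip, dict(counts))
    print("\n".join(drop_rules(blocklist(probes, min_hits=2))))
    print(f"{len(clean)} lines left to review")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the min_hits threshold exists because a single 404 for cmd.exe can also come from a one-off scan, while dozens from one address within minutes is the worm's fingerprint. Nothing is ever sent to the probing host, which is exactly the point Kurt makes above.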
Is it possible to retrieve administrator's email address from IIS? Or there is always a standard admin address. _____ < http://members.home.com/asolofnenko/ > Alexey N. Solofnenko < http://www.inventigo.com/ Inventigo LLC Pleasant Hill, CA (GMT-8 usually)
On Monday 24 September 2001 12:02 pm, Alexey N. Solofnenko wrote:
Is it possible to retrieve administrator's email address from IIS? Or there is always a standard admin address.
No, it provides nothing that I could get to. I tried a couple times emailing the administrator, security, abuse and all the other usual addresses. The problem is that although IIS is installed by default on Win2K boxen, an SMTP package is not (automatically) installed. So you can't even email root at bad.ip.number.
--
__________________________________________
J.Andersen
Hi,
On Monday 24 September 2001 12:02 pm, Alexey N. Solofnenko wrote:
Is it possible to retrieve administrator's email address from IIS? Or there is always a standard admin address.
No, it provides nothing that I could get to. I tried a couple times emailing the administrator, security, abuse and all the other usual addresses. The problem is that although IIS is installed by default on Win2K boxen, an SMTP package is not (automatically) installed. So you can't even email root at bad.ip.number.
Try whois, look for tech-c and admin-c mail addresses and direct your complaints to them. There are some helpful online whois tools around which you might find interesting: http://www.geektools.com or http://classic.samspade.org . SamSpade.org is a well-known online tool box with more than just whois. If the owner of the domain does not answer your mails, move on to his upstream provider.
J.Andersen
Boris Lorenz <bolo@lupa.de> ---
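Boris's suggestion (look up the netblock in whois, write to the tech-c and admin-c contacts, escalate to the upstream if nobody answers) is the part of this thread that actually reaches the owner of an infected box. The following is an added example, not code from the thread or from any poster, of the lookup half of that: a minimal RFC 3912 whois client plus a parser for the RIPE-style "key: value" record format that resolves admin-c/tech-c handles to the e-mail addresses of the matching person objects and puts abuse-mailbox first. The sample whois answer is constructed for a documentation address, whois.ripe.net is just the server used as an illustration, and ARIN and other registries format their output differently, so the parser would need adjusting for them.

```python
import socket

# Constructed RIPE-style whois answer for a documentation prefix (not a real
# record and not output of any real whois server).
SAMPLE_WHOIS = """\
% This is a constructed sample, not output of a real whois server.
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example cable customer pool
country:        AT
admin-c:        EX123-RIPE
tech-c:         EX456-RIPE
abuse-mailbox:  abuse@example.net
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT

person:         Example Admin
address:        Vienna
nic-hdl:        EX123-RIPE
e-mail:         admin@example.net

person:         Example Tech
nic-hdl:        EX456-RIPE
e-mail:         tech@example.net
"""


def whois_query(query, server="whois.ripe.net", port=43, timeout=10):
    """Plain RFC 3912 exchange: send the query line, read until the server closes.
    Not exercised offline; pass its return value to contact_addresses()."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Split a RIPE-style answer into objects (blank-line separated blocks).
    Each object is a dict of lower-cased key -> list of values, because keys such
    as e-mail may legitimately repeat. Comment lines (% or #) are ignored."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def contact_addresses(text):
    """Resolve admin-c / tech-c handles to e-mail addresses via nic-hdl and
    collect abuse-mailbox entries. Returns {"abuse": [...], "admin-c": [...],
    "tech-c": [...]}; a role whose handle has no person object stays empty."""
    objects = parse_whois(text)
    by_handle = {h: o for o in objects for h in o.get("nic-hdl", [])}
    result = {"abuse": [], "admin-c": [], "tech-c": []}
    for obj in objects:
        result["abuse"].extend(obj.get("abuse-mailbox", []))
        for role in ("admin-c", "tech-c"):
            for handle in obj.get(role, []):
                result[role].extend(by_handle.get(handle, {}).get("e-mail", []))
    return result


def complaint_order(contacts):
    """Addresses to try, in order: abuse mailbox first, then admin-c, then tech-c,
    without duplicates. Escalating to the upstream provider is a manual step."""
    seen, order = set(), []
    for role in ("abuse", "admin-c", "tech-c"):
        for addr in contacts[role]:
            if addr not in seen:
                seen.add(addr)
                order.append(addr)
    return order


if __name__ == "__main__":
    # Offline demonstration on the constructed record; a live lookup would be
    # contact_addresses(whois_query("192.0.2.17")).
    print(complaint_order(contact_addresses(SAMPLE_WHOIS)))
```

The report you send should quote the log lines with timestamps and time zone, as the remote admin can do nothing with a bare "you are sending worms"; the triage output from the earlier part of the thread (source address, probe count, first and last hit) is exactly that evidence.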
On Sunday 23 September 2001 10:21 am, Mike Reaves wrote:
It is clearly stated in American law at least that "Self Defense" is only applicable in circumstances where there is a "Reasonable cause for bodily injury". This doesn't mean injury of personal possessions.
Interesting you can state this with such pontifical certainty, considering American law is composed of massive amounts of federal law, 50 disparate bodies of state laws and thousands of local laws. That's some impressive law degree you have there. Your assertion that I can not act to protect my property is simply not the case. That every person must stand aside and let the arsonist burn their house is totally absurd, and not the law anywhere with the exception perhaps of Massachusetts. Still, your arguments are totally off base, in that LaBrea does no more damage than leaving the phone on the table rather than hanging up when the pestering salesman calls, leaving him to pay the long distance charges.
--
__________________________________________
J.Andersen
participants (13): Alexey N. Solofnenko, Alexey N. Solofnenko, Anders Johansson, Boris Lorenz, jdd, John Andersen, Kurt Seifried, Matthias Andree, Mike Reaves, Ray Dillinger, Steffen Dettmer, Thomas Michael Wanka, Wade Chandler