Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Benign Worms
From: "Eric Paynter" <eric () arcticbears com>
Date: Sat, 14 May 2005 10:50:18 -0700 (PDT)

On Sat, May 14, 2005 9:30 am, Valdis.Kletnieks () vt edu said:
Even if you *do* manage to code the worm correctly, all it takes is for
*one* person visiting your site to have plugged their laptop into the net,
and you're at least potentially screwed.

Hopefully as a minimum, one would code it to be limited to certain
subnets. That way, even if it does get the laptop, when the laptop goes
onto the Internet, it will not scan from the NIC with a public IP. It will
just go dormant.


And I posit that if your network is either small enough or run *that*
fascistly that you are ready to swear on a Bible in court,
under penalty of perjury, that you *know* everything that's connected to
it, then you don't need a worm to fix it.

Fascistly? Well, maybe from a university point of view, where the networks
tend to be more open. But for some corporate networks, the corporation
owns all equipment on the network and has a legal responsibility to ensure
the safety of the data on the network. That means forcing patches to all
machines.

With all the exploits over the years that allow users to escalate privs,
it's not too uncommon in medium and large corporations (several thousand
or more desktops) that some users have taken over their desktops and
removed the sysadmin's privs. If the corporation has a geographically
distributed wide area network, it may be cost-prohibitive to send people
to every site where one of these "rogue PCs" is detected, not to mention
that some can be very difficult to detect. Non-technical enforcement
(determining the user and escalating to HR) can also be difficult,
especially when inter-divisional politics get in the way (surprise: most
large corporations have very dysfunctional relationships
inter-departmentaly and especially inter-divisionally).

What's the easiest and fastest way to periodically sweep the network clean
of these PCs, to meet the mandate of ISD to have everything patched, to
avoid the politics of disciplining user X for breaking the rules, to just
make it happen without all the argument? This is the line of reasoning
that leads young support jockeys to consider benign worm development...

Although I would still suggest that a worm is not the way to go. Put the
"hack and patch" functionality on a server and point the server at each
subnet you want to target. Much safer. Much easier to control.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault