[NCLUG] Code Rainbow: New attack, MUCH nastier...

Sean Reifschneider jafo-nclug at tummy.com
Thu Sep 20 01:39:05 MDT 2001


On Tue, Sep 18, 2001 at 01:21:29PM -0600, Michael Dwyer wrote:
>Anyway, it apparently moves via E-mail (Readme.exe), unsecured shares

I've seen precious few actual e-mail migrations of the thing.  Most
machines are still getting more codered and that snow white one than this
guy.  In fact, I had a hard time tracking down a copy so I could set up a
filter to block them with...

The nice thing about the unsecured shares is that once you get infected it
will open up the shares on your box.  Delightful.

I'd like to send a bill for the extra bandwidth charges to MS...

>Also, FRII is working to limit the effects of this attack on its

I had called their support folks after sending this message and they had
just heard about it.  I know that Cisco IOS 12.something will allow you to
do some analysis of payloads of port 80 traffic, so you can actually set it
up to block the GET request if it contains one of these things.

I passed that information on to FRII because it's got to be hurting them
and their customers.  Though, on the other hand, they have good reason not
to implement it -- their DSL lines are metered...  This worm could be good
for them.  ;-/

Sean
-- 
 I have a large collection of sea shells, which I keep scattered on beaches
 around the world.  Maybe you've seen it...  -- Steven Wright
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
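Sean mentions that Cisco IOS can inspect port-80 payloads and block GET requests carrying the worm; below is an added example (not from the original thread) of how that is typically done with NBAR: classify HTTP requests whose URL contains the filename named in the message, mark them, and drop the marked packets with an ACL. The class/policy names, interface names, ACL number, the second placeholder pattern and the choice of "readme.exe" as the match string are assumptions for illustration.

```cisco
! NBAR URL matching requires CEF switching
ip cef
!
! Classify HTTP requests whose URL contains a worm signature.
! "readme.exe" comes from the message above; the second entry is a placeholder
! to be replaced with whatever other request strings the worm is seen sending.
class-map match-any worm-http
 match protocol http url "*readme.exe*"
 match protocol http url "*WORM-PATTERN-PLACEHOLDER*"
!
! Mark matching packets with a DSCP value that is otherwise unused here
policy-map mark-worm-http
 class worm-http
  set ip dscp 1
!
! Apply the marking policy on the interface where worm traffic arrives
interface FastEthernet0/1
 description link facing infected hosts
 service-policy input mark-worm-http
!
! Drop anything carrying the mark before it leaves toward the protected side
access-list 105 deny   ip any any dscp 1
access-list 105 permit ip any any
!
interface FastEthernet0/0
 description link toward web servers
 ip access-group 105 out
!
! Verify: class-map hit counters should climb as probes arrive
! (exec mode) show policy-map interface FastEthernet0/1
```

This catches only the HTTP-based spread; the e-mail attachment and the open-share propagation the message also describes are untouched by it, and a URL match on the first request packet is easy to miss if the worm changes its filename.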
