> I'm not sure of the ethical or legal aspects of this, but I don't see why
> we can't take advantage of three facts:
> 
> 1) There is something of an ongoing log of affected machines that can be
> obtained from boxes earlier in the IP list.
> 2) Machines which have been compromised can STILL be compromised.
> 3) The worm has a "lysine deficiency" which can be remotely introduced.

I'd say legally, you're on very shaky ground.  Not something I'd attempt,
for that reason alone.  What if a bug in your "friendly worm" trashed
someone's server or DoS'd them at a critical moment?  I think the lawyers
would be onto that one.

A "safer" approach would be to have something that could do a whois lookup
of the attacking netblocks and prepare a scripted email for you to review
before sending.

Besides patching the IIS server when the original advisory came out, I have
also taken the steps of heavily filtering outbound traffic from the IIS box
(stuff that should never be generated in normal use), and logging that, so I
can be aware of anything suspicious, severely limit the ability of any worm
to infect other systems and minimise the risk of being involved in a DDoS
attack (except perhaps against myself, but that's my problem! :) ).

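The outbound filtering and logging described in the reply above is a good place to hang a simple detector. What follows is an added example, not code from the original poster or the list: it assumes a hypothetical firewall rule in front of the web server that logs (prefix "IIS-EGRESS: ") and drops any NEW connection the server itself initiates, since a web server answers requests and should not be opening connections to port 80 on other hosts. The log lines are constructed to look like iptables kernel LOG output and are not captured traffic; the host addresses (192.0.2.10 as the IIS box, 198.51.100.x and 203.0.113.x as targets) are illustrative.

```python
"""Spot worm-style outbound scanning in egress-filter log lines.

Assumed (hypothetical) firewall rules in front of the web server at 192.0.2.10,
which log and then drop every NEW connection the server itself initiates:

    iptables -A FORWARD -s 192.0.2.10 -m state --state NEW -j LOG --log-prefix "IIS-EGRESS: "
    iptables -A FORWARD -s 192.0.2.10 -m state --state NEW -j DROP

A compromised server that is trying to propagate shows up as one source
sending TCP SYNs to many distinct hosts on port 80 in a short time.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_FMT = "%b %d %H:%M:%S"  # syslog timestamps carry no year

# Fields of an iptables LOG line as written by the kernel to syslog.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>[\w-]+): "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields of one iptables LOG line, or None if the line is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Collapse the double space in "Aug  4" so strptime sees one field separator.
    ts = datetime.strptime(" ".join(m.group("ts").split()), SYSLOG_FMT)
    return {
        "ts": ts,
        "prefix": m.group("prefix"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
        "syn": re.search(r"\bSYN\b", m.group("rest")) is not None,
    }


def find_scanners(lines, dport=80, window_s=60, threshold=10):
    """Return {src: peak} for every source that sent SYNs to `threshold` or more
    distinct hosts on `dport` inside some `window_s`-second window."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["syn"] and rec["dpt"] == dport:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        # Sliding window anchored at each event; count distinct destinations.
        for i, (t0, _) in enumerate(evs):
            seen = {dst for t, dst in evs[i:] if t - t0 <= timedelta(seconds=window_s)}
            peak = max(peak, len(seen))
        if peak >= threshold:
            scanners[src] = peak
    return scanners


def _entry(ts, src, dst, proto="TCP", spt=1042, dpt=80,
           tail="WINDOW=16384 RES=0x00 SYN URGP=0"):
    """Build one constructed LOG line in the kernel's format (test data only)."""
    return (f"{ts} fw kernel: IIS-EGRESS: IN=eth0 OUT=eth1 SRC={src} DST={dst} "
            f"LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1234 DF PROTO={proto} "
            f"SPT={spt} DPT={dpt} {tail}")


# Constructed sample: the IIS box hits 12 hosts on port 80 in 33 seconds (worm
# behaviour), plus a legitimate DNS query; a second host makes two connections
# (someone browsing); and one unrelated syslog line that must be ignored.
SAMPLE_LOG = [
    _entry(f"Aug  4 10:15:{3 * i:02d}", "192.0.2.10", f"198.51.100.{i + 1}")
    for i in range(12)
] + [
    _entry("Aug  4 10:15:12", "192.0.2.10", "192.0.2.53",
           proto="UDP", spt=1025, dpt=53, tail="LEN=40"),
    _entry("Aug  4 10:16:00", "192.0.2.20", "203.0.113.5"),
    _entry("Aug  4 10:16:05", "192.0.2.20", "203.0.113.6"),
    "Aug  4 10:16:07 fw sshd[812]: Accepted publickey for admin from 192.0.2.99",
]

if __name__ == "__main__":
    for src, peak in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: SYNs to {peak} distinct hosts on tcp/80 within 60s")
```

The window and threshold are the tuning knobs: too short a window misses a slow scanner, too low a threshold flags an administrator browsing from the box. The DNS and SSH lines show the two ways a line is ignored, wrong protocol and not a LOG line at all.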