<snip>
>> Err, for example, the sadmind worm is well known enough to be
>> one of many hints for eEye to know that the mere existence of
>> a cmd.exe backdoor is not proof for CodeRed. It is suspicious,
>> obviously, but if there is no way to conclusively identify a CR2
>> infection, no scanners should loudly proclaim that a box is
>> identified with CR2 and instead detail what exactly it found that
>> was bad and hint at the potential causes if they desire to do so.
See, I don't really expect this of a free tool. It was put together quickly to try
and let us know if we had a box that was vulnerable. Maybe I am not remembering this
correctly, but the Code Red scanner didn't ever tell me that something was infected.
Only if it was vulnerable. The Nimda tool was the first one that I remember that
attempted to get the "infection" piece down.
Again, at the time that the scanner was put together, the main thing to check for was
CMD.EXE and ROOT.EXE. We didn't know about the .eml files, to scan .htm and .html
files for README.EML and README.EXE and so on.
Could CMD.EXE and ROOT.EXE be a sign of something else? Yeah. But they also could be
a sign of Nimda and no matter what they were a sign of, it was bad. My guess is that
eEye will eventually come out with a scanner that says to check these 4 things and if
ALL of them match then declare an infection, but I can't really fault them for not
being more timely on a free tool. :)
>> Case in point, eEye's public scanner release said "Code Red
>> 2 detected (backdoor found!)" or something to that effect.
But again, in the case of Nimda, what is that backdoor? It renamed SEVERAL .exes and
many of them weren't known at the start. It took me a couple of hours to figure out
that my MMC.EXE had been changed. If you check for certain file names and sizes, they
change them and then eEye has to change their free scanner again. To be honest, we
all screamed when the Code Red scanner came out and said, "don't just tell me if it is
vulnerable, tell me if it is infected already." Then eEye tried to do that and we are
screaming because of false positives. It will be refined over time, but it was a
quick tool to help us. Not an end-all, be-all, final authority. (IMHO)
>> [..]
>> > There is no way to keep a FREE scanner up-to-date and
>> > EXACTLY right for all instances.
>>
>> I never said that it should be.
But that is what decrying this tool is saying. The way I feel is that it could have
been quick or right. I'll take quick and as right as you can be over correct and a
couple of days too late.
>> > I would MUCH rather have 2 false positives than 2 false
>> > negatives. The scanner basically says, "either the worm has
>> > hit you or a moron setup your box and did X".
>>
>> Not really, it says it found CodeRed2 when all it found was
>> the backdoor which could be a variety of things.
But that's my point: it found something that needed to be fixed and it was symptomatic
of the worm. Look, there are a million different things that can write a CMD.EXE to a
server, but if that is one of the major things that this worm does, then you have to
use it. If we have to wait for the vendors to find one thing that this worm always
does and is completely different than any other worm (so that there will be no false
positives) then they won't be timely. When I am here at 3 AM and I want to scan and
see if I have any more holes here, I want timely. Because I am looking for
**vulnerable**. I will take waiting a week or so to get the **infected** part correct.
I am going to rebuild those anyway. I need to find the vulnerable ones immediately
and keep them from getting infected. This tool worked great for that and I think that
this is what eEye designed it for. (Again, this is MHO)
<snip>
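The reporting style the two posters are arguing about (check the artifacts the thread names, report each one actually found, and only name the worm when all of them match) as an added example. This is not code from the original thread and not eEye's scanner; the IIS-like directory layout, the locations where the artifacts are looked for, the known-good MMC.EXE hash and every file's contents are constructed assumptions for the demo.

```python
"""Indicator-based worm scan that reports evidence rather than a bare verdict.

Added example for the thread above; not eEye's scanner. The four indicators are
the artifacts named in the thread (CMD.EXE/ROOT.EXE copies in the web tree,
README.EML/README.EXE droppers, .htm/.html files referring to them, a changed
MMC.EXE). Directory layout, file contents and the baseline hash are made up.
"""
import hashlib
import tempfile
from pathlib import Path

INDICATOR_NAMES = ("backdoor_shell", "readme_dropper", "html_reference", "mmc_modified")
BACKDOOR_NAMES = {"cmd.exe", "root.exe"}      # assumption: never legitimate under the web root
DROPPER_NAMES = {"readme.eml", "readme.exe"}
HTML_SUFFIXES = {".htm", ".html"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(webroot: Path, mmc_path: Path, mmc_known_good_sha256: str) -> dict:
    """Return {indicator: [evidence, ...]}; an empty list means not found."""
    found = {name: [] for name in INDICATOR_NAMES}
    for path in webroot.rglob("*"):
        if not path.is_file():
            continue
        lname = path.name.lower()
        if lname in BACKDOOR_NAMES:
            found["backdoor_shell"].append(str(path))
        if lname in DROPPER_NAMES:
            found["readme_dropper"].append(str(path))
        if path.suffix.lower() in HTML_SUFFIXES:
            body = path.read_bytes().lower()
            if b"readme.eml" in body or b"readme.exe" in body:
                found["html_reference"].append(str(path))
    # Name and size checks are easy to evade (the thread's point about renamed
    # .exes), so compare a hash against a known-good baseline instead.
    if mmc_path.is_file():
        digest = sha256_of(mmc_path)
        if digest != mmc_known_good_sha256:
            found["mmc_modified"].append(f"{mmc_path} sha256={digest}")
    return found


def verdict(found: dict) -> str:
    """Name the worm only when every indicator matches; otherwise list the evidence."""
    hits = [name for name in INDICATOR_NAMES if found[name]]
    if not hits:
        return "no indicators found"
    if len(hits) == len(INDICATOR_NAMES):
        return "all indicators present: consistent with Nimda infection"
    return "suspicious, needs a look: " + ", ".join(hits)


def build_sample_tree(root: Path, artifacts: set) -> tuple:
    """Construct a toy IIS-like layout with the requested artifacts planted.

    Returns (webroot, mmc_path, known_good_sha256). All contents are constructed.
    """
    webroot = root / "inetpub" / "wwwroot"
    scripts = webroot / "scripts"
    system32 = root / "winnt" / "system32"
    scripts.mkdir(parents=True)
    system32.mkdir(parents=True)
    (webroot / "default.htm").write_text("<html><body>Welcome</body></html>")
    pristine_mmc = b"constructed: pristine mmc.exe bytes"
    known_good = hashlib.sha256(pristine_mmc).hexdigest()
    mmc = system32 / "mmc.exe"
    mmc.write_bytes(b"constructed: replaced mmc.exe bytes"
                    if "mmc_modified" in artifacts else pristine_mmc)
    if "backdoor_shell" in artifacts:
        (scripts / "root.exe").write_bytes(b"constructed: copied shell")
    if "readme_dropper" in artifacts:
        (webroot / "readme.eml").write_bytes(b"constructed: dropper")
    if "html_reference" in artifacts:
        (webroot / "index.html").write_text(
            '<html><body><a href="readme.eml">readme.eml</a></body></html>')
    return webroot, mmc, known_good


def demo(artifacts: set) -> tuple:
    """Build a throwaway tree with the given artifacts, scan it, return (found, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot, mmc, known_good = build_sample_tree(Path(tmp), set(artifacts))
        found = scan_tree(webroot, mmc, known_good)
        return found, verdict(found)


if __name__ == "__main__":
    for planted in (set(), {"backdoor_shell"}, set(INDICATOR_NAMES)):
        found, summary = demo(planted)
        print(f"planted={sorted(planted) or 'nothing'} -> {summary}")
        for name, evidence in found.items():
            if evidence:
                print(f"  {name}: {evidence}")
```

The point of the split between `scan_tree` and `verdict` is the one the thread circles around: a lone ROOT.EXE in the scripts directory is worth fixing whatever put it there, so it is always reported, but the tool only claims a specific worm when every indicator lines up. A baseline hash for MMC.EXE has to come from a known-clean install; the constructed one here exists only so the example runs offline.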