Fight Virus With Virus? 697
Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submittor raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?
Best friendly virus that does no arm: (Score:2)
Lock the screen in black, disable ctrl-alt-delete on any OS, and type this a bit below average reading speed in white:
"Boo... I'm a virus, you know what you did was really dumb?... You're lucky this time, you will lose no data, I won't send anything critical by email without your knowledge, and your operating system will stay intact... in exchange you'll have to bare with this message for a few minutes.
Clicking on attachments in your email when you don't even know where it comes from = Stupid.
Clicking on attachements of which you don't even know the extension = Dumb.
Opening a file that you don't know about in your [download] directory = Asking for trouble
Did you know that running an operating system without updated antivirus file, or without antivirus at all is bad when you're a rookie? (you ARE a rookie since you are reading this, please don't consider yourself bright or IT-man 2001 because if you ARE actually working in IT, you're even dumber than a rock, reason #1? a rock wouldn't catch this virus)
If you typed CTRL-AlT-DELETE anytime while this was displayed, you diserve to be wiped and bitchslapped you selfish log, if you don't care about the damages you can get, think about the damages you can create by spreading your stupidity?
Now find a way to remove me, else I'm gonna repeat this every xx minutes, and in the end, I might actually end up doing something bad.
Regards, retard!"
howzat?
Many infected users don't know they're running IIS (Score:2, Informative)
I would like to point out that many if not most of the machines that are still being infected by the Code Red worms are operated by users who are not even aware that they are running IIS.
Case in point, my roommate bought a Dell Dimension L700cx with Windows 2000 about 6 months ago. He was surprized when I showed him that his machine is running IIS and serving the default web page on port 80. This person did nothing to install or activate IIS, the machine was shipped with that configuration.
I think this fact is important to keep in mind when trying to understand why so many machines remain vulnerable to the IIS attack.
PS: We run our LAN behind a firewall that denies port 80, so my friend's machine was not infected.
Old idea (Score:2, Interesting)
The Cheese Worm did this for Lion-infected hosts (Score:2, Informative)
The Cheese Worm [cert.org] seems to constitute exactly what you want. Cheese actually sought out Linux hosts [linuxsecurity.com] infected by the Lion worm [whitehats.com] and removes any backdoor root shells from /etc/inetd.conf . Some say the Cheese Worm constitutes the first hack-of-a-hack known [theregister.co.uk].
Another first for Linux and Open Source software!
Just 13 years behind the times... (Score:5, Insightful)
The first such anti-virus virus, Den_Zuko, was discovered in 1988. Check out this article [vnunet.com] on VNUnet, which has more info on the history of such software and why it's a bad idea.
More recently, the Linux.Cheese.Worm has done similar things for Linux users infected by the Linux.Lion.Worm.
Re:Just 13 years behind the times... (Score:2)
Sircam autoresponse? (Score:3, Interesting)
The message could even say that was what it was doing.
"My advise is to run this script to remove the virus and to pass the information on to other people"
This wouldn't really be a virus at all: the people receive it in response to a request for advice and it is something you actually think they should be running. It doesn't try to infect other machines, except by advising their users to use it; no more illegal than Norton responding to a download request with a program.
Don't be a part of the problem (Score:4, Interesting)
Why do schools neglect an ethics curriculum?
Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.
If you're being hampered by Code Red hits, make a script to firewall off every infected computer for a day. Allow those firewalls to expire, and if they're still infected, they'll get blocked again.
- "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
Yeah, that means you. You're giving up liberty-- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to sieze the unwitting victim and force the medicine into their bodies.
It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.
How funny would this be... (Score:2)
I don't agree with doing it whatsoever, but that would wake up a lot of sysadmins.
Defense department research (Score:2)
I have a friend who works for a company that's doing just this. They are funded by the government to write intelligent agents ("agents" in the sense of mobile code) for security purposes. So rather than merely setting up a firewall, the goal of this is to write software that can move from machine to machine, like a virus, and stomp out viruses, trojans, and fight off other attackers.
Call it a white blood cell.
So is developing a counter-virus, an antibody, a white blood cell being part of the problem? I don't think so. Once a computer's been hacked, it's already been hacked. It's already been violated. If you don't want people to write counter-viruses, for heaven's sake, don't let you computer get infected in the first place! Viruses are preventable.
Re:Don't be a part of the problem (Score:2)
If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to sieze the unwitting victim and force the medicine into their bodies.
Well with certain diseases, we DO force people to take medicine, even before they get the disease. FORCED immunizations. Do you agree that that is just as wrong?
Re:Don't be a part of the problem (Score:2)
Something may be ethical, but not legal, and vice versa. In this case, a white-hat worm would most certainly be illegal, because you are modifing someone's property without their concent, but to simply say it isn't ethical doesn't look at the whole picture.
What has to be asked is do people benifit more from your actions than the harm being caused? If this is so, you can ethically justify your actions. If by modifing one person's machine you prevent 50 from being infected, you're doing overall good, and while still outside the law, you are benifitting society.
If a white-hat worm were to be released into the wild and become widespread and clean up code red's damage, I think it would spark a lot of conversation on the potential of other such worms and the regulation of them for their possible future and benificial use.
Re:Don't be a part of the problem (Score:2)
A couple points:
1. The infected party doesn't know they're infected. Kind kills the analogy.
2. Lots are cable modem users whose TOS does not let them run servers to begin with.
3. They're causing a communal problem - excessive network lag. Why let the authority figures make all the decisions when you can just use the exploit to net send them a message telling them their infected.
If more people became part of the problem, we'd have a more informed group of users and tighter security.
Re:Don't be a part of the problem (Score:5, Informative)
Now there is ethics and there is ethics. Here is a scenario that occurred once in Baltimore. A house thief hot-wired a car. He jammed the steering wheel all the way to the side and floored the gas. The car spun and made lots of noise. Meanwhile, the thief broke into people's houses (that is besides the point). Am I ethical if I jump into the moving car and turn it off ?
The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.
As another example, suppose my neighbor's house is burning and his 10 year old is screaming at the window, and he is not around. Am I ethical in breaking in to save his child ? In this case the answer is really clear.
In the case of machines compromised with CodeRedII, consider the capability for MASSIVE DDOS directed at anybody launchable by anybody. Those machines are tools to be used by anyone for any reason they like. They can be used as launching points for hacks on military sites. They can be used to snoop for passwords etc. If you go onto those machines and simply remove them from the network by shutting them down (in an orderly fashion), I think you could argue rather strongly that you are taking such action in the interest of public safety.
Ethics is rarely so cut and dried that one could claim that you should NEVER alter someone else's property.
Re:Don't be a part of the problem (Score:2)
I think you could argue that rather strongly too, but I also think that the prosecution will make mincemeat of it unless you have a really good lawyer arguing rather strongly alongside you, in which case the prosecution will have to settle for making something less finely ground, such as Dinty Moore beef stew, of it.
Re:Don't be a part of the problem (Score:4, Insightful)
When I was 4, I was in my apartment complex running around like a, well, screaming 4 year old. One of the residents (happened to be a RN) was watching me play with my brother and then called me over to him. He took a good look at me, grabbed my hand and took me to my apartment.
"Your son has the measles. Take him to the doctor, now."
There was a person, completely unrelated to me, who didn't even have kids whom I could "endanger" with my measles. Was he within his rights?
The original poster must realize that an infected machine has already been compromised by an intruder. If you walk past an apartment and see someone has forced the door open and is ransacking it, do you continue walking by? Or do you yell at the thief? Call the Cops?
Those "infected" machines are flooding the pipe that I'm paying for, so doesn't that make them some part of a "commons" that makes them part of everyone's responsibility?
If my neighbor is playing his music too loudly, don't I have the right to knock on his door and say "Hey, turn that down, please?"
If I'm being constantly probed by thousands of infected machines, my internet access greatly slowed down by all the garbage in the pipe, don't I have a right to find the owners and tell them "Hey, knock that shit off. Fix your damn machine, it's hurting everyone."
Furthermore, to pick on another pet peeve of
Just some thoughts...
Re:Don't be a part of the problem (Score:2)
Criminal law guarantees you a trial by your peers. It is not illegal if your peers will not convict you. Here is an example: I knew a fellow in San Francisco who got AIDS as a long-time drug user. He nearly withered away and died. He started smoking pot at the advice of his physician even though it was illegal at the time. He was arrested numerous times, but never convicted of smoking pot.
You see, a jury of San Franciscans will NEVER convict someone with AIDS of smoking pot to boost their appetite. My friend gained a lot of weight and probably lived another 2 years as a result of pot smoking.
In the case of CodeRed anti-virii, you would need to have a reasonable argument that your actions were justified as bettering society on the whole. If you don't think such an argument exists, I wouldn't recommend writing it
Re:Don't be a part of the problem (Score:2)
I disagree. CodeRedII is going to permanently damage your system. It is the equivalent of AIDS for computers - if completely knocks out your defenses, but doesn't cause any harm itself.
People with AIDS do not live very long. Neither will computers with CodeRedII. They are remote-rooted by anyone accessing the httpd port.
Also, you neglect to make an analogy between financial harm and physical harm, perhaps on purpose. Both are justifiable legally.
If you attack someone else's machine, then you're on exactly the same ethical level as the person who wrote the original virus.
THAT is a flawed analogy. Whereas it may not be appropriate to kill someone for committing murder, using an anti-virus to shut off machines with CodeRedII is completely different. The machines are compromised and vulnerable.
Imagine you are a business owner, and someone came along, opened the doors to your store, didn't take anything, and left. Are you trying to claim it would be illegal for me to close the door, and place me on the same level as the first person who opened the doors ?????
If you do believe that, please put down the crack pipe and back away slowly.
Re:Don't be a part of the problem (Score:5, Interesting)
The thing is they CAN seize you and force you to take medicine IF you are determined (Usually by 2 doctors) to be a danger to yourself or others. Ever hear the term "Involuntary Commitment"
There ARE times when you are forced to do things
Re:Don't be a part of the problem (Score:2)
Re:Don't be a part of the problem (Score:3, Interesting)
There are cases that it would be wrong to 'fix' someone's computer... If, for example, they ran a thriving business from it and you were being annoyed by a trojan that ran occasional port-scans, stopping their business by crashing their machine is unwarranted...
But, in the case mentioned, a worm could be written which would seamlessly upgrade the affected computers, and close the backdoors permanently. Consider that these backdoors allow (and very likely will be used) attackers to control the machine for a DDoS, port-scanning, continued spreading of the infection, and with some of the later bugs, full access to the machine which would potentially allow all sorts of electronic theft. In this case, you're almost guilty by your inaction.
The huge ammount of damage that can be caused by each infected machine, both to the owner, and to the rest of the internet completely outweighs the owners right to have their computer configured in a certain way.
In many jurisdictions, inaction can be a crime. If, for instance, you see someone in mortal danger and you could have warned them, but didn't, you can often be charged with murder. (House on fire, you know someone's inside, but don't bother trying to alert them or call for help.)
People like you really frighten me. You have a twisted sense of ethics and you want to force other people to be indoctrinated in them. Ugh.
Re:Don't be a part of the problem (Score:3, Insightful)
Arguably true, but the bigger issue is "what are correct ethics?" Some things nearly all people can all agree on: it isn't ethical to copy someone else's work and pass it off as your own. But there are a lot of other ethics issues that will be very decisive. For example:
"It is permissable to take a person's life if it is the only way to protect your life or the life of another."
I have had many arguments with people who think that there is never, ever a reason to take a life, whereas I believe that self-defense is a fundamental human right. In the case of a divisive topic such as this, an "ethics class" is useless at best -- and brainwashing at worst.
I think some kind of critical thinking training is a better idea. If you can think critically, you will develop your own ethical code.
Re:Don't be a part of the problem - Cisco fix (Score:2, Informative)
1) From the "cbos#" prompt*, input the command "set web disabled". I think you'll have to follow that up with the "write" command. That shuts off the router admin web-interface. If you really must have that interface, you can change the port instead.
2) Upgrade the CBOS to version 2.4.1. See http://www.cisco.com/warp/public/707/cisco-code-r
Hope that helps...
*Note: to get to the "cbos#" prompt, input the command "enabled" at the "cbos>" prompt.
Re:Don't be a part of the problem (Score:2, Informative)
Do you really want to rely on Microsoft's updates to be reliable and correct? Updates are best installed on test servers and then migrated to production systems. The fact is that once an exploit is discovered, it typically takes several months for destructive software to be released that takes advantage of the export. Code Red came out much quicker and that has caused many of the problems we are witnessing.
Re:Don't be a part of the problem (Score:2)
Ah, but we (as a society) do legally require people to get vaccinated, because doing so benefits society as a whole sufficiently to justify the slight loss of personal freedom
Not so slight in the case of MMR vaccine which has caused much of the increase in autism cases lately.
Getting back to computers, what about where the anti-virus-virus causes inadvertant damage to the system because it has an unusual configuration, different software, etc. So instead of fixing the webserver, it utterly kills it. That could happen very easily if you binary patch even a slightly different version of the executable than you were expecting. Then what?
Re:Don't be a part of the problem (Score:2)
No. Ethics is that branch on philosophy that deals with the question, "How shall we live our lives?" There are supernaturalistic theories of ethics (i.e., we should live our lives according to the dictates of some supernatural being), but there are also plenty of theories without a whit of religious belief - utilitarianism, existentialism, Kantian rationalism, and others.
Applying these theories to the case of an anti-virus virus is left as an exercise for the reader.
Understanding (Score:2)
I'm going to have to disagree on this point. Ethics and religion are very different things. They are actually not even directly related to each other. The link between the two is morality, to which both are related. To give an example, it's possible for an agnostic person to act in an ethical manner. Actually, it's possible for any person to act in an ethical manner. It's also possible for someone with a religious ideal to act in an unethical manner without violating his/her religious convictions (the Inquisition is an old example, but it fits, so I'll use it for ease). Religion is a belief system. Morality is a rule set based on the belief system. Ethics is adherence to generally accepted codes of behavior.
And, in response to your second sentence, religion is specifically a belief system. So, while linguistically your statement is correct (one can have faith without a directed religion, such as "faith in the goodness of mankind"), by definition one cannot have a religion without faith.
Virg
Re:Don't be a part of the problem (Score:4, Insightful)
ethics:
2. Being in accordance with the accepted principles of right and wrong that govern the conduct of a profession.
moral:
1. Of or concerned with the judgement of the goodness or badness of human action and character.
You want an ethical lawyer, but not one who applies morality. You want an ethical doctor, but not one who judges your morality.
Ethics is reflective, driving ones own behavior with respect for others. Morality is applied to others, and rarely implies respect for others.
Possible? Yes, of course. (Score:4, Insightful)
Part of the problem with worms isn't just the malicious acts that they perpetrate, it's the bandwidth that they use.
A particularly virulent worm can bring servers and routers to their knees just propagating itself. That's before it even gets the chance to do any of its intended damage. (Remember Melissa, or The Great Internet Worm?)
Add to this very real concern the fact that striking back in this way, no matter the good intentions, is almost certainly illegal, and the whole idea is a definite no-no.
(Yes, it does have a certain appeal - but so do many other things that are bad ideas, too)
Cheers,
Tim
Re:Possible? Yes, of course. (Score:3, Insightful)
Good virus resides on your computer. Computer gets scanned; good virus cleans up offending computer, installs itself. Now, rather than sending out 300 requests at a time, the offending computer is sending out nothing, unless it is scanned as well.
Anti-Sircam Virus (Score:5, Funny)
This has already happened (Score:4, Insightful)
Personally, I feel a virus is a virus, regardless if your intentions were good. You're not any better than the hundreds of losers out there creating this mess. If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.
Re:This has already happened (Score:4, Insightful)
It's probable that you don't understand the difference between right and wrong.
Think of cops and robbers. We have bad guys with guns running around on the streets, and we have good guys with guns running around on the streets. Neither group is very bright, and both are liable to shoot you for pulling your wallet out too fast in a darkened doorway. Still, we know which group we're going to train and pay to protect us using their own judgment.
A neighbor who checks and locks my door is far more neighborly than one who walks in, spray paints grafitti on my walls, craps on my carpet, leaves a dead rat hanging between the old coats in the closet, and says "oh, you have a security problem, you should get that fixed before someone does something bad to you".
People who bought buggy software got ripped off, and you're discouraging conscientious software engineers from providing free, automatic service to those people, and preventing them from becoming unwitting dupes in spreading the bad viri around the world.
But you shouldn't live in fear that this will become epidemic. People who do know right from wrong and who do choose to do right understand that doing right is often mistaken for doing wrong by people who don't know the difference, and our system of justice isn't based on right and wrong, it's based on perception, so they won't take the chance of being railroaded, Good Samaritan law or no.
--Blair
Re:This has already happened (Score:2)
"Illegal" is not the same as "wrong".
"Legal" is not the same as "right".
Police typically check locks on doors. They can and do enter property they find open and unoccupied, and they can and do lock those doors if possible and if they think it's a reasonable thing to do given the neighborhood (hint: the internet "neighborhood" is roughly every machine on it, and everyone, good or bad, lives right next door to you). A warrant merely franks the search into evidence.
The fact that you don't like your neighbors is your problem. The rest of us will thank ours for looking out for us.
Then you might want to stop accepting unsolicited communications.
You might be competent to download and apply a patch. But the network is full of incompetent or apathetic people, and their incompetence results in the ability of dangerous worms to propagate.
Their computers are emanating viri and worms just as evilly as the computer that originally did it. If a bum who crawled in your open door and died was emitting a foul stench and bacteria that were wafting down the street infecting other houses, you can bet I and the local HazMat team would be, without a warrant or your permission, all over your door nailing it shut, and your pewling cries of "trespassers!" wouldn't impress a jury.
The problem is that the Internet hasn't got itself set up that way, and the real culprits, the ones who install and run buggy software on a public network, are not being prosecuted.
--Blair
Discussed before (Score:2, Insightful)
Why not? (Score:2, Insightful)
Now this just goes right back to the whole "but I thought a virus was bad" response that your typical user will tell you. For the most part, it could work wonderfully, but the big thing is, the only people who will need it are those who did not patch a system for the bug (since if they patched it, then the retrovirus (if you will) will not be able to use the same vulnerablilty). Those are most often the same people that opened 40 SirCam attachments even though they were warned ("But it came from my best friend!"). To these people, a virus is something to be afraid of, regardless of purpose. A virus is always a bad thing that will "break the computer" and we don't want to "break the computer" because we can't "fix the computer" <Cue ominous music>
But then again, if these people are so oblivious as to how they're infected, then it just may work as long as the media doesn't blow it out of proportion again.
DirectTV hacked the hacker.... (Score:2)
Hey, if it worked for DirectTV, it should work here...
Actually, this may start a "best of the best" competition with virus writers. They'll come back with a virus to counteract the anti-virus, and on and on.... might be interesting...
Re:DirectTV hacked the hacker.... (Score:2, Insightful)
Virus writers would close the door they came in in advance and write in another door that would be extremely hard to find. The worm would still infect other machines, and it would be a very long time before the other back door kicks in. People would think the worm they got was a purposeful fix worm, when in actuallity it only would be a matter of time before it became a zombie. Now that would be a smart virus. Of course, the hardest part would be giving the new back door the functionality needed while effectively hiding itself.
Have we already forgot the Cheesy Worm? (Score:2)
See this link [newsfactor.com] for examle.
It's not 'virii'! (Score:2, Insightful)
check out http://www.cknow.com/vtutor/vtplural.htm [cknow.com] for more information...
(rant mode off)
Re: (Score:2)
Illegal (Score:4, Insightful)
This means that unauthorized access in the attempt to do a "good deed" is just as illegal as black-hat unauthorized access.
For this to happen, someone with the antidote virus would have to break the law to spread it and apply it. Of course, Robin Hood was considered a criminal too.
Because... (Score:5, Insightful)
Seriously, folks, everybody who *could* write something like that either (a) recognizes that infecting someone's box is infecting someone's box, closing holes or not or (b) sees no problems in having the rooted boxen out there anyway. I doubt that anybody else actually has the skills to do it.
I'm Batman (Score:2)
Of course, the author can't go around claiming responsability (or posting stories on slashdot), that's not cool.
Go ahead and do it. (Score:2, Informative)
Google cache because it looks like the original site has been remove.
I suppose that it would be possible to use the ISAPI filter vulnerability in IIS to get into a system and patch that very same vulnerability. Maybe someone who knows more about this can clarify.
Fighting fire with fire? (Score:2)
Instead, (idea from another
This reminds me of the Fish Virus.... (Score:2, Interesting)
Further info about the virus is found here [f-secure.com] from Datafellow's [datafellows.com] virus database.
Preferable method (Score:3, Informative)
(which you can do manually right now with the worm-installed back door.)
Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.
You could do that, but don't! (Score:4, Insightful)
Re:You could do that, but don't! (Score:3, Interesting)
But I think people are overlooking a more ominous repercussion, technically and ethically: Setting a precedent. If the precedent were set that it's OK to loose countercode upon the world, think of what might result.
In other words, if counterviruses and antiworms became commonplace, it would turn the internet into one big war zone for autonomous code. And I can't even imagine what might result if an arms race broke out in that contest, though I expect some of its fruits would be quite frightening. I've already drawn the analogy to Core War in a previous thread.
Re:You could do that, but don't! (Score:3, Insightful)
Out of the frying pan... (Score:2)
Apparently, it seems that in the early 1800s, there was a general problem with people smoking too much opium, so people came up with a supposed cure for it -- morphine! Of course in hindsight this wasn't any better than opium, but at least it had a pain relieving effect so there was some medical use for it (and still is). Sure enough, former opium smokers got hooked on morphine, and a new cure was needed. What did we get? Heroin! This was much worse, had no worthy side effects, and has generally been a huge headache ever since. What was the solution? Go cold turkey? Of course not, we came up with yet another new drug -- methadone. This one seems to have the great benefit of not being worse or more addictive than it's predecessor, but that just means that people don't want to stop using heroin in favor of methadone, so while methadone may not be worse, it does little good either.
Like I say, this may not actually be true, but I think it illustrates the point very well. Even if it isn't true, there are still similar examples all over the place -- people that give up cigarettes for nicotine gum, etc.
This sort of suggestion has the same critical flaw: it might look good on paper, but in practice you're just trading one nasty thing for another. Sending out a benevolent trojan sounds like a nice idea, but how do you know that it'll be benevolent anyway? Are you sure it isn't going to be vulnerable to some flaw that will do more harm than good? You've checked all your buffers and are careful in what your program accepts and strict in what it sends out? Moreover, you're confident that, even if it *is* perfectly benign (which, let's be honest, is a tricky assertion at best, and very hard to verify) once it's out in the wild can you guarantee that your code isn't going to get hijacked by someone less saintly or all-knowingly proficient as you surely are?
I doubt it.
These sorts of proposals sound nice but are fraught with danger and likely to come to a bad conclusion, both technically and, let's not forget, legally. This sort of idea comes up every now and then -- K5 is debating it right now, too [kuro5hin.org] -- but it's never a good idea and in practice it will never reliably work. It's clever & tempting, but raises more problems than it solves, just like trading morphine for heroin...
@work (Score:2)
A K5 USer has published an anti-CodeRed virus (Score:4, Informative)
--CTH
See Everything2 (Score:2, Informative)
Re:A K5 USer has published an anti-CodeRed virus (Score:4, Interesting)
The legal implications of this are a bis issue, but it's certainly an interesting code example.
Yeah, it's a great idea. It would be wonderful to see someone do it, but at the same time, if you did, you're as bad as the virus writers, since this would propagate everywhere and make changes on their systems without their consent.
For me to even academically consider such a virus, it would also have to have automatically e-mail the (l)user whose machine has just been patched, and state "You are an idiot. You've been negligent in the maintenance of your webserver. A benevolent UNIX/Linux geek wrote a virus which propagates by the same method as Code Red and it has now fixed this vulnerability on your machine. To learn about real webservers, go to www.apache.org."
But based on what I'm seeing from the description (I haven't unzipped/untarred it yet), I suspect it's more along the lines of what I've been wanting to do. If I get a request from a IIS-infected machine, why not have it force a reboot of that machine? Through the negligence of the system's owner, it attacked me. Why can't I merely force a reboot, clear the virus from the memory, and hopefully alert the imbecile involved that he's got a problem?
Take a look at my webserver log (link from my sig). I seem to be getting hit by the same IIS-infected hosts over and over. I'm sure the IIS-infected machines are getting hit by the same other machines over and over. If I were to force a reboot of those machines which attempt to infect my Apache server, then they'd promptly be reinfected, and since Code Red II scans within a tighter range of IP addresses, I'd probably take that machine down again. Of course, the cycle would repeat, and infected machines where I'm within their scanning range would be coming up and going down all day. Surely the owner would eventually realize something was wrong?
I'd love to do this, but I still don't like the legal implications. Stealing a car to prevent someone driving while drunk is still illegal, and this is a lot less clear-cut.
Re:Citizen's Arrest (Score:2)
Re:IIS = Loaded Gun? (Score:2)
Is it possible you accidentally left your sense of humour and response to irony in your other pants?
He probably hates me because he's not circumcised. [grin] With my .sig, I get irrational stuff like that every now and then.
Re:A K5 USer has published an anti-CodeRed virus (Score:2, Insightful)
Already been done (Score:4, Interesting)
I had begun work on a worm called Code Blue that would infect Code Red machines and clean them of Code Red. This kind of work is very laborious since it involves writing Intel assembly code that uses the Win32 API and runs in a Windows environment.
Before I could finish, my best friend (who is a security consultant) informed me that somebody has already done this. There is a perl CGI script going around that you can put into your root directory and name "default.ida" so that infected machines will cause it to execute.
The script connects to the IP of the attacking machine, uses the Code Red II backdoor to clean the system of trojanned files. Then it uses the very same buffer overflow exploit used by Code Red to send a binary to the server that patches IIS, removes Code Red-related registry entries and reboots the machine.
Re:Already been done (Score:4, Interesting)
1. Where's the script?
2. Shouldn't it be modified to install itself? Otherwise, it'll get drastically outpaced.
Note: yeah, yeah, ethics and so on. Disclaimer, and another one.
Re:Already been done (Score:4, Insightful)
Go <a href="default.ida">here</a> to check your server for the Code Red worm and remove it if found.
Unlike an actual anti-security-hole virus, in this situation you are providing a legitimate and documented response to an actual request. If you're not scanning other machines unless they actually ask (either by following the link or by attacking you), it's not really any more unethical than, say, active FTP (if you send this message, I will open a connection back to you and send some data over it). It is no more using the other person's machine than, say, slashdot forcing my machine to render an HTML document or an FTP server forcing my machine to store the document I download.
Beneficial Worms (Score:2)
I obtained some script kiddy code to open up a shell on the alternate machine and started to modify it. Since I have no desire to be assused of starting a virus of any kind, I have no intention of finishing or releasing this, but I want to have the concept proven in case someone with more guts than I decided to release something similar.
No matter how you look at it, I believe that releasing this worm would be illegal, at least in the US where I live. Knowing this, I'm not going to concern myself with legal issues, but with ethical ones. The purpose of this prototype worm is to exploit the named deamon and obtain a shell on the victim computer. Then it will send over a copy of the worm, along with a nonvulnerable version of named.
On the victim's side, it will make a copy of all programs and configuration files it needs to change and replace them with safe versions. It will then send a message to root on that machine explaining exactly what was done and why, how to reverse the changes in case the worm broke something, and what to do in the future to avoid the same or similar problems. The worm will then
find and exploit 256 more systems within the same network level, one in each subnetwork. For instance, if the worm is currently working at the class A level for the 24.0.0.0/8 network, it will try to find one system in the 24.1.0.0/16 network, one in the 24.2.0.0/16 network, etc. Each progression will work one level lower. This will prevent the same machine from being hit more than twice for every pass the virus makes over the internet. After finding 256 systems, the worm will shut itself down and remove itself.
The important factors of this worm is the fact that it will ONLY be beneficial. If it causes more problems than it solves, it will be seen as another nuisence instead of fixing security holes as it is intended. It is important that root on the machine is notified of any changes. This gives the administrator the opportunity to fix other potential problems and if necessary reload the system. There must be a way that an administrator can leave configuration files on the machine so the worm will function in a limited capacity. The machine operator can therefore prevent the worm from making changes although they will still be notified if there's a security risk.
The worm will only search for and detect a single flaw in a single program, and only use that specific program to exploit the system and only replace that single program. Updating an entire package to fix one program may actually introduce other security problems into the system. Programs
deployed on the system should also be either compiled on that system or staticly linked to prevent any library conflicts.
On a side note, the worm might also want to check for a root kit on the machine and notify root if one exists. If the machine has already been comprimised (which is possible if there are vulnerable programs running), then the machine will need to be reloaded and root needs to know about it. Fixing one program won't make any difference.
Am I completely off my rocker here? Comments?
-Restil
Why not put up a webpage that people can use? (Score:5, Insightful)
All the viewer has to do is click a button at the bottom of the screen.
Just so happens that this particular button sends a request to
Afterall, they did click on the link, right?
Seriously though, if someone wants to get all pissy about you going to their box and fixing their screwup, threatening to sue and the like, I'd just countersue
I've done some of this (Score:4, Interesting)
As a more casual defense, I've written stuff that causes the worm to hang in its receive function: http://robertgraham.com/tools/deredoc [robertgraham.com]. It's kind fun, I've got hundreds of worm threads waiting for me to respond back to them.
You can create benign anti-worms. You can setup a worm to only counterattack when attacked itself. Such a worm would not bother innocents, and would only spread to infected systems, cleaning as it went. In other words, it wouldn't be 'scanning' -- it only responds upstream to infected systems. There are two problems to that approach: the first is that CodeRedII self-DoS itself, so the systems cannot be exploited, either with the .ida attack or the backdoor. The second problem is that a heck of a lot of these systems are behind firewalls, and you cannot directly contact them on port 80 (CodeRedII has been extremely effective about worming its way around firewalls).
You can evade legal constraints. Post the source of your anti-worm to Usenet as an example how an anti-worm is constructed. This is legal free-speech -- as long as you don't encourage others to run it.
CodeRedII is raging inside corporations. It would be extremely ethical to put something on your own machine to help stop it. One example would be a script (CGI, PERL, PHP, ASP) named /default.ida on your system that did something like "/scripts/root.exe?/c+net+stop+w3svc" back at the attacker.
Already Happened, I Think (Score:2)
I remember seeing a /. blurb about just such a thing. If I remember right, after it invaded the system, it patched a security hole, copied itself onto whatever removable media was in the computer and deleted itself. Unfortunately I couldn't find the article in the archives.
In the meantime, this sort of program is pretty trivial, aside from invading a secured host. I've heard talk in various organizations about writing maintenance viruses to crawl the network's hosts and do whatever updating needed to be done. Such ideas are usually tanked because everyone's a little nervous about independent critters running loose, doing things on their computers. Besides, there are more reliable automated ways to install patches and updates. In the meantime, writing one of these as a good samaritan deed would likely get you prosecuted because, 1) You don't own the computers you're infecting 2)You don't know what the configuration is on the machines and your virus might screw 'em up, 3)What if you missed a bug in your code?
There is another way... (Score:5, Insightful)
...though it's not quite as effective.
Since the start of this week, I've been running a Perl script as an hourly cron job that parses my firewall logs, gets the originating IP addresses of any Code Red scans, does a reverse lookup, attempts to extract a meaningful domain name and then mails a polite notification to postmaster and webmaster at that domain. The notification contains a link to the MS page with the details of the relevant patches.
Since doing so, I've had a number of responses from people thanking me for pointing out the problem and confirming that their server has now been patched. The response rate is only about 1%, largely due to the fact that around 90% of the problem servers are on dial-ups/cable modems/DSL, but it's better than nothing.
I'm not advocating that everybody, or even a large number of people, do this, as the amount of traffic it would generate would only add to the problem, but it seems like a more legal solution than another, white-hatted, worm.
Re:There is another way... (Score:4, Informative)
from the bugtraq post: [securityfocus.com]
To: BugTraq
Subject: Infection Notification
Date: Sun Aug 05 2001 10:50:22
Author:
Message-ID:
If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:
IP ADDRESS DATE/TIME WITH TIMEZONE
Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
---end bugtraq post---
DOS against security focus... (Score:2)
For those of you participating in the DOS attack against Securityfocus...
Although, they did not launch a posting to this, in the mailing list they said that they were going to discontinue taking mailings from people.
When I went to get the link for this message I found that they are having a hard time responding to HTTP requests... Perhaps caused by the slashdot community?
Lando
just pop up an explorer window for cert.com (Score:2, Informative)
Re:Source? (Score:2)
Hey, who said my Perl skills were anything other than sub-stellar? That's the nice thing about Perl - you don't have to be any damn good to write useful little bits of code. :)
I'm trying to arrange for space on a relatively ./ proof server right now and should be able to post an easily hackable version of the script there soon. I'll post the URL when it's sorted.
You'd spawn a war that hasnt escalated so far (Score:4, Insightful)
Re:You'd spawn a war that hasnt escalated so far (Score:2)
No, it's like saying a certain amount of rape does not justify raping the rapists (otherwise we could just allow rapists-to-be to get their jones off raping rapists (of their gender preference of course)). I realize that sometimes we are stuck between a rock and a hard place when dealing with miscreants, but the power to commit acts deemed illegal at the behest of authority leads to corruption - family and friends of those in charge of supervising the counter-rapes would no doubt get first shot, rape harder than the rapist did, longer
I support community action more than the average individual, but there is a very important distinction here: community action is only warrented when the action is to stem abuse and corruption AND the adversary does not make themselves avaiable to a dialog; and even THEN, only if they refuse to aknowledge that a large enough opposition to their behaviour or ideals should result in change.
I do NOT support community action to fight violence. Why? People are not responsible enough to recognize the difference between revenge and problem resolution. When it comes to the moment when you're smashing the bat over some dissident's head, you're probably not thinking about whether or not said dissident will continue their actions (in this case, continue writing bad viruses), but rather how much the dissident had this coming to them. And since you've lost sight of the goal, no resolution is likely to come from it. Same goes with white hat viruses
All this is notwithstanding the fact that you'd raise awareness of how to write viruses (I'd imagine you could easily publish a book "How to get into an IIS server, and spread
Unfortunately, mentalities like yours seem to prevail. People lack the tolerance and foresight to see that sometimes the eye-for-eye cure, no matter how self-satisfying, can cause the problem to reach levels of magnitude far beyond that which it would have reached had resolutions be seeked IN OTHER WAYS.
Incidentally, there is someone on our street with cracked windows. Despite this, everyone else seems content to continue to take pride in the appearance of their dwelling; the lawns are mowed, and the flower beds are gorgeous. If the motivation for behaviour was whatever the lowest common demonitor was, we'd have never gotten out of the stone age. I should hope that the sole motivator for maintaining some sense of responsibility, dignity, and self-control is not that others HAVE to do it to. I could list hundreds of examples, from j-walking to litter in which the only reason they havn't reached catasphoric levels is because SOME people take it upon themselves not to contribute to the problem, even if there is little chance of being punished or caught. Even if littering and jwalking were legal, I'm positive a significant portion of the population would continue respecting others' environment and traffic flow.
A please notice I never once suggested we 'lay back and enjoy it', although I suppose drawing judgemental conclusions out of posts has long since become a
net police (Score:5, Insightful)
Having good intentions is nice but consider this (fictional) scenario: A local cat keeps trying to have 'relations' with my cat and I dont know who the owner is, plus the owner is unaware of their cat's activity. I catch the cat and get it 'fixed' without the owner knowing. When the owner finds out I doubt they or the police would be too pleased about it. Swap 'cat' for 'web server' and you have this code red situation.
Yes the internet is unpoliced but I dont think the 'Do-Gooder' virus is a very good answer. Internet policing is an interesting new subject but traditional security ideas still apply - the owner of the house is the one responsible for making sure the door is locked. People need to be taught this applies to the internet too.
(And no jokes about unauthorised entries thank you very much)
That doesn't solve the problem. (Score:3, Informative)
A: Microsoft needs to release more secure OS/Web servers.
B: People need to patch their system themselves or take it off the net.
Its entirely possible (Score:5, Interesting)
I'm sure folks will scream its illegal and it probably is - but can't a case be made for 'self defense' I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?
Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?
Re:Its entirely possible (Score:3, Interesting)
If you are in a dark alley somewhere, and there is one other person, and he draws a gun on you, indicates an intent to harm you, you have the right to use your weapon ONLY IF that is your last resort. And I won't even go into the notion of the "danger to life and limb" that is present in that scenario, but suffice it to say that generally speaking, you can do things you can't otherwise get away with if it's for the purpose of saving a life.
When it comes to your web server, nobody's going to die if you get defaced, rooted, bent over, etc. It costs some money to fix, ok, but that does not give you carte blanche to break the law at a similar level. Keep in mind that nearly every law that outlaws hacking is based on "unauthorized access." It doesn't matter WHY you're doing it, just that you know you're not supposed to be there. And if you're basing your code upon a notorious worm...well...good luck trying to say "I didn't know!" :)
Final point, you have other options. Keep up with your patches. Install IDS and watch the logs. Yes, this takes work, but so does writing a counter-worm every time a new worm comes out, and at least this way you can be protected BEFORE it hits, not after. And if all those Code Red-nailed boxen are knocking any of your systems offline, I gotta tell ya, you need to do something about your network, because as severe as the scanning is, I haven't heard from a single client who has actually had downtime from it.
Re:Its entirely possible (Score:2)
At work, we had a Lotus Domino server that would crash whenever someone requested an non-existant Web URL from it (don't ask...). As most access to it are done from programs, or from links & bookmarks, this hasn't actually been a problem until recently...
Since the beginning of August it started crashing every hour or so, making it rather difficult to work with. Then, this week it crashed every ten minutes... Initially we assumed that unknowingly a coworker was mistyping an URL, or doing some bizarre tests which crashed it. Then we understood what was really happening: it was CODE RED! Does that qualify as client having downtime due to Code Red?
However, in retrospect, this whole story had a good thing to it: it encouraged the guy in charge of Notes to find out why exactly it was crashing when asked for a non-existing URL... And he did indeed find the faulty config option and fixed it.
Ok, now on the next task: another of our Domino servers crashes whenever somebody enters a bad password into the HTTP password dialog box for protected pages (yeah, yeah, I know...). Now that the weekend is approaching, and the kiddies are putting their final touches onto their new creations, could somebody please include an Authorization: Basic Tm90ZXM6c3V4b3Jz0 into the HTTP headers of the probes of his Code Red III, so that we have an excuse to fix that problem too? ;-)
Re:Its entirely possible (Score:4, Funny)
The problem is that 'self defense' only exists in a situation where your personal safety is at risk - like the above scenario.
It's like asking: If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee?
Basically, you can't violate someone else's rights unless your own safety is in danger.
Re:Its entirely possible (Score:4, Funny)
That's a great analogy. Mostly because of the image it conjurs.
...but it's a bad idea (Score:3, Insightful)
Re:Its entirely possible (Score:5, Insightful)
Not necessary, if people would only research (Score:3, Insightful)
Re:Its entirely possible (Score:4, Insightful)
There is really no single law that covers this so a lawyer would be useless in this case. You could get ten different opinions from five different lawyers and any or all of them could be right. Or wrong. That's what Judges do.
Now, with the PHP or CGI programs that do something to a computer, it would be a very grey area. After all, the 'attacking' computer is actualy requesting information from your machine. You are simply returning information. Then you can get into the motive of the requestor and the motive of the author and it gets even worse.
Basically, all a lawyer is going to tell you is his theory of how a set of laws will be interpretted. Only Judges can actualy do the interpretting.
Re:Its entirely possible (Score:3, Informative)
Re:Its entirely possible (Score:5, Informative)
Guees that means if my machine gets hacked here I have to give it over to whomever hacked it.
Re:Its entirely possible (Score:2)
Re:Its entirely possible (Score:2)
Re:Its entirely possible (Score:2)
It's understandable in some ways. Say, for example, someone pulled you off the street into their home and shot you. It's your work against theirs that you didn't break in, and you're dead.
Re:I Hope You Keep Bail Money Near Your Gun (Score:2)
Some people, to me, are of negative worth. These would be the rapists and murderers. I wouldn't assume someone was of negative worth, but I think the simple fact of finding them in my house without my permission, despite locks, would be fairly strong evidence for that.
Now, I don't necessarily think these people should be killed, but my adversion to killing is sufficiently lowered in those (hypothetical) circumstances, that I would be willing to shoot, if I thought it was warranted.
Now, what is warranted... Tough question. To me, seeing some kid trying to break into your garage isn't. Seeing someone walking *out* of your house with the TV, isn't. Heading the door be kicked down and seeing someone come in, is.
If I could clearly see them and tell they didn't have a weapon handy, I'd give them a warning to leave. If I couldn't, why would I want to risk my life and that of my family, by giving them a warning which they might use only as a chance to duck for cover before going for their weapon?
There's been a rash of home invasions in my area, which often lead to murder. I don't know about you, but my door has never been kicked down, I think I'd assume the worst, and in that case, be willing to defend myself. Any criminal intending only theft should either announce himself "Hey, I'm just here to steal the TV" or risk my assuming that since he broke the door down, he's probably got more sinister motives, given the rash of invasions/murders.
This is a Bad Idea (Score:4, Insightful)
No matter how good your intentions are (RTM just wanted to play around, right?) you cannot take the "law" into your own hands.
Ethical issues aside, it would be very dangerous to being publicizing that there was a beneficial worm available; immediately, we would get copycat worms everywhere, appearing the same (yes, this could probably be circumvented by MD5 checksums or something, but jeez, if the webmaster was going to go through THAT much trouble, they'd install the damn patch themselves!) but doing far worse things.
I'm not usually one to spout Libertarian philosophy - but in this case, if somebody wants to leave their box open - through ignorance, laziness, or some other ineffable reason - that is their choice and not the choice of some 15-year old hacker who thinks he'll redeem his l33t friends' images in the media's eyes.
The defenses always have to be kept up - or else you have to start making judgment calls about which outside sources to give access to, which is a path no one wants to go down.
works until.... (Score:2, Insightful)
Re:works until.... (Score:2)
After all, either way they've got to clean up, the easiest way to clean an MS system from an unknown problem is to reinstall and download all the updates. One way they do it because the machine is a bit slow or unstable, run of the mill for a windows server, the other way they do it after contributing to potentially millions of dollars of 'damages' (usually lost sales) at some target site.
Darwinian Predator - Prey relationship on the net (Score:5, Insightful)
All you can do here is appeal to the logic of those who would pursue such an activity and suggest that they not undertake it, but regardless of how much you argue, convince and suggest, someone will eventually do it and there will be severe concequences - not all negative, but severe, with respect to how we look at technology and how we use it.
It could further be argued that those against such undertakings, need to ajust to changing technology and make the appropriate changes to their world view. This is what the recording industry is having to do, as well as companies in other well established industries. The same will eventually be true of how we look at software design (computer viruses), and biology (human cloning).
--CTH
Re:Darwinian Predator - Prey relationship on the n (Score:3, Funny)
If only this sort of thing weren't illegal where I live...
Re:The law's not on your side (Score:2, Interesting)
What about just disabling the viris as a response to the scan? As Code Red boxes advertise themselves as infected and vulnerable, you don't need to probe the net for infected/vulnerable computers. Besides, releasing _any_ scan-and-infect worm on the net is a bad idea.
Is automatically patching someones box for them (as compared to infecting it) a valid form of self defence? I can't see being sued for it.
If you wanted to go a little further overboard, you could install a defensive-response worm in response to an attack. It would only spread as far as the origional infection and place minimal load on the net.
Re:So the solution would be... (Score:2)
Re:Because of this the internet is dying.. (Score:2)
i live to see the world, be there for my family, and be who i am, but the governement and monopolies sure are good at fudging things up.
Re:Funny, (Score:3, Funny)
I agree. This past monday when i first login, my W2K told me it shut down in 2 minutes because it just installed an anti-code-red. this is itself exactly a virus: executing something without owner's consent...
This past Monday? Wow. I see your administrators take their time, don't they? Or did they wait until they'd been infected to decide that it might be time to take preventative measures?
Indexing server is essentially part of IIS (Score:2, Insightful)
The indexing server is bundled with IIS, and is one of the main reasons for choosing IIS -- searching is bundled right in. Comparing it with "some CGI script" is disingenuous.
It would be fair to compare it with Apache modules that are part of the standard distribution and are usually installed. Care to point out a recent hole in such a module?
Insightful, my foot. The pro-MSFT moderators are busy today.