"Cheese Worm" Fixes Broken Linux Systems? 240
Wakko Warner writes: "According to this article, a new Linux worm named "Cheese worm" has been spreading lately. The difference between this and other Linux worms is that Cheese worm attempts to fix backdoors added by other worms, removing malicious code and user accounts and scanning for other infected systems on the network. Now if someone would only release something like this for Outlook that turns off VBScript..."
Re:But do I trust it? (Score:2)
The idea is brilliant.
Re:But do I trust it? (Score:2)
Praised on one OS, invasion on another. (Score:3)
How exactly does that compare to a worm that will enter the system through faults in daemons without user intervention or knowledge, r00t the box, and deliver literally any payload they want, good or bad? Certainly there are some similar vulnerabilities in Microsoft daemons, i.e. everyone's favorite IIS. But I guess I shouldn't expect that many people here to be able to make such a distinction.
Microsoft has long since released a patch to prevent COM automation of the address book, and future versions of Office prevent it by default. Should a worm of sorts be released to automatically download this patch and install it for the less-than-capable end user? Hah! You know as well as I how quickly the slashdot crowd would interpret that as an invasion of privacy by the most evil and loathsome entity in the history of the world.
Ahhh, another tool in the weapon against spam... (Score:2)
And finally China is secure...
--
WolfSkunks for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.keenspace.com";
Good Samaritan Worm. (Score:2)
At least they don't send you a bill (Score:2)
or it could be some odd sort of new Antivirus software prototype (laugh!)
Naw, if the antivirus folks were behind it, it would also look for credit card numbers so they could charge you for the privilege of having your system secured.
Re:Someone actually did it. Awesome (Score:3)
I can think of one silly example why it would be a bad thing: what if somebody was testing network security software, thinking that this hole was unpatched on a target machine, and now, all of a sudden, it isn't? Then there's a bug in his security software that potentially goes undetected, and that security software gets sold and widely distributed. Can the dumb ol' worm guarantee that all systems on the net from that point in time onward will be patched?
That's just a silly example of an unrealistic situation - but for every one of those I can think up in the 5 minutes it took to read this
The basis of testing, or even just running a computer, is having a known-good system state to run from. If some unknown element is being changed, for whatever reason, that's a variable that the operator is not aware of. And that's a bad thing.
But do I trust it? (Score:5)
Further, it is still using my system resources (bandwidth, etc.) to spread itself without my permission, which amounts to trespassing in my book, even if it is supposed to "help".
If we start allowing worms such as this one back on our systems, just because, "Well, it might help", it won't be long before somebody combines one that fixes one hole while making a new, bigger one.
Re:Neat.... but... (Score:2)
Now, if someone AGREES to become a scanning node, that's another matter. They're consenting to allowing their machine to portscan others. They're consenting to allowing the benevolent worm to use their bandwidth to propagate itself and help others. They're accepting responsibility.
If they didn't agree, then the worm has NO RIGHT to use their bandwidth, even if it is to help others, or clean up after malicious hackers. Unless someone has agreed to allow you to use their resources, it's stealing.
I think the concept is a good one, however. I think if the worm were "sterilized", so that it simply went in, inoculated, patched the hole, then quietly deleted itself - no one would have an issue. If the same worm emailed root@whatever.host with a URL to download the propagation software, that would be cool too.
The problem with that last part is that the malicious worms could do the same thing, masquerading as "fixes".
Re:kind of pleasant (Score:2)
If a burglar has already broken a jewelry store window, gone in, stolen some stuff, and left, it's OK to enter through the same broken window, as long as you are just picking up the broken glass.
I'm sure the cops would just LOVE to hear that explanation
Either way, it's still an intrusion, whether it's benign or not.
If it propagates itself in the same way (portscanning, etc...) then it's still using bandwidth without permission, even if it is for a good cause.
Cool concept, poorly thought-out execution.
Re:Kind of Amusing . . . (Score:2)
That way, it still does the "nice" stuff, and leaves it up to the sysadmin as to whether or not to become a redistribution point for the fix.
Re:A Really Really Bad Idea (Score:2)
So the Linux corollary would basically be an extension to apt that allows you to grab some information (changelogs) about the updates it's about to do?
That's a *nice* idea.
Re:But do I trust it? (Score:2)
In *theory* Windows Update isn't such a bad idea. The main underlying issue is that it isn't full disclosure, and the patches themselves are closed - so you can't verify that they actually WILL do what they SAY they will do.
Windows Update reads from the registry to find out what you have installed, and what you don't. Considering how much information is stored in the registry, and the fact that it's closed, there's no way of knowing exactly what information it does send back to M$ about your system, besides the contents and their update status.
What would be cool would be to simply portscan (the same method the crackers use to get in) the machine in question, then act on those vulnerabilities only, reporting to the user exactly what is being done, and any holes that have been found/closed.
Basically Windows Update done right.
In *theory* it's a great idea. In practice, it may suck. Some people open things intentionally. Some people NEED (for whatever reason) to use an insecure version of [certain program].
There's also the possibility of infecting the base site, or its mirrors - and having the infection spread exponentially.
Re:But do I trust it? (Score:3)
Well, I'm no expert...one of my boxes was hit by Ramen shortly after installation of RH6.2, before I could finish downloading the update rpms from RedHat's site - seems someone on my local cable node had already been infected, so as soon as I got it installed BLAMMO! there it was. Did the cleanup/inoculation myself, and learned quite a bit in the process. (switched to Debian later that week)
The thing that tipped me off to the worm's presence? My eth0 activity was sky-high, and I wasn't (to my knowledge) transferring anything.
Now, I'm not saying a "good" worm is a bad thing - but I'm not entirely sure that it would be easy to tell the good from the bad at first glance. If these things propagate in the same way as the bad worms do, then people are still going to see their network card's usage jump up VERY high. People are still going to be portscanning other people's boxes, without knowing, and without other people's permission. It's still suspicious activity, regardless of the purpose.
I can see an alternative though. Set up a website (or better yet, a voluntary series of mirrored sites) where users can go, and ASK to have their computer portscanned, and fixed if necessary. Make the "good" worms "sterile" (i.e., unable to reproduce) so if the machine is infected, it can be automatically inoculated and patched against further infection.
Want to know if you're infected? Just go to the site, and have it scan you, fix any problems it finds, and email you the results (or alternatively display them on the webpage). Have the same set of pages offer a tar.gz/deb/rpm of their site, including the scan/vaccination tools, so people can set up their own mirrors. Have the mirrors periodically checksum each other (say, weekly/monthly), to make sure they're all updated correctly, and that their payloads haven't changed.
By making the process voluntary, and the worms sterile, you're only providing the inoculation service, not another (benign) infection.
By allowing users with the disk space/bandwidth to set up their own mirrors, you eliminate the single-point-of-failure.
By periodically checksumming known mirrors' copies of the patches, you make sure people don't abuse the system to deliver malicious worms, rather than distribute the benign ones.
The trick is making sure users actually go to these sites, and scan their machines every once in a while. A few conspicuous links on security sites, and major *nix hubs would help there.
Possibly even a "reactive" script that would detect worm activity, and email root@source.ip.of.scan, suggesting they go get scanned...hrmm...on second thought, that one could be exploited by the "dark side" as well - send a false email to root@whatever saying "I think you're infected, go scan yourself here" where "here" actually points at a delivery system for a malicious worm...ok, so that part's not a good idea.
I'm just thinking here - second cup of coffee stuff
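The mirror cross-checking step from the post above, as an added Python example (not from the post or any real project): each mirror publishes a SHA-256 manifest of its scan/vaccination bundle, and a comparison against the majority digest per file flags a mirror whose payload differs or is missing a file. File names and contents are constructed placeholders.

```python
import hashlib
from collections import Counter

# Constructed placeholder bundle a mirror would serve (not real tools).
PAYLOAD = {
    "README": b"constructed mirror bundle\n",
    "scan/portscan.sh": b"#!/bin/sh\n# placeholder for the scan tool\n",
    "fix/vaccinate.sh": b"#!/bin/sh\n# placeholder for the inoculation tool\n",
}

# One mirror serving an altered copy of the fix script.
TAMPERED = dict(PAYLOAD)
TAMPERED["fix/vaccinate.sh"] = PAYLOAD["fix/vaccinate.sh"] + b"# altered line\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Per-file digests: what each mirror publishes for the others to fetch."""
    return {path: sha256_hex(content) for path, content in files.items()}


def manifest_digest(man: dict[str, str]) -> str:
    """A single digest over the whole manifest, for a cheap 'anything changed?' check.
    Entries are sorted so two mirrors with the same files get the same value."""
    h = hashlib.sha256()
    for path in sorted(man):
        h.update(f"{path}\0{man[path]}\n".encode())
    return h.hexdigest()


def find_divergent(manifests: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Compare every mirror's manifest against the majority digest per path.
    Returns {mirror: [paths that differ from, or are missing versus, the majority]};
    an empty dict means all mirrors agree. A missing file counts as a vote of
    None, so a file that most mirrors lack is flagged on the mirror that has it.
    With an even split there is no majority (Counter keeps the first digest seen),
    so run this across at least three mirrors."""
    all_paths = set()
    for man in manifests.values():
        all_paths.update(man)
    consensus = {}
    for path in all_paths:
        votes = Counter(man.get(path) for man in manifests.values())
        consensus[path] = votes.most_common(1)[0][0]
    divergent = {}
    for name, man in manifests.items():
        bad = sorted(p for p in all_paths if man.get(p) != consensus[p])
        if bad:
            divergent[name] = bad
    return divergent


MIRRORS = {
    "mirror-a": manifest(PAYLOAD),
    "mirror-b": manifest(PAYLOAD),
    "mirror-c": manifest(TAMPERED),
}

if __name__ == "__main__":
    for name, man in MIRRORS.items():
        print(name, manifest_digest(man))
    print("divergent:", find_divergent(MIRRORS))
```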
Re:kind of pleasant (Score:2)
"I'm sure the cops would just LOVE to hear that explanation ;P"
I think a better metaphor might be a robot wandering around a badly policed town and boarding up broken store windows. It would leave a note explaining how it did it, when it did it, and what it did. This could prevent further looting. A robot is different than a human in that you don't have to trust it. If its specs are sane and it doesn't malfunction it does exactly what it is told.
And sanity checks in the wild are what signatures and checksums are for... right? If we trust them for other things, why not this?
Re:Someone actually did it. Awesome (Score:2)
Re:Good worm, Bad worm. (Score:2)
With regards to automatic patching, how would you feel about updating patches on 100 machines? How about 1000? Fact is, admins don't want to have to manually log in to hundreds of machines to apply patches, so an automatic roll-out is the way to go.
--
Re:But do I trust it? (Score:2)
Bingo. I mean, it would be very easy to create a worm that looked a lot like this one. People might just say, "Oh, it's just the Cheese worm. It's OK."
I do have to admit that the idea of a beneficial worm is pretty neat, however.
No. As with malicious worms, you have no choice! (Score:3)
So what are you going to do? Put your unpatched antique box on the net and hope Cheese finds it before Ramen? Ahuk, ahuk, ahuk...
The bottom line is: if your security sucks, you default to trusting every Tom, Dick and Harry out there with your box. The usual term for this is "data suicide".
Re:Fixing outlook (Score:3)
Besides, it would be trivial to convert your typical Outlook virus into JavaScript, PerlScript, or even a VB EXE file. NOTAFIX.
Microsoft has had a security patch out which mitigates the problem for many months. Have you tried it?
--
the value of this thing (Score:3)
Think about it. In the 'doze world, there's MS, the sheep...er..users, the Vendors and the hackers on a bad day. There is no sense of community...if you help your friend....you're likely breaking some kind of law.
On the other hand, with Open Source, here's an instance where some lone hacker takes a paradigm and smacks it upside the head for our mutual benefit. This is wonderful PR!!!
Just when MS gave a speech about how Open Source OS's are insecure, and the community aspects are negligible at best, this guy kills both birds with one stone. And it didn't cost any of us a "beer" dime.
You just can't buy publicity like that. I think I'll start preaching "Random acts of kind InfoWar". Really....this whole thing is a head scratcher we could use to our advantage.
oh.....check
Kind of Amusing . . . (Score:2)
Sure, the idea of a worm in general might not be a good idea. But then, the only people who will be affected in a nontrivial way by this worm will be those who've been infected by another, malevolent worm anyway. Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong, if the one wrong meant there were all those compromised computers out there that could be used in Denial of Service attacks, and the second wrong took those out of the equation.
--
Re:It leaves this message... (Score:3)
And how long before someone modifies the Cheese worm so that it still patches the system from 1i0n, leaves that exact same message, and then goes and deliberately opens up a brand new hole for exploitation? I'd say seven days is a conservative estimate. If it appears that your system has been "patched" by the Cheese worm, you're best off wiping your system and restoring from backups.
Cheers,
Re:Neat.... but... (Score:2)
--
Interesting Concept (Score:2)
What a great deal of sand in the face for Microsoft to learn of the open-source community banding together to secure the systems of the untrained, locking them down against participation in DDoS attacks and such. As if they don't already need a bulldozer to get the sand out of their faces with all the high-publicity IIS compromises of late. =)
Sure, some of us don't want something like this getting onto our systems as it demonstrates that we've not locked it down well enough to begin with. But for those who truly *can* stop it from exploiting known vulnerabilities, we obviously don't need it. However, I'd wager that well over 90% of the people using Linux don't know what to do to lock their systems down.
Bravo!
(that is, until someone finds out that this worm is actually doing something malicious while pretending to patch the system)
Turning off VB script (Score:3)
Re:In the "impressive, but not really" department. (Score:2)
In the "impressive, but not really" department... (Score:4)
A while back, I noticed a port 111 scan from what appeared to be a company's mailserver, setting off "worm" alarms in my head. Though I normally ignore such things, I was in a rather giving mood, and decided to alert the company of their potentially compromised box. Several bounces and lack of replies later, I gave up. The company just didn't seem interested in making it possible to report potential security holes or server problems - no addresses on their website, several possible leads gathered through bounces failed, and the whois lookup revealed a Hotmail address for the technical contact. I wonder how many other companies are as difficult to warn, and may not even care that their boxes are insecure.
Maybe I just don't understand how hard it is to be a sysadmin, but can it be that difficult to at least glance at your operating system vendor's updates site once a week to check for patches and warnings? Is it that hard to do a simple system lockdown after the initial install and reopen services as necessary? Or am I just clueless?
<Blatant flame>
Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...
</Blatant flame>
Sorry if I insulted anyone with that short rant, just thoroughly unimpressed by the number of port 111 scans I see coming from what should be very carefully watched boxes all over.
Re:But do I trust it? (Score:3)
If you don't like worms, keep your system secure before you get hit.
Re:Interesting Concept (Score:2)
-------
CAIMLAS
kind of pleasant (Score:2)
sean
Re:kind of pleasant (Score:3)
and new systems would be patched immediately, no more hunting down and downloading a bunch of old fixes every fresh install.
imagine bands of roving web worms maintaining and managing the security of the net. Am I just tired, or does this sound really cool?
sean
earth worm worm (Score:4)
just don't believe people when they tell you that you can cut it in half and both halves live
sean
How fitting (Score:3)
Too funny...
But seriously...maybe this'll nudge those black-hatters to actually compete with each other to *fix* holes.
Re:A Really Really Bad Idea (Score:2)
SysAdmin Worm (Score:2)
It'll need to detect I've rebuilt Sendmail with regular expressions, and connect with some machine out on the net that has the same version of gcc, libraries, et cetera as I used on the build machine to create the binaries.
It'll do the same for SSH, turning on the ability to invoke it from inetd, and without opening the hole closed by turning off X forwarding.
It will need perhaps the skill to rebuild Apache properly to include mod_perl and OpenSSL.
Somehow it will know which of my two Perl binaries it will update.
I think I know what to name it.
I wonder how Windows Admins would react... (Score:2)
Would they update to new software (for the desired installs, of course) or would most want to just reinstall the open barn door?
Re:SysAdmin Worm (Score:2)
Granted. Though I would prefer the proposed version that didn't scan but only defensively spread itself to other probing systems, its attackers. My post was addressing this part of what I replied to:
The worm installs itself on the machine, checks for the installation version, logs into the bug report homepage for that distribution, and updates all of your packages or binaries from a set list of servers...
Someone using an RPM distribution, to name one package manager, soon learns that if they update the original software themselves (configure, make, make test, install) that it is better to leave the system thinking the old packages you are replacing are still installed. Otherwise you are going to have to force the package manager to ignore what it thinks are dependency problems. Sometimes what is updated is only one important part of a package. Grabbing new versions and blindly installing them over what is already there would actually penalize those who update their software before official updates are available, should they miss the one hole the worm might use.
The bottom line is that this addition would downgrade the software on a system which does not restrict itself to the official packages. In other words, about all servers that do anything interesting. The software is modified to perform functions. Security is essential, but worthless if it keeps the server from functioning. Or overloads the update sites it uses.
Lion worm is fixable. The proposed trashing of the installed software base is less likely to be.
Missing the point (Score:2)
It's a bit like someone turning in a wallet he found instead of keeping the money for himself.
nicely done... (Score:2)
Someone should set out to write an informative document which isn't so bloated with too many tech terms for the newbie Linux admin [antioffline.com] that shows them how to lock down their Linux systems on an install. I wrote a lame one about 2 1/2 years ago, but never bothered following up on it.
Education, education, and more education. I wonder how come many complain about security, when so few take a few hours to actually inform themselves of the risks/fixes for typically easy problems.
2600 is being run by Peter Pan [antioffline.com]
It leaves this message... (Score:4)
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# Infact, it was written to try and do some good.
one step ahead of you (Score:2)
Re:In the "impressive, but not really" department. (Score:2)
Redhat Linux 6.x boxen have portmap running by default, and rpc.statd has a hole in the default install. Exploited by Lion, and adore (IIRC).
Re:technical aptitude? who needs that? (Score:2)
Re:But do I trust it? (Score:2)
As for your 'I've put other devices in place to avoid exposure', what a load of crock. If you've avoided exposure, Cheese shouldn't spot it or your amelioration devices should catch cheese as well. It's a crock.
The box is yours, and cheese is by no means the best way to solve problems but for those who can't be bothered to secure their box right, Cheese is the best way to fix these Typhoid Marys.
DB
Reminds me of the 70's (Score:2)
ethics aside... (Score:2)
Put the ethics of the situation aside for a moment. The fact is, creating this type of exploit is possible. No amount of preaching will make this type of exploit go away. Like nuclear power, the cat's out of the bag.
So shouldn't the discussion be more along the lines of "what do we do now?", rather than "I like, I don't like."? If you
With that in mind, I have to come down on the side of favoring this particular worm. If we're going to have an evolutionary arms race, I'd like the good guys to win, after all. Ethics matter, but it's too late to go back.
Re:Neat.... but... (Score:2)
Obviously. If you KNEW you were compromised, you would reinstall if you had half a brain.
However, if you did not KNOW you were compromised, it might be nice to have the "white" virus remove the holes before more malice comes to your box.
I think that is the entire point.
Better Idea (Score:2)
On the flip side. This worm is still using other machines unauthorized and I am sure the author could get in considerable trouble with the law. Shit...what about all those nice honeypot networks that are supposed to be all messy and bad. (redhat full install..boom honeypot)
Nevertheless, this will probably get negative spin:
"Linux Users are so mindless about security, that vendors have to release worms against their users to protect them from hackers."
You shouldn't try to force people to be interested in security, especially against their will. It's like using the ATM in the worst part of town at 3 AM. Not a good idea. Once you get mugged, you will start worrying about security.
Re:You've got Root! (Score:2)
Re:Good worm, Bad worm. (Score:5)
Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.
Just look at primary network time servers. Imagine if *everyone* had ntp get the time from a pool of ntp servers. Now, imagine someone hacking these servers and changing their time. Boom, everyone's time is now incorrect. But that doesn't even come close to automatic 'fixes' for buggy code. Imagine someone hacking the Patch Server, then inserting a 'patch' that contains malicious code. *BOOM* Every motherfucking machine that uses that server is then 0wned. It sounds great on paper, but isn't a good idea. Plus, you shouldn't make security that brainless. I was baffled by OpenBSD only releasing source code patches. Then I realized that if you want to patch the binaries, you have to learn how to patch the source and then you've learned a bit more about how the system works. Plus, you don't have to worry about finding a binary patch when the distro supports a bajillion architectures. If I remember correctly, RedHat dropped Sparc support...do they release patches for Sparc anymore? If not, you'll need the source. Good thing you learned how to do it in OpenBSD. (sidenote: the patches usually have the instructions in them, so they are relatively easy to use) But I realize you probably aren't suggesting auto patching. But if you aren't, then your idea is lost. People will realize security is an important issue, either the hard way or the easy way.
Not Morality Issue (Score:2)
This is not a morality issue, this worm (and idea) is now in the wild, worrying about the morality of it is a pointless waste of energy.
We need to harness this idea to the benefit of all.
A Really Really Bad Idea (Score:3)
I'm sorry, it sounds cool but it has many problems in my mind.
1. Lack of Transparency. I don't like the idea of something that runs at a privileged level or modifies my system without my permission. Do I get a chance to view the source code before it patches to ensure its good intent?
2. MAD. This will start a war of attrition. Worms scanning and invading systems. How long before a worm says 'if I can't have it - neither can you!' and wipes the hard drive.
3. Evolution. This will cause mutation in the malignant worms that will make it harder for patches to be created. Think anti-bacterial resistance.
4. Automation. People say this is great and automated and the admin doesn't have to even wake up. What would happen to the Internet if Windows automatically installed patches without your permission? Just think of all those IIS sites disappearing when the service pack screws up and no one's there to monitor it! Hang on, perhaps that's not such a bad idea :)
The risks in my mind really outweigh the potential rewards. The only people who see this as cool are those who are too lazy to have some form of management process to maintain their security.
I do like a system similar to the MSFT update whereby my installed software is audited, and I am notified of any patches available, and then given the options to read, and install the patch - if I choose.
Cheers RedIguana
Re:Good to see (Score:2)
Re:Neat.... but... (Score:2)
Well, this cheesy virus can "infect" only boxen that got the virus and stay unpatched for a long, long time. These are likely to be unattended or poorly adminned boxes. They can become a breeding ground for a new wave of DoS attacks, but now they are fixed as easily as they were br0ken into.
This is a totally new, proactive approach to Internet security. As soon as a new virus is found it gets rev-engineered and an "antibody" is released (officially, from a very official Web site, cryptographically signed if you like). This can be permitted by laws.
This antibody then may check a certain file in a certain place, like /etc/please_no_antibodies, and if this file does not contain a valid gpg-signed request to bug off then it proceeds, cleans up the virus, creates a log of changes and mails it to the box owner.
Thinking commercially, this can be even a subscription service. You register IPs of your boxen on the Net, and the service scans your boxes (from a central server) from time to time; if the box is r00ted with known virus then it will inform you.
Even if you don't like this "commercial" approach, I hereby transfer this business plan into public domain. Logs of /. and Google will preserve it forever. Patent this! :-)
Evolution of Life (Score:5)
Now we have some new parasites (unhacking worm) coming out that have a symbiotic relationship with their host (linux machine).
You've got Root! (Score:2)
--
Re:But do I trust it? (Score:2)
This is stupid. Of course you shouldn't trust it. You should fix the holes yourself, and not allow the worm on your system.
However, for those who are less security-conscious, this is a Good Thing. Not infallible, and not the best alternative, but perhaps (and only perhaps; I don't know enough to judge) better than leaving the system wide open.
Microsoft has this already (Score:2)
Two sides ... (Score:5)
On the darker side, this reminds me of the "toner wars" in Diamond Age [slashdot.org] , where good and evil nanites ("mites") battled in the air, and the carnage was horrific. Going outside during a toner war was like breathing straight graphite powder. Is this the future of security? The future battleground for white hats and black hats?
It's a cute idea, really, but it has to stop. All property rights aside, we cannot afford to fight this war in this arena. The point of having an army (if I may carry the analogy a little farther) is to keep the enemy away from civilization. But in some ways the battleground already is the property we need to protect; worms are in a real way terrorist rather than military. What's to be done? Education, and lots of it. Hope it's enough.
question: is control controlled by its need to control?
answer: yes
Re:earth worm worm (Score:2)
Fixing outlook (Score:2)
Already done. Paste this into a
Neat.... but... (Score:2)
I really don't like the idea of worms like this. I sure as hell don't like the idea of ANY worm or any mutant program trying to do something to my systems without me knowing. Whatever reason it was done for, thanks, but no thanks. I'd rather secure my system the old fashioned way.
Outlook Fix (Score:2)
MsgBox "You're Fired. Clean out your desk and leave within thirty minutes."
We didn't actually implement it, but we feel that if we had, we could count on people learning not to click on random VBScripts.
Re:Neat.... but... (Score:2)
I mean, yeah, I agree with you- not a good idea to rely on benevolent virii to have a secure system, lol, but this "benevolent worm" is only gonna affect those who couldn't or didn't secure their own systems "the old-fashioned way"
http://www.bootyproject.org [bootyproject.org]
Something I think should be said... (Score:2)
The real good I see in it: if this shows up on your computer, you know that you haven't been taking appropriate safety precautions. Count yourself lucky that nothing bad happened, and fix it.
Re:Why... (Score:2)
Re:Why... (Score:2)
As for the SDK documentation, it is almost adequate, not excellent, and I use the one on msdn.microsoft.com, I assume that will always be the most recent. If you want an example of an excellently documented SDK, check out man. You will never, ever, never run across stuff like: "this variable is undocumented," which exists in the SDK.
As for fixing problems in MS, turning off VBScript isn't the solution. Seems to me that perl, tcl, python, and other equivalents do not have the same security problems as VBS. I think the main problem lies in vbrun*.dll.
Re:Why... (Score:2)
MS (what else?) (Score:2)
Try to search "Windows NT unknown error" on google!
Say what? (Score:2)
"if someone would only release something like this for Outlook that turns off VBScript..."
Hey, wait just a minute there. I get paid good money to do that. Don't go replacin' me with no worm.
Re:But do I trust it? (Score:3)
The fact is, if you are security conscious and have all the latest patches and follow the proper regime for maintaining your system, it is fairly unlikely that your system will ever get compromised......and if you "let" any worm into your system you should be shot without any hesitation.....though in this case if the Cheese worm _can_ get into your system it seems to mean that you have already been attacked and your system is not trustable...so what harm could it do?
# Tom von S.
# -------------
# "Nuclear weapons can destroy all life on earth,
Cheese Pleez (Score:2)
I feel like a geek Rodney King here - but the goddamn salespeople have got to use something they can somewhat understand! Lusers or not. Am I not right?
I'm getting off subject - great post though. Got me fired up.
Re:Ever heard of Ramen worm? (Score:2)
Enigma
Don't feel safe! (Score:2)
cool1 (Score:2)
What if it turns ? (Score:2)
Re:Outlook Security Patch? (Score:3)
Excuse the blatant plug, but instead of telling users to hack into their Windows registry (not something most users are capable of), I devised a program, Script Sentry, that seizes control of the VBS extension (as well as quite a few others, but only after you approve it of course). This way, when the script is run, Script Sentry opens up, scans the script for possibly malicious code, and then alerts the user.
For example, in a momentary lapse of judgement, I open that "Love Letter" attachment I received. Instead of being infected though, Script Sentry alerts me that the "Love Letter" would have deleted files, edited my registry, and accessed Outlook. I tell Script Sentry not to run the script and crisis averted.
Oh, and the program is 100% free (although I have a means for people to "donate" if they feel it's worth the $$$).
In case anyone's interested, the URL is http://www.jasons-toolbox.com/scriptsentry.asp [jasons-toolbox.com]
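A Script Sentry-style pre-execution check of the kind the post above describes, as an added Python example (it is not the Script Sentry program and not code from the thread): it strips VBScript comments, flags lines that delete files, edit the registry, access Outlook or run programs, and builds the alert a user would see before deciding whether to run the script. The rule list and the sample scripts are constructed for the example.

```python
import re
from dataclasses import dataclass

# Behaviours to flag before a .vbs is allowed to run. Categories and patterns are
# constructed for this example; VBScript is case-insensitive, so matching is too.
RULES = [
    ("delete files", r"\.\s*Delete(File|Folder)\b"),
    ("edit the registry", r"\.\s*Reg(Write|Delete)\b"),
    ("access Outlook", r'CreateObject\s*\(\s*"Outlook\.Application"\s*\)'),
    ("create a filesystem object", r'"Scripting\.FileSystemObject"'),
    ("run a program", r"\.\s*Run\b"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    code: str


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, but not an apostrophe inside a "..." string."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string  # a doubled "" inside a string toggles twice
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan_vbs(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, with comments excluded."""
    findings = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw).strip()
        lowered = code.lower()
        if not code or lowered == "rem" or lowered.startswith("rem "):
            continue
        for category, pattern in RULES:
            if re.search(pattern, code, re.IGNORECASE):
                findings.append(Finding(line_no, category, code))
    return findings


def summarize(findings: list[Finding]) -> list[str]:
    """Sorted, de-duplicated list of what the script would do."""
    return sorted({f.category for f in findings})


def alert_text(findings: list[Finding]) -> str:
    """The message shown to the user before asking whether to run the script."""
    if not findings:
        return "No suspicious actions found."
    return "This script would: " + ", ".join(summarize(findings)) + "."


# Constructed sample: touches the APIs a mail worm would use, without doing anything itself.
SUSPICIOUS_SCRIPT = """\
' constructed sample for the example, not a real worm
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile "C:\\Temp\\example.txt"   ' comment after code is ignored
Set sh = CreateObject("WScript.Shell")
sh.RegWrite "HKCU\\Software\\Example\\Flag", "1"
Set ol = CreateObject("Outlook.Application")
' fso.DeleteFolder "C:\\Temp"  <- fully commented out, must not be flagged
"""

# Constructed benign sample; the apostrophe inside the string must not start a comment.
BENIGN_SCRIPT = 'MsgBox "Don\'t click on random scripts"\n'

if __name__ == "__main__":
    for script in (SUSPICIOUS_SCRIPT, BENIGN_SCRIPT):
        found = scan_vbs(script)
        for f in found:
            print(f"line {f.line_no}: {f.category}: {f.code}")
        print(alert_text(found))
```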
Re:Is this really a good thing? (Score:5)
--
Re:Someone actually did it. Awsome (Score:2)
Data point (Score:2)
Fantastic! (Score:2)
I think it's a great idea. Perhaps, if instead of modifying your system for you, it sent an email to postmaster, webmaster or root with a detailed explanation of what it found and how it could be fixed, this would take care of many of the complaints I see here.
The neat thing that I see here is that this is a step closer to a "self-healing" system. If this worm were updated and released by a serious security organization which keeps track of the latest cracks with drop-dead dates to ensure that only the latest version is spreading, then this is a step closer to a more secure internet for all of us. Maybe trying to actually fix the system was a bit too ambitious because nobody will (should) trust it.
Macintosh AutoStart worm (Score:2)
Is this really a good thing? (Score:4)
This may be a white hat release, or it could be some odd sort of new Antivirus software prototype (laugh!) but in reality it's just a virus/worm like any other. The payload is just some weird combination of benign and malignant (but not malicious per se). I still object to any software that modifies my system configuration for me, regardless of its moralistic approach.
--CTH
technical aptitude? who needs that? (Score:2)
in the technical quality of this article. It's really sad that tech writers on average have such a lousy grasp of what they're talking about and/or that they end up garbling facts trying to talk down to the level of the average Joe Public.
It's also sad that so many of these articles end up on
"Web browsers wait for data on port 80 and 8080"
Maybe I'm just being persnickety - but I've never had mozilla running from my inetd.
I do not trust it. (Score:3)
I agree completely and would probably reload an infected machine from backup just to be safe...
That being said, I have thought about making similar programs with limited spreading abilities (i.e. only able to traverse private IP networks, not cross the internet, etc.) as a self-policing action within a network.
Buzzword Compliance. (Score:3)
Re:Is this really a good thing? (Score:2)
I can imagine a win32 version of this thing myself. Think if it's nice enough to actually output what it's doing to a window.
Cheeseworm Win32 Version...
Scanning hard disk...
Possible Trojan (VNC.exe) found, removing now...
Possible Virus (Filemon.exe) found, removing now...
Argh!
(Btw, I selected these 2 examples since some anti-virus programs have a huge problem with both of them, since VNC opens a "port" on your computer to remotely access the desktop, and Filemon embeds itself into the system and checks what files are accessing other files.)
It reminds me of... (Score:2)
"Virus? You mean it's a virus?"
Well said (Score:2)
Said by an idiot who has his boxes infected with The tHing, SubSeven, NetSphere, Deep Throat,Master Paradise, Silencer, Millenium, Devil, NetMonitor, Streaming Audio Trojan, Socket23, Gatecrasher, Net Control, Telecommando, Gjamer, IcqTrojen, Priotrity, Vodoo, Netspy, ShockRave, Stealth Spy, Pass Ripper, Attack FTP, GirlFriend, Fore, Schwindler, Tiny Telnet Server, Kuang, Senna Spy Trojans, WhackJob, Phase0, BladeRunner, IcqTrojan, InIkiller, PortalOfDoom, ProgenicTrojan, Prosiak 0.47, RoboHack, Silencer, Striker, TheSpy, TrojanCow, UglyFtp, WebEx, Backdoor, Phineas, Psyber Streaming Server, Indoctrination, Hackers Paradise, Doly Trojan, FTP99CMP, Shiva Burka, BigGluck, NetSpy, Hack?9 KeyLogger, iNi-Killer, ICQKiller, Portal of Doom, Firehotcker, Master Paradise, BO jammerkillahV, AOLTrojan1.1, Hack'a'tack, The Invasor, SpySender, The Unexplained, Bla, FileNail, ShitHeep, Coma, Bla1.1, HVL Rat5, BackConstruction1.2, Kuang2 theVirus, Xtcp 2.00 + 2.01, Schwindler 1.82, Doly trojan v1.35, Doly trojan v1.5, Vampire, DeltaSource, Trojan Spirit 2001, Maverick's Matrix 1.2 - 2.0, Total Eclypse 1.0, OOTLT + OOTLT Cart, Eclipse 2000, NetMetro 1.0, Illusion Mailer, InCommand 1.0 + 1.3 + 1.4, NeTadmin, Logged!, Shitheep, Schoolbus 1.6, Schoolbus 2.0, Chupacabra, TheThing 1.6, AimSpy, NetMetropolitan 1.04, Transcout 1.1 + 1.2, SoftWar, Ambush, Der Spaeher 3, Insane Network, The Prayer 1.2 + 1.3, Host Control 1.0, Yet Another Trojan, NetRaider, TCPShell.c, PC Crasher, Mini Command 1.2, Mosucker, Rat 1.2, FakeFTP, Intruse Pack 1.27b, Snid X2, Freak 88, Asylium 0.1&0.11&0.12&0.13, Prosiak, Traitor 2.1, Connection, Host Control 2.6, BIONET, Rux.PSW, CrazyNet, Rux.Backdoor, Infector 1.x.
*phew*
Re:kind of pleasant (Score:2)
You're just tired, and yet your idea is really cool.
The problem is how to distinguish good worms from bad worms? I mean, the security worms have root privilege; one bad worm will screw up the whole network!
It reminds me of a seminar featuring a security package (on NT) which centralized security maintenance and recovery. Just like your distributed model, the security program has all the administrative power on all workstations. I asked the speaker what if the crackers hacked the centralized facility...
Re:kind of pleasant (Score:2)
At least it'll work for an in-house network. We might face legal issues putting it on the Internet anyway.
Let's start a project in sourceforge. What do you think?
outlook (Score:2)
Ever heard of Ramen worm? (Score:2)
Those are Linux worms. Destructive worms.
You think one can use those to express the advantages of open source? (i may be stupid, or maybe it's because i haven't slept at all, but i fail to see your point..)
Imagine escalating patch-virus wars... (Score:3)
The war of the patch-virii.
A friend of mine suggested to me that whatever you look for on the Internet, it will seemingly spring into being simply by the fact of you looking for it. That same friend came up with this idea of patch viruses that break into and repair security holes. And **Poof**, it exists.
Be careful what you look for...
Wait a sec... (Score:2)
But Taco & company decided to rebuild the entire system as though they had maliciously took over.
Similarly, even if this "good" worm hits me, I'll treat it like a bad one. You never know, it would be ingenious for some l4m3 (or whatever the numeric abbreviation is) hackers to release a version that looks like "Cheese" but actually does a "rm -rf
Good worm, Bad worm. (Score:5)
I know the author had semi-good intents, but the effort is really misguided. Worm proliferation has become significant in the last year (really, six months). A number of effective worms are out there that target both linux and windows. Watching my firewall logs on a variety of hosts (cable, and several colo ISPs) shows that the number of intrusion attempts (or at least scans, but 90+% of this has to be worm traffic) has increased for me by a factor of 10 since the 1st of the year.
This kind of traffic, whether good or bad intentioned, adds to network congestion, makes running an IDS challenging at best, and has made the ISPs effectively throw their hands up at having any kind of enforcement about hacking attempts. I don't know if anyone has tried reporting the sources of intrusions to their ISPs, but such reports now fall on deaf ears almost all the time. Plus, it decreases the S/N ratio on the network security-wise considerably. It is much harder to back-track or IDS post-mortem a REAL threat/attack with all of these other attacks going on at the same time. While worms may pose a minimal threat as far as their attack sophistication, a skillful hacker can use all this worm traffic as an effective cloak.
Even though you can argue that it's all relatively low traffic, that you need a good firewall, and that IDS should only be run inside those firewalls, you still have the possibility of serious network problems on the horizon. It's not unthinkable that in the near future a large percentage of linux boxes will have multiple worms, exploiting multiple vulnerabilities, all running and infecting other boxes. The fallout from this could be severe. Throw in a few anti-worms, and a few bugs caused by the interactions of it all, and you could have a real hellstorm, quietly building now. Surely people remember the Morris worm in '89? While bandwidth was more easily swampable at that point, we are perhaps only a few years away from waking up to that kind of destruction one morning.
The only real answer is for us to forcibly demand that OS vendors become much more diligent about security. If I was a national government I would truly consider this a serious threat to my infrastructure. While OS vendors have become more responsible across the board, we need to shoot for a higher bar. OS vendors need to provide very paranoid installations as default, with software firewalls enabled. The user should have to be asked for each service to be enabled. 100% available services such as ICMP echo should be required to be sandboxed or stack protected. OSs need to provide, as a default, security update monitoring, and easy, semi-automatic processes for installing new security related patches quickly, even if the admin is prone to do nothing. Nag the hell out of them to update. I would even argue that services with security holes should be automatically disabled by the OS, forcing the user to either update the service or manually restart the service, essentially accepting the liability for acting like a moron.
I'm sure a lot of you will think I have an overly extreme opinion, and that things are mostly fine. I can't argue that I think the situation is out of control now. But with our infrastructure as vulnerable as it is right now, it will only take one or two really good worms to show everyone how it should be done. The only thing that has really saved us so far is the fact that no one has done it... It is easily accomplishable.
Re:Someone actually did it. Awsome (Score:5)
You know what would be great though, and be essentially the same code? Something that listened to your firewall logs, detected worms that scanned you, and then went out to their hosts and basically ran its course, disabling the other worm and closing security holes. But not leaving code to proliferate itself.
I know this would be no different legally, but I would sure feel 100% better about it. How poetic is it to detect a scan and then hack in to shut it down to keep it from scanning anymore. Without any scanning yourself.
Any takers on a modified cheese worm?
Someone actually did it. Awsome (Score:3)
Re:Melissa virus fix (Score:5)
It's just a vbs script that essentially changes the default Windows action for a number of script file types to be 'edit' instead of 'open'. This mostly stops all those email-attachment clickers from running code indiscriminately.
I contemplated adding the next step, of accessing the address book and forwarding itself onwards, in the hopes that anybody still silly enough to execute script files via email will commit the final necessary act to stop this from happening again.
In the end, I decided not to distribute this because of its potential for jamming up mail servers and generally causing a nuisance for people who already know better and don't allow Outlook to execute such code in the first place.
Les