Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Operating Systems Software Windows

RPC DCOM Cleanup Worm Appears 758

UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
This discussion has been archived. No new comments can be posted.

RPC DCOM Cleanup Worm Appears

Comments Filter:
  • that's cute (Score:5, Funny)

    by Anonymous Coward on Monday August 18, 2003 @12:33PM (#6723944)
    Now they just need to release a worm that cleans up the blaster virus by formatting the machine and installing linux
    • by krisp ( 59093 ) * on Monday August 18, 2003 @12:40PM (#6724060) Homepage
      I'd settle for a worm that downloaded a kernel and loadlin.exe. The kernel would boot an included ramdisk image that changed the MBR to hide windows and a login message telling a riddle to guess the root password.

      Something along the lines of:
      Who do I now need to pay $699 to?
      • by Jucius Maximus ( 229128 ) on Monday August 18, 2003 @01:47PM (#6724910) Journal
        I thought this 'reversal' was obvious fodder for SOVIET RUSSIA jokes, but now I can't think of a good one...

        IN SOVIET RUSSIA, worm fixes YOU! (I am not laughing, are you?)

      • Re:that's cute (Score:5, Interesting)

        by swordboy ( 472941 ) on Monday August 18, 2003 @02:06PM (#6725101) Journal
        I'd settle for a worm that downloaded a kernel and loadlin.exe.

        You actually don't need a worm for that. Most users aren't savvy enough to know what an ActiveX installer is so they simply "click yes". We wouldn't have the Gator [gator.com] problem that exists if users were just a bit more educated (or MS software wasn't so exploit-able).

        If you could create a distro that installed and co-existed on an NTFS partition, you'd have a winner. Heck, you could even give users the option to "remove my windows partition" once they started using it.

        IMHO - Linux on NTFS is the first step to widespread adoption. Users would be able to install it through Windows via a regular InstallShield or whatever...
        • Re:that's cute (Score:3, Insightful)

          by MacGod ( 320762 )
          If you could create a distro that installed and co-existed on an NTFS partition, you'd have a winner.

          See, I would tend to disagree. being a long time Mac user, I've struggled to figure out why the MacOS, which I consider to be clearly superior to Windows, hasn't done better. I finally realised: people are lazy and unlikely to vary from what they're used to.

          Sure, the learning curve to switch from Windows to Mac, and the Mac experience is easier to use, more stable, less virus-prone etc etc, but people assu

    • by Anonymous Coward
      Maybe that's how windows got on my machine.
    • by blixel ( 158224 ) on Monday August 18, 2003 @05:15PM (#6727082)
      Now they just need to release a worm that cleans up the blaster virus by formatting the machine and installing linux

      That wouldn't work too well. You would have to download the virus yourself, make sure the virus was compatible with your hardware, make sure you had all the necessary dependencies for the virus to run properly, then you would have to modify the virus source code to work with your particular setup, then go out on newsgroups seeking help when you can't get it to work, and in the end you would end up giving up, re-installing Windows, then posting an article on Slashdot about how Linux "isn't quite ready for the masses yet."
  • by MadBiologist ( 657155 ) on Monday August 18, 2003 @12:33PM (#6723951)
    The only thing better than a clean up worm... is a gummi worm!
  • Did anything interesting happen yesterday on this? Did killing the domain really prevent the worm from doing any damage? I sort of expected an internet slowdown (ie slammer), but didn't notice anything.
  • by Mr. Neutron ( 3115 ) on Monday August 18, 2003 @12:33PM (#6723959) Homepage Journal
    What happens when someone releases an anti-anti-Blaster-worm-worm-worm?
    • by marktoml ( 48712 ) * <marktoml@hotmail.com> on Monday August 18, 2003 @12:35PM (#6723995) Homepage Journal
      It really is more akin to a microphage than a virus. Perhaps this starts a whole new trend :)

      Neat nonetheless.
      • This is interesting because, initially, worms were mechanisms to install software (in a distributed computing type of model) across networks with slow connections (or was it updates?).

        It would be interesting if technology like this were used by administrators to distribute patches to people whose machines have become infected with other viruses...

        Since people never bother to install patches when told to but ALWAYS "install" the latest versions of viruses, this may be an interesting new way to distribute p
        • by Hellkitten ( 574820 ) on Monday August 18, 2003 @02:58PM (#6725613)

          I see a new arms race coming up. "White hat" virus/worm writer vs "Black Hat" virus/worm vriters.

          Or perhaps it was just that one of them finally realized that to make headlines (and get the attention that these guys seem to crave for) it had to be different from the rest. Since worms usually cause damage, what better way to be different than by fixing damage

          Or perhaps it's simply microsofts latest patch distribution strategy. "We use our holes to patch our holes". (So they're not bugs, just an update distribution feature)

    • by TheViffer ( 128272 ) on Monday August 18, 2003 @12:46PM (#6724154)
      Better find a new security hole then as this is closing the door to msblaster's hosts. So basically the "next" worm would have to find another vulnerabilty in Windoze to get to the W32/Nachi worm

      But since its gotten in a "host" a new way the W32/Nachi worm is of little concern since its trying to kill the old worm.

      But what this will do is make leet hackers trying to industrialize thier worms. Such things as taking more control over the system, disabling all traffic to Microsoft, attacking virus protection, or even close the door themselves so that cleaner worms or "copy-cat" worms can't get in.

      The evolution of the "worm" has begun.

      The other question I have is whether or not the W32/Nachi worm cleans up itself it it can not find a host to spread to. The "cure" may turn out to be no better then msblaster if it generates massive network traffic looking for new hosts.

      • But what this will do is make leet hackers trying to industrialize thier worms. Such things as taking more control over the system, disabling all traffic to Microsoft, attacking virus protection, or even close the door themselves so that cleaner worms or "copy-cat" worms can't get in.
        The evolution of the "worm" has begun.


        Hey, it's more fun than CoreWars! (to people of a certian mentality.) Once a vulnerability is discovered, the contest is on to see who can write the best worm to take over the larg
      • by Abcd1234 ( 188840 ) on Monday August 18, 2003 @01:16PM (#6724546) Homepage
        The other question I have is whether or not the W32/Nachi worm cleans up itself it it can not find a host to spread to. The "cure" may turn out to be no better then msblaster if it generates massive network traffic looking for new hosts.

        You know, a really cool way to get around this is have the worm only trigger an infection when a Slammer infection attempt is detected. This way, you'll only hit infected machines. Then, coupled with an expiry time, this thing could be relatively benign (well, other than the whole "break into computers and install software without permission" thing).
      • by griffjon ( 14945 ) <`GriffJon' `at' `gmail.com'> on Monday August 18, 2003 @02:05PM (#6725091) Homepage Journal
        It's the first rumblings of Curious Yellow [securiteam.com], I tell ya.

        The end is near. So download Linux!
      • When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.

        RTFA has never been more relevant.
    • by shik0me ( 235948 ) on Monday August 18, 2003 @12:50PM (#6724219)
      Skinner: Well, I was wrong. The lizards are a godsend.
      Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
      Skinner: No problem. We simply release wave after wave of Chinese needle snakes. They'll wipe out the lizards.
      Lisa: But aren't the snakes even worse?
      Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
      Lisa: But then we're stuck with gorillas!
      Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
    • by swordboy ( 472941 ) on Monday August 18, 2003 @12:52PM (#6724239) Journal
      What happens when someone releases an...

      [starts coding furiously on a anti-Gator worm]
  • So cool! (Score:5, Interesting)

    by KingDaveRa ( 620784 ) on Monday August 18, 2003 @12:34PM (#6723963) Homepage
    Oh wow! This is the internet equivilent of white blood cells! First there was white-hat hackers. Now white-hat virus writers? Makes a damn good change!
    • Re:So cool! (Score:5, Insightful)

      by __past__ ( 542467 ) on Monday August 18, 2003 @12:37PM (#6724024)
      Except that white blood cells don't usually cause lots of damage themselves. Even a "white-hat" worm causes lots of traffic and can thus bring down networks and make innocent people pay for lots of wasted bandwidth.
      • Re:So cool! (Score:3, Insightful)

        by T3kno ( 51315 )
        You haven't popped a zit in a while have you?
      • Re:So cool! (Score:5, Informative)

        by KingDaveRa ( 620784 ) on Monday August 18, 2003 @12:44PM (#6724129) Homepage
        Very true.

        But, notice that this worm self un-installs at a certain date. Its quite a way away, but even so. The fact it opens port 707 sounds a bit worrying though.
      • Re:So cool! (Score:4, Insightful)

        by cornice ( 9801 ) on Monday August 18, 2003 @12:48PM (#6724184)
        Except that white blood cells don't usually cause lots of damage themselves.

        Except in an autoimmune disorder.
      • by raehl ( 609729 ) * <raehl311.yahoo@com> on Monday August 18, 2003 @12:56PM (#6724303) Homepage
        The thing about the "white-hat" worm is that it'll eventually kill itself - as it runs around patching machines, there are less vulnerable machines out there, so it will lose its ability to spread.

        Or, put another way, if there were no "white-hat" worm that might also up traffic for a while, there will probably be a black-hat one that WILL up traffic for a while, AND format a few hard drives to boot. Erm, not boot.
    • It's viral, so it's not really a vaccine. It's more like cow pox. Cow pox is contagious, but not severe. And, if you get cow pox, you become immune to small pox (and cow pox, of course) forever after.
  • by Aadain2001 ( 684036 ) on Monday August 18, 2003 @12:34PM (#6723973) Journal
    I'm taking bets on how long till the first lawsuit comes out against the person or persons who wrote this helpful worm. I say it will happend before the people who wrote the destructive worms are even arrested.
  • cleaner worms (Score:2, Insightful)

    by 2057 ( 600541 )
    now as much as this is a good idea it is bad because it reduces the internet bandwidth and creates users who don't know how to run windows update, if someone else keeps fixing the problem it will never be fixed.
  • by passthecrackpipe ( 598773 ) * <passthecrackpipe.hotmail@com> on Monday August 18, 2003 @12:35PM (#6723990)
    Heh, if this turned into a trend, it could spell the end of an industry - the virus-removal industry. Imagine: Open Sourced, hunter-seeker virus removal worms, out in the wild nearly as fast as the original, cleaning up the mess some scridiot created in a fit of juvinle mischief. Somehow, I don't think the virus writer/scanner cartel will not let this become a trend.
  • That's hysterical... (Score:5, Interesting)

    by mekkab ( 133181 ) on Monday August 18, 2003 @12:35PM (#6723992) Homepage Journal
    Because Mom and Pop can't be bothered to figure out this internet thingie ("can I talk on the phone at the same time? Will it turn on in the middle of the night and download spam?") It seems some avenging white-hat (aka Sysadmin who is tired of encountering so many damn infected machines) has coded up a viral solution!

    An even better twist of fate would be for that individual to get arrested for creating a worm! (its a DMCA violation to use that hack...)
    • by Tumbleweed ( 3706 ) on Monday August 18, 2003 @01:07PM (#6724436)
      "By running this infected program, you agree to abide by these terms & conditions..."
  • by 403Forbidden ( 610018 ) on Monday August 18, 2003 @12:36PM (#6724008)
    I've had this idea for quite awhile now. All these people that find exploits should just write a virus to patch the vulnerability.

    Bravo.
  • Scanning my users (Score:5, Interesting)

    by zbowling ( 597617 ) * <zacNO@SPAMzacbowling.com> on Monday August 18, 2003 @12:37PM (#6724011) Homepage Journal
    I just got done scanning all my users to check for the patch install. About 1/4 have the patch so far, that are publicly accessable and not behind a firewall. Using the tool on Microsoft's website, and it seems to work well for us ISPs. I set up the router to block that port on my core router but if some gets inside the network with it, we might still get hit. This thing is bad.
  • by FattMattP ( 86246 ) on Monday August 18, 2003 @12:37PM (#6724012) Homepage
    Wow, a worm to do the work that the sysadmin should have done in the first place. That'll encourage those lazy sysadmins to just sit back and continue to do nothing.
  • by tinypillar ( 695021 ) on Monday August 18, 2003 @12:37PM (#6724015)
    Instead of quickly cleaning mblast last week from my network, I could have just sat around on my ass and played video games . . . and let this worm do all the work for me. Damn.
  • I did wonder (Score:3, Interesting)

    by Eluding Reality ( 691589 ) on Monday August 18, 2003 @12:37PM (#6724020)
    I have wondered for a while when this sorta thing would start happening, anti-virus coders that go after the virus coders.

    This could be something we see more of in the future, almost like a battle between the two groups, taking place on machines throughout the world while the majority of users are completly unaware.

    It could be pretty interesting to see the whole thing unfold!
  • by burgburgburg ( 574866 ) <splisken06.email@com> on Monday August 18, 2003 @12:37PM (#6724022)
    turning over my network to a well-meaning worm. I trust that it will properly protect my network. I believe that the teeth I put under my pillow magically are turned into quarters. I am confident that Microsoft has resolved this RPC implementation problem. I have faith that Microsoft's security initiatives are on track. I am sure that elves fix my shoes when I fall behind on my work.
  • Pretty cool (Score:5, Interesting)

    by thebatlab ( 468898 ) on Monday August 18, 2003 @12:37PM (#6724023)
    I think on numerous occasions it was debated here and in other places whether this was something that should be done or not. I think some people raised privacy concerns and other ethical things like that. Basically saying "a virus is a virus" (yeah, yeah it's a worm :)) However it can be sort of viewed in the way vaccines are. Harmless strains of virii used to boost the immune system. That's just what this worm does. It's a harmless strain that clears up an "infection" I think this is a worm I wouldn't mind my parents having on their computer. I'm almost positive they haven't patched their machine and now that DSL is in their rural area they're all the more vulnerable to it. If this can clean it up for them without me pulling my hair out while going over the update process then so be it :)
    • Re:Pretty cool (Score:5, Insightful)

      by MadCow42 ( 243108 ) on Monday August 18, 2003 @01:04PM (#6724408) Homepage
      >> However it can be sort of viewed in the way vaccines are

      Sure... but when was the last time a nurse jabbed you in the ass with a vaccine while you were walking down the street stuffing your mouth with dounuts?

      Even vaccines are voluntary things that have risks...

      MadCow.
  • by derrickh ( 157646 ) on Monday August 18, 2003 @12:38PM (#6724027) Homepage
    This is probaly the best internet virus news I've heard in a long time. Unfortunately, it's only a matter of time before the creator is tracked down and prosecuted for violation of internet security laws.

    D
    • by ChrisDolan ( 24101 ) <chris+slashdot.chrisdolan@net> on Monday August 18, 2003 @01:02PM (#6724381) Homepage
      If this worm is supposed to be Robin Hood, then picture Sherwood Forest overrun by about 30 million tights-clad archers running about, grabbing every person in sight, shaking them vigorously to see if they are rich, and cutting purses if jingling is detected.

      Let's just hope that jingle-detection algorithm is perfect, and the purse-cutting knife is sharp and true. Otherwise Sherwood is going to have a lot of pissed-off, penniless eunuchs.

      Vigilantism is a dangerous game. Innocent victims do get hurt. This worm is a very bad idea.
  • Core wars (Score:5, Interesting)

    by On Lawn ( 1073 ) on Monday August 18, 2003 @12:38PM (#6724033) Journal

    Something about this seems like a global scale Core Wars game. How scary, horrible and cool at the same time.
  • by tbase ( 666607 ) on Monday August 18, 2003 @12:39PM (#6724042)
    No good deed goes unpunished. Who's going to give odds that the writer(s) of the 'good' worm will get caught and strung up by the short hairs under the DMCA? As long as it only affects machines that haven't already been patched- great. But what if it's flawed and actually causes unintentional damage? And if the original authors of the Blaster worm's intent was to teach people who ignore warnings a lesson, might this not start a virus war, of sorts? Sounds cool, but I'm not convinced this is an entirely good thing.
  • by Jack William Bell ( 84469 ) on Monday August 18, 2003 @12:39PM (#6724048) Homepage Journal
    Last week we were discussing the MSBlast worm here in the office and I commented, rather offhandly, "I wonder how long it will take before someone writes a phage worm that uses the same hole, but eats MSBlast?"

    Apparently the answer is 'Four days at most...'

    The extent to which the Internet recapitulates evolution and biological systems is astounding!
    • > The extent to which the Internet recapitulates evolution and biological systems is astounding!

      Yeah, now all we need is a type of cancer that attacks cancer cells and turns them back into normal cells.

      And one that turns people who don't patch their machines into people who DO patch their machines! Oh yeah, that'd be sweet...
  • by Trolling4Dollars ( 627073 ) on Monday August 18, 2003 @12:41PM (#6724084) Journal
    "See? See?!! We don't need to patch our systems because Microsoft is doing it for us by mailing us the fix in e-mail! See?! I'm not afraid of worms because eventually someone will fix it for me!"
  • Begun, this worm war has.
  • by joedoe ( 12577 ) on Monday August 18, 2003 @12:45PM (#6724147)
    should provide a great test of the security savvy of university IT departments, as students return to the dorms and plug in their unpatched computers, the vast majority of which probably haven't been connected to the Internet in several months.

    Unsecured university networks could unleash a new wave of worm-infected machines on the Net. This could be fun to watch, for those of us who aren't uni sysadmins...

    --joedoe
  • Bad Idea (Score:5, Insightful)

    by JonathanX ( 469653 ) on Monday August 18, 2003 @12:51PM (#6724220)
    Let's see...

    Does it magically boot the system off known good media to check for
    rootkits/backdoors/trojans/[insert favorite evil here]???

    No.

    Does it magically monitor the traffic to and from the machine for a
    reasonable period of time to ensure that nothing is amiss???

    No.

    Does it reinstall the host OS from the original media and restore the last
    known good backup???

    No.

    So...what does it do?

    It patches the hole and wipes out the worm if present, then deletes itself
    in 2004. Great...except, MSBlaster wasn't the only thing that took
    advantage of the RPC/DCOM exploit. Oops. Now the system administrator has
    no cause to take any of the above steps because from his view, sitting in
    his office running the latest eEye scanner, the machine was never
    vulnerable.

    When will folks figure out that these so called "good worms" are not a good
    thing? The failure of the author to take note of such fundamental flaws in
    his or her logic suggests that they have no business doing anything, much
    less volunteering to correct the world's problems. Of course, this could be
    a deliberate cover-up...but somehow I think it's just another security
    cowboy trying to save the world.
  • by DotWarner ( 56614 ) on Monday August 18, 2003 @12:54PM (#6724275)
    The Cheese worm [symantec.com] did this on compromised Linux systems a few years back. The antivirus industry, in accordance with Linux sysadmins everywhere, added detection for the worm. A virus is a virus, and any unauthorized access to a computer is a Bad Thing.
  • by Dynamoo ( 527749 ) on Monday August 18, 2003 @12:55PM (#6724279) Homepage
    NAI report [nai.com] that this is a self-removing worm after 1st January 2004.
  • by ixpro ( 648487 ) on Monday August 18, 2003 @01:00PM (#6724351) Homepage
    People who think this is a good idea, are you for real??? Do you know how much work goes into protecting large corporate networks, rigorous testing of each and every patch before it goes into production, reacting to IDS alerts, identifying potentially vulnerable environments, etc... The fact remains the same, both worms exploit the same vulnerability, both worms modify system data without user's consent, and both are potentially "lethal" because of unpredicted errors and patch compatibility issues. Let's not pee our pants trying to cheer. This is not white hacking. White hacking is identifying the vulnerability, and advising the user on how to protect themselves, but what do I know, feel free to flame, cause that seems to be the common trend on /. these days...
  • by Control-Z ( 321144 ) on Monday August 18, 2003 @01:02PM (#6724386)
    I've been getting a lot of firewalled ping activity today, must be that cleanup worm. Machines that the Blaster worm never even tried to hit. I wouldn't trust a cleanup worm one bit more than I would Blaster. Everyone knows (or should know) you can't count on good intentions on the Internet!

  • by xigxag ( 167441 ) on Monday August 18, 2003 @01:09PM (#6724464)
    "W32/Nachi.worm"...sounds like a new spinoff group from Japan's pop-idol Hello! Project [inter.net]
  • by htmlboy ( 31265 ) on Monday August 18, 2003 @01:12PM (#6724493)
    it patches the rpc hole and installs a tftp server on the saved machine. it then propogates to other machines, infecting them and patching the vulnerability so a later variant of the same worm won't be able to uninstall it.
  • COMING SOON (Score:5, Funny)

    by Multiple Sanchez ( 16336 ) on Monday August 18, 2003 @01:16PM (#6724547)
    - W32/Webster.Worm: Opens a command shell using the RPC VNC OpenHole ActiveX/rootsploit featurebug. Opens all MSWord and Works documents, fixes spelling and grammar, saves without a backup, then writes a polite "echo" line to AUTOEXEC.BAT gently chiding you to learn to read at a fourth grade level.

    - W32/PSCheezRemove.AutoTrojanMurderWorm: Attaches to exposed port 5555, downloads GOODTASTE.EXE from a predefined HTTP server, which it then executes. Scans Hard discs for PSD files that employ garish glows, drop shadows, and procedural 2D fire effects, and replaces those layers with a text layer containing the URLs of several reputable visual arts schools.

    - Existence/DrawerClean.Intruder: Waits until you leave for work, jimmies your bedroom window, and illegally enters your home. If he/she finds an underwear drawer, he/she folds and neatly stacks the contents of the drawer, quicksorting by color, then leaves. Symantec is reporting a variant, DrawerClean/FourStar, which leaves a mint on your pillow on the 16th of each month.
  • by erikdotla ( 609033 ) on Monday August 18, 2003 @01:19PM (#6724581)
    I feel there's only one possible author of this antiworm: Microsoft.

    Think about it. No average sysadmin would do it to clean up his systems - there's too much liability under DMCA. Idiot home users don't care. Non-Microsoft people are glad that they were to be attacked on Saturday. Who's left? The punk kids who write all the viruses? Why would they care about this? The only other possiblity would be some security company like eEye trying to gain reputation - but again, the DMCA issues would prevent them from disclosing that they ever wrote it.

    Hm... whoever wrote it cares a lot about Microsoft and isn't worried about the DMCA. Microsoft is the only possibility!
    • whoever wrote it cares a lot about Microsoft and isn't worried about the DMCA. Microsoft is the only possibility!

      No, I disagree.

      I can assure you that there are Microsoft zealots who are every bit as zealous as open source people. Perhaps even more so. Even worse, they claim that they are "unbiased". I know at least one.

      Microsoft could probably get into trouble for this. It is very unlikely that this is anything that the corporation has officially done. It might have been a Microsoft employee
  • by DukeyToo ( 681226 ) on Monday August 18, 2003 @01:30PM (#6724707) Homepage
    These worms are child's play; it is only a matter of time before someone decides to do something *really* nasty with a well thought out worm.

    There are probably thousands of programmers out there that could have written the blaster worm. Most did not want to do it. Of those that would, most seem to be content to write prankster-style worms. One individual decided to write an anti-worm-worm.

    What if one had decided to write a *really* malicious worm? In my mind, it is a 99% certainty that eventually some pissed off malcontent will do so. And they do not even have to be in the country.

    Imagine a malicious government, with 100 dedicated programmers.

    Or a well funded terrorist or anarchist.

    Imagine, multiple simultaneously spreading worms, helping each other by opening backdoors, targeting Windows systems, Apache web servers, hardware routers, telephone switchboards, and whatever else they can find. And the payload? Designed to inflict the most economical damage. Perhaps even a smokescreen to illicitly gain access to systems that manage power, water, electricity, and actually cause physical damage too.

    Governments need to sit up and take notice, this is serious stuff.
  • by Rogerborg ( 306625 ) on Monday August 18, 2003 @01:39PM (#6724810) Homepage
    • Under no circumstances is Nachi worse than Blaster.
    • If you're vulnerable to Nachi, you're vulnerable to Blaster. It's not a question of whether Johnny NoPatch gets Nachi, it's a case of whether he gets Nachi or Blaster.
    • The fix for Blaster will protect you from Nachi.
    • A virus checker that can remove Blaster can remove Nachi.
    • Getting Nachi will stop you getting Blaster, even if Nachi is removed.

    If Blaster wasn't in the wild, Nachi would be abhorent. But the thing is, Blaster is in the wild. It's folly to pretend otherwise.

    I can see the pragmatic value of this form of worm, as long as it follows the rule that it should under no circumstances do more damage than the worm that it blocks. Sure, I'd still like to kick the crap out of whoever released it, but I'd shake his hand first.

  • by m0smithslash ( 641068 ) on Monday August 18, 2003 @01:39PM (#6724811) Homepage Journal
    When you get right down to it, a worm or a virus is just a bit of code that updates your computer in some fashion. It allows your computer to perform some function it did not previously perform. In essence, it is no different than hitting windows update and hoping for the best.

    Well, of course there is a slight difference. With windows update, you ask for the update to happen. That is not the same as knowing what is really being changed. For example, the most recent windows update broke EI when it tries to talk to Squid. Also, I do not really know what is being updated by windows update, I just have to hope for the best.

    So, is leaving a port open any more of a security risk than pressing the "Windows Update" button? Either way I am giving people who I do not know and probably don't trust access to my computer.

    On the flip side, does a worm that improves my computer in some way any better than one that degrades my computer? Would it be ok for MicroSoft to release a worm that automatically upgrades EI? I think more right thinking people would agree that it is wrong, even if its for the right reasons. The end does not justify the means.

    Somewhere there is a line between right and wrong here. The problem of course is that there are so many people who do not understand what a worm or an update are, how can they possible do the right thing? Does a fix it worm make sysadmins lazy?
    Maybe. Does it help the little old lady who just wants to find out about her genealogy and does not know or care how her computer work? Absolutely. It also help those of us who have to help this little old lady out because she is out mother.

    Someday, the computer will be as easy to use as a microwave. Until then, I will take all the help I can get.
  • by JRHelgeson ( 576325 ) on Monday August 18, 2003 @02:09PM (#6725129) Homepage Journal
    This is really interesting. Worms have been released to exploit machines and spread. This is the first known worm to actually try and repair damage.

    There was some talk on the Full Disclosure lists of releasing a worm such as this. Now it appears that someone has done it. Kudo's to them. Now the question becomes: Do we let this worm just run freely out there? Do we try to stop it?

    Past worms haven't been able to load updates like this simply because the vulnerabilities weren't as big as the RPC/DCOM vulnerability that is being used on this exploit/patch.

    The whole internet worm thing has become rather booring. The security community has already learned the lesson to be taught: patch your machines. It looks like there is now something new to take notice of with the Nachi worm.

    Now we need to come up with phrases such as: Are you a good worm, or a bad worm? Or White worms vs. Black worms.

  • The Big Question (Score:5, Interesting)

    by 4of12 ( 97621 ) on Monday August 18, 2003 @02:15PM (#6725197) Homepage Journal

    ...is how good a job this worm does of

    • identifying susceptable machines without burning the network,
    • fixing exactly what needs to be fixed, no more, no less,
    and, most importantly, how does the quality of this unsolicited support per dollar compare with Windows Update or what private companies charge for this service?

    I've often thought that this is the proper way to clean up machines where sysadmins fail to do their own patching after a decent interval.

    In fact, if I were MS, I'd have someone do this, but disclaim any and all connection, for the obvious reason of legal liability.

    [But considering the extra powers authorities have in the case of human infection - witness the recent SARS outbreak - having a net Doctor authorized to release a vaccine for such a serious vulnerability as this RPC/DCOM, at some point after the general notification, seems reasonable to me.]

  • by Space cowboy ( 13680 ) on Monday August 18, 2003 @02:32PM (#6725369) Journal
    [I wish I'd seen this on Slashdot earlier, it probably won't get read now :-(]

    Some history:

    Waaay back in the mists of time (1988) I was a 1st-year undergrad in Physics. Together with a couple of friends, I wrote a virus, just to see if we could, and let it loose on just one of the networked machines in the year-1 lab.

    I guess I should say that the virus was completely harmless, it just prepended 'Copyright (c) 1988 The Virus' to the start of directory listings. It was written for Acorn Archimedes/BBC micro's (the lab hadn't got onto PC's by this time, and the Acorn range had loads of ports, which physics labs like :-)

    It spread like wildfire. People would come in, log into the network, and become infected because the last person to use their current computer was infected. It would then infect their account, so wherever they logged on in future would also infect the computer they were using then. A couple of hours later, and most of the lab was infected.

    You have to remember that virii in those days weren't really networked. They came on floppy disks for Atari ST's and Amiga's. I witnessed people logging onto the same computer "to see if they were infected too". Of course, the act of logging in would infect them...

    Of course "authority" was not amused. Actually they were seriously unamused, not that they caught us. They shut down the year-1,2,3 network and disinfected all the accounts on the network server by hand. Ouch.

    There were basically 3 ways the virus could be activated:
    • typing any '*' command (eg: "*.", which gave you a directory listing. Sneaky, I thought, since the virus announced itself when you did a '*.' When you thought you'd beaten it, you'd do a '*.' to see if it was still there :-)
    • The events (keypress, network, disk etc.) all activated the virus, and also re-enabled the interrupts, if they had been disabled
    • The interrupts (NMI,VBI,..) all activated the virus, and also re-enabled the events, if they had been deactivated.


    We hadn't really counted on just how effective this was. Within a few days of the virus being cleansed (and everyone settling back to normal), it suddenly made a re-appearance again, racing through the network once more within an hour or two. Someone had put the virus onto their floppy disk (by typing *. on the floppy rather than the network) and had then brought the disk back into college and re-infected the network.

    If we thought authority was unamused last time, this time they held a meeting for the entire department, and calmly said the culprit when found would be expelled. Excrement and fans came to mind. Of course, they thought we'd just re-released it, but in fact it was just too successful for comfort...

    Since we had "shot our bolt", owning up didn't seem like a good idea. The only solution we came up with was to write another (silent, this time :-) virus which would disable any copy of the old one, whilst hiding itself from the users. We built in a time-to-die of a couple of months, let it go, and prayed...

    We had actually built in a kill-switch to the original virus, which would disable and remove it - we didn't want to be infected ourselves (at the start). Of course, it became a matter of self-preservation to be infected later on in the saga - 3 accounts unaccountably (pun intended :-) uninfected... It wasn't too hard to destroy the original by having the new virus "press" the key combination that deleted the old one.

    So, everyone was happy. Infected with the counter-virus, but happy. "Authority" thought they'd laid down the law, and been taken seriously (oh if they knew...) and we'd not been expelled. Everyone else lost their infections within a few months ...

    Anyway. I've never written anything remotely like a virus since [grin]

    Simon.

  • A quick note (Score:4, Insightful)

    by dtfinch ( 661405 ) * on Monday August 18, 2003 @02:43PM (#6725452) Journal
    Although this looks like a great little worm, going after a nasty, poorly written worm, it effectively launches a DDOS attack against the real windowsupdate site, by downloading patches as it spreads at an exponentially increasing rate.
    • Re:A quick note (Score:3, Insightful)

      by valkraider ( 611225 )
      How can it spread at an exponentially increasing rate, since once it "infects" it fixes the hole? Wouldn't it by it's very nature then spread quickly at first but then begin to slow? I hope they built some sort of "timeout" into it though, so that if it doesn't find any open machines within x amount of time it stops. Otherwise we'll have a million machines sitting around trying to find a bunch of machines that have already been patched.
  • by wytcld ( 179112 ) on Monday August 18, 2003 @03:15PM (#6725814) Homepage
    The Seattle Post-Intelligencer, in an article on this, reports that "public safety systems in Seattle don't use Windows software [nwsource.com]." Talk about not recognizing a prophet in his home town....
  • Less aggressive idea (Score:3, Interesting)

    by petwalrus ( 645792 ) on Monday August 18, 2003 @03:25PM (#6725919) Journal
    Wouldn't it be an excellent idea for someone to set up a counter-attack program which is essentially a virus listener which responds only when it recieves the infection string from the Blaster virus, at which time it will reverse DNS the incoming address, then start sending out conter-attack packets to that machine, which will uninstall the Blaster virus, and turn that machine into a counter-attack node.

    This has the benefit of lowering the overall amount of traffic that is broadcast, and /.'ers would be happy to run these servers and eventually the viruses spread would logarithmically decay.

    I am of assuming that there is some way to re-infect a already infected machine with new code. This may or may not be possible.

  • by vandan ( 151516 ) on Monday August 18, 2003 @04:04PM (#6726298) Homepage
    Spoiled sports!
    Exactly what kind of cracker writes stuff like this?
  • by weave ( 48069 ) on Monday August 18, 2003 @04:11PM (#6726368) Journal
    Why does this anti-worm have to seek out new hosts to infect? Can't it just sit and listen for an attack from an infected host, then grab the source IP and then go attack and clean that host?

    If it did that, eventually it would self-kill all infected hosts until the few that remained can't find anyone else to infect.

    Might make a good math exercise. As a host is cleaned and listens for attacks, it cleans other hosts, then those hosts also assume vigilante role. Eventually you'd have less and less infected hosts searching for victims and more and more former victims waiting to be found. I would expect the count of infected hosts to reach zero at some point, given that the method to find new hosts is random enough. Question is, how many events would have to occur to reach zero!

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...