Forgot your password?
typodupeerror
The Internet

Fight Virus With Virus? 697

Posted by Hemos
from the cleaning-up-the-mess dept.
Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submittor raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?
This discussion has been archived. No new comments can be posted.

Fight Virus With Virus?

Comments Filter:
  • My approach would be educate in a real-world situation. If someone has too much time on his hands and wants to do this, well here's a suggestion:

    Lock the screen in black, disable ctrl-alt-delete on any OS, and type this a bit below average reading speed in white:

    "Boo... I'm a virus, you know what you did was really dumb?... You're lucky this time, you will lose no data, I won't send anything critical by email without your knowledge, and your operating system will stay intact... in exchange you'll have to bare with this message for a few minutes.

    Clicking on attachments in your email when you don't even know where it comes from = Stupid.

    Clicking on attachements of which you don't even know the extension = Dumb.

    Opening a file that you don't know about in your [download] directory = Asking for trouble

    Did you know that running an operating system without updated antivirus file, or without antivirus at all is bad when you're a rookie? (you ARE a rookie since you are reading this, please don't consider yourself bright or IT-man 2001 because if you ARE actually working in IT, you're even dumber than a rock, reason #1? a rock wouldn't catch this virus)

    If you typed CTRL-AlT-DELETE anytime while this was displayed, you diserve to be wiped and bitchslapped you selfish log, if you don't care about the damages you can get, think about the damages you can create by spreading your stupidity?

    Now find a way to remove me, else I'm gonna repeat this every xx minutes, and in the end, I might actually end up doing something bad.

    Regards, retard!"

    howzat? :)
  • I would like to point out that many if not most of the machines that are still being infected by the Code Red worms are operated by users who are not even aware that they are running IIS.

    Case in point, my roommate bought a Dell Dimension L700cx with Windows 2000 about 6 months ago. He was surprized when I showed him that his machine is running IIS and serving the default web page on port 80. This person did nothing to install or activate IIS, the machine was shipped with that configuration.

    I think this fact is important to keep in mind when trying to understand why so many machines remain vulnerable to the IIS attack.

    PS: We run our LAN behind a firewall that denies port 80, so my friend's machine was not infected.

  • Old idea (Score:2, Interesting)

    by Gruturo (141223)
    It already happened about 15 years ago or so... it was called "Vacsina" and actually cured 1701/Cascade, 1704/format and Jerusalem, if I recall correctly. It was even auto-updating: different vacsina versions would recognize each other and the most recent would overwrite the older. Sadly, a few "nasty" strains came out too....
  • The Cheese Worm [cert.org] seems to constitute exactly what you want. Cheese actually sought out Linux hosts [linuxsecurity.com] infected by the Lion worm [whitehats.com] and removes any backdoor root shells from /etc/inetd.conf . Some say the Cheese Worm constitutes the first hack-of-a-hack known [theregister.co.uk].

    Another first for Linux and Open Source software!

  • by iapetus (24050) on Wednesday August 08, 2001 @12:25PM (#2121584) Homepage

    The first such anti-virus virus, Den_Zuko, was discovered in 1988. Check out this article [vnunet.com] on VNUnet, which has more info on the history of such software and why it's a bad idea.

    More recently, the Linux.Cheese.Worm has done similar things for Linux users infected by the Linux.Lion.Worm.

  • Sircam autoresponse? (Score:3, Interesting)

    by iabervon (1971) on Wednesday August 08, 2001 @02:59PM (#2121595) Homepage Journal
    It might be possible to make a program that, given a sircam-infected file, would send something to the originator of the message. It could send a message with an attachment that looked for sircam, and, if it found it, removed it and installed the program. That way, it would take a sircam-infected machine and make it respond to future attacks by spreading to the originating machine but do nothing to anyone else.

    The message could even say that was what it was doing.

    "My advise is to run this script to remove the virus and to pass the information on to other people"

    This wouldn't really be a virus at all: the people receive it in response to a request for advice and it is something you actually think they should be running. It doesn't try to infect other machines, except by advising their users to use it; no more illegal than Norton responding to a download request with a program.
  • by Speare (84249) on Wednesday August 08, 2001 @12:15PM (#2122162) Homepage Journal

    Why do schools neglect an ethics curriculum?

    Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.

    If you're being hampered by Code Red hits, make a script to firewall off every infected computer for a day. Allow those firewalls to expire, and if they're still infected, they'll get blocked again.

    • "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
    Yeah, that means you. You're giving up liberty-- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.

    If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to sieze the unwitting victim and force the medicine into their bodies.

    It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.

    • Find infected machines and popup a warning Window on each machine telling them they're infected.

      I don't agree with doing it whatsoever, but that would wake up a lot of sysadmins.
    • Is this part of the problem?

      I have a friend who works for a company that's doing just this. They are funded by the government to write intelligent agents ("agents" in the sense of mobile code) for security purposes. So rather than merely setting up a firewall, the goal of this is to write software that can move from machine to machine, like a virus, and stomp out viruses, trojans, and fight off other attackers.

      Call it a white blood cell.

      So is developing a counter-virus, an antibody, a white blood cell being part of the problem? I don't think so. Once a computer's been hacked, it's already been hacked. It's already been violated. If you don't want people to write counter-viruses, for heaven's sake, don't let you computer get infected in the first place! Viruses are preventable.
    • If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to sieze the unwitting victim and force the medicine into their bodies.

      Well with certain diseases, we DO force people to take medicine, even before they get the disease. FORCED immunizations. Do you agree that that is just as wrong?

    • Ethics is all about the shades of grey between black and white. Legality however should have no shades of grey.

      Something may be ethical, but not legal, and vice versa. In this case, a white-hat worm would most certainly be illegal, because you are modifing someone's property without their concent, but to simply say it isn't ethical doesn't look at the whole picture.

      What has to be asked is do people benifit more from your actions than the harm being caused? If this is so, you can ethically justify your actions. If by modifing one person's machine you prevent 50 from being infected, you're doing overall good, and while still outside the law, you are benifitting society.

      If a white-hat worm were to be released into the wild and become widespread and clean up code red's damage, I think it would spark a lot of conversation on the potential of other such worms and the regulation of them for their possible future and benificial use.

    • It is up to the infected party to take the medicine, and it would be unethical to sieze the unwitting victim and force the medicine into their bodies.

      A couple points:

      1. The infected party doesn't know they're infected. Kind kills the analogy.

      2. Lots are cable modem users whose TOS does not let them run servers to begin with.

      3. They're causing a communal problem - excessive network lag. Why let the authority figures make all the decisions when you can just use the exploit to net send them a message telling them their infected.

      If more people became part of the problem, we'd have a more informed group of users and tighter security.
    • by blakestah (91866) <blakestah@gmail.com> on Wednesday August 08, 2001 @12:40PM (#2149153) Homepage
      Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.


      Now there is ethics and there is ethics. Here is a scenario that occurred once in Baltimore. A house thief hot-wired a car. He jammed the steering wheel all the way to the side and floored the gas. The car spun and made lots of noise. Meanwhile, the thief broke into people's houses (that is besides the point). Am I ethical if I jump into the moving car and turn it off ?

      The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.

      As another example, suppose my neighbor's house is burning and his 10 year old is screaming at the window, and he is not around. Am I ethical in breaking in to save his child ? In this case the answer is really clear.

      In the case of machines compromised with CodeRedII, consider the capability for MASSIVE DDOS directed at anybody launchable by anybody. Those machines are tools to be used by anyone for any reason they like. They can be used as launching points for hacks on military sites. They can be used to snoop for passwords etc. If you go onto those machines and simply remove them from the network by shutting them down (in an orderly fashion), I think you could argue rather strongly that you are taking such action in the interest of public safety.

      Ethics is rarely so cut and dried that one could claim that you should NEVER alter someone else's property.
      • I think you could argue rather strongly that you are taking such action in the interest of public safety.

        I think you could argue that rather strongly too, but I also think that the prosecution will make mincemeat of it unless you have a really good lawyer arguing rather strongly alongside you, in which case the prosecution will have to settle for making something less finely ground, such as Dinty Moore beef stew, of it.

      • by Rinikusu (28164) on Wednesday August 08, 2001 @04:05PM (#2149915)
        Hell, I'd give even another example.

        When I was 4, I was in my apartment complex running around like a, well, screaming 4 year old. One of the residents (happened to be a RN) was watching me play with my brother and then called me over to him. He took a good look at me, grabbed my hand and took me to my apartment.

        "Your son has the measles. Take him to the doctor, now."

        There was a person, completely unrelated to me, who didn't even have kids whom I could "endanger" with my measles. Was he within his rights?

        The original poster must realize that an infected machine has already been compromised by an intruder. If you walk past an apartment and see someone has forced the door open and is ransacking it, do you continue walking by? Or do you yell at the thief? Call the Cops?

        Those "infected" machines are flooding the pipe that I'm paying for, so doesn't that make them some part of a "commons" that makes them part of everyone's responsibility?

        If my neighbor is playing his music too loudly, don't I have the right to knock on his door and say "Hey, turn that down, please?"

        If I'm being constantly probed by thousands of infected machines, my internet access greatly slowed down by all the garbage in the pipe, don't I have a right to find the owners and tell them "Hey, knock that shit off. Fix your damn machine, it's hurting everyone."

        Furthermore, to pick on another pet peeve of /., doesn't the consumption of bandwidth by infected machines remind one of the arguments *against* spam? "I pay for my access, I don't want to pay for spam." Twist that into "I pay for my access, I don't want to pay for some virus propagating at my expense..."

        Just some thoughts...
    • by CharlieG (34950) on Wednesday August 08, 2001 @12:31PM (#2149251) Homepage
      You say:
      It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.


      The thing is they CAN seize you and force you to take medicine IF you are determined (Usually by 2 doctors) to be a danger to yourself or others. Ever hear the term "Involuntary Commitment"
      There ARE times when you are forced to do things
    • I think it's YOUR ethics that are broken. Anyone who has to be *schooled* in ethics has already lost the battle.

      There are cases that it would be wrong to 'fix' someone's computer... If, for example, they ran a thriving business from it and you were being annoyed by a trojan that ran occasional port-scans, stopping their business by crashing their machine is unwarranted...

      But, in the case mentioned, a worm could be written which would seamlessly upgrade the affected computers, and close the backdoors permanently. Consider that these backdoors allow (and very likely will be used) attackers to control the machine for a DDoS, port-scanning, continued spreading of the infection, and with some of the later bugs, full access to the machine which would potentially allow all sorts of electronic theft. In this case, you're almost guilty by your inaction.

      The huge ammount of damage that can be caused by each infected machine, both to the owner, and to the rest of the internet completely outweighs the owners right to have their computer configured in a certain way.

      In many jurisdictions, inaction can be a crime. If, for instance, you see someone in mortal danger and you could have warned them, but didn't, you can often be charged with murder. (House on fire, you know someone's inside, but don't bother trying to alert them or call for help.)

      People like you really frighten me. You have a twisted sense of ethics and you want to force other people to be indoctrinated in them. Ugh.
      • Anyone who has to be *schooled* in ethics has already lost the battle.

        Arguably true, but the bigger issue is "what are correct ethics?" Some things nearly all people can all agree on: it isn't ethical to copy someone else's work and pass it off as your own. But there are a lot of other ethics issues that will be very decisive. For example:

        "It is permissable to take a person's life if it is the only way to protect your life or the life of another."

        I have had many arguments with people who think that there is never, ever a reason to take a life, whereas I believe that self-defense is a fundamental human right. In the case of a divisive topic such as this, an "ethics class" is useless at best -- and brainwashing at worst.

        I think some kind of critical thinking training is a better idea. If you can think critically, you will develop your own ethical code.
  • by Tim C (15259) on Wednesday August 08, 2001 @12:22PM (#2123919)
    A good idea? Absolutely not.

    Part of the problem with worms isn't just the malicious acts that they perpetrate, it's the bandwidth that they use.

    A particularly virulent worm can bring servers and routers to their knees just propagating itself. That's before it even gets the chance to do any of its intended damage. (Remember Melissa, or The Great Internet Worm?)

    Add to this very real concern the fact that striking back in this way, no matter the good intentions, is almost certainly illegal, and the whole idea is a definite no-no.

    (Yes, it does have a certain appeal - but so do many other things that are bad ideas, too)

    Cheers,

    Tim
    • How the fuck does this increase bandwidth use? I've seen several comments like this modded up; what am I missing?

      Good virus resides on your computer. Computer gets scanned; good virus cleans up offending computer, installs itself. Now, rather than sending out 300 requests at a time, the offending computer is sending out nothing, unless it is scanned as well.
  • by zpengo (99887) on Wednesday August 08, 2001 @12:16PM (#2127104) Homepage
    Why not take the Symantec Sircam cleanup utility, patch it to make it self-propagating, and then e-mail it out with the message "Hi there! I send you this because you're a stupid fscking idiot. :)"
  • by cnkeller (181482) <cnkellerNO@SPAMgmail.com> on Wednesday August 08, 2001 @12:17PM (#2127108) Homepage
    A while ago (months?) someone had a "beneficial" virus, that was making the rounds and fixing security holes in Windows I believe. The name escapes me. The author (who publicly claimed responsibility) caught quite a bit of flak over it. Who knows what kind of hidden payload your packaging in addition to the helpful features.

    Personally, I feel a virus is a virus, regardless if your intentions were good. You're not any better than the hundreds of losers out there creating this mess. If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.

    • by blair1q (305137) on Wednesday August 08, 2001 @12:38PM (#2148903) Journal
      >Personally, I feel a virus is a virus, regardless if your intentions were good.

      It's probable that you don't understand the difference between right and wrong.

      Think of cops and robbers. We have bad guys with guns running around on the streets, and we have good guys with guns running around on the streets. Neither group is very bright, and both are liable to shoot you for pulling your wallet out too fast in a darkened doorway. Still, we know which group we're going to train and pay to protect us using their own judgment.

      A neighbor who checks and locks my door is far more neighborly than one who walks in, spray paints grafitti on my walls, craps on my carpet, leaves a dead rat hanging between the old coats in the closet, and says "oh, you have a security problem, you should get that fixed before someone does something bad to you".

      People who bought buggy software got ripped off, and you're discouraging conscientious software engineers from providing free, automatic service to those people, and preventing them from becoming unwitting dupes in spreading the bad viri around the world.

      But you shouldn't live in fear that this will become epidemic. People who do know right from wrong and who do choose to do right understand that doing right is often mistaken for doing wrong by people who don't know the difference, and our system of justice isn't based on right and wrong, it's based on perception, so they won't take the chance of being railroaded, Good Samaritan law or no.

      --Blair
  • Discussed before (Score:2, Insightful)

    by egjertse (197141)
    This has been discussed before, among other places on Bugtraq [securityfocus.com]. The concept has many flaws:
    • The morality aspect - you are "taking control" of someone elses hardware/software
    • The legal aspect - this still constitutes "cracking" as you have illegally gained access to a computer system that is not yours. Breaking into someones house is not OK just because you only intended to do their dishes.
    • The practical aspect - the worst side effect of internet worms is not primarily damage done to the infected systems, but bandwidth consumed and resources depleted as a result of the worm spreading.
    I don't know of any real-life implementations of this (I somehow have the feeling I have heard of it, but it escapes me right now), but the concept has been debated at length during prior "worm attacks". There are probably many other reasons why this is not a good idea, but I think these are the most signifficant.
  • Why not? (Score:2, Insightful)

    by Aerog (324274)
    I don't see how it could be a problem, I mean, logically only something like a DoS attack or the like can't be "undone". If it's a bug in the individual system then it should be able to be fixed. The problem arises with the media stigma of a virus.

    Now this just goes right back to the whole "but I thought a virus was bad" response that your typical user will tell you. For the most part, it could work wonderfully, but the big thing is, the only people who will need it are those who did not patch a system for the bug (since if they patched it, then the retrovirus (if you will) will not be able to use the same vulnerablilty). Those are most often the same people that opened 40 SirCam attachments even though they were warned ("But it came from my best friend!"). To these people, a virus is something to be afraid of, regardless of purpose. A virus is always a bad thing that will "break the computer" and we don't want to "break the computer" because we can't "fix the computer" <Cue ominous music>

    But then again, if these people are so oblivious as to how they're infected, then it just may work as long as the media doesn't blow it out of proportion again.

  • Remember the DirectTV [slashdot.org] anti-hack on the hackers? Seems like this is the same idea. Anti-virus the virus...

    Hey, if it worked for DirectTV, it should work here...

    Actually, this may start a "best of the best" competition with virus writers. They'll come back with a virus to counteract the anti-virus, and on and on.... might be interesting...
    • Ok, what direcTV did is not exactly the same. They were much nastier. also, the people who were effected by direcTV were not hosts to some virus. They were willing participants. An equivalent would be the DVD CCA putting out a virus to kill DeCSS. If a company like microsoft were to do something like this to viruses, it would only close the door for that virus. It wouldn't kill the machine, or write "Game Over" or anything fun like that. It also wouldn't close any other doors, as they would still be unknown. As far as an arms race goes, it would be no different than now. Except, now that I think about it...

      Virus writers would close the door they came in in advance and write in another door that would be extremely hard to find. The worm would still infect other machines, and it would be a very long time before the other back door kicks in. People would think the worm they got was a purposeful fix worm, when in actuallity it only would be a matter of time before it became a zombie. Now that would be a smart virus. Of course, the hardest part would be giving the new back door the functionality needed while effectively hiding itself.
  • Recall that there was the "white hat" Cheesy Worm that fixed the "linux worm" or "linux virus" (or however the BIND worm was misreported).

    See this link [newsfactor.com] for examle.

  • ...it's Viruses. VIRUSES! VIRUSES!

    check out http://www.cknow.com/vtutor/vtplural.htm [cknow.com] for more information...

    (rant mode off)

  • I don't care about the legality, ethics, morals, etc. of this. If some idiot, after weeks of warnings in the popular press, still has not installed the patch, he better find a way to keep from the virus on his system from attempting to infect my computer. Otherwise, his system is fair game as far as I am concerned. Since the legal system is not punishing these people, I might.

    Let's also drop the insane analogies comparing this to someone threatening a family member's life. It's just a bunch of computers.

  • Illegal (Score:4, Insightful)

    by 3prong (241218) on Wednesday August 08, 2001 @12:18PM (#2134422)
    I keep seeing people talk about how invading a server in some cases is legal, because "the intent was good". That is an incorrect interpretation of the word intent. Intent only refers to the crime itself, i.e. did the criminal intend to break-and-enter or was it accidental.

    This means that unauthorized access in the attempt to do a "good deed" is just as illegal as black-hat unauthorized access.

    For this to happen, someone with the antidote virus would have to break the law to spread it and apply it. Of course, Robin Hood was considered a criminal too.

  • Because... (Score:5, Insightful)

    by 11223 (201561) on Wednesday August 08, 2001 @12:14PM (#2135943)
    Everybody with the ability to do something like that and the lack of ethics to consider it realistically actually wants the rooted boxes for themselves?

    Seriously, folks, everybody who *could* write something like that either (a) recognizes that infecting someone's box is infecting someone's box, closing holes or not or (b) sees no problems in having the rooted boxen out there anyway. I doubt that anybody else actually has the skills to do it.

  • I don't get it. We all think Batman is cool [slashdot.org], but mobody likes the idea of a virus fighting against evil?

    Of course, the author can't go around claiming responsability (or posting stories on slashdot), that's not cool.

  • Go ahead and do it. (Score:2, Informative)

    by atrowe (209484)
    I don't see why it couldn't be done. The CodeRed worm has already been modified several times and re-released. The original source can be found here [google.com]

    Google cache because it looks like the original site has been remove.

    I suppose that it would be possible to use the ISAPI filter vulnerability in IIS to get into a system and patch that very same vulnerability. Maybe someone who knows more about this can clarify.

  • Making a worm to fix the worm is just going to create more problems. My main slowdown of service comes from all the ARP requests from the think scanning my neighboorhood.

    Instead, (idea from another ./ reader) make a CGI script called default.ida that fixes just that machine that tried to attack your server. Make sure it can deal with Code Red 1, otherwise once 2 is dead, 1 will be able to swing back easially to the unpatched servers. Also make sure it sends a bill to the company for "IT Consulting".
  • The Fish virus, IIRC, would remove the Stoned/Michaelangelo virus if it was found, and then infect the machine itself.

    Further info about the virus is found here [f-secure.com] from Datafellow's [datafellows.com] virus database.

  • Preferable method (Score:3, Informative)

    by Snowfox (34467) <snowfox@nOSpam.snowfox.net> on Wednesday August 08, 2001 @12:19PM (#2144950) Homepage
    I'd rather it used the IIS log file to try to spread itself to every system that had tried to infect it, then executed a
    %windir%\System32\rundll32.exe user32.dll,exitwindows

    (which you can do manually right now with the worm-installed back door.)

    Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.

  • by Mendax Veritas (100454) on Wednesday August 08, 2001 @12:15PM (#2147800) Homepage
    A "white hat worm" of this sort could be made, but its deployment would be just as illegal as the original "black hat worm" it was created to fight. You're still making unauthorized use of someone else's computer. It doesn't matter that you have good intentions. And what if a bug in your code crashes some machines? How do you prove it wasn't intentional, and that your "white hat worm" isn't really a "black hat worm" in disguise?
    • Yes, that appears to be the prevalent ethical standard.

      But I think people are overlooking a more ominous repercussion, technically and ethically: Setting a precedent. If the precedent were set that it's OK to loose countercode upon the world, think of what might result.

      In other words, if counterviruses and antiworms became commonplace, it would turn the internet into one big war zone for autonomous code. And I can't even imagine what might result if an arms race broke out in that contest, though I expect some of its fruits would be quite frightening. I've already drawn the analogy to Core War in a previous thread.

      • In other words, if counterviruses and antiworms became commonplace, it would turn the internet into one big war zone for autonomous code. And I can't even imagine what might result if an arms race broke out in that contest, though I expect some of its fruits would be quite frightening. I've already drawn the analogy to Core War in a previous thread.

        ...A war which would have no direct effect on those practicing safe computing, and which would encourage everyone to join that group as quickly as possible. In a network of properly secured machines, both 'good' and 'bad' agents would starve.

  • I've heard -- and this may be apocryphal so please correct me if I've got this wrong -- that the narcotics that we all know and love had an interesting evolution over the course of the last 150 years or so.

    Apparently, it seems that in the early 1800s, there was a general problem with people smoking too much opium, so people came up with a supposed cure for it -- morphine! Of course in hindsight this wasn't any better than opium, but at least it had a pain relieving effect so there was some medical use for it (and still is). Sure enough, former opium smokers got hooked on morphine, and a new cure was needed. What did we get? Heroin! This was much worse, had no worthy side effects, and has generally been a huge headache ever since. What was the solution? Go cold turkey? Of course not, we came up with yet another new drug -- methadone. This one seems to have the great benefit of not being worse or more addictive than it's predecessor, but that just means that people don't want to stop using heroin in favor of methadone, so while methadone may not be worse, it does little good either.

    Like I say, this may not actually be true, but I think it illustrates the point very well. Even if it isn't true, there are still similar examples all over the place -- people that give up cigarettes for nicotine gum, etc.

    This sort of suggestion has the same critical flaw: it might look good on paper, but in practice you're just trading one nasty thing for another. Sending out a benevolent trojan sounds like a nice idea, but how do you know that it'll be benevolent anyway? Are you sure it isn't going to be vulnerable to some flaw that will do more harm than good? You've checked all your buffers and are careful in what your program accepts and strict in what it sends out? Moreover, you're confident that, even if it *is* perfectly benign (which, let's be honest, is a tricky assertion at best, and very hard to verify) once it's out in the wild can you guarantee that your code isn't going to get hijacked by someone less saintly or all-knowingly proficient as you surely are?

    I doubt it.

    These sorts of proposals sound nice but are fraught with danger and likely to come to a bad conclusion, both technically and, let's not forget, legally. This sort of idea comes up every now and then -- K5 is debating it right now, too [kuro5hin.org] -- but it's never a good idea and in practice it will never reliably work. It's clever & tempting, but raises more problems than it solves, just like trading morphine for heroin...

  • by clinko (232501)
    A funny story from where I work. Some guy took the code from the melissa virus and tried to do the same thing. While doing it, he accidentally ran it and set off his screwed up version of it accross our network. Big fun :)
    • by hillct (230132) on Wednesday August 08, 2001 @12:43PM (#2124450) Homepage Journal
      A K5 user has provided the source to a proposed code-red anti-virus [kuro5hin.org], which actively repairs remote systems infected with the code red virus. The legal implications of this are a bis issue, but it's certainly an interesting code example.

      --CTH
      • See Everything2 (Score:2, Informative)

        by l-ascorbic (200822)
        That seems a bit like overkill. There is an Everything2 node [everything2.com] on this subject with some simpler PHP code samples, including (full disclosure) one by me.
      • by BigBlockMopar (191202) on Wednesday August 08, 2001 @01:11PM (#2147990) Homepage

        The legal implications of this are a bis issue, but it's certainly an interesting code example.

        Yeah, it's a great idea. It would be wonderful to see someone do it, but at the same time, if you did, you're as bad as the virus writers, since this would propagate everywhere and make changes on their systems without their consent.

        For me to even academically consider such a virus, it would also have to have automatically e-mail the (l)user whose machine has just been patched, and state "You are an idiot. You've been negligent in the maintenance of your webserver. A benevolent UNIX/Linux geek wrote a virus which propagates by the same method as Code Red and it has now fixed this vulnerability on your machine. To learn about real webservers, go to www.apache.org."

        But based on what I'm seeing from the description (I haven't unzipped/untarred it yet), I suspect it's more along the lines of what I've been wanting to do. If I get a request from a IIS-infected machine, why not have it force a reboot of that machine? Through the negligence of the system's owner, it attacked me. Why can't I merely force a reboot, clear the virus from the memory, and hopefully alert the imbecile involved that he's got a problem?

        Take a look at my webserver log (link from my sig). I seem to be getting hit by the same IIS-infected hosts over and over. I'm sure the IIS-infected machines are getting hit by the same other machines over and over. If I were to force a reboot of those machines which attempt to infect my Apache server, then they'd promptly be reinfected, and since Code Red II scans within a tighter range of IP addresses, I'd probably take that machine down again. Of course, the cycle would repeat, and infected machines where I'm within their scanning range would be coming up and going down all day. Surely the owner would eventually realize something was wrong?

        I'd love to do this, but I still don't like the legal implications. Stealing a car to prevent someone driving while drunk is still illegal, and this is a lot less clear-cut.

      • As the infected server is requesting an action from your server by contacting you in the firstplace, you could say that this is a obvious request for you to fix there machine.
  • Already been done (Score:4, Interesting)

    by Xeger (20906) <slashdot.tracker@xeger@net> on Wednesday August 08, 2001 @12:34PM (#2148244) Homepage
    I thought of doing this a few days ago and I started coding. I got as far as a script to automatically reboot attacking machines, to help slow the spread of Code Red.

    I had begun work on a worm called Code Blue that would infect Code Red machines and clean them of Code Red. This kind of work is very laborious since it involves writing Intel assembly code that uses the Win32 API and runs in a Windows environment.

    Before I could finish, my best friend (who is a security consultant) informed me that somebody has already done this. There is a perl CGI script going around that you can put into your root directory and name "default.ida" so that infected machines will cause it to execute.

    The script connects to the IP of the attacking machine, uses the Code Red II backdoor to clean the system of trojanned files. Then it uses the very same buffer overflow exploit used by Code Red to send a binary to the server that patches IIS, removes Code Red-related registry entries and reboots the machine.
    • Re:Already been done (Score:4, Interesting)

      by startled (144833) on Wednesday August 08, 2001 @01:29PM (#2149063)
      2 things.
      1. Where's the script?
      2. Shouldn't it be modified to install itself? Otherwise, it'll get drastically outpaced.

      Note: yeah, yeah, ethics and so on. Disclaimer, and another one.
    • by iabervon (1971) on Wednesday August 08, 2001 @02:41PM (#2150521) Homepage Journal
      While you're at it, why not set up your server to document that it does that? E.g.

      Go <a href="default.ida">here</a> to check your server for the Code Red worm and remove it if found.

      Unlike an actual anti-security-hole virus, in this situation you are providing a legitimate and documented response to an actual request. If you're not scanning other machines unless they actually ask (either by following the link or by attacking you), it's not really any more unethical than, say, active FTP (if you send this message, I will open a connection back to you and send some data over it). It is no more using the other person's machine than, say, slashdot forcing my machine to render an HTML document or an FTP server forcing my machine to store the document I download.
  • I have spent the last week thinking this over, and spent some time coding a test. Working with a known named hole, I ran a vulnerable version of named on a few of my machines.

    I obtained some script kiddy code to open up a shell on the alternate machine and started to modify it. Since I have no desire to be assused of starting a virus of any kind, I have no intention of finishing or releasing this, but I want to have the concept proven in case someone with more guts than I decided to release something similar.

    No matter how you look at it, I believe that releasing this worm would be illegal, at least in the US where I live. Knowing this, I'm not going to concern myself with legal issues, but with ethical ones. The purpose of this prototype worm is to exploit the named deamon and obtain a shell on the victim computer. Then it will send over a copy of the worm, along with a nonvulnerable version of named.

    On the victim's side, it will make a copy of all programs and configuration files it needs to change and replace them with safe versions. It will then send a message to root on that machine explaining exactly what was done and why, how to reverse the changes in case the worm broke something, and what to do in the future to avoid the same or similar problems. The worm will then
    find and exploit 256 more systems within the same network level, one in each subnetwork. For instance, if the worm is currently working at the class A level for the 24.0.0.0/8 network, it will try to find one system in the 24.1.0.0/16 network, one in the 24.2.0.0/16 network, etc. Each progression will work one level lower. This will prevent the same machine from being hit more than twice for every pass the virus makes over the internet. After finding 256 systems, the worm will shut itself down and remove itself.

    The important factors of this worm is the fact that it will ONLY be beneficial. If it causes more problems than it solves, it will be seen as another nuisence instead of fixing security holes as it is intended. It is important that root on the machine is notified of any changes. This gives the administrator the opportunity to fix other potential problems and if necessary reload the system. There must be a way that an administrator can leave configuration files on the machine so the worm will function in a limited capacity. The machine operator can therefore prevent the worm from making changes although they will still be notified if there's a security risk.

    The worm will only search for and detect a single flaw in a single program, and only use that specific program to exploit the system and only replace that single program. Updating an entire package to fix one program may actually introduce other security problems into the system. Programs
    deployed on the system should also be either compiled on that system or staticly linked to prevent any library conflicts.

    On a side note, the worm might also want to check for a root kit on the machine and notify root if one exists. If the machine has already been comprimised (which is possible if there are vulnerable programs running), then the machine will need to be reloaded and root needs to know about it. Fixing one program won't make any difference.

    Am I completely off my rocker here? Comments?

    -Restil
  • by Keeper (56691) on Wednesday August 08, 2001 @12:23PM (#2148574)
    Just put up a website on your computer that advertises the ability to automatically clean the CodeRedII virus off of the viewer's system, if present.

    All the viewer has to do is click a button at the bottom of the screen.

    Just so happens that this particular button sends a request to /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (etc), which then scans the sender's IP and proceeds to start a command session, download the patches, and do whatever else is needed to done to vanquish the worm.

    Afterall, they did click on the link, right? :)

    Seriously though, if someone wants to get all pissy about you going to their box and fixing their screwup, threatening to sue and the like, I'd just countersue ... afterall, they tried to hack your box first. ;)
  • by RobertGraham (28990) on Wednesday August 08, 2001 @12:47PM (#2148673) Homepage
    I created a program that automatically checked for the backdoor upon receipt of a /default.ida attack (/scripts/root.exe?). It didn't work: the CodeRedII worm is DoSing itself - after enough reinfections, the server stops being able to respond with requests.

    As a more casual defense, I've written stuff that causes the worm to hang in its receive function: http://robertgraham.com/tools/deredoc [robertgraham.com]. It's kind fun, I've got hundreds of worm threads waiting for me to respond back to them.

    You can create benign anti-worms. You can setup a worm to only counterattack when attacked itself. Such a worm would not bother innocents, and would only spread to infected systems, cleaning as it went. In other words, it wouldn't be 'scanning' -- it only responds upstream to infected systems. There are two problems to that approach: the first is that CodeRedII self-DoS itself, so the systems cannot be exploited, either with the .ida attack or the backdoor. The second problem is that a heck of a lot of these systems are behind firewalls, and you cannot directly contact them on port 80 (CodeRedII has been extremely effective about worming its way around firewalls).

    You can evade legal constraints. Post the source of your anti-worm to Usenet as an example how an anti-worm is constructed. This is legal free-speech -- as long as you don't encourage others to run it.

    CodeRedII is raging inside corporations. It would be extremely ethical to put something on your own machine to help stop it. One example would be a script (CGI, PERL, PHP, ASP) named /default.ida on your system that did something like "/scripts/root.exe?/c+net+stop+w3svc" back at the attacker.

  • I remember seeing a /. blurb about just such a thing. If I remember right, after it invaded the system, it patched a security hole, copied itself onto whatever removable media was in the computer and deleted itself. Unfortunately I couldn't find the article in the archives.

    In the meantime, this sort of program is pretty trivial, aside from invading a secured host. I've heard talk in various organizations about writing maintenance viruses to crawl the network's hosts and do whatever updating needed to be done. Such ideas are usually tanked because everyone's a little nervous about independent critters running loose, doing things on their computers. Besides, there are more reliable automated ways to install patches and updates. In the meantime, writing one of these as a good samaritan deed would likely get you prosecuted because, 1) You don't own the computers you're infecting 2)You don't know what the configuration is on the machines and your virus might screw 'em up, 3)What if you missed a bug in your code?

  • by FatOldGoth (207461) on Wednesday August 08, 2001 @12:30PM (#2149315) Homepage

    ...though it's not quite as effective.

    Since the start of this week, I've been running a Perl script as an hourly cron job that parses my firewall logs, gets the originating IP addresses of any Code Red scans, does a reverse lookup, attempts to extract a meaningful domain name and then mails a polite notification to postmaster and webmaster at that domain. The notification contains a link to the MS page with the details of the relevant patches.

    Since doing so, I've had a number of responses from people thanking me for pointing out the problem and confirming that their server has now been patched. The response rate is only about 1%, largely due to the fact that around 90% of the problem servers are on dial-ups/cable modems/DSL, but it's better than nothing.

    I'm not advocating that everybody, or even a large number of people, do this, as the amount of traffic it would generate would only add to the problem, but it seems like a more legal solution than another, white-hatted, worm.

    • by friscolr (124774) on Wednesday August 08, 2001 @02:00PM (#2134258) Homepage
      You don't need to do the lookups/etc yourself. You can help security focus send out the mail.

      from the bugtraq post: [securityfocus.com]

      To: BugTraq
      Subject: Infection Notification
      Date: Sun Aug 05 2001 10:50:22
      Author:
      Message-ID:

      If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:

      IP ADDRESS DATE/TIME WITH TIMEZONE

      Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.

      --
      Elias Levy
      SecurityFocus.com
      http://www.securityfocus.com/
      Si vis pacem, para bellum

      ---end bugtraq post---

      • Ehmmm,
        For those of you participating in the DOS attack against Securityfocus...

        Although, they did not launch a posting to this, in the mailing list they said that they were going to discontinue taking mailings from people.

        When I went to get the link for this message I found that they are having a hard time responding to HTTP requests... Perhaps caused by the slashdot community?

        Lando
    • this isn't original, a friend found it posted somewhere, but you can call up an internet explorer window with the cert advisory(or the patch for that matter)byt usung the root.exe file. like such: http://the.fckd.up.host/scripts/root.exe?/c+explor er+htt p://www.cert.org/advisories/CA-2001-23.html this works great for cable/dsl users who might not even know they have a webserver running. kinda tough to ignore explorer windows poping up, even on a MS computer.
  • by SirSlud (67381) on Wednesday August 08, 2001 @12:41PM (#2149681) Homepage
    Actually, there's nothing like a challenge to a virus writer .. so I'll bet if you started spreading a good one, you'd just start escalating the war. Sometimes I believe viruses havn't caused major catastrophes yet because we dont fight viruses with viruses. Think of guns .. since we fight guns with guns, it really ends up coming down to who has the most/biggest guns. Do we really want to find out who has the most time and haxoring genius, the black hats or the white hats?
  • net police (Score:5, Insightful)

    by SKicker (27704) on Wednesday August 08, 2001 @03:32PM (#2149957)
    If these worms are illegal because they gain unauthorised entry then of course making a 'friendly' virus is illegal because it is doing the same thing.

    Having good intentions is nice but consider this (fictional) scenario: A local cat keeps trying to have 'relations' with my cat and I dont know who the owner is, plus the owner is unaware of their cat's activity. I catch the cat and get it 'fixed' without the owner knowing. When the owner finds out I doubt they or the police would be too pleased about it. Swap 'cat' for 'web server' and you have this code red situation.

    Yes the internet is unpoliced but I dont think the 'Do-Gooder' virus is a very good answer. Internet policing is an interesting new subject but traditional security ideas still apply - the owner of the house is the one responsible for making sure the door is locked. People need to be taught this applies to the internet too.

    (And no jokes about unauthorised entries thank you very much)
  • by Mustang Matt (133426) on Wednesday August 08, 2001 @02:47PM (#2150745)
    The solution is twofold.
    A: Microsoft needs to release more secure OS/Web servers.
    B: People need to patch their system themselves or take it off the net.
  • by baptiste (256004) <mike@@@baptiste...us> on Wednesday August 08, 2001 @12:14PM (#2152686) Homepage Journal
    CodeRed II leaves a huge hole - the virtual C and D drives so even if they remove the root.exe file, as long as the explorer.exe is infected, you can access any file via /c or /d in your GET request (ie /c/winnt/system32/cmd.exe?any cmd you want)

    I'm sure folks will scream its illegal and it probably is - but can't a case be made for 'self defense' I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

    Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?

    • by Shoten (260439)
      A case cannot be made for self-defense, and here is why.

      If you are in a dark alley somewhere, and there is one other person, and he draws a gun on you, indicates an intent to harm you, you have the right to use your weapon ONLY IF that is your last resort. And I won't even go into the notion of the "danger to life and limb" that is present in that scenario, but suffice it to say that generally speaking, you can do things you can't otherwise get away with if it's for the purpose of saving a life.

      When it comes to your web server, nobody's going to die if you get defaced, rooted, bent over, etc. It costs some money to fix, ok, but that does not give you carte blanche to break the law at a similar level. Keep in mind that nearly every law that outlaws hacking is based on "unauthorized access." It doesn't matter WHY you're doing it, just that you know you're not supposed to be there. And if you're basing your code upon a notorious worm...well...good luck trying to say "I didn't know!" :)

      Final point, you have other options. Keep up with your patches. Install IDS and watch the logs. Yes, this takes work, but so does writing a counter-worm every time a new worm comes out, and at least this way you can be protected BEFORE it hits, not after. And if all those Code Red-nailed boxen are knocking any of your systems offline, I gotta tell ya, you need to do something about your network, because as severe as the scanning is, I haven't heard from a single client who has actually had downtime from it.

      • > I haven't heard from a single client who has actually had downtime from it.

        At work, we had a Lotus Domino server that would crash whenever someone requested an non-existant Web URL from it (don't ask...). As most access to it are done from programs, or from links & bookmarks, this hasn't actually been a problem until recently...

        Since the beginning of August it started crashing every hour or so, making it rather difficult to work with. Then, this week it crashed every ten minutes... Initially we assumed that unknowingly a coworker was mistyping an URL, or doing some bizarre tests which crashed it. Then we understood what was really happening: it was CODE RED! Does that qualify as client having downtime due to Code Red?

        However, in retrospect, this whole story had a good thing to it: it encouraged the guy in charge of Notes to find out why exactly it was crashing when asked for a non-existing URL... And he did indeed find the faulty config option and fixed it.

        Ok, now on the next task: another of our Domino servers crashes whenever somebody enters a bad password into the HTTP password dialog box for protected pages (yeah, yeah, I know...). Now that the weekend is approaching, and the kiddies are putting their final touches onto their new creations, could somebody please include an Authorization: Basic Tm90ZXM6c3V4b3Jz0 into the HTTP headers of the probes of his Code Red III, so that we have an excuse to fix that problem too? ;-)

    • by ryanvm (247662) on Wednesday August 08, 2001 @01:07PM (#2136197)
      I'm sure folks will scream its illegal and it probably is - but can't a case be made for 'self defense' I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

      The problem is that 'self defense' only exists in a situation where your personal safety is at risk - like the above scenario.

      It's like asking: If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee?

      Basically, you can't violate someone else's rights unless your own safety is in danger.

    • by Sun Tzu (41522)
      After all, how do you tell a 'good' virus from a bad one? It might be harder than you realize, if you're a virus scanner, for example. There is an article here [librenix.com] that deals with some of the other issues that 'good' viruses raise.
    • by johnwbyrd (251699) on Wednesday August 08, 2001 @12:37PM (#2151997) Homepage
      Slashdot desperately needs is a full-time lawyer. It's a great site for Internet geek stuff but nobody on the site has the first fucking clue about liability law. That in itself would not necessarily be awful if it were not the case that all discussions here invariably end up with a bunch of laymen talking legal theory. Lawyers, help!
      • There are a lot of good legal resources out there, both internet law libraries, the supreme court web site, and actual "meatspace" libraries. If people would just do a little research before posting, we would have a lot fewer "it seems to me that" posts and a lot more informative "if we apply the ruling in blank V blank" posts. I can dream, can't I?

      • by VivianC (206472) <internet_update@ ... minus physicist> on Wednesday August 08, 2001 @06:23PM (#2149918) Homepage Journal
        IANAL but....

        There is really no single law that covers this so a lawyer would be useless in this case. You could get ten different opinions from five different lawyers and any or all of them could be right. Or wrong. That's what Judges do.

        Now, with the PHP or CGI programs that do something to a computer, it would be a very grey area. After all, the 'attacking' computer is actualy requesting information from your machine. You are simply returning information. Then you can get into the motive of the requestor and the motive of the author and it gets even worse.

        Basically, all a lawyer is going to tell you is his theory of how a set of laws will be interpretted. Only Judges can actualy do the interpretting.
  • This is a Bad Idea (Score:4, Insightful)

    by Satai (111172) on Wednesday August 08, 2001 @12:19PM (#2156567)
    This is a very Bad Idea. First of all, unauthorized access to a computer is, by definition unauthorized. Any worm which spreads changes is illegal and as such a Bad Idea.

    No matter how good your intentions are (RTM just wanted to play around, right?) you cannot take the "law" into your own hands.

    Ethical issues aside, it would be very dangerous to being publicizing that there was a beneficial worm available; immediately, we would get copycat worms everywhere, appearing the same (yes, this could probably be circumvented by MD5 checksums or something, but jeez, if the webmaster was going to go through THAT much trouble, they'd install the damn patch themselves!) but doing far worse things.

    I'm not usually one to spout Libertarian philosophy - but in this case, if somebody wants to leave their box open - through ignorance, laziness, or some other ineffable reason - that is their choice and not the choice of some 15-year old hacker who thinks he'll redeem his l33t friends' images in the media's eyes.

    The defenses always have to be kept up - or else you have to start making judgment calls about which outside sources to give access to, which is a path no one wants to go down.

"Your mother was a hamster, and your father smelt of elderberrys!" -- Monty Python and the Holy Grail

Working...