Fight Virus With Virus?

Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time?" The submitter raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?
  • by Koda ( 465239 ) on Wednesday August 08, 2001 @01:26PM (#2109648)
    FYI, I have a normally reliable Cisco 675 router that was repeatedly being infected with Code Red, requiring a reboot each time. Here's the easy fix:
    1) From the "cbos#" prompt*, input the command "set web disabled". I think you'll have to follow that up with the "write" command. That shuts off the router admin web-interface. If you really must have that interface, you can change the port instead.
    2) Upgrade the CBOS to version 2.4.1. See http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml for more, and check your ISP's web site for the actual patch.

    Hope that helps...

    *Note: to get to the "cbos#" prompt, input the command "enabled" at the "cbos>" prompt.
  • by Tassach ( 137772 ) on Wednesday August 08, 2001 @04:34PM (#2110590)
    Plus, lawyers have to be careful about what they say in a forum like this -- a lawyer cannot give "official" legal advice to someone who is not his or her client. This is why any legitimate law-related web site has a disclaimer like "this is not to be construed as legal advice".

  • by Ctrl-Z ( 28806 ) <timNO@SPAMtimcoleman.com> on Wednesday August 08, 2001 @01:40PM (#2113899) Homepage Journal
    The problem -- as many knowledgeable folks have already reported -- is that admins are reluctant to update production servers, because of the fact that such updates can and do break those systems.

    Do you really want to rely on Microsoft's updates to be reliable and correct? Updates are best installed on test servers and then migrated to production systems. The fact is that once an exploit is discovered, it typically takes several months for destructive software to be released that takes advantage of the exploit. Code Red came out much quicker and that has caused many of the problems we are witnessing.
  • by fearlessfreddy ( 468996 ) on Wednesday August 08, 2001 @06:06PM (#2117044)

    I would like to point out that many if not most of the machines that are still being infected by the Code Red worms are operated by users who are not even aware that they are running IIS.

    Case in point, my roommate bought a Dell Dimension L700cx with Windows 2000 about 6 months ago. He was surprised when I showed him that his machine is running IIS and serving the default web page on port 80. This person did nothing to install or activate IIS; the machine was shipped with that configuration.

    I think this fact is important to keep in mind when trying to understand why so many machines remain vulnerable to the IIS attack.

    PS: We run our LAN behind a firewall that denies port 80, so my friend's machine was not infected.

  • by Philbert Desenex ( 219355 ) on Wednesday August 08, 2001 @02:21PM (#2119235) Homepage

    The Cheese Worm [cert.org] seems to constitute exactly what you want. Cheese actually sought out Linux hosts [linuxsecurity.com] infected by the Lion worm [whitehats.com] and removes any backdoor root shells from /etc/inetd.conf. Some say the Cheese Worm constitutes the first hack-of-a-hack known [theregister.co.uk].

    Another first for Linux and Open Source software!

  • by hillct ( 230132 ) on Wednesday August 08, 2001 @12:43PM (#2124450) Homepage Journal
    A K5 user has provided the source to a proposed code-red anti-virus [kuro5hin.org], which actively repairs remote systems infected with the code red virus. The legal implications of this are a big issue, but it's certainly an interesting code example.

    --CTH
  • by friscolr ( 124774 ) on Wednesday August 08, 2001 @02:00PM (#2134258) Homepage
    You don't need to do the lookups/etc yourself. You can help SecurityFocus send out the mail.

    from the bugtraq post: [securityfocus.com]

    To: BugTraq
    Subject: Infection Notification
    Date: Sun Aug 05 2001 10:50:22
    Author:
    Message-ID:

    If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:

    IP ADDRESS DATE/TIME WITH TIMEZONE

    Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.

    --
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum

    ---end bugtraq post---
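    The SecurityFocus post above asks for one "IP ADDRESS DATE/TIME WITH TIMEZONE" line per probe. As an added example (not code from the post, from SecurityFocus, or from anyone in this thread), the script below reads web-server access-log lines in NCSA common/combined format (the Apache layout; an IIS W3C-format log would need a different line parser), flags requests for `/default.ida?` followed by a long run of a single filler character, which is the request shape the .ida ISAPI buffer overflow probes of Code Red and Code Red II produce, and prints the report lines. The log lines are constructed for the example and use documentation IP ranges.

```python
"""Extract Code Red probe records from an access log and format them
as "IP ADDRESS DATE/TIME WITH TIMEZONE" report lines.

Assumptions (not from the Slashdot page): NCSA common/combined log
format, one request per line. The sample log is constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: two Code Red probes ('N' filler), one Code Red II
# probe ('X' filler), and one ordinary page request that must not be reported.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:10:50:22 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 284 "-" "-"
198.51.100.7 - - [05/Aug/2001:11:02:41 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
203.0.113.99 - - [05/Aug/2001:11:15:03 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 284 "-" "-"
192.0.2.10 - - [05/Aug/2001:12:30:00 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 284 "-" "-"
"""

# NCSA common/combined format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The worm hits the .ida ISAPI filter with a query string padded by a long
# run of one character (N for Code Red, X for Code Red II). Requiring 21+
# repeats of the same character keeps short, legitimate .ida requests out.
PROBE_RE = re.compile(r'/default\.ida\?([NX])\1{20,}', re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path):
    """True when the request path looks like a Code Red / Code Red II probe."""
    return PROBE_RE.search(path) is not None


def format_timestamp(ts):
    """Convert '05/Aug/2001:10:50:22 -0700' to '2001-08-05 10:50:22 -0700',
    keeping the log's own UTC offset as the post requires."""
    dt = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return dt.strftime("%Y-%m-%d %H:%M:%S %z")


def extract_probes(log_text):
    """One report line per probe: '<ip> <date time offset>'."""
    report = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_code_red_probe(rec["path"]):
            continue
        report.append(f"{rec['ip']} {format_timestamp(rec['ts'])}")
    return report


def probes_per_source(report):
    """Count probes per source IP (handy before deciding whom to notify)."""
    return Counter(line.split(" ", 1)[0] for line in report)


if __name__ == "__main__":
    lines = extract_probes(SAMPLE_LOG)
    print("\n".join(lines))
    print(dict(probes_per_source(lines)))
```

    Run it against a real log by reading the file into `extract_probes`; the output is already in the one-IP-one-timestamp-per-line shape the post asks for, and `probes_per_source` shows repeat offenders without changing the report format.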

  • See Everything2 (Score:2, Informative)

    by l-ascorbic ( 200822 ) on Wednesday August 08, 2001 @02:08PM (#2136786)
    That seems a bit like overkill. There is an Everything2 node [everything2.com] on this subject with some simpler PHP code samples, including (full disclosure) one by me.
  • Go ahead and do it. (Score:2, Informative)

    by atrowe ( 209484 ) on Wednesday August 08, 2001 @12:23PM (#2140606)
    I don't see why it couldn't be done. The CodeRed worm has already been modified several times and re-released. The original source can be found here [google.com]

    Google cache because it looks like the original site has been removed.

    I suppose that it would be possible to use the ISAPI filter vulnerability in IIS to get into a system and patch that very same vulnerability. Maybe someone who knows more about this can clarify.

  • Preferable method (Score:3, Informative)

    by Snowfox ( 34467 ) <snowfox@NOsPaM.snowfox.net> on Wednesday August 08, 2001 @12:19PM (#2144950) Homepage
    I'd rather it used the IIS log file to try to spread itself to every system that had tried to infect it, then executed a
    %windir%\System32\rundll32.exe user32.dll,exitwindows

    (which you can do manually right now with the worm-installed back door.)

    Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.

  • by Gkeeper80 ( 71079 ) on Wednesday August 08, 2001 @03:50PM (#2148798)
    This isn't original, a friend found it posted somewhere, but you can call up an internet explorer window with the cert advisory (or the patch for that matter) by using the root.exe file. like such: http://the.fckd.up.host/scripts/root.exe?/c+explorer+http://www.cert.org/advisories/CA-2001-23.html this works great for cable/dsl users who might not even know they have a webserver running. kinda tough to ignore explorer windows popping up, even on a MS computer.
  • by blakestah ( 91866 ) <blakestah@gmail.com> on Wednesday August 08, 2001 @12:40PM (#2149153) Homepage
    Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.


    Now there is ethics and there is ethics. Here is a scenario that occurred once in Baltimore. A house thief hot-wired a car. He jammed the steering wheel all the way to the side and floored the gas. The car spun and made lots of noise. Meanwhile, the thief broke into people's houses (that is besides the point). Am I ethical if I jump into the moving car and turn it off?

    The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.

    As another example, suppose my neighbor's house is burning and his 10 year old is screaming at the window, and he is not around. Am I ethical in breaking in to save his child? In this case the answer is really clear.

    In the case of machines compromised with CodeRedII, consider the capability for MASSIVE DDOS directed at anybody launchable by anybody. Those machines are tools to be used by anyone for any reason they like. They can be used as launching points for hacks on military sites. They can be used to snoop for passwords etc. If you go onto those machines and simply remove them from the network by shutting them down (in an orderly fashion), I think you could argue rather strongly that you are taking such action in the interest of public safety.

    Ethics is rarely so cut and dried that one could claim that you should NEVER alter someone else's property.
  • by Anne_Nonymous ( 313852 ) on Wednesday August 08, 2001 @01:39PM (#2149345) Homepage Journal
    Also affected are Cisco 678's.

    See http://www.qwest.com/dsl/customerservice/coderedvirus.html
  • by node3667 ( 301695 ) <xavier.slashdot@ ... 5926org minus pi> on Wednesday August 08, 2001 @01:00PM (#2149358) Journal
    The virus nVIR A was propagating in the Macintosh world (1990). Someone created a second virus, nVIR B, to counter-attack nVIR A and replace A with itself.

    There were bugs in nVIR B, making parts of the computer unusable, and nVIR B could propagate on a computer which wasn't infected by nVIR A.

    Not everybody was happy :-(

    bye
  • by jgerman ( 106518 ) on Wednesday August 08, 2001 @12:56PM (#2149584)
    It's not necessarily true that an American citizen can respond with deadly force to criminal trespass. That varies state by state. Here, in MD, for example, if someone breaks into your home and threatens you, you must make every effort to vacate the home. You can not just shoot him for trespassing, breaking and entering, or anything else.

    Guess that means if my machine gets hacked here I have to give it over to whomever hacked it.

  • by brunson ( 91995 ) on Wednesday August 08, 2001 @01:18PM (#2150374) Homepage
    Colorado (for positive) and many other states have a "make my day" law. If someone breaks into your home you can automatically assume you are in danger of grievous bodily harm or death and can shoot dead on the spot.
  • Cheese Worm (Score:1, Informative)

    by robt ( 197463 ) on Wednesday August 08, 2001 @01:18PM (#2150656)
    This exploit has already been done, closing insecure ports on Linux systems, as reported here:

    http://news.cnet.com/news/0-1003-200-5949401.html

    http://news.zdnet.co.uk/story/0,,s2086609,00.html

    http://www.infowar.com/iwftp/icn/17May2001_New_worm_patches_linux_vulnerabilities.shtml

    http://www.securitynewsportal.com/article.php?sid=437

    Also interesting for history buffs is the Internet Worm of 1988 that shut down the internet!

    http://world.std.com/~franl/worm.html

    Could it still happen?

  • by Mustang Matt ( 133426 ) on Wednesday August 08, 2001 @02:47PM (#2150745)
    The solution is twofold.
    A: Microsoft needs to release more secure OS/Web servers.
    B: People need to patch their system themselves or take it off the net.
  • by urtica ( 26207 ) on Wednesday August 08, 2001 @11:41PM (#2169382) Homepage
    For more stats and analysis on guns than you could possibly want, see Tim Lambert's archive of his postings to talk.politics.guns [unsw.edu.au]
    Country      % at-home    % gun       homicide
                 burglaries   ownership   rate
    Netherlands  48           2           0.9
    England      26-59        5           0.7
    Australia    10           20          2.0
    Canada       10           31          2.1
    USA          14           49          8.8

    The Australian "at-home" burglary rate is actually for Victoria. The range given for England is because the rate is 59% for attempted burglaries and 26% for completed burglaries, so the overall rate must be somewhere in between.

    When one looks at the Australian and Canadian figures, the relationship between gun ownership and "at-home" burglaries isn't so clear as some like to make it out. The correlation between gun ownership and homicide rate is much clearer.
