Fight Virus With Virus? 697
Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submittor raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?
Re:Don't be a part of the problem - Cisco fix (Score:2, Informative)
1) From the "cbos#" prompt*, input the command "set web disabled". I think you'll have to follow that up with the "write" command. That shuts off the router admin web-interface. If you really must have that interface, you can change the port instead.
2) Upgrade the CBOS to version 2.4.1. See http://www.cisco.com/warp/public/707/cisco-code-r
Hope that helps...
*Note: to get to the "cbos#" prompt, input the command "enabled" at the "cbos>" prompt.
Re:Its entirely possible (Score:3, Informative)
Re:Don't be a part of the problem (Score:2, Informative)
Do you really want to rely on Microsoft's updates to be reliable and correct? Updates are best installed on test servers and then migrated to production systems. The fact is that once an exploit is discovered, it typically takes several months for destructive software to be released that takes advantage of the export. Code Red came out much quicker and that has caused many of the problems we are witnessing.
Many infected users don't know they're running IIS (Score:2, Informative)
I would like to point out that many if not most of the machines that are still being infected by the Code Red worms are operated by users who are not even aware that they are running IIS.
Case in point, my roommate bought a Dell Dimension L700cx with Windows 2000 about 6 months ago. He was surprized when I showed him that his machine is running IIS and serving the default web page on port 80. This person did nothing to install or activate IIS, the machine was shipped with that configuration.
I think this fact is important to keep in mind when trying to understand why so many machines remain vulnerable to the IIS attack.
PS: We run our LAN behind a firewall that denies port 80, so my friend's machine was not infected.
The Cheese Worm did this for Lion-infected hosts (Score:2, Informative)
The Cheese Worm [cert.org] seems to constitute exactly what you want. Cheese actually sought out Linux hosts [linuxsecurity.com] infected by the Lion worm [whitehats.com] and removes any backdoor root shells from /etc/inetd.conf . Some say the Cheese Worm constitutes the first hack-of-a-hack known [theregister.co.uk].
Another first for Linux and Open Source software!
A K5 USer has published an anti-CodeRed virus (Score:4, Informative)
--CTH
Re:There is another way... (Score:4, Informative)
from the bugtraq post: [securityfocus.com]
To: BugTraq
Subject: Infection Notification
Date: Sun Aug 05 2001 10:50:22
Author:
Message-ID:
If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:
IP ADDRESS DATE/TIME WITH TIMEZONE
Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
---end bugtraq post---
See Everything2 (Score:2, Informative)
Go ahead and do it. (Score:2, Informative)
Google cache because it looks like the original site has been remove.
I suppose that it would be possible to use the ISAPI filter vulnerability in IIS to get into a system and patch that very same vulnerability. Maybe someone who knows more about this can clarify.
Preferable method (Score:3, Informative)
(which you can do manually right now with the worm-installed back door.)
Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.
just pop up an explorer window for cert.com (Score:2, Informative)
Re:Don't be a part of the problem (Score:5, Informative)
Now there is ethics and there is ethics. Here is a scenario that occurred once in Baltimore. A house thief hot-wired a car. He jammed the steering wheel all the way to the side and floored the gas. The car spun and made lots of noise. Meanwhile, the thief broke into people's houses (that is besides the point). Am I ethical if I jump into the moving car and turn it off ?
The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.
As another example, suppose my neighbor's house is burning and his 10 year old is screaming at the window, and he is not around. Am I ethical in breaking in to save his child ? In this case the answer is really clear.
In the case of machines compromised with CodeRedII, consider the capability for MASSIVE DDOS directed at anybody launchable by anybody. Those machines are tools to be used by anyone for any reason they like. They can be used as launching points for hacks on military sites. They can be used to snoop for passwords etc. If you go onto those machines and simply remove them from the network by shutting them down (in an orderly fashion), I think you could argue rather strongly that you are taking such action in the interest of public safety.
Ethics is rarely so cut and dried that one could claim that you should NEVER alter someone else's property.
Re:Don't be a part of the problem - Cisco fix (Score:2, Informative)
See http://www.qwest.com/dsl/customerservice/coderedv
it has already happened (Score:2, Informative)
There were bugs into nVIR B, making the computer part unusable. and the nVIR B could propagate on a computer which wasn't infected by nVIR A.
Not everybody was happy
bye
Re:Its entirely possible (Score:5, Informative)
Guees that means if my machine gets hacked here I have to give it over to whomever hacked it.
Re:I Hope You Keep Bail Money Near Your Gun (Score:2, Informative)
Cheese Worm (Score:1, Informative)
http://news.cnet.com/news/0-1003-200-594940 1.html
http://news.zdnet.co.uk/story/0,,s2086609, 00.html
http://www.infowar.com/iwftp/icn/17May200 1_New_wor m_patches_linux_vulnerabilities.shtml
http://www. securitynewsportal.com/article.php?sid= 437 .
.
Also interesting for history buffs is the Internet Worm of 1988 that shut down the internet!
http://world.std.com/~franl/worm.html
That doesn't solve the problem. (Score:3, Informative)
A: Microsoft needs to release more secure OS/Web servers.
B: People need to patch their system themselves or take it off the net.
Re:I Hope You Keep Bail Money Near Your Gun OT (Score:2, Informative)