Fight Virus With Virus? 697
Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submittor raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?
works until.... (Score:2, Insightful)
Re:Why do favors? (Score:1, Insightful)
Just 13 years behind the times... (Score:5, Insightful)
The first such anti-virus virus, Den_Zuko, was discovered in 1988. Check out this article [vnunet.com] on VNUnet, which has more info on the history of such software and why it's a bad idea.
More recently, the Linux.Cheese.Worm has done similar things for Linux users infected by the Linux.Lion.Worm.
Re:You could do that, but don't! (Score:3, Insightful)
Possible? Yes, of course. (Score:4, Insightful)
Part of the problem with worms isn't just the malicious acts that they perpetrate, it's the bandwidth that they use.
A particularly virulent worm can bring servers and routers to their knees just propagating itself. That's before it even gets the chance to do any of its intended damage. (Remember Melissa, or The Great Internet Worm?)
Add to this very real concern the fact that striking back in this way, no matter the good intentions, is almost certainly illegal, and the whole idea is a definite no-no.
(Yes, it does have a certain appeal - but so do many other things that are bad ideas, too)
Cheers,
Tim
This has already happened (Score:4, Insightful)
Personally, I feel a virus is a virus, regardless if your intentions were good. You're not any better than the hundreds of losers out there creating this mess. If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.
Discussed before (Score:2, Insightful)
Why not? (Score:2, Insightful)
Now this just goes right back to the whole "but I thought a virus was bad" response that your typical user will tell you. For the most part, it could work wonderfully, but the big thing is, the only people who will need it are those who did not patch a system for the bug (since if they patched it, then the retrovirus (if you will) will not be able to use the same vulnerablilty). Those are most often the same people that opened 40 SirCam attachments even though they were warned ("But it came from my best friend!"). To these people, a virus is something to be afraid of, regardless of purpose. A virus is always a bad thing that will "break the computer" and we don't want to "break the computer" because we can't "fix the computer" <Cue ominous music>
But then again, if these people are so oblivious as to how they're infected, then it just may work as long as the media doesn't blow it out of proportion again.
It's not 'virii'! (Score:2, Insightful)
check out http://www.cknow.com/vtutor/vtplural.htm [cknow.com] for more information...
(rant mode off)
Darwinian Predator - Prey relationship on the net (Score:5, Insightful)
All you can do here is appeal to the logic of those who would pursue such an activity and suggest that they not undertake it, but regardless of how much you argue, convince and suggest, someone will eventually do it and there will be severe concequences - not all negative, but severe, with respect to how we look at technology and how we use it.
It could further be argued that those against such undertakings, need to ajust to changing technology and make the appropriate changes to their world view. This is what the recording industry is having to do, as well as companies in other well established industries. The same will eventually be true of how we look at software design (computer viruses), and biology (human cloning).
--CTH
Err (Score:1, Insightful)
Anybody think about the bandwidth implications of this? We'll have anti-viruses counteracting viruses, viruses counteracting the anti-viruses, etc. This will all eat up bandwidth just as bad as Sircam and Code Red have.
Illegal (Score:4, Insightful)
This means that unauthorized access in the attempt to do a "good deed" is just as illegal as black-hat unauthorized access.
For this to happen, someone with the antidote virus would have to break the law to spread it and apply it. Of course, Robin Hood was considered a criminal too.
Because... (Score:5, Insightful)
Seriously, folks, everybody who *could* write something like that either (a) recognizes that infecting someone's box is infecting someone's box, closing holes or not or (b) sees no problems in having the rooted boxen out there anyway. I doubt that anybody else actually has the skills to do it.
Re:DirectTV hacked the hacker.... (Score:2, Insightful)
Virus writers would close the door they came in in advance and write in another door that would be extremely hard to find. The worm would still infect other machines, and it would be a very long time before the other back door kicks in. People would think the worm they got was a purposeful fix worm, when in actuallity it only would be a matter of time before it became a zombie. Now that would be a smart virus. Of course, the hardest part would be giving the new back door the functionality needed while effectively hiding itself.
You could do that, but don't! (Score:4, Insightful)
Why not put up a webpage that people can use? (Score:5, Insightful)
All the viewer has to do is click a button at the bottom of the screen.
Just so happens that this particular button sends a request to
Afterall, they did click on the link, right?
Seriously though, if someone wants to get all pissy about you going to their box and fixing their screwup, threatening to sue and the like, I'd just countersue
Indexing server is essentially part of IIS (Score:2, Insightful)
The indexing server is bundled with IIS, and is one of the main reasons for choosing IIS -- searching is bundled right in. Comparing it with "some CGI script" is disingenuous.
It would be fair to compare it with Apache modules that are part of the standard distribution and are usually installed. Care to point out a recent hole in such a module?
Insightful, my foot. The pro-MSFT moderators are busy today.
Re:A K5 USer has published an anti-CodeRed virus (Score:2, Insightful)
...but it's a bad idea (Score:3, Insightful)
Re:This has already happened (Score:4, Insightful)
It's probable that you don't understand the difference between right and wrong.
Think of cops and robbers. We have bad guys with guns running around on the streets, and we have good guys with guns running around on the streets. Neither group is very bright, and both are liable to shoot you for pulling your wallet out too fast in a darkened doorway. Still, we know which group we're going to train and pay to protect us using their own judgment.
A neighbor who checks and locks my door is far more neighborly than one who walks in, spray paints grafitti on my walls, craps on my carpet, leaves a dead rat hanging between the old coats in the closet, and says "oh, you have a security problem, you should get that fixed before someone does something bad to you".
People who bought buggy software got ripped off, and you're discouraging conscientious software engineers from providing free, automatic service to those people, and preventing them from becoming unwitting dupes in spreading the bad viri around the world.
But you shouldn't live in fear that this will become epidemic. People who do know right from wrong and who do choose to do right understand that doing right is often mistaken for doing wrong by people who don't know the difference, and our system of justice isn't based on right and wrong, it's based on perception, so they won't take the chance of being railroaded, Good Samaritan law or no.
--Blair
Re:Why do favors? (Score:2, Insightful)
Re:Don't be a part of the problem (Score:4, Insightful)
ethics:
2. Being in accordance with the accepted principles of right and wrong that govern the conduct of a profession.
moral:
1. Of or concerned with the judgement of the goodness or badness of human action and character.
You want an ethical lawyer, but not one who applies morality. You want an ethical doctor, but not one who judges your morality.
Ethics is reflective, driving ones own behavior with respect for others. Morality is applied to others, and rarely implies respect for others.
Re:Don't be a part of the problem (Score:3, Insightful)
Arguably true, but the bigger issue is "what are correct ethics?" Some things nearly all people can all agree on: it isn't ethical to copy someone else's work and pass it off as your own. But there are a lot of other ethics issues that will be very decisive. For example:
"It is permissable to take a person's life if it is the only way to protect your life or the life of another."
I have had many arguments with people who think that there is never, ever a reason to take a life, whereas I believe that self-defense is a fundamental human right. In the case of a divisive topic such as this, an "ethics class" is useless at best -- and brainwashing at worst.
I think some kind of critical thinking training is a better idea. If you can think critically, you will develop your own ethical code.
There is another way... (Score:5, Insightful)
...though it's not quite as effective.
Since the start of this week, I've been running a Perl script as an hourly cron job that parses my firewall logs, gets the originating IP addresses of any Code Red scans, does a reverse lookup, attempts to extract a meaningful domain name and then mails a polite notification to postmaster and webmaster at that domain. The notification contains a link to the MS page with the details of the relevant patches.
Since doing so, I've had a number of responses from people thanking me for pointing out the problem and confirming that their server has now been patched. The response rate is only about 1%, largely due to the fact that around 90% of the problem servers are on dial-ups/cable modems/DSL, but it's better than nothing.
I'm not advocating that everybody, or even a large number of people, do this, as the amount of traffic it would generate would only add to the problem, but it seems like a more legal solution than another, white-hatted, worm.
Not necessary, if people would only research (Score:3, Insightful)
You'd spawn a war that hasnt escalated so far (Score:4, Insightful)
Re:Don't be a part of the problem (Score:4, Insightful)
When I was 4, I was in my apartment complex running around like a, well, screaming 4 year old. One of the residents (happened to be a RN) was watching me play with my brother and then called me over to him. He took a good look at me, grabbed my hand and took me to my apartment.
"Your son has the measles. Take him to the doctor, now."
There was a person, completely unrelated to me, who didn't even have kids whom I could "endanger" with my measles. Was he within his rights?
The original poster must realize that an infected machine has already been compromised by an intruder. If you walk past an apartment and see someone has forced the door open and is ransacking it, do you continue walking by? Or do you yell at the thief? Call the Cops?
Those "infected" machines are flooding the pipe that I'm paying for, so doesn't that make them some part of a "commons" that makes them part of everyone's responsibility?
If my neighbor is playing his music too loudly, don't I have the right to knock on his door and say "Hey, turn that down, please?"
If I'm being constantly probed by thousands of infected machines, my internet access greatly slowed down by all the garbage in the pipe, don't I have a right to find the owners and tell them "Hey, knock that shit off. Fix your damn machine, it's hurting everyone."
Furthermore, to pick on another pet peeve of
Just some thoughts...
Re:Its entirely possible (Score:4, Insightful)
There is really no single law that covers this so a lawyer would be useless in this case. You could get ten different opinions from five different lawyers and any or all of them could be right. Or wrong. That's what Judges do.
Now, with the PHP or CGI programs that do something to a computer, it would be a very grey area. After all, the 'attacking' computer is actualy requesting information from your machine. You are simply returning information. Then you can get into the motive of the requestor and the motive of the author and it gets even worse.
Basically, all a lawyer is going to tell you is his theory of how a set of laws will be interpretted. Only Judges can actualy do the interpretting.
net police (Score:5, Insightful)
Having good intentions is nice but consider this (fictional) scenario: A local cat keeps trying to have 'relations' with my cat and I dont know who the owner is, plus the owner is unaware of their cat's activity. I catch the cat and get it 'fixed' without the owner knowing. When the owner finds out I doubt they or the police would be too pleased about it. Swap 'cat' for 'web server' and you have this code red situation.
Yes the internet is unpoliced but I dont think the 'Do-Gooder' virus is a very good answer. Internet policing is an interesting new subject but traditional security ideas still apply - the owner of the house is the one responsible for making sure the door is locked. People need to be taught this applies to the internet too.
(And no jokes about unauthorised entries thank you very much)
Re:Its entirely possible (Score:1, Insightful)
Yeah, but you missed the point. Sure it's probably kosher to defend yourself against a stranger who's broken into your house by attacking him. What would not be kosher is to go to his house, break in, and throw away his coffee.
Re:IIS = Loaded Gun? (Score:1, Insightful)
Fun with guns is unnecessary. Guns kill people and should be banned no matter how "fun" they are.
What if my 'default.ida' was a program? (Score:2, Insightful)
Code red backdoor checker [aspsourcecode.com]
Re:Already been done (Score:4, Insightful)
Go <a href="default.ida">here</a> to check your server for the Code Red worm and remove it if found.
Unlike an actual anti-security-hole virus, in this situation you are providing a legitimate and documented response to an actual request. If you're not scanning other machines unless they actually ask (either by following the link or by attacking you), it's not really any more unethical than, say, active FTP (if you send this message, I will open a connection back to you and send some data over it). It is no more using the other person's machine than, say, slashdot forcing my machine to render an HTML document or an FTP server forcing my machine to store the document I download.
It has happened already (Score:2, Insightful)
Read This [thestandard.com]
Re:Its entirely possible (Score:5, Insightful)
Re:I Hope You Keep Bail Money Near Your Gun OT (Score:2, Insightful)
This is a Bad Idea (Score:4, Insightful)
No matter how good your intentions are (RTM just wanted to play around, right?) you cannot take the "law" into your own hands.
Ethical issues aside, it would be very dangerous to being publicizing that there was a beneficial worm available; immediately, we would get copycat worms everywhere, appearing the same (yes, this could probably be circumvented by MD5 checksums or something, but jeez, if the webmaster was going to go through THAT much trouble, they'd install the damn patch themselves!) but doing far worse things.
I'm not usually one to spout Libertarian philosophy - but in this case, if somebody wants to leave their box open - through ignorance, laziness, or some other ineffable reason - that is their choice and not the choice of some 15-year old hacker who thinks he'll redeem his l33t friends' images in the media's eyes.
The defenses always have to be kept up - or else you have to start making judgment calls about which outside sources to give access to, which is a path no one wants to go down.
Re:Possible? Yes, of course. (Score:3, Insightful)
Good virus resides on your computer. Computer gets scanned; good virus cleans up offending computer, installs itself. Now, rather than sending out 300 requests at a time, the offending computer is sending out nothing, unless it is scanned as well.