"Cheese Worm" Fixes Broken Linux Systems?
Wakko Warner writes: "According to this article, a new Linux worm named "Cheese worm" has been spreading lately. The difference between this and other Linux worms is that Cheese worm attempts to fix backdoors added by other worms, removing malicious code and user accounts and scanning for other infected systems on the network. Now if someone would only release something like this for Outlook that turns off VBScript..."
That would make it an antibiotic rather than a virus, wouldn't it??? "The box said that it needed Win95 or better, so I installed Linux"
Ok you know the OS wars have gone too far when you compare who has better viruses.
First among these is that you agree not to operate your systems in a reckless or negligent fashion. This of course is vague and needs to be pinned down, but a good guideline is probably running systems outside the local firewall which have not been audited for unnecessary services and out-of-date patch sets within the past three months. It might also include running any software which contains well-known exploitable holes; from the time a vulnerability is announced you have 7 days to patch or disable the software in question. Of course, systems inside a suitable firewall are exempt from most of these requirements, which means that "suitable firewall" must be defined. All of these definitions are tricky both politically and technically, but the overriding goal is simple: be a responsible netizen, and recognize that your insecure systems represent a threat to others as well as yourself.
The obvious means of enforcement is post-mortem analysis - in 99% of all cases, any system used to propagate a worm, virus, or ddos attack has been inadequately secured. Therefore the burden should be (steel yourselves...) on the person whose system was compromised to prove that the attack was novel, or that adequate patches were not available, in which case the vendor assumes full liability for all such systems and any and all attacks based on the vulnerability. Unless it can be shown that the operator could not reasonably have prevented the attacks launched from his systems (not on his systems - a terminal attack is not covered by this, only those which are used for subsequent attacks), he must be disconnected from the network for a period of N months. Harsh? Hardly. Consider - a hotel proprietor allows violent criminals to stay in his hotel. If it can be shown that he knew, or should have known, that crimes were being committed at his hotel, he is guilty of negligence, harboring, and/or facilitation, depending on the specifics. There's an important distinction to be made here - an ordinary looking guy unknown to the proprietor who stays one night and quietly kills a man while there presents no liability; there was no reasonable way to have expected the crime. On the other hand, if the proprietor is aware that drugs are being sold, and he allows the guest to remain after that time, he incurs liability. It's the exact same thing - by allowing criminals refuge, lazy and incompetent operators are jointly responsible for actions of the criminals they harbor.
Understandably, these tough requirements will piss people off. Many who can't be bothered to learn how to secure systems and choose not to hire competent help will be cut off, forced to outsource their Internet presence to those who are more conscientious. There will be costs associated, as with any security initiative, and in some cases they may be quite high. But there is no reason we should all have to suffer service interruptions so that Joe Six Pack can run his unpatched Red Hat 6.0 system exposed to the world. Internet connectivity is a privilege, not a right. It's time to send the message that if you don't earn the privilege, you will lose it. This is what's called self-regulation. The Internet is a hierarchy - each provider need only be responsible for ensuring compliance by its own customers and everyone will be covered. Or would you rather the governments step in and implement some wildly broken, hideously expensive scheme to "protect the children?"
I for one am ready to pull the plug on these jokers. You're on notice: maintain your systems or get the fuck off my network.
Isn't that what the Outlook Security patch more or less does? Granted it doesn't "turn off" VBScript but it stops someone from running them by double-clicking an attachment. Plus it notifies the user if another program is trying to access the address list and lets the user decide.
I can't believe I am defending MS (shudder)
> Now if someone would only release something like this for Outlook that turns off VBScript...

I would go one step further and remove all Microsoft operating systems and applications.
The End!
Think about it: While this worm is doing good stuff, the users are getting all happy, but don't notice the other stuff (possibly bad stuff) the worm is doing. It would be the perfect coverup. It's almost like a nun robbing a liquor store, nobody would suspect her.
If you have any savvy at all, this worm will not hit you since you have patched your system yourself. This is designed for those without savvy. A protective angel. Protecting you while you don't realize.
The idea is brilliant.
I'd rather have fixer worms running amok than hacked drones flooding things. If you're clean, it'll pass right by you; if you're dirty, it will attempt to cleanse you. If you were dirty and it fucked up your box cleaning you, then fix your holes quicker next time and you won't have to worry. This might sound cold but if admins were more aware, worms like this wouldn't spring to life.
You compare this to the Outlook worms, which is hardly a correct comparison. Those scripts that stupid users run in Outlook typically deliver a piddly payload (i.e. they don't r00t the box.) So they delete .JPGs and .MP3s, big deal. They still run within the context of security provided by the current user. Their real cause of damage is that they then access Outlook's address book and forward themselves to everybody, which in a corporate setting, can eventually cause the email server (any email server) to be overwhelmed and die.
How exactly does that compare to a worm that will enter the system through faults in daemons without user intervention or knowledge, r00t the box, and deliver literally any payload they want, good or bad? Certainly there are some similar vulnerabilities in Microsoft daemons, i.e. everyone's favorite IIS. But I guess I shouldn't expect that many people here to be able to make such a distinction.
Microsoft has long since released a patch to prevent COM automation of the address book, and future versions of Office prevent it by default. Should a worm of sorts be released to automatically download this patch and install it for the less-than-capable enduser? Hah! You know as well as I how quickly the slashdot crowd would interpret that as an invasion of privacy by the most evil and loathsome entity in the history of the world.
This worm looks good at first, but the problem is that a worm is a worm. I don't want any worm-style program doing anything to my machines, whether good or bad. As an administrator, I want to know every damn single thing that is done to the machine on the level that this worm operates at. This worm may look friendly, but the next one might not. Secure yourself to avoid all worms, not just bad ones.
Beware, Nugget is watching... See?
And finally China is secure...
--
WolfSkunks for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.keenspace.com";
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
This doesn't have to stop. Are you nuts? Until every person knows how to secure their boxes (never), things like this will do good, at least the ones that are meant to.
There will always be room for these "goody-2-shoes" worms in my world, because I know how to secure my own boxes against them. Whoever doesn't deserves what they get, good or bad.
naikrovek();
It's nice to see something like this out in the wild. Honestly I think I get a probe from a wormed machine at least once a day now, if not more. Good to see someone taking advantage of the situation to spread something good. Now if they'd distribute those Anna Kournikova pictures and the animation of Snow White and the Seven Dwarfs that the Outlook viruses promised, I think the writers of this worm would be sainted. :)
or it could be some odd sort of new Antivirus software prototype (laugh!)
Naw, if the antivirus folks were behind it, it would also look for credit card numbers so they could charge you for the privilege of having your system secured.
Do you speak Wikipedia?
Yes, to go out and automatically tweak other people's machines without their consent is definitely wrong.
I can think of one silly example why it would be a bad thing: What if somebody was testing network security software, thinking that this hole was unpatched on a target machine, and now, all of a sudden, it isn't? Then there's a bug in his security software that potentially goes undetected, and that security software gets sold and widely distributed. Can the dumb 'ol worm guarantee that all systems on the net from that point in time onward will be patched?
That's just a silly example of an unrealistic situation - but for every one of those I can think up in the 5 minutes it took to read this /. article, real life probably has several good examples nobody's thought of.
The basis of testing, or even just running a computer, is having a known-good system state to run from. If some unknown element is being changed, for whatever reason, that's a variable that the operator is not aware of. And that's a bad thing.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
> I don't think anyone would "let" any worm into
> their system on a voluntary basis, but if you
> read the story I believe it will tell you that
> the Cheese worm enters via a port that the 1ion
> worm leaves open. So, if you get the Cheese worm
> you have already been attacked and most likely
> didn't know about it.
Understood. I did read the article.
:-) However, my concern is based on the fact that a LOT of people are lauding this as a great thing. "Hey, free security updates!" and such. However, regardless of whether the worm's payload is harmful or helpful, it is still using unauthorized resources.
I have a hard time saying unequivocally that "this is a BAD THING(tm)", but I'm not exactly sure that it is exactly a Good Thing(tm) either. After all, it still takes advantage of a security flaw in an unauthorized manner. GRANTED, this will only affect people THIS TIME that a.) haven't patched systems for the Lion worm and b.) could have had Lion on their systems for MONTHS, proving their incompetence at security. To those people, THIS worm is probably a good thing, since it will do the work that lots of people are either too lazy or stupid to do.
My concern is, NEXT TIME, somebody might release a worm that fixes one hole, while making two or three others. I just think it is a bad precedent for us (sysadmins) to say, "Hey, this Cheese worm thing is a good thing", because if we take a step in that direction, we'll get taken advantage of in the future. Trust no one, keep your guard up!
-Michael
> so what harm could it do?
:-)
The harm is this: after Cheese patches your system, it starts scanning other systems. Meaning, your IP address could very well show up in the logs at no-telling-what-Big-Company-that-keeps-very-good-logs. The next thing you know, the FBI is knocking on YOUR door wondering why you are scanning Company's IP-block.
With all the prevalence of DoS attacks nowadays, I know we keep a lot closer tabs on our logs and security stuff than we did a year ago. I'm sure other companies are doing this as well, and your IP address showing up in a security log is not generally a good thing.
So, while directly doing some good by patching holes, it maintains all the same appearances of a malicious worm, and if the people you end up scanning don't KNOW this already, you could end up getting reported or checked out really close.
Of course, if ppl would apply patches on a regular basis, you wouldn't have to worry about the Lion worm, and as a result, Cheese.
-Michael
The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?
Further, it is still using my system resources (bandwidth, etc.) to spread itself without my permission, which amounts to trespassing in my book, even if it is supposed to "help".
If we start allowing worms such as this one back on our systems, just because, "Well, it might help", it won't be long before somebody combines one that fixes one hole while making a new, bigger one.
::cracks knuckles:: Time to feed the trolls...
;P
;P
Subject: Your an idiot
...and you don't use proper grammar - should be "You're an idiot"
The whole point is that A) Idiots don't secure their boxes. B) They won't be bothered to. C) Worms will hit them anyway. D) May as well make it so that when they do get hit, the hole is plugged.
A) I agree - there are many people who do not secure their boxes, even though it is tantamount to idiocy to not do so.
B) This is the kicker. If they're not even going to TRY, they deserve everything they get.
C) Given A and B, yes. I agree here as well.
D) I'm all for plugging security holes, wherever possible. I'm not all for use of other people's bandwidth without their permission, whether the use is benign or not.
So that makes you an idiot.
Maybe I was. I definitely was uninformed and ill-prepared. What I should have done was download the updated rpms from Windows, before beginning the install. Instead, I figured it would be "safe" to install, then download the updates. Live and learn.
The point is that I did something about it. I disconnected my system from the 'net, inoculated it, and downloaded the updates separately, then updated before reconnecting to the 'net under Linux. I wasn't totally helpless, and I knew how to diagnose and repair what was wrong. A lot of people don't.
For them, a simple modification of the "worm", to sterilize it, would work wonders. They'd just have to go to the site, and get scanned/inoculated. The inoculation process, because of the sterilization, wouldn't leave the worm itself on the user's system. It wouldn't suck up bandwidth portscanning all their peers. It wouldn't break into other systems (previously cracked or not). It would simply inoculate, patch the hole, and delete itself.
To NOT be an idiot: 1) Read the article. 2) Repeat step 1 until you COMPREHEND the article's points, not just the title. 3) Read a few comments before you post.
I did read the article. I disagree with the use of other people's bandwidth without their permission, regardless of the purpose. If they give their permission to become a scanning node, that's fine. If they don't, it's not right to do it behind their back, even if you're just scanning for other, infected boxes, and spawning a fix.
Even if the bandwidth consumption is minimal for one machine, what happens when an entire corporate network gets infected? Several hundred machines constantly portscanning one another is COSTLY in terms of bandwidth.
Perhaps you should fully read comments before you respond and call someone an idiot.
Then again, you're a troll, so I suppose it's your job not to.
The problem is that it won't just affect previously compromised boxes - it will affect bandwidth. Bandwidth is not free - in fact, it can be quite expensive. All those portscans, successful or not, are still going to chew into the bandwidth of everyone on the subnet.
Now, if someone AGREES to become a scanning node, that's another matter. They're consenting to allowing their machine to portscan others. They're consenting to allowing the benevolent worm to use their bandwidth to propagate itself and help others. They're accepting responsibility.
If they didn't agree, then the worm has NO RIGHT to use their bandwidth, even if it is to help others, or clean up after malicious hackers. Unless someone has agreed to allow you to use their resources, it's stealing.
I think the concept is a good one, however. I think if the worm were "sterilized", so that it simply went in, inoculated, patched the hole, then quietly deleted itself - no one would have an issue. If the same worm emailed root@whatever.host with a URL to download the propagation software, that would be cool too.
The problem with that last part is that the malicious worms could do the same thing, masquerading as "fixes".
Hmm...taking that example out of context...
;P
If a burglar has already broken a jewelry store window, gone in, stolen some stuff, and left, it's OK to enter through the same broken window, as long as you are just picking up the broken glass.
I'm sure the cops would just LOVE to hear that explanation
Either way, it's still an intrusion, whether it's benign or not.
If it propagates itself in the same way (portscanning, etc...) then it's still using bandwidth without permission, even if it is for a good cause.
Cool concept, Poorly thought-out execution.
Simple solution. Sterilize the worm. Make it non-replicating. That way, it goes in, inoculates, patches the hole, and then deletes itself, possibly sending an email to root saying "Hey, I noticed you were previously hacked, and undid the damage - logs attached - if you want to become a scanning node for this inoculator, contact [blah]"
That way, it still does the "nice" stuff, and leaves it up to the sysadmin as to whether or not to become a redistribution point for the fix.
Right - Windows Update just tells you what M$ says the patch is supposed to do. It doesn't actually let you read the patch.
So the Linux corollary would basically be an extension to apt that allows you to grab some information (changelogs) about the updates it's about to do?
That's a *nice* idea.
> I'm sure the cops would just LOVE to hear that explanation ;P
I think a better metaphor might be a robot wandering around a badly policed town and boarding up broken store windows. It would leave a note explaining how it did it, when it did it, and what it did. This could prevent further looting. A robot is different than a human in that you don't have to trust it. If its specs are sane and it doesn't malfunction it does exactly what it is told.
And sanity checks in the wild are what signatures and checksums are for... right? If we trust them for other things, why not this?
Novel theory: Modern Man evolved from psychopath
Actually, the invention of the virus was done to help systems. They were meant to be autonomous mobile agents, examining the computer and tweaking it.
Engineering and the Ultimate
With regards to automatic patching, how would you feel about updating patches on 100 machines? How about 1000? Fact is, admins don't want to have to manually log in to hundreds of machines to apply patches, so an automatic roll-out is the way to go.
--
Excellent! Then world peace, practical fusion, true love, and non-troll/misspelt Slashdot articles must exist out there somewhere.
(Oh.. you didn't say I could *find* it.. damn)
So what are you going to do? Put your unpatched antique box on the net and hope Cheese finds it before Ramen? Ahuk, ahuk, ahuk...
The bottom line is: if your security sucks, you default to trusting every Tom, Dick and Harry out there with your box. The usual term for this is "data suicide".
Got time? Spend some of it coding or testing
The name may have come from the program "queso" which is an augmented variant of nmap which was used specifically to look for trojans and OS type based on packet flags, etc etc, used extensively by script kiddies.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
Step 2: Send mail to postmaster@mailhost.
(If this doesn't work, you can try various other usernames, but their system is broken. RFC 822 requires that postmaster must be a valid address.)
Considering this might break login and other admin scripts, be extra sure you want to do this. If you administrate a large number of Windows machines you've just made your life potentially much more difficult.
Besides, it would be trivial to convert your typical Outlook virus into JavaScript, PerlScript, or even an VB EXE file. NOTAFIX.
Microsoft has had a security patch out which mitigates the problem for many months. Have you tried it?
--
Business. Numbers. Money. People. Computer World.
This is valuable not because it fixes a hole. It's valuable because it makes the community look cool.
/var/log/messages NOW!!!
Think about it. In the 'doze world, there's MS, the sheep...er..users, the Vendors and the hackers on a bad day. There is no sense of community...if you help your friend....you're likely breaking some kind of law.
On the other hand, with Open Source, here's an instance where some lone hacker takes a paradigm and smacks it upside the head for our mutual benefit. This is wonderful PR!!!
Just when MS gave a speech about how Open Source OS's are insecure, and the community aspects are negligible at best, this guy kills both birds with one stone. And it didn't cost any of us a "beer" dime.
You just can't buy publicity like that. I think I'll start preaching "Random acts of kind InfoWar". Really....this whole thing is a head scratcher we could use to our advantage.
oh.....check
"Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
is can you trust it?
Not so much that someone could give this a malicious payload (although that is possible), more that all software contains bugs, so even a 'good' worm could have unplanned unpleasant side effects.
On the Macintosh (a platform I am more familiar with), the vast majority of viruses were benign (as in did no deliberate damage), but many of those had bugs or resource usage that caused infected machines to have problems.
If I got this worm, I'd still have to treat the machine as compromised - of course that may be no great loss given that it only infects already compromised systems.
Roy Ward.
Sure, the idea of a worm in general might not be a good idea. But then, the only people who will be affected in a nontrivial way by this worm will be those who've been infected by another, malevolent worm anyway. Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong, if the one wrong meant there were all those compromised computers out there that could be used in Denial of Service attacks, and the second wrong took those out of the equation.
--
Editor Emeritus and Senior Writer, TeleRead.org
And how long before someone modifies the Cheese worm so that it still patches the system from 1i0n, leaves that exact same message, and then goes and deliberately opens up a brand new hole for exploitation? I'd say seven days is a conservative estimate. If it appears that your system has been "patched" by the Cheese worm, you're best off wiping your system and restoring from backups.
Cheers,
--
send all spam to theotherwhitemeat@ropine.com
What the hell? AOL uses Unix systems. Most of their network is based around Unix servers.
Yep NSDi.
Sorry, BSDi.
The point of having an army (if I may carry the analogy a little farther) is to keep the enemy away from civilization.
In case of the US army it is the other way round.
To keep civilization away from the USA.
What a great deal of sand in the face for Microsoft to learn of the open-source community banding together to secure the systems of the untrained, locking them down against participation in DDoS attacks and such. As if they don't already need a bulldozer to get the sand out of their faces with all the high-publicity IIS compromises of late. =)
Sure, some of us don't want something like this getting onto our systems as it demonstrates that we've not locked it down well enough to begin with. But for those who truly *can* stop it from exploiting known vulnerabilities, we obviously don't need it. However, I'd wager that well over 90% of the people using Linux don't know what to do to lock their systems down.
Bravo!
(that is, until someone finds out that this worm is actually doing something malicious while pretending to patch the system)
Would be like a Unix worm turning off FTP or disabling mod_perl. It could potentially improve security... but the people running the systems might not be so happy...
ReadThe ReflectionEngine, a cyberpunk style n
And UV is used to erase Flash ROMs (the old style anyway). Coincidence?
Spookily enough, you're right. It is a coincidence.
deus does not exist but if he does
Seems to me that the logical thing to do is integrate a firewall option (receive "fixitworm=on") so that people who were security conscious (and were actually aware of such a feature) could turn it off and the worm wouldn't go there again, but ignorant people/sysadmins wouldn't know to turn it off (this of course would be the poorer sysadmins who have unpatched security holes); ergo the worm would only affect the unwatched servers, kind of like having a default fixit worm with the option of rejecting it if you are confident.
seibed
And bandwidth would become the major factor if this escalated into a good-worm/bad-worm war. Both white-hat and black-hat worms would cruise the Net, each scanning for the same holes and trying to get to vulnerable boxes before the other side does. The only way to win such a war would be to have significantly more presence than your opponent, to propagate faster and more robustly, to scan more boxes, to dominate more pipeline. Both sides, realizing that, would ramp up their worm population, in the name of beating the competition.
I think if this good-worm idea becomes popular, we're going to see a vast increase in portscanning and surreptitious traffic. It might be better to just keep encouraging people to individually secure their boxes against malicious traffic rather than to send out white-hat worms to try to beat the baddies at their own game.
I've got a halfway-there solution for that:
http://home.earthlink.net/~simoncooke/SVDefuser.zip
20kb of quick anti-script-virus bliss. Basically forces all script files to open in notepad by default, instead of run. You can still run them by selecting Open from the context menu though.
Simon
Coming soon - pyrogyra
Try root@[123.123.123.123] rather, but that's no guarantee.
-- Wodin
OK, color me clueless, but what does a port 111 scan indicate?
More like a dung beetle.
It's a dirty job, but someone's gotta do it
MrCreosote Meow!Thump!Meow!Thump!Meow!Thump! "You're right! There isn't enough room to swing a cat in here!"
You're not a sysadmin... 'nuff said.
True. On the other hand, I am a Red Hat 7 user that, despite many, many attempts by the worms, hasn't been infected because I keep up with patches and updates.
Someday, you're going to die. Get over it.
It's rather sad to see a worm do the work for clueless sysadmins. I'm not a sysadmin in the least, yet somehow I do a fairly decent job keeping my DeadRat 7 box updated and locked down as much as I can.
A while back, I noticed a port 111 scan from what appeared to be a company's mailserver, setting off "worm" alarms in my head. Though I normally ignore such things, I was in a rather giving mood, and decided to alert the company of their potentially compromised box. Several bounces and lack of replies later, I gave up. The company just didn't seem interested in making it possible to report potential security holes or server problems - no addresses on their website, several possible leads gathered through bounces failed, and the whois lookup revealed a Hotmail address for the technical contact. I wonder how many other companies are as difficult to warn, and may not even care that their boxes are insecure.
Maybe I just don't understand how hard it is to be a sysadmin, but can it be that difficult to at least glance at your operating system vendor's updates site once a week to check for patches and warnings? Is it that hard to do a simple system lockdown after the initial install and reopen services as necessary? Or am I just clueless?
<Blatant flame>
Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...
</Blatant flame>
Sorry if I insulted anyone with that short rant, just thoroughly unimpressed by the number of port 111 scans I see coming from what should be very carefully watched boxes all over.
Someday, you're going to die. Get over it.
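The poster above treats a port 111 probe from a mail server as a "worm alarm", and another reader asks what such a scan indicates. TCP/UDP port 111 is the RPC portmapper (rpcbind), which is why repeated connection attempts to it from one source across many hosts are worth a second look. The following Go program is an added example, not code from the original thread: it runs simple detection logic over a handful of constructed iptables-style LOG lines and reports sources that hit port 111 on several distinct destinations, so an admin can check the offending box (or warn its owner, as the poster tried to) before it shows up in someone else's logs. The log lines, addresses and the function name FlagScanners are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// Constructed sample of iptables LOG lines (assumed format, not from any real host).
var sampleLog = []string{
	"May 14 03:12:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=111 SYN",
	"May 14 03:12:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4322 DPT=111 SYN",
	"May 14 03:12:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4323 DPT=111 SYN",
	"May 14 03:12:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4324 DPT=111 SYN", // retry, same target
	"May 14 03:15:41 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=111 SYN",
	"May 14 03:16:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN",
	"May 14 03:16:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.11 PROTO=TCP SPT=51002 DPT=22 SYN",
	"May 14 03:16:04 gw kernel: this line carries no packet fields and is skipped",
}

var (
	srcRe = regexp.MustCompile(`\bSRC=(\S+)`)
	dstRe = regexp.MustCompile(`\bDST=(\S+)`)
	dptRe = regexp.MustCompile(`\bDPT=(\d+)`)
)

// FlagScanners returns, for every source that probed `port` on at least
// minTargets distinct destinations, the number of distinct destinations hit.
// Repeated probes of the same destination count once, so a retrying client
// is not mistaken for a sweep; lines without SRC/DST/DPT fields are ignored.
func FlagScanners(lines []string, port, minTargets int) map[string]int {
	targets := map[string]map[string]bool{}
	for _, l := range lines {
		s := srcRe.FindStringSubmatch(l)
		d := dstRe.FindStringSubmatch(l)
		p := dptRe.FindStringSubmatch(l)
		if s == nil || d == nil || p == nil {
			continue
		}
		if n, err := strconv.Atoi(p[1]); err != nil || n != port {
			continue
		}
		if targets[s[1]] == nil {
			targets[s[1]] = map[string]bool{}
		}
		targets[s[1]][d[1]] = true
	}
	out := map[string]int{}
	for src, ds := range targets {
		if len(ds) >= minTargets {
			out[src] = len(ds)
		}
	}
	return out
}

func main() {
	flagged := FlagScanners(sampleLog, 111, 2)
	srcs := make([]string, 0, len(flagged))
	for s := range flagged {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs) // deterministic output order
	for _, s := range srcs {
		fmt.Printf("%s probed port 111 on %d hosts: check that box for a worm before reporting it\n", s, flagged[s])
	}
}
```

With the sample above only 198.51.100.7 is flagged (three distinct targets); 203.0.113.9 touched port 111 once, which on its own is not a sweep, and 192.0.2.5 never touched 111 at all. Raise minTargets for noisy networks.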
Nah, there's no cat, mouse, etc...
The Cheese Stands Alone...
--
"It's tough to be bilingual when you get hit in the head."
Someone modifies this one to do some other useful stuff, like say turn off and remove telnet, and vulnerable apps.
I had thought about this when the first linux worms this year started getting announced. I can see it now on securityfocus:
The worm installs itself on the machine, checks for the installation version, logs into the bug report homepage for that distribution, and updates all of your packages or binaries from a set list of servers...
hmmmm?
Bah!
You know I'm going to have to go order the book now, don't you?
Mutter mutter mutter
> If these patches want to make your machine really
> secure then they would disconnect you from the
> internet. You cant get much safer than that
> unless the patch turns your machine OFF!
Hmmm, where is my copy of the power management API gone???
yes, I was tired but...
there could easily be a worm signing/ID verification feature. encryption signatures and whatnot can solve the good/bad worm problem.
sean
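Two posts in this thread (the one asking whether "signatures and checksums" could serve as the sanity check for a boarding-up robot, and the one above suggesting a worm signing/ID verification feature) point at the same defensive building block: a host should only apply a fix that a publisher it already trusts has signed. The Go program below is an added example, not code from the original thread or from any actual worm: it wraps a remediation script in a signed envelope (Ed25519 over a SHA-256 digest that binds the fix name to its payload) and shows the receiving side refusing anything that fails verification or is signed by an unknown key. The SignedFix type, the SignFix/VerifyFix functions and the script content are assumptions made for the example; nothing here propagates anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedFix is a hypothetical envelope for a remediation script: the name of
// the hole it claims to close, the script itself, and the publisher's signature.
type SignedFix struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// fixDigest binds name and payload into one message, length-prefixing each so
// that a name cannot be traded for part of a payload (or vice versa) without
// changing the digest.
func fixDigest(name string, payload []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(name)))
	h.Write(n[:])
	h.Write([]byte(name))
	binary.BigEndian.PutUint32(n[:], uint32(len(payload)))
	h.Write(n[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignFix is the publisher side: sign the digest with the publisher's private key.
func SignFix(priv ed25519.PrivateKey, name string, payload []byte) SignedFix {
	return SignedFix{Name: name, Payload: payload, Sig: ed25519.Sign(priv, fixDigest(name, payload))}
}

var ErrUntrusted = errors.New("fix is not signed by a trusted publisher")

// VerifyFix is the receiving side: accept the fix only if its signature checks
// out under one of the keys the admin installed in advance. A malformed
// signature is rejected before ed25519.Verify is called.
func VerifyFix(trusted []ed25519.PublicKey, f SignedFix) error {
	if len(f.Sig) != ed25519.SignatureSize {
		return ErrUntrusted
	}
	d := fixDigest(f.Name, f.Payload)
	for _, pub := range trusted {
		if ed25519.Verify(pub, d, f.Sig) {
			return nil
		}
	}
	return ErrUntrusted
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher's key pair
	if err != nil {
		panic(err)
	}
	trusted := []ed25519.PublicKey{pub} // what the admin pre-installed

	fix := SignFix(priv, "close-leftover-backdoor", []byte("#!/bin/sh\n# constructed placeholder script\necho would remove leftover account here\n"))
	fmt.Println("genuine fix:", VerifyFix(trusted, fix))

	tampered := fix
	tampered.Payload = append([]byte("#!/bin/sh\necho something else\n"))
	fmt.Println("tampered fix:", VerifyFix(trusted, tampered))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // an unknown publisher
	fmt.Println("unknown publisher:", VerifyFix(trusted, SignFix(otherPriv, fix.Name, fix.Payload)))
}
```

The point the thread's sceptics make still stands: a valid signature proves who published a fix, not that the fix is bug-free, so the trusted key list is a decision the admin makes deliberately, not something a passing program installs for them.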
hmm...well, I'm intrigued. In-house networks were the application I was thinking of also (they have fast ethernet connections, and are often hardest hit by worms anyway).
if you're interested, why don't you email me (canova@covad.net) and we can at least toss the idea around a little bit.
sean
hmm, I know this kind of worm is really a virus in itself and not a good idea or something to welcome, but I have to admit I kind of like the idea myself. it's nice to think of a benevolent force propagating itself out amongst the web. there are enough malevolent ones to go around.
sean
oh I get it, kind of like the "earth worm" of the computer virus world. it's a bug, yes, but you want it in your garden; it's good for the soil.
just don't believe people when they tell you that you can cut it in half and both halves live
sean
...right on the heels of Open Source's unified shot back at Microsoft, we have evidence that in the Open Source world, even the *viruses/worms* are beneficial! :) What next, Open Source code that mows your lawn, increases your sex life, and automatically sends presents and cards to your friends and relatives on their birthdays?
Too funny...
But seriously...maybe this'll nudge those black-hatters to actually compete with each other to *fix* holes.
It's 10 PM. Do you know if you're un-American?
If you read the article you would know that the worm enters your computer through the backdoor left behind by a malicious worm. Obviously if your machine is already backdoored you have no right to dis anyone who disables it for you. No one is suggesting that we all write hack-patch worms and propagate them constantly; they're simply saying that if your machine is insecure enough to be actively penetrated by a malicious worm then you won't mind if we clean the worm off your machine and fix the bugs that it used to get into the machine in the first place. And if you do have a problem with that, I'm sure the 20 people who had their machine penetrated by someone using the worm's backdoor on your machine would have something to say about it. When your lame box is open to attack, you place me open to attack, even if it is just DDoS attacks.
How we know is more important than what we know.
> The worm installs itself on the machine, checks for the installation version, logs into the bug report homepage for that distribution, and updates all of your packages or binaries from a set list of servers...
It'll need to detect I've rebuilt Sendmail with regular expressions, and connect with some machine out on the net that has the same version of gcc, libraries, et cetera as I used on the build machine to create the binaries.
It'll do the same for SSH, turning on the ability to invoke it from inetd, and without opening the hole closed by turning off X forwarding.
It will need perhaps the skill to rebuild Apache properly to include mod_perl and OpenSSL.
Somehow it will know which of my two Perl binaries it will update.
I think I know what to name it.
If a version of this appeared that installed itself on old, insecurely configured versions of Norton PcAnywhere and similar software, as well as sticking itself up BackOrifaces, and closed the security hole involved?
Would they update to new software (for the desired installs, of course) or would most want to just reinstall the open barn door?
If you're making a conscious decision you would of course lock your door while on vacation. But if you didn't, it sure would be nice if the first stranger who discovered it locked it for you, and checked the gas and watered the plants while he was at it.
It's a bit like someone turning in a wallet he found instead of keeping the money for himself.
Got any data to back that up? I'd be interested to know exactly what it was supposed to do, and why it went wrong.
Solomon Grundy say wormy cheese... good going down, not so good coming up.
Kudos to the person who made this one, although I'd still be leery about even this one "worm", especially when groups like s0ftproject keep creating these sometimes outrageous backdoors.
Someone should set out to write an informative document which isn't so bloated with too many tech terms for the newbie Linux admin that shows them how to lock down their Linux systems on an install. I wrote a lame one about 2 1/2 years ago, but never bothered following up on it.
Education, education, and more education. I wonder how come so many complain about security, when so few take a few hours to actually inform themselves of the risks/fixes for typically easy problems.
2600 is being run by Peter Pan
Want Root?
i think this has something to do with the evolution of penguins' immune system...
--- sig moved for great justice.
# removes rootshells running from /etc/inetd.conf
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# In fact, it was written to try and do some good.
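A defensive version of that check, written as an added example for this thread rather than the script whose header is quoted above: it parses an inetd.conf, comments out (rather than deletes) any entry that hands a remote client a shell, keeps a changelog of what it touched, and also lists extra uid-0 accounts. The file contents are constructed samples and all helper names are hypothetical.

```python
"""Defensive audit of inetd.conf and passwd for leftovers of a rootshell
backdoor. Added example for this thread, not the script whose header appears
above; the file contents below are constructed samples."""
import os

# Constructed sample /etc/inetd.conf. The "ingreslock" line has the shape of a
# backdoor entry: a service name bound directly to an interactive root shell.
SAMPLE_INETD_CONF = """\
# constructed sample
ftp        stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet     stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
ingreslock stream  tcp  nowait  root    /bin/sh         sh -i
finger     stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Constructed sample /etc/passwd with one extra uid-0 account ("toor").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
toor:x:0:0::/:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash"}
WRAPPERS = {"tcpd"}  # wrapper programs that exec their first argument


def parse_inetd(text):
    """Return a list of dicts for the active (non-comment) inetd entries.

    Field layout: service socket_type proto wait user server [args...]
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 6:
            continue  # malformed line; leave it for a human to look at
        entries.append({
            "lineno": lineno,
            "service": fields[0],
            "user": fields[4],
            "server": fields[5],
            "args": fields[6:],
        })
    return entries


def _is_shell(path):
    return os.path.basename(path) in SHELLS


def shell_reason(entry):
    """Explain why an entry exposes a shell, or return None if it looks sane."""
    if _is_shell(entry["server"]):
        return "server program is a shell"
    if (os.path.basename(entry["server"]) in WRAPPERS
            and entry["args"] and _is_shell(entry["args"][0])):
        return "wrapper execs a shell"
    return None


def audit_inetd(text):
    """Return (cleaned_text, changelog).

    Flagged entries are commented out rather than deleted so the owner can
    inspect what was there; the changelog is what one would mail to them.
    """
    lines = text.splitlines()
    changelog = []
    for entry in parse_inetd(text):
        reason = shell_reason(entry)
        if reason is None:
            continue
        idx = entry["lineno"] - 1
        changelog.append("inetd.conf line %d (%s, runs as %s): %s"
                         % (entry["lineno"], entry["service"],
                            entry["user"], reason))
        lines[idx] = "#DISABLED# " + lines[idx]
    return "\n".join(lines) + "\n", changelog


def extra_uid0_accounts(passwd_text):
    """List account names other than root that have uid 0."""
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            found.append(parts[0])
    return found


if __name__ == "__main__":
    cleaned, log = audit_inetd(SAMPLE_INETD_CONF)
    for item in log:
        print(item)
    print("extra uid-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
```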
Hey my company Dancris Telecom already made an anti-worm for the network VB Virus. It scans for machines with this virus, replaces the virus in the startup menu with itself then continues to scan for infected machines. On reboot it removes itself and leaves a message on the desktop that tells the end user that they need to not leave open file shares on their computer. I will make a follow up post later with a link to the source code so you can download it.
Probe for an rpc.statd attack.
Redhat Linux 6.x boxen have portmap running by default, and rpc.statd has a hole in the default install. Exploited by Lion, and adore (IIRC).
I can throw myself at the ground, and miss.
He was just referring to Netscape.
OH!
Oh, don't we wish for a wormy repairman who will break into our house and fix our dishwasher and washing machine?
This will only work until somebody figures out how to modify the proposed /etc/noantibodies to exempt their own virus from being patched.
DB
On the bright side, people have started talking about a bandwidth glut that's going to kill telecom competition. This sort of thing could be a real economy booster!
B-)
DB
There was a worm back then that was spread by data disks and tapes called animal. Now animals like to eat. They also store food for the winter. So animal would slowly grab any and all available memory *of any kind* it could find. Until the mainframe choked due to insufficient memory. The cure was a worm called hunter. Now hunters, hunt animals and kill them. What hunter would do is replicate itself onto disks and tapes and first look for animals. If it found one it killed the animal and then would lie in wait until it saw another one. I also would like to report that within a few weeks the animals were all extinct.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
I wondered if someone would catch that - that was my very first thought - this could be the beginning of a set of 'net wars - people write new viruses, sec teams write new patches, and they roam the net breaking and fixing boxes. Benefit is that you can't break a box that has been fixed.
Problem is that 1. I do _not_ want those worms coming in to my boxes. Granted, if they hit me, I'm probably not keeping up with patches. And it's my own fault. But still. 2. Bandwidth. If this really did take off, you'd have hundreds of worms flying around the net constantly, sucking up bandwidth, generating traffic, making firewall logs _insane_. Just not good, I'd say.
Perhaps if you got a nice little email, sent to root@yourip, that informed you of the virus.
It's a nice idea, but ultimately a problem, I think. I know we have a need for secure boxes, and that if Joe Q. Admin's box gets hit, mine are more vulnerable, but still....
Any technology which is distinguishable from magic is insufficiently advanced.
The posts I'm reading seem to be divided into two camps: those who think it's a good thing, and those who think it's a bad thing.
Put the ethics of the situation aside for a moment. The fact is, creating this type of exploit is possible. No amount of preaching will make this type of exploit go away. Like nuclear power, the cat's out of the bag.
So shouldn't the discussion be more along the lines of "what do we do now?", rather than "I like, I don't like."? If you /really/ wanted this problem to go away, you'd advocate outlawing networked computing. How likely is that?
With that in mind, I have to come down on the side of favoring this particular worm. If we're going to have an evolutionary arms race, I'd like the good guys to win, after all. Ethics matter, but it's too late to go back.
--Lawrence Lessig for Congress!
As in really, really old.
Wander around to every box or write an app that will do what I need it to, then find connected machines it has access to, replicate itself to them and then deactivate itself?
So what're the odds that this worm running on one distribution versus another will torch it?
Easy does it!
Ultraviolet light is good against viruses.
--
Azrael - The Angel of Death
posted with: Mozilla (0.9+)
Yes. UV can kill a virus even if it is inside the body. But this would require you slicing yourself thin enough so that the UV came into contact with the virus. Or finding some other way to get the UV _into_ the cells of your body. Sitting on the sun perhaps?
Man, reading all these replies, I may as well be reading Shockwave Rider. Straight out of the book.
I wouldn't trust this would secure my system. The only way to do it is to go through the security bulletins, patch, patch, patch and conf like mad.
Obviously. If you KNEW you were compromised, you would reinstall if you had half a brain.
However, if you did not KNOW you were compromised, it might be nice to have the "white" virus remove the holes before more malice comes to your box.
I think that is the entire point.
Isn't a worm......bait?
Who is going to bite?
Imagine your system hanging from a line, while the fisherman takes a snapshot of it for his trophy case
As with most chartered fishing trips what will the cost be?
Integrity is what you are when nobody is looking.
I developed something similar the day after our office party last week (well, it's that kind of a thing to do, innit).
Don't bother flaming the lameness of the worm, I know it could be optimised, but it's available at http://groups.yahoo.com/group/anoraks/message/6463 .
Of course, I will disclaim again that I **do not** condone the release of a worm that clogs up systems and stuff. I refuse to be held responsible for any damage caused by the release of this code or any derivation of it. This code was developed for academic purposes only.
Autonomous code bits ranging through a network is considered by some to be the Next Big Thing in security. Try a google search on "intelligent agents security."
---
"This message is composed of 100% recycled electrons."
I know :)
Chaos, Mayhem, and Destruction: Not
Well, I did kind of misread your post to be suggesting something of an 'autopatching' idea. But, you misread my response as a 'make it difficult' patching system. But, we can find problems with *any* level of patching system. What happens if someone sets off your car alarm every night, but doesn't break in the car? After a while, you start ignoring it. The real problem is the software itself. Many software products have this 'more more more' mantra and don't worry about things like bugs. I'd suggest a weekly 'patch check' for systems. Not often enough for someone to get annoyed by it (windoze critical update fails that one) and still often enough to stay current. (I'd suggest more often, but once again, people get numb.) I think this would be a good 'Ask Slashdot' question. What kind of patching system provides the best balance of security and effectiveness.
And yes, I agree that hacking a patch server would be a considerable challenge, but the risk is too high. I think the best 'fix' is to stop shipping distros with services enabled. If you need it, you'll turn it on. If you don't, you won't. Not a great solution, but it would blanket quite a few of those 'lazy' users. Essentially, I don't think it should be 'difficult', but it shouldn't be 'trivial', since, given the word, would make it something that didn't matter.
Look at RedHat's errata page (hmm. I haven't in years) and you'll find a bajillion patches. Who the fuck wants to download a bajillion patches? Personally, I *wouldn't* spend 2 hours downloading and applying patches, it just isn't worth it. I'd quickly find something better. I better stop now, since I am rambling...
Chaos, Mayhem, and Destruction: Not
Well, obviously it isn't that simple. But, what can you do? It really isn't easy to protect against exploits that aren't public. But keeping up-to-date with patches is a start. The goal is to make yourself a harder target. I did oversimplify it, but hell this is /.
A good firewall, good admins who keep up with security, encrypted communication, Intrusion detection systems, physically secure machines, and proper management of services won't make you 'unhackable', but you quickly seed out most of the script kiddies like you mentioned. I could talk about security all night and I still would leave things out. Like minimizing effectiveness of a hack (chroot jails, physically read only binaries, etc) or even transparent bridging where the machine doesn't have an ip. We can both agree that 'security' is an unreachable goal, but every step away from 'insecurity' reaps positive results. Besides, you know how it works and my comment wasn't directed at you. It was directed at those who really have no idea about the importance of security. (which I fear is a *large* percentage of the /. crowd)
Chaos, Mayhem, and Destruction: Not
Of course, systems inside a suitable firewall are exempt from most of these requirements, which means that "suitable firewall" must be defined.
:) Not even getting hacked will convince people to take security seriously.
Hmm. Think how hard it would be to make a trojan like program where it contacts a http server (which would most likely have no problems with a firewall) and then gets instructions from the attacker's site. Perhaps downloading tools to attack the firewall from the inside (not everyone secures the firewall from the inside) or perhaps sends the contents of a directory listing inside a form.
Such is the problem with security. Kinda reminds me of Dubbyah's missile defense system. Build a rock-solid defense and not many will test it out. Instead, they'll try to get around it. Plus, if any ISP were to create 'mandatory security' policies, one of two things would happen: People would secure their boxes or AOL would gain quite a few more customers.
Chaos, Mayhem, and Destruction: Not
Why not make a worm that installs OpenBSD on other machines? It would save time. I don't think a worm would be 'smart' enough to patch all 200+ exploits in the latest RedHat distro. Oh well....Security isn't magical or mystical. All you have to do is stay current with exploit advisories and patches.
On the flip side. This worm is still using other machines unauthorized and I am sure the author could get in considerable trouble with the law. Shit...what about all those nice honeypot networks that are supposed to be all messy and bad. (redhat full install..boom honeypot)
Nevertheless, this will probably get negative spin:
"Linux Users are so mindless about security, that vendors have to release worms against their users to protect them from hackers."
You shouldn't try to force people to be interested in security, especially against their will. It's like using the ATM in the worst part of town at 3 AM. Not a good idea. Once you get mugged, you will start worrying about security.
Chaos, Mayhem, and Destruction: Not
Sorry, I wouldn't say that Debian is more secure than Win2k. Find a Win2k admin that thinks security is an important issue and compare him with a debian admin who doesn't. The results will show up. It works both ways. Look at OpenBSD. 4 Years without a remote exploit in the default install. This comes from 2 things: a source audit for bugs (any bugs. since exploits can appear from places previously thought unexploitable.) and they don't have a base install that turns *everything* on by default. I seriously think linux security would jump a few notches if they just didn't turn all that crap on by default. I've seen people install RedHat and have DNS, Web, Mars, Samba, nntp, ntpd, nfsd, ftpd, telnetd, and countless other services and they couldn't even tell me what 4 of them did. "why not, I might need them later." is the usual response. what the fuck? Learn what it is, then learn how to turn it on. Maybe in that step, you'll realize that you don't need DNS running from every box on the network (especially that nasty, bug-filled bind 8.) I've said it many times: There is no absolute security. The only thing you can do limit access, run only what is necessary, and keep up with patches and the like. I figure your comment was just for humor, but Debian ain't a uber-secure system either. Shit, it responds to pings sent to the broadcast addy by default. Just what we need.
Chaos, Mayhem, and Destruction: Not
I agree with most of your points except one, which I *really* disagree with.
Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.
Just look at primary network time servers. Imagine if *everyone* had ntp get the time from a pool of ntp servers. Now, imagine someone hacking these servers and changing their time. Boom, everyone's time is now incorrect. But that doesn't even come close to automatic 'fixes' for buggy code. Imagine someone hacking the Patch Server, then inserting a 'patch' that contains malicious code. *BOOM* Every motherfucking machine that uses that server is then 0wned. It sounds great on paper, but isn't a good idea. Plus, you shouldn't make security that brainless. I was baffled by OpenBSD only releasing source code patches. Then I realized that if you want to patch the binaries, you have to learn how to patch the source and then you've learned a bit more about how the system works. Plus, you don't have to worry about finding a binary patch when the distro supports a bajillion architectures. If I remember correctly, RedHat dropped Sparc support...do they release patches for Sparc anymore? If not. You'll need the source. Good thing you learned how to do it in OpenBSD. (sidenote: the patches usually have the instructions in them, so they are relatively easy to use) But I realize you probably aren't suggesting auto patching. But if you aren't, then your idea is lost. People will realize security is an important issue, either the hard way or the easy way.
Chaos, Mayhem, and Destruction: Not
I was wondering is there a site that actually gives you a list of typical ports that are being scanned? Granted you could look at the TCP port list but there seems to be typical ones bad guys/ script kiddies try involving trojans that don't necessarily show up on the lists.
This is not a morality issue, this worm (and idea) is now in the wild, worrying about the morality of it is a pointless waste of energy.
We need to harness this idea to the benefit of all.
..I'm the one with the anti viral software.
With apologies to Bruce ,
Campbell that is.
Reality is just a clever Hack, and the Planck constant is the refresh rate.
I don't know very much about how Windows Update works, but are you really allowed to "read" the patch before you installed it? I thought they mostly didn't release source code.
Cheers //Johan
Installed the Bubblemon yet?
Someone please step up to the mic and confirm or deny... I think this is quite similar to how gene therapy works today. If I recall correctly, we don't have a good method for sending packets of info into the body for DNA fixes, we have to rely on viruses to act as a vector (delivery system) for the fix. We remove the virus' own bad RNA and replace it with our designed RNA (the patch). Seems like cheese acts in much the same way, using a delivery system designed to do harm with a payload that helps to do good (TM) things.
I ate my sig.
I'm sorry, it sounds cool but it has many problems in my mind.
1. Lack of Transparency. I don't like the idea of something that runs at a privileged level or modifies my system without my permission. Do I get a chance to view the source code before it patches to ensure its good intent?
2. MAD. This will start a war of attrition. Worms scanning and invading systems. How long before a worm says 'if I can't have it - neither can you!' and wipes the hard drive.
3. Evolution. This will cause mutation in the malignant worms that will make it harder for patches to be created. Think anti-bacterial resistance.
4. Automation. People say this is great and automated and the admin doesn't have to even wake up. What would happen to the Internet if Windows automatically installed patches without your permission? Just think of all those IIS sites disappearing when the service pack screws up and no one's there to monitor it! Hang on, perhaps that's not such a bad idea :)
The risks in my mind really outweigh the potential rewards. The only people who see this as cool are those who are too lazy to have some form of management process to maintain their security.
I do like a system similar to the MSFT update whereby my installed software is audited, and I am notified of any patches available, and then given the options to read, and install the patch - if I choose.
Cheers RedIguana
the ethics are debatable, but it's incredible to think someone actually did take the time to make a 'good' virus.
Well, if you have people who actually do take the time to make bad viruses... this is not surprising at all. At least it's constructive work. :)
--
This space left intentionally blank.
While this is interesting, and it's surprising to find someone wrote a worm that is possibly helpful instead of harmful, I still feel this is an example of the need for securing your boxen.
I prefer not to have anyone or anything other than me making changes to my box, and this is why I have both a firewall and a NATed router. Folks, don't count on others to secure your systems for you, and don't trust that this worm will do only good. It might repair damage done by 1i0n, but what kind of back door might it be leaving behind and for what purpose?
If it's truly beneficial only, then the guy who wrote it is to be commended for his attitude but needs to change his methods. A better solution would have been to make his fix available but not invasive.
Kez
It's certainly a nice idea, but rather misguided. It's generating traffic that people who do maintain and check firewall logs would rather not deal with, and doesn't fix the core problem -- machines that aren't kept up-to-date with security fixes. You'd think that with all the press these self-replicating worms are getting that people'd be more vigilant about updating their systems. Hell, I was gone for a week and was nervous about not having the systems constantly up-to-date.
I used up all my sick days, so I'm calling in dead.
A root'ed machine should be taken off line. But, vigilantism (sp?) isn't the solution. The real solution is not an after the fact solution.
A lot of people say that security is an ongoing process. That's half right, it is also an initiating process. Before a machine is ever brought on line it should be secured. After that it should be constantly monitored for security and updated.
The idea that this will be of any help, even amusingly is ridiculous. For the initiates (newbies) this will give them a false sense of security that someone has broken into their machine and then some other person has also broken into their machine to fix it.
For some one who is interested in security (perhaps because of being broken into) something like this removes the ability to diagnose and examine the effects on the machine. You don't visit crime scenes for this exact reason.
Norris/Palin 2012
Fact: We deserve leaders who can kick your ass and field dress your carcass.
Well, this cheesy virus can "infect" only boxen that got the virus and stay unpatched for a long, long time. These are likely to be unattended or poorly adminned boxes. They can become a breeding ground for a new wave of DoS attacks, but now they are fixed as easily as they were br0ken into.
This is a totally new, proactive approach to Internet security. As soon as a new virus is found it gets rev-engineered and an "antibody" is released (officially, from a very official Web site, cryptographically signed if you like). This can be permitted by laws.
This antibody then may check a certain file in a certain place, like /etc/please_no_antibodies, and if this file does not contain a valid gpg-signed request to bug off then it proceeds, cleans up the virus, creates a log of changes and mails it to the box owner.
Thinking commercially, this can be even a subscription service. You register IPs of your boxen on the Net, and the service scans your boxes (from a central server) from time to time; if the box is r00ted with known virus then it will inform you.
Even if you don't like this "commercial" approach, I hereby transfer this business plan into public domain. Logs of /. and Google will preserve it forever. Patent this! :-)
Now we have some new parasites (unhacking worm) coming out that have a symbiotic relationship with their host (linux machine).
Dude - it was a joke.
--
-- @rjamestaylor on Ello
So, would this eventually become an open source project? I can imagine the uses of a worm that was "good" fighting "evil" worms and fighting viruses for you.
.sdrawkcab si gis siht
-------
"don't smoke, don't drink, don't fuck
at least i can fucking think"
Minor Threat
Doesn't Microsoft have something like this already? Isn't there a Trojan horse in Windows 98 that periodically contacts Microsoft HQ and downloads patches?
Network Ice, makers of the BlackICE firewall, has a great site that contains all sorts of free information on typical exploits, ports attacked, etc.
http://advice.networkice.com/Advice/default.htm
The platform SDK is actually fairly well documented now... it's gone from abysmal to nearly excellent in the last five years. (I'm sure people that were playing with this stuff before five years ago will say it was even worse before NT4 was released)
But IIS is a very complicated thing to evaluate because in addition to auditing the usermode code, its spud.sys actually registers a new system call table for use by IIS... so you have to audit those system calls' behavior within the kernel in addition to the normal NT system calls called by IIS, along with the usermode code and all of its places it interacts with extensions.
But for killing a crashed service, it should die if it doesn't have an exception handler registered from a __try block... unless you have a non-default system debugger set (I've had numerous cases where services have died from unhandled exceptions... perhaps there's more to the problem than is apparent initially: have you verified which thread is crashing?). If there's a reason you need to be catching your exceptions with a __finally or an __except, you might be able to add support to your service control handler routine to detect the problem and return a SERVICE_STOPPED status on a SERVICE_CONTROL_INTERROGATE request so that some other watching service can learn that it's stopped and restart it.
As for a fork(), yes, the lack of an equivalent in the Win32 API has definitely been a royal pain on occasion... more than a pain, actually. One solution you might look at, if you don't mind using the native API, is Gary Nebbett's example in chapter six of his book which does a fairly thorough implementation of fork() for Win32 processes. It's a bit painful... the native api's process routines definitely make Win32's already painful CreateProcess() look trivial, but if you need a fork(), it might be one solution.
Another interesting approach to fork() is cygwin's... it's not as elegant, as they're confined to the Win32 API, but it does work, though you'll want to strip out the cygwin-specific stuff.
On the lighter side, this must really tweak the folks at the Honeypot Project. "Dammit - just when we got the network nice and insecure, those cheese bastards fixed it! Where's that RH6.0 CD?" They'll be in the unenviable position of having to protect their systems against worms just so that they can be 0wn3d by script kiddies.
On the darker side, this reminds me of the "toner wars" in Diamond Age , where good and evil nanites ("mites") battled in the air, and the carnage was horrific. Going outside during a toner war was like breathing straight graphite powder. Is this the future of security? The future battleground for white hats and black hats?
It's a cute idea, really, but it has to stop. All property rights aside, we cannot afford to fight this war in this arena. The point of having an army (if I may carry the analogy a little farther) is to keep the enemy away from civilization. But in some ways the battleground already is the property we need to protect; worms are in a real way terrorist rather than military. What's to be done? Education, and lots of it. Hope it's enough.
question: is control controlled by its need to control?
answer: yes
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
What the hell? AOL uses Unix systems. Most of their network is based around Unix servers.
Clever spoofing though.
Computer self vaccination!
Already done. Paste this into a
They that quote Benjamin Franklin on liberty and safety deserve neither.
A Linux virus that fixes things, as opposed to the majority of virii (which are windoze based) that do damage.........
I'm sure there is something about this which can be used to express the advantages of open source, but I can't quite think of it right now. I'm too busy laughing my ass off.
I really don't like the idea of worms like this. I sure as hell don't like the idea of ANY worm or any mutant program trying to do something to my systems without me knowing. Whatever reason it was done for, thanks, but no thanks. I'd rather secure my system the old fashioned way.
"Old Rallydrivers never die - they just fail to book in on time"
We actually figured out how to solve this problem at one company I worked for. It consists of a single one-line VBScript:
MsgBox "You're Fired. Clean out your desk and leave within thirty minutes."
We didn't actually implement it, but we feel that if we had, we could count on people learning not to click on random VBScripts.
Law is whatever is boldly asserted and plausibly maintained. -- Aaron Burr
Why is this an argument against automatic patching? The same thing would happen to everyone who manually goes to their vendor's patch server and applies what's there. What criteria could a person applying a patch manually use to determine that the latest patch RPM is malicious, that an automatic patch script could not use?
The real good I see in it: if this shows up on your computer, you know that you haven't been taking appropriate safety precautions. Count yourself lucky that nothing bad happened, and fix it.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
Hey, I've got a thought. Let's write a security patch for IIS. Wait a sec, am I supposed to rewrite a dll? To do this, I would need the api for the dll. Have you seen the MS SDK? There are so many partially documented functions, not to mention evidence of undocumented functions as far back as Windows 3.1, possibly farther. You can't rewrite the dll since you don't know what the undocumented functions are doing. Believe me, there have been many _many_ times I wish I could fix NT's inability to kill a crashed service. A service that crashes when a thread tosses the ms equivalent of a SIGSEGV. I would also do my best to add a POSIX.1 pid_t fork (). I am in no way proselytizing, just presenting facts.
As for the SDK documentation, it is almost adequate, not excellent, and I use the one on msdn.microsoft.com, I assume that will always be the most recent. If you want an example of an excellently documented SDK, check out man. You will never, ever, never run across stuff like: "this variable is undocumented," which exists in the SDK.
As for fixing problems in MS, turning off VBScript isn't the solution. Seems to me that perl, tcl, python, and other equivalents do not have the same security problems as VBS. I think the main problem lies in vbrun*.dll.
that's my point. VBScript isn't the problem, vbrun*.dll is. The only beef I have with VBS itself is the 'B,' not that it is inherently evil. The evil is in the implementation not the language.
it's nice to know that I don't have to worry about keeping my box secure anymore. I can just wait around for capta1n inf3ct0 to send out the anti-worm every once in a while!
huh?
Does anyone know of something like this in Windows? This is a great example why I recommend Linux to people. Community. People willing to help. Logon to IRC and ask, someone will help, search google for your problem and you'll find an answer or at least a clue.
Try to search "Windows NT unknown error" on google!
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
Too many security holes to patch up.
I guess it wouldn't be a virus then, it'd be an antibody...
"if someone would only release something like this for Outlook that turns off VBScript..."
Hey, wait just a minute there. I get paid good money to do that. Don't go replacin' me with no worm.
I should not be posting, as I am quite drunk on Yagermeister. BUT -- being a Linux/Windows sysadmin (is that bi?) I find this article particularly hilarious/intriguing/hopeful. So there are a lot of script kiddies out there just prone to doing damage and otherwise very fscked up shiite. Why not work for the right side of the force? I happen to work for a company (name withheld - faux humility) whose product, although profitable for us, is a noble and useful thing. Companies that are wise enough to use it often save half a million and up -- Mainly helping geeks like ourselves as well as others to be gainfully employed in a fraction of the time it might normally take. All the fluff aside - we are a mixed linux/windoze environment and to be frank, ILOVEYOU seriously kicked our asses for at least 3 hours. Just the thought that someone would write an anti-worm gives me great hope, even FAITH in the human condition. Some folks deserve massive downtime, I agree, but some definitely do not. More power to this digital angel I say! Linux renewed my faith in computing - but I have found that the ones today who really have huevos are those who are truly platform independent. And that does mean Windoze. And VBS. And Activex.(excuse my vomit).
I feel like a geek Rodney King here - but the goddamn salespeople have got to use something they can somewhat understand! Lusers or not. Am I not right?
I'm getting off subject - great post though. Got me fired up.
-= jester =-
If you've read /. long enough, the relevant memes have already conquered your brain.
Seems to me a smart way to fix a large network without logging into every machine. I think I already heard of such a bug-removing strategy...
Maybe a sysadmin used this worm, and then it slipped
..is different from installing linux how?
:)
I actually tried the install of RH... I laughed at the X-based install... it was sooo cute... and then my jaw dropped as I saw what it considered "default applications"... installing stuff you don't want or need is no different than this worm fixing backdoors without your consent or knowledge.
all aside, it's pretty sad that it takes a worm to patch a server...
(smell something? I do, it's called flamebait)
NO SPORK
You can schedule it to compare available Hotfixes with what is already installed on an IIS box. Not exceedingly impressive, but better than nothing.
Is this sig nificant?
You suggest a mouse worm that would use security holes that the Cheese worm missed, but if the Cheese worm missed a hole/bug then it would be no different than if the Cheese worm had never visited.
If these patches want to make your machine really secure then they would disconnect you from the Internet. You can't get much safer than that unless the patch turns your machine OFF!
On the other hand if the Cheese Worm was not smart enough, its attempt at patching the system could expose or cause more security holes.
The suggestion of a worm to "fix" MS Windows could in fact be seen as disabling *snigger* useful features. Anyone who applied the security patch to Microsoft Outlook last summer may remember all the features it disabled; you could barely open or save any attachments. It was way better from a security point of view but the program was essentially crippled. (When I say "fix" I mean as you would "fix" a small puppy to stop it from breeding.)
I suspect your friend may have read The Dilbert Future by Scott Adams. Odds are that most things you think of have already been thought of by someone else; invention is incremental. There are theories of shared genetic memory. As a corollary to this theory it is suggested that once one person has invented something, it is more likely that someone else will independently come up with the same idea. Take the invention of the radio by Marconi and Tesla, for example.
Aside from the waste of bandwidth, patch worms are not such a bad thing. Lots of bandwidth gets wasted anyway, and if you accept the inevitability of virii then you may as well accept the patch virii. Security is an endless, ongoing battle.
Yeah, I've heard of Lion; that is the damage that this worm is attempting to fix.
Enigma
Now if someone would only release something like this for Outlook that turns off VBScript...
Why would you want to do M$'s work for them? Besides, wouldn't Linux zeal- uh, I mean, advocates no longer be able to wave that particular weakness around when proselytizing? Just a thought.
--
Freeper Logic
If your system has been infected by the 1iOn worm, it was insecure. Most admins with infected systems who didn't notice the intrusion right away probably only become aware of the situation when their system is used in some other attack. Now here comes the Cheese worm, plugs the hole and leaves a message. You read the message. Should you trust your system after that? Not at all. It has been compromised by one worm and then another one. There is no reason to believe that the first one was successfully removed, that the second one was really white hat, or that these were the only intrusions, since anyone could have used the same backdoor through which the Cheese worm came in and have his own additional backdoor in place. If you see the message, wipe the system and install a clean and hopefully safer system. The message already implies that the purpose of the Cheese worm isn't repairing systems and saving the admins some work. Its purpose is to take the systems with undetected intrusions out of the script kiddies' hands. It fights fire with fire only where water is unavailable. There is only one thing I don't like about this worm: it looks and feels exactly like an attack. In consequence, admins spend time pursuing the (automatic) offenders, and systems might get overloaded with scans if the worm gets out of "control".
How many incompetent system administrators actually read email sent to those addresses? How many have a system in place to forward root@everybox to some place where it gets read? If these guys/gals were reading CERT or Bugtraq, they would know about these vulnerabilities and fix them. If they aren't reading those lists, they probably just stick computers on the Internet without giving a thought about "uhhh, where's postmaster mail gonna go?"
Our IDS is showing more and more port scans all the time--I'm glad to know why I've seen a jump in scans of late, the increase agreeing with the arrival of this new worm (scans to port 10008). How much bandwidth are we going to use if we have thousands of machines all over the 'net port scanning thousands of other networks all over the 'net? We'll have the worms port scanning along with all the anti-worms. That's the only way to find out which machines may be infected, by just random port scanning. Doesn't sound very scalable to me.
No, what we need to do (and what I do) is blackhole networks that don't have decent clue at the helm. :-) *plonk*
- Internet Anti-Bodies
Just a thought
If we don't make light of everything, we are just stumbling in the dark - Blank
This is a whole new concept for the Linux community: now you can help look after other careless people's mistakes and make Linux more secure!
This would be great as a full-time project for someone. It works kind of like a distributed effort and is completely automated. When someone releases a new toy for the script kiddies it should be even easier to release the patch, but a MOBILE patch in this case. Awesome..
Oh but I would suggest that the roaming patches like this worm only inform the owner of the box of a URL where a disinfectant can be obtained, that way the 'good' worm won't damage some systems by accident.
"just connect this to..."
BZZT.
Liberty.
This makes me think of the recent stream of Hybris virii for Windows. What if this supposedly beneficial worm had jazzy code to update itself from a newsgroup or Freenet, and eventually morphed into a weapon of pure evil? We all know that for every intelligent forward-thinking geek there are hundreds of idiots, and those idiots would be just the type to leave such a thing on their systems because "It's not doing any damage so it's not a priority"... and then... BAM! The worm goes postal! A scary thought, is it not?
-Billco, Fnarg.com
It may use your CPU cycles, but if you were remiss enough to fail to patch well-known security holes then you should be grateful someone is using your CPU time to stop your PC from being used in malicious ways. This worm will help deplete the number of boxes which script kiddies are able to use to crack other systems - which can only be a good thing.
--
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
Every time I scan the /. page I parse this as "'Chinese Worm' Fixes Linux Systems?"
Time for more coffee. *shakes head*
--
All opinions presented here aren't mine.
Serious question: Can UV light help fight a virus that's already inside the human body? Would going to the beach and catching some rays help me fight off my cold virus?
Drat. I was hoping I could take a trip to the beach and still claim it as a sick day. :)
Antibiotics usually aren't effective against viruses. Inoculation as the result of vaccination can protect one against them, but not antibiotics. (The over-prescription of antibiotics against viruses is part of the cause of drug resistant bacteria and viruses, according to this story on NPR, about 2/3 of the way down, "Antibiotics use".)
However, I do not see where and why you make a distinction between the author of the Cheese worm, because this is exactly what the Cheese worm author is doing - chasing down all other systems that try to lock into his system.
I'm still trying to figure out what people mean by 'social skills' here.
I would even argue that OSes with security holes should refuse to install, forcing the user to either install a more secure OS or manually click through the license agreement, essentially accepting the liability for acting like a moron.
I just checked my logs, and I've only had three hits on 10008. One from Canada, another from Korea, and the third from Sweden. That was three days ago, in a six hour period. So at least it doesn't look like this thing is going to melt down the internet.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
I think his point was, there is a helpful virus for Linux. How many helpful viruses do you know of (in the wild) for Windows? Not the lack of destructive viruses, although if 1/4 of Linux worms are helpful (Ramen, Lion, Adore, Cheese) that's a hell of a lot more than on a Windows based platform.
You seem to have missed the big point with this worm. It only gets in through a back door left by the l1on (or whatever) worm. Therefore, if you secured the system in the first place neither would have gotten through.
Those people who object to it purely because it is a worm are idiots.
I think it's a great idea. Perhaps, if instead of modifying your system for you, it sent an email to postmaster, webmaster or root with a detailed explanation of what it found and how it could be fixed, this would take care of many of the complaints I see here.
The neat thing that I see here is that this is a step closer to a "self-healing" system. If this worm were updated and released by a serious security organization which keeps track of the latest cracks with drop-dead dates to ensure that only the latest version is spreading, then this is a step closer to a more secure internet for all of us. Maybe trying to actually fix the system was a bit too ambitious because nobody will (should) trust it.
- Pointless sig.
When Autostart worms were going around sneaking their way onto CDs and spreading across networks, a mysterious variant showed up on a MacAddict CD that did pretty much all that, except it removed all the others and protected you against them. It also removed itself on Christmas day.
A friend had described to me how one wily Windows worm worked. Instead of spamming everyone in the address book all at once, it just waited until you sent mail to someone, and then sent them a second message with the worm attached. To prevent dupes, it kept a list of everyone it had sent itself to in a file, in the clear. We thought it would be Way Kewl to write a worm that disinfected a system, and e-mailed itself to everyone the original worm had gone to. It's nice to see that someone has actually implemented a variant of this.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
So, someone actually did it. They wrote a worm that did good rather than bad. Cool, but it still trespasses onto my box, and uses my CPU cycles and bandwidth to propagate itself.
This may be a white hat release, or it could be some odd sort of new antivirus software prototype (laugh!), but in reality it's just a virus/worm like any other. The payload is just some weird combination of benign and malignant (but not malicious per se). I still object to any software that modifies my system configuration for me, regardless of its moralistic approach.
--CTH
--
--Got Lists? | Top 95 Star Wars Line
Surprised nobody noticed some of the glaring holes in the technical quality of this article. It's really sad that tech writers on average have such a lousy grasp of what they're talking about and/or that they end up garbling facts trying to talk down to the level of the average Joe Public.
It's also sad that so many of these articles end up on /. Example from the above article:
"Web browsers wait for data on port 80 and 8080"
Maybe I'm just being persnickety - but I've never had Mozilla running from my inetd.
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
I agree completely and would probably reload an infected machine from backup just to be safe...
That being said, I have thought about making similar programs with limited spreading abilities (i.e. only able to traverse private IP networks, not cross the Internet, etc.) as a self-policing action within a network.
LedgerSMB: Open source Accounting/ERP
Is this the first form of distributed security?
This kind of worm would probably get in through a known exploit and then patch the exploit behind it... kinda screws up software darwinism, yes?
I thought they did that about a decade ago - something called "Linux" wasn't it? It's obviously working because I still keep hearing about it.
UNIX? They're not even circumcised! Savages!
This worm is welcome, just like the 'PingPong' virus. I still remember everybody in our lab got this harmless virus, just to watch an 'O' bouncing on the screen while doing DOS homework.
"Virus? You mean it's a virus?"
"I would rather not have anything that comes in uninvited and messes with my computers," he said.
Said by an idiot who has his boxes infected with The tHing, SubSeven, NetSphere, Deep Throat,Master Paradise, Silencer, Millenium, Devil, NetMonitor, Streaming Audio Trojan, Socket23, Gatecrasher, Net Control, Telecommando, Gjamer, IcqTrojen, Priotrity, Vodoo, Netspy, ShockRave, Stealth Spy, Pass Ripper, Attack FTP, GirlFriend, Fore, Schwindler, Tiny Telnet Server, Kuang, Senna Spy Trojans, WhackJob, Phase0, BladeRunner, IcqTrojan, InIkiller, PortalOfDoom, ProgenicTrojan, Prosiak 0.47, RoboHack, Silencer, Striker, TheSpy, TrojanCow, UglyFtp, WebEx, Backdoor, Phineas, Psyber Streaming Server, Indoctrination, Hackers Paradise, Doly Trojan, FTP99CMP, Shiva Burka, BigGluck, NetSpy, Hack?9 KeyLogger, iNi-Killer, ICQKiller, Portal of Doom, Firehotcker, Master Paradise, BO jammerkillahV, AOLTrojan1.1, Hack'a'tack, The Invasor, SpySender, The Unexplained, Bla, FileNail, ShitHeep, Coma, Bla1.1, HVL Rat5, BackConstruction1.2, Kuang2 theVirus, Xtcp 2.00 + 2.01, Schwindler 1.82, Doly trojan v1.35, Doly trojan v1.5, Vampire, DeltaSource, Trojan Spirit 2001, Maverick's Matrix 1.2 - 2.0, Total Eclypse 1.0, OOTLT + OOTLT Cart, Eclipse 2000, NetMetro 1.0, Illusion Mailer, InCommand 1.0 + 1.3 + 1.4, NeTadmin, Logged!, Shitheep, Schoolbus 1.6, Schoolbus 2.0, Chupacabra, TheThing 1.6, AimSpy, NetMetropolitan 1.04, Transcout 1.1 + 1.2, SoftWar, Ambush, Der Spaeher 3, Insane Network, The Prayer 1.2 + 1.3, Host Control 1.0, Yet Another Trojan, NetRaider, TCPShell.c, PC Crasher, Mini Command 1.2, Mosucker, Rat 1.2, FakeFTP, Intruse Pack 1.27b, Snid X2, Freak 88, Asylium 0.1&0.11&0.12&0.13, Prosiak, Traitor 2.1, Connection, Host Control 2.6, BIONET, Rux.PSW, CrazyNet, Rux.Backdoor, Infector 1.x.
*phew*
A friend of mine got hired to do that with VBScript actually, because an entire company had Melissa or one of those nasty Outlook ones.
---
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
How about one that emailed the owner of the computer about holes, giving them ideas on how to fix it, rather than fixing it itself? Now, that wouldn't actually have to break into the computer, would it? Or would it?
Look out!
Should 'white hat' hackers help the hapless with worms that patch known vulnerabilities? Does this make the lazy more lazy? Is it helpful to plug someone's machine and then put that machine to use scanning for other vulnerable machines? Do you (if you're too lazy to patch your server) want your machine wasting resources to help others who are also lazy?
It's all Hood
Uh, yeah, of course I think this is extreme.
The only real answer is for us to forceably demand that OS vendors become much more diligent about security.
Almost every problem we've seen recently can be laid squarely at the feet of the admins who don't update their systems when advised by the vendor. But you seem to realize this because you then say:
So, let's say I run google.com. There is an advisory for Apache. What do I do? I sure don't let the OS download a new version of Apache and install it without my intervention. It could have some conflict and not work, or could have any number of other problems. I sure don't let the OS turn off port 80 because it thinks I'm "a moron." If it does this while I'm not around, in the time it takes to get a cup of coffee my company has lost $thousands.
What I do is get the patched version, test it out on a few prototype machines, and then when I'm confident it works, roll it out in an orderly fashion across the whole server farm.
That said I'd like to see the equivalent of "Windows Critical Update Notification" for Linux. I also will agree with you on your points about shipping with too many services turned on.
those are Linux worms. destructive worms.
You think one can use those to express the advantages of open source? (i may be stupid, or maybe it's because i haven't slept at all, but i fail to see your point..)
i had a sig, once..
The war of the patch-virii.
A friend of mine suggested to me that whatever you look for on the Internet, it will seemingly spring into being simply by the fact of you looking for it. That same friend came up with this idea of patch viruses that break into and repair security holes. And **Poof**, it exists.
Be careful what you look for...
Remember back in September, when Slashdot was hacked? The guys that did it apparently just wanted the experience of hacking Slashdot; they posted a victory story and emailed Taco with full details about how they did it.
But Taco & company decided to rebuild the entire system as though they had maliciously taken over.
Similarly, even if this "good" worm hits me, I'll treat it like a bad one. You never know, it would be ingenious for some l4m3 (or whatever the numeric abbreviation is) hackers to release a version that looks like "Cheese" but actually does a "rm -rf /".
--------------------------------
The reason why I believe this will work is the social hypothesis that many hackers are principally motivated by technical challenge rather than a desire for anarchic destruction. It would seem sensible to embrace the efforts of such people by providing a safe mechanism by which they can showcase their talents on live systems (which should be assumed to be under attack in any case.) If this were to be coupled with a standard strategy for distributing patches and updates to software, then it would seem harmless enough to allow "hackers" to keep tally of the number of systems each "vaccine virus" had successfully attacked, and which now had the security deficiency patched - thereby replacing the drudgery of securing systems with an engaging game which could be played by anyone with sufficient time, knowledge and inclination. Finally, an opt-in strategy would ensure the ostriches of this world are not offended, and in a sense 'legalise' non-malicious hacking.
I would like to spread a Social Engineering worm to fix VBS worms (most often spreading with Outlook). The problem is not Outlook per se but Windows Scripting Host.
To prevent the spread of VBS worms on your computers, simply change the VBS extension in Explorer to something else like SBV. This way there will be no association with VBS and Windows Scripting.
If you want to run a script of your own, use the SBV extension instead of VBS. If enough of us change the extension, especially you who are IT professionals on corporate computers, then VBS worms will be less harmful.
It really is good to see people finally doing something towards a good cause, rather than attempting to create destruction. I certainly hope it continues.
try spell-check
Cutting edge is sharp, avoid contact.
And UV is used to erase Flash ROMs (the old style anyway). Coincidence?
-----------------
www.lucernesys.com - Horizon: Calendar-based personal finance
It might be ideal if you could make rules that would be followed. But the biggest issue i see with all the automated hacking and/or worms on the internet is that it simply swamps the human resources available. I get a bunch of legitimate intrusion attempts every day. I couldn't possibly report them all. And I guarantee the ISP's aren't anywhere close to having enough people to respond to the problem. Even the low amount of email they get now goes unanswered unless the abuse is gross.
Default security will go a long way to fixing that. But with attacks against core services common (bind, iis, ftpd) that may be intentionally configured, default security is not the only answer. People need to patch boxes, there need to be patch servers, and I think any notion that using opt-in email and a web browser and a sysadmin typing 'apt-get blah blah' is somehow a better secured system than a default alerting system is misguided. Just because it's the way we do it now doesn't make it infallible, as similar attacks (imagine if I replaced the SP2 binary at Microsoft right now) could happen just as easily or more easily right now.
Really you are using the same mechanisms right now, it's just harder to use.
Think about this:
alert system: email list
patch server: updates.redhat.com
PKI: pgp signature
key revocation: urgent email
patch application: download & run rpm -u
So... why not make it easier so that compliance goes from xx% to 95% ?
While your opinion that security patches should be somewhat difficult to install to make the admin learn more about the system is a valid one, I think that it's pretty unrealistic. The ones who run OpenBSD, keep up with security patches and source-patch their systems aren't the ones getting owned all over the place. It's the folks that don't know there is even a patch, or are too lazy to download it even in binary form, that are causing 99% of the problems.
While I agree that no patch should be 100% automatically applied, I think the typical gloom and doom story about the patch box being owned is somewhat overblown. A very secure system can be arranged using public keys and key revocation, coupled with close monitoring of the patch box. Any serious OS vendor could manage this if they made it a real priority. As it is now, standard update methods are indeed less secure than this now.
Regardless of whether you agree with the implementation, I find it hard to believe you truly think that patching security holes should be a hard job. It needs to be made as easy as possible, so that you get as close to 100% usage as possible. Right now you get nothing like that.
I know the author had semi-good intents, but the effort is really misguided. Worm proliferation has become significant in the last year (really, six months). A number of effective worms are out there that target both Linux and Windows. Watching my firewall logs on a variety of hosts (cable, and several colo ISPs) shows that the number of intrusion attempts (or at least scans, but 90+% of this has to be worm traffic) has increased for me by a factor of 10 since the 1st of the year.
This kind of traffic, whether good or bad intentioned, adds to network congestion, makes running an IDS challenging at best, and has made the ISPs effectively throw their hands up at having any kind of enforcement about hacking attempts. I don't know if anyone has tried reporting the sources of intrusions to their ISPs, but such reports now fall on deaf ears almost all the time. Plus, it decreases the S/N ratio on the network, security-wise, considerably. It is much harder to back-track or do an IDS post-mortem on a REAL threat/attack with all of these other attacks going on at the same time. While worms may pose a minimal threat as far as their attack sophistication, a skillful hacker can use all this worm traffic as an effective cloak.
Even though you can argue that it's all relatively low traffic, that you need a good firewall, and that IDS should only be run inside those firewalls, you still have the possibility of serious network problems on the horizon. It's not unthinkable that in the near future a large percentage of Linux boxes will have multiple worms, exploiting multiple vulnerabilities, all running and infecting other boxes. The fallout from this could be severe. Throw in a few anti-worms, and a few bugs caused by the interactions of it all, and you could have a real hellstorm, quietly building now. Surely people remember the Morris worm in '89? While bandwidth was more easily swampable at that point, we are perhaps only a few years away from waking up to that kind of destruction one morning.
The only real answer is for us to forcibly demand that OS vendors become much more diligent about security. If I was a national government I would truly consider this a serious threat to my infrastructure. While OS vendors have become more responsible across the board, we need to shoot for a higher bar. OS vendors need to provide very paranoid installations as default, with software firewalls enabled. The user should have to be asked for each service to be enabled. 100% available services such as ICMP echo should be required to be sandboxed or stack protected. OSes need to provide as a default security update monitoring, and easy, semi-automatic processes for installing new security related patches quickly, even if the admin is prone to do nothing. Nag the hell out of them to update. I would even argue that services with security holes should be automatically disabled by the OS, forcing the user to either update the service or manually restart the service, essentially accepting the liability for acting like a moron.
I'm sure a lot of you will think I have an overly extreme opinion, and that things are mostly fine. I can't argue that I think the situation is out of control now. But with our infrastructure as vulnerable as it is right now, it will only take one or two really good worms to show everyone how it should be done. The only thing that has really saved us so far is the fact that no one has done it... It is easily accomplishable.
You know what would be great though, and be essentially the same code? Something that listened to your firewall logs, detected worms that scanned you, and then went out to their hosts and basically ran its course, disabling the other worm and closing security holes. But not leaving code to proliferate itself.
I know this would be no different legally, but I would sure feel 100% better about it. How poetic is it to detect a scan and then hack in to shut it down to keep it from scanning anymore. Without any scanning yourself.
Any takers on a modified cheese worm?
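The log check described in the two posts above (an IDS seeing a jump in scans to port 10008, and a grep of one's own firewall logs for hits on that port) and the "listen to your firewall logs and detect worms that scanned you" idea in the post just above, as an added example that is not from any poster in this thread and not code from the worm itself: a Python script that parses netfilter-style kernel log lines and tells a sweep of TCP/10008 across several of your hosts (the Cheese worm probing for the 1i0n backdoor port, per the thread) apart from a generic multi-port scan. The log format, the sample lines, the RFC 5737 documentation addresses and the thresholds are all constructed assumptions; adjust the regex to your own firewall's output. It stops at reporting and deliberately does nothing to the scanning host.

```python
import re
from collections import defaultdict

# Port the Cheese worm probes for (the 1i0n backdoor shell), per the thread.
CHEESE_PORT = 10008

# Pulls the fields we need from a netfilter-style kernel log line.
# Assumed format; adjust the pattern to match your own firewall's logging.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines (not captured traffic); RFC 5737 addresses.
# 203.0.113.7 sweeps three of our hosts on 10008, 192.0.2.55 scans several
# ports on one host, 198.51.100.9 is ordinary noise (UDP/10008 is not a match).
SAMPLE_LOG = """\
May 17 03:12:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41022 DPT=10008 SYN
May 17 03:12:45 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.3 PROTO=TCP SPT=41023 DPT=10008 SYN
May 17 03:12:45 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 PROTO=TCP SPT=41024 DPT=10008 SYN
May 17 03:20:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=3001 DPT=80 SYN
May 17 03:20:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=3002 DPT=21 SYN
May 17 03:20:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=3003 DPT=53 SYN
May 17 03:20:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=3004 DPT=111 SYN
May 17 03:31:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=52000 DPT=22 SYN
May 17 03:31:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=UDP SPT=52001 DPT=10008
"""


def parse_log(text):
    """Yield (src, dst, proto, dport) for every line the regex recognises; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def summarize(text):
    """Per source address: destination ports touched, destination hosts touched,
    and how many TCP connection attempts went to CHEESE_PORT."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    cheese_hits = defaultdict(int)
    for src, dst, proto, dport in parse_log(text):
        ports[src].add(dport)
        hosts[src].add(dst)
        if proto == "TCP" and dport == CHEESE_PORT:
            cheese_hits[src] += 1
    return {
        src: {"ports": ports[src], "hosts": hosts[src], "cheese_hits": cheese_hits[src]}
        for src in ports
    }


def classify(summary, sweep_hosts=3, scan_ports=4):
    """Label each source. 'cheese-sweep': TCP/10008 tried against several distinct hosts,
    which is what a worm walking a netblock for 1i0n victims looks like. 'port-scan':
    many different ports on us. Otherwise 'other'. Thresholds are assumed; tune to your baseline."""
    labels = {}
    for src, s in summary.items():
        if s["cheese_hits"] >= sweep_hosts and len(s["hosts"]) >= sweep_hosts:
            labels[src] = "cheese-sweep"
        elif len(s["ports"]) >= scan_ports:
            labels[src] = "port-scan"
        else:
            labels[src] = "other"
    return labels


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, label in sorted(classify(summary).items()):
        s = summary[src]
        print(f"{src:15} {label:13} ports={sorted(s['ports'])} hosts={len(s['hosts'])}")
```

Feed it `journalctl -k` or `/var/log/kern.log` instead of SAMPLE_LOG to run it against a real box. Requiring the 10008 hits to land on several distinct destination hosts is what separates a worm's sweep from one curious person poking a single port on you, and keeping UDP out of the count avoids false positives from unrelated traffic that happens to use the same port number.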
The ethics are debatable, but it's incredible to think someone actually did take the time to make a 'good' virus.
[news for me, stuff that doesn't matter]
Mmmm.. Sad that the FBI caught up with him..
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
There are many, mighty-proud cows tonight...
Berk Watkins
Can we PLEASE turn this worm loose on all APNIC owned IP blocks and upgrade every machine in .jp, .kr, .cn, etc with a newer non-open relay version of Sendmail or Postfix? Please?!?! Considering that's where 95% of the spam I get comes from, I'd welcome something like that. :P~
Yes, but then you would be using it on a Windows system and would be hit by a million more Windows viruses. Besides... it's AOL... *snicker*
The answer to your next question will be 'not likely'.
"I would rather not have anything that comes in uninvited and messes with my computers,"
Two words: Microsoft Windows
----
--
[insert witty one-liner here for your own pleasure]
Does this remind anyone immediately of the positive viruses in Red Dwarf which conferred good luck, sex appeal and such?
"We kill to cure, with cures that kill" - Skinny Puppy
From said article:
"But Roger Thompson, technical director of malicious code research for security services firm TruSecure, stressed such programs are generally a bad idea.
'I would rather not have anything that comes in uninvited and messes with my computers,' he said. "
I feel the same way, but I applaud whoever thought of using a WORM to do something useful for society! Commendation for original thinking!!
Besides, 1i0n sounds like one of those obscure infectants that you find weeks or months after the fact.
Everywhere you look you will see this. It's classic good vs. evil. Freedom (implies Linux) is the good. I believe the spirit of Linux and the "Linux community" is embodied in this, however it was done within the context of deprecated ideals: as long as evil exists, we must engage the enemy with countermeasures. This leads to new aggression, countermeasures, new aggression.
We're dealing with exactly the same issue in the US when talking about the proposed missile defence system. An arms race will occur. Countermeasures... new aggression, countermeasures, new aggression.
We should engage ourselves in answering the following question: how is it possible to move away from these destructive thought patterns? This worm definitely wears a halo, but the evil around its ankles is in the way of thinking.
Freedom is exponential!
qubithaze
I wrote one of these last week, after reading the homepage source.
It's just a VBS script that essentially changes the default Windows action for a number of script file types to be 'edit' instead of 'open'. This mostly stops all those email-attachment clickers from running code indiscriminately.
I contemplated adding the next step, of accessing the address book and forwarding itself onwards, in the hopes that anybody still silly enough to execute script files via email will commit the final necessary act to stop this from happening again.
In the end, I decided not to distribute this because of its potential for jamming up mail servers and generally causing a nuisance for people who already know better and don't allow Outlook to execute such code in the first place.
Les
If I had a DeLorean... I would probably only drive it from time to time.
Perhaps RedHat and others can have this as a value added service. Customers can sign up and every month RedHat will scan them and fix their security problems or email what patches need to be applied?