"Cheese Worm" Fixes Broken Linux Systems?
Wakko Warner writes: "According to this article, a new Linux worm named "Cheese worm" has been spreading lately. The difference between this and other Linux worms is that Cheese worm attempts to fix backdoors added by other worms, removing malicious code and user accounts and scanning for other infected systems on the network. Now if someone would only release something like this for Outlook that turns off VBScript..."
You compare this to the Outlook worms, which is hardly a correct comparison. Those scripts that stupid users run in Outlook typically deliver a piddly payload (i.e. they don't r00t the box.) So they delete .JPGs and .MP3s, big deal. They still run within the context of security provided by the current user. Their real cause of damage is that they then access Outlook's address book and forward themselves to everybody, which in a corporate setting, can eventually cause the email server (any email server) to be overwhelmed and die.
How exactly does that compare to a worm that will enter the system through faults in daemons without user intervention or knowledge, r00t the box, and deliver literally any payload they want, good or bad? Certainly there are some similar vulnerabilities in Microsoft daemons, i.e. everyone's favorite IIS. But I guess I shouldn't expect that many people here to be able to make such a distinction.
Microsoft has long since released a patch to prevent COM automation of the address book, and future versions of Office prevent it by default. Should a worm of sorts be released to automatically download this patch and install it for the less-than-capable enduser? Hah! You know as well as I how quickly the slashdot crowd would interpret that as an invasion of privacy by the most evil and loathsome entity in the history of the world.
Yes, to go out and automatically tweak others' machines without their consent is definitely wrong.
I can think of one silly example why it would be a bad thing: what if somebody was testing network security software, thinking that this hole was unpatched on a target machine, and now, all of a sudden it isn't, then there's a bug in his security software that potentially goes undetected, and that security software gets sold and widely distributed. Can the dumb ol' worm guarantee that all systems on the net from that point in time onward will be patched?
That's just a silly example of an unrealistic situation - but for every one of those I can think up in the 5 minutes it took to read this /. article, real life probably has several good examples nobody's thought of.
The basis of testing, or even just running a computer, is having a known-good system state to run from. If some unknown element is being changed, for whatever reason, that's a variable that the operator is not aware of. And that's a bad thing.
These are my friends. See how they glisten. See this one shine, how he smiles in the light.
The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?
Further, it is still using my system resources (bandwidth, etc.) to spread itself without my permission, which amounts to trespassing in my book, even if it is supposed to "help".
If we start allowing worms such as this one back on our systems, just because, "Well, it might help", it won't be long before somebody combines one that fixes one hole while making a new, bigger one.
So what are you going to do? Put your unpatched antique box on the net and hope Cheese finds it before Ramen? Ahuk, ahuk, ahuk...
The bottom line is: if your security sucks, you default to trusting every Tom, Dick and Harry out there with your box. The usual term for this is "data suicide".
Got time? Spend some of it coding or testing
Considering this might break login and other admin scripts, be extra sure you want to do this. If you administrate a large number of Windows machines you've just made your life potentially much more difficult.
Besides, it would be trivial to convert your typical Outlook virus into JavaScript, PerlScript, or even a VB EXE file. NOTAFIX.
Microsoft has had a security patch out which mitigates the problem for many months. Have you tried it?
--
Business. Numbers. Money. People. Computer World.
This is valuable not because it fixes a hole. It's valuable because it makes the community look cool.
/var/log/messages NOW!!!
Think about it. In the 'doze world, there's MS, the sheep...er..users, the Vendors and the hackers on a bad day. There is no sense of community...if you help your friend....you're likely breaking some kind of law.
On the other hand, with Open Source, here's an instance where some lone hacker takes a paradigm and smacks it upside the head for our mutual benefit. This is wonderful PR!!!
Just when MS gave a speech about how Open Source OS's are insecure, and the community aspects are negligible at best, this guy kills both birds with one stone. And it didn't cost any of us a "beer" dime.
You just can't buy publicity like that. I think I'll start preaching "Random acts of kind InfoWar". Really....this whole thing is a head scratcher we could use to our advantage.
oh.....check
"Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
And how long before someone modifies the Cheese worm so that it still patches the system from 1i0n, leaves that exact same message, and then goes and deliberately opens up a brand new hole for exploitation? I'd say seven days is a conservative estimate. If it appears that your system has been "patched" by the Cheese worm, you're best off wiping your system and restoring from backups.
Cheers,
Would be like a Unix worm turning off FTP or disabling mod_perl. It could potentially improve security... but the people running the systems might not be so happy...
It's rather sad to see a worm do the work for clueless sysadmins. I'm not a sysadmin in the least, yet somehow I do a fairly decent job keeping my DeadRat 7 box updated and locked down as much as I can.
A while back, I noticed a port 111 scan from what appeared to be a company's mailserver, setting off "worm" alarms in my head. Though I normally ignore such things, I was in a rather giving mood, and decided to alert the company of their potentially compromised box. Several bounces and lack of replies later, I gave up. The company just didn't seem interested in making it possible to report potential security holes or server problems - no addresses on their website, several possible leads gathered through bounces failed, and the whois lookup revealed a Hotmail address for the technical contact. I wonder how many other companies are as difficult to warn, and may not even care that their boxes are insecure.
Maybe I just don't understand how hard it is to be a sysadmin, but can it be that difficult to at least glance at your operating system vendor's updates site once a week to check for patches and warnings? Is it that hard to do a simple system lockdown after the initial install and reopen services as necessary? Or am I just clueless?
<Blatant flame>
Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...
</Blatant flame>
Sorry if I insulted anyone with that short rant, just thoroughly unimpressed by the number of port 111 scans I see coming from what should be very carefully watched boxes all over.
Someday, you're going to die. Get over it.
and, thinking more about it, this has possibilities. this could be used as a distribution system for almost instant bug fixes, via "worming" the systems together. participation in the chain would be voluntary, of course. but, like another poster already suggested, it resembles the human immune system. and using this kind of "swarming" bug fix/patch distribution system would result in exponentially faster bug fixes. the admin doesn't even need to be awake.
and new systems would be patched immediately, no more hunting down and downloading a bunch of old fixes every fresh install.
imagine bands of roving web worms maintaining and managing the security of the net. am I just tired, or does this sound really cool?
sean
oh I get it, kind of like the "earth worm" of the computer virus world. it's a bug, yes, but you want it in your garden; it's good for the soil.
just don't believe people when they tell you that you can cut it in half and both halves live
sean
...right on the heels of Open Source's unified shot back at Microsoft, we have evidence that in the Open Source world, even the *viruses/worms* are beneficial! :) What next, Open Source code that mows your lawn, increases your sex life, and automatically sends presents and cards to your friends and relatives on their birthdays?
Too funny...
But seriously...maybe this'll nudge those black-hatters to actually compete with each other to *fix* holes.
It's 10 PM. Do you know if you're un-American?
# removes rootshells running from /etc/inetd.conf
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# Infact, it was written to try and do some good.
I agree with most of your points except one, which I *really* disagree with.
Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.
Just look at primary network time servers. Imagine if *everyone* had ntp get the time from a pool of ntp servers. Now, imagine someone hacking these servers and changing their time. Boom, everyone's time is now incorrect. But that doesn't even come close to automatic 'fixes' for buggy code. Imagine someone hacking the Patch Server, then inserting a 'patch' that contains malicious code. *BOOM* Every motherfucking machine that uses that server is then 0wned. It sounds great on paper, but isn't a good idea. Plus, you shouldn't make security that brainless. I was baffled by OpenBSD only releasing source code patches. Then I realized that if you want to patch the binaries, you have to learn how to patch the source and then you've learned a bit more about how the system works. Plus, you don't have to worry about finding a binary patch when the distro supports a bajillion architectures. If I remember correctly, RedHat dropped Sparc support...do they release patches for Sparc anymore? If not, you'll need the source. Good thing you learned how to do it in OpenBSD. (sidenote: the patches usually have the instructions in them, so they are relatively easy to use) But I realize you probably aren't suggesting auto patching. But if you aren't, then your idea is lost. People will realize security is an important issue, either the hard way or the easy way.
Chaos, Mayhem, and Destruction: Not
I'm sorry, it sounds cool but it has many problems in my mind.
1. Lack of Transparency. I don't like the idea of something that runs at a privileged level or modifies my system without my permission. Do I get a chance to view the source code before it patches to ensure its good intent?
2. MAD. This will start a war of attrition. Worms scanning and invading systems. How long before a worm says 'if I can't have it - neither can you!' and wipes the hard drive.
3. Evolution. This will cause mutation in the malignant worms that will make it harder for patches to be created. Think anti-bacterial resistance.
4. Automation. People say this is great and automated and the admin doesn't have to even wake up. What would happen to the Internet if Windows automatically installed patches without your permission? Just think of all those IIS sites disappearing when the service pack screws up and no one's there to monitor it! Hang on, perhaps that's not such a bad idea :)
The risks in my mind really outweigh the potential rewards. The only people who see this as cool are those who are too lazy to have some form of management process to maintain their security.
I do like a system similar to the MSFT update whereby my installed software is audited, and I am notified of any patches available, and then given the options to read, and install the patch - if I choose.
Cheers RedIguana
Now we have some new parasites (unhacking worm) coming out that have a symbiotic relationship with their host (linux machine).
On the lighter side, this must really tweak the folks at the Honeypot Project. "Dammit - just when we got the network nice and insecure, those cheese bastards fixed it! Where's that RH6.0 CD?" They'll be in the unenviable position of having to protect their systems against worms just so that they can be 0wn3d by script kiddies.
On the darker side, this reminds me of the "toner wars" in Diamond Age, where good and evil nanites ("mites") battled in the air, and the carnage was horrific. Going outside during a toner war was like breathing straight graphite powder. Is this the future of security? The future battleground for white hats and black hats?
It's a cute idea, really, but it has to stop. All property rights aside, we cannot afford to fight this war in this arena. The point of having an army (if I may carry the analogy a little farther) is to keep the enemy away from civilization. But in some ways the battleground already is the property we need to protect; worms are in a real way terrorist rather than military. What's to be done? Education, and lots of it. Hope it's enough.
question: is control controlled by its need to control?
answer: yes
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Actually, there have been many problems with that patch. Besides, it doesn't address the core issue, the scripting features (while possibly very useful) can be used to easily make viruses.
Excuse the blatant plug, but instead of telling users to hack into their Windows registry (not something most users are capable of), I devised a program, Script Sentry, that seizes control of the VBS extension (as well as quite a few others, but only after you approve it of course). This way, when the script is run, Script Sentry opens up, scans the script for possibly malicious code, and then alerts the user.
For example, in a momentary lapse of judgement, I open that "Love Letter" attachment I received. Instead of being infected though, Script Sentry alerts me that the "Love Letter" would have deleted files, edited my registry, and accessed Outlook. I tell Script Sentry not to run the script and crisis averted.
Oh, and the program is 100% free (although I have a means for people to "donate" if they feel it's worth the $$$).
In case anyone's interested, the URL is http://www.jasons-toolbox.com/scriptsentry.asp
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
It may use your CPU cycles, but if you were remiss enough to fail to patch well-known security holes then you should be grateful someone is using your CPU time to stop your PC from being used in malicious ways. This worm will help deplete the number of boxes which script kiddies are able to use to crack other systems - which can only be a good thing.
--
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
So, someone actually did it. They wrote a worm that did good rather than bad. Cool, but it still trespasses onto my box, uses my CPU cycles and bandwidth to propagate itself.
This may be a white hat release, or it could be some odd sort of new Antivirus software prototype (laugh!) but in reality it's just a virus/worm like any other. The payload is just some weird combination of benign and malignant (but not malicious per se). I still object to any software that modifies my system configuration for me, regardless of its moralistic approach.
--CTH
--
--Got Lists? | Top 95 Star Wars Line
I agree completely and would probably reload an infected machine from backup just to be safe...
That being said, I have thought about making similar programs with limited spreading abilities (i.e. only able to traverse private IP networks, not cross the internet, etc.) as a self-policing action within a network.
LedgerSMB: Open source Accounting/ERP
Is this the first form of distributed security?
The war of the patch-virii.
A friend of mine suggested to me that whatever you look for on the Internet, it will seemingly spring into being simply by the fact of you looking for it. That same friend came up with this idea of patch viruses that break into and repair security holes. And **Poof**, it exists.
Be careful what you look for...
I know the author had semi-good intents, but the effort is really mis-guided. Worm proliferation has become significant in the last year (really, six months). A number of effective worms are out there that target both linux and windows. Watching my firewall logs on a variety of hosts (cable, and several colo ISPs) show that the number of intrusion attempts (or at least scans, but 90+% of this has to be worm traffic) has increased for me by a factor of 10 since the 1st of the year.
This kind of traffic, whether good or bad intentioned, adds to network congestion, makes running an IDS challenging at best, and has made the ISP's effectively throw their hands up at having any kind of enforcement about hacking attempts. I don't know if anyone has tried reporting the sources of intrusions to their ISP's, but such reports now fall on dead ears almost all the time. Plus, it decreases the S/N ratio on the network security wise considerably. It is much harder to back-track or IDS post-mortem a REAL threat/attack with all of these other attacks going on at the same time. While worms may pose a minimal threat as far as their attack sophistication, a skillful hacker can use all this worm traffic as an effective cloak.
Even though you can argue that it's all relatively low traffic, that you need a good firewall, and that IDS should only be run inside those firewalls, you still have the possibility of serious network problems on the horizon. It's not un-thinkable that in the near future a large percentage of linux boxes will have multiple worms, exploiting multiple vulnerabilities all running and infecting other boxes. The fallout from this could be severe. Throw in a few anti-worms, and a few bugs caused by the interactions of it all, and you could have a real hellstorm, quietly building now. Surely people remember the morris worm in '89? While bandwidth was more easily swampable at that point, we are perhaps only a few years away from waking up to that kind of destruction one morning.
The only real answer is for us to forcibly demand that OS vendors become much more diligent about security. If I was a national government I would truly consider this a serious threat to my infrastructure. While OS vendors have become more responsible across the board, we need to shoot for a higher bar. OS vendors need to provide very paranoid installations as default, with software firewalls enabled. The user should have to be asked for each service to be enabled. 100% available services such as ICMP echo should be required to be sandboxed or stack protected. OS's need to provide as a default security update monitoring, and easy, semi-automatic processes for installing new security related patches quickly, even if the admin is prone to do nothing. Nag the hell out of them to update. I would even argue that services with security holes should be automatically disabled by the OS, forcing the user to either update the service or manually restart the service essentially accepting the liability of acting like a moron.
I'm sure a lot of you will think I have an overly extreme opinion, and that things are mostly fine. I can't argue that I think the situation is out of control now. But with our infrastructure as vulnerable as it is right now, it will only take one or two really good worms to show everyone how it should be done. The only thing that has really saved us so far is the fact that no one has done it... It is easily accomplishable.
You know what would be great though, and be essentially the same code? Something that listened to your firewall logs, detected worms that scanned you, and then went out to their hosts and basically ran its course, disabling the other worm and closing security holes. But not leaving code to proliferate itself.
I know this would be no different legally, but I would sure feel 100% better about it. How poetic is it to detect a scan and then hack in to shut it down to keep it from scanning anymore. Without any scanning yourself.
Any takers on a modified cheese worm?
the ethics are debatable, but it's incredible to think someone actually did take the time to make a 'good' virus.
[news for me, stuff that doesn't matter]
I wrote one of these last week, after reading the homepage source.
It's just a VBS script that essentially changes the default Windows action for a number of script file types to be 'edit' instead of 'open'. This mostly stops all those email-attachment clickers from running code indiscriminately.
I contemplated adding the next step, of accessing the address book and forwarding itself onwards, in the hopes that anybody still silly enough to execute script files via email will commit the final necessary act to stop this from happening again.
In the end, I decided not to distribute this because of its potential for jamming up mail servers and generally causing a nuisance for people who already know better and don't allow Outlook to execute such code in the first place.
Les
If I had a DeLorean... I would probably only drive it from time to time.
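The change Les describes above (making the default action for script file types 'edit' rather than 'open') done as a local, non-spreading administrative script. This is an added example, not Les's script and not part of the original thread; the list of Windows Script Host ProgIDs is an assumption about a default Windows install, and the `-Apply` path writes to HKEY_CLASSES_ROOT, so it needs an elevated prompt.

```powershell
# Audit, and optionally change, the default shell verb for Windows Script Host
# file types so that double-clicking a .vbs/.js attachment opens it in an
# editor instead of executing it. Assumed ProgIDs for a default install.
$ScriptProgIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'

function Get-ScriptDefaultVerb {
    param([string[]]$ProgIds = $ScriptProgIds)
    foreach ($id in $ProgIds) {
        $shellPath = "Registry::HKEY_CLASSES_ROOT\$id\shell"
        if (-not (Test-Path $shellPath)) {
            # ProgID not registered on this machine; nothing to report.
            continue
        }
        # The (default) value of the shell key names the verb run on
        # double-click; when it is empty Windows falls back to 'open'.
        $default = (Get-Item $shellPath).GetValue('')
        $verb = if ([string]::IsNullOrEmpty($default)) { 'open' } else { $default }
        [pscustomobject]@{
            ProgId      = $id
            DefaultVerb = $verb
            HasEditVerb = Test-Path (Join-Path $shellPath 'edit')
            # Only 'open' hands the file to the script host.
            Executes    = ($verb -ieq 'open')
        }
    }
}

function Set-ScriptDefaultVerbToEdit {
    param([string[]]$ProgIds = $ScriptProgIds, [switch]$Apply)
    foreach ($entry in Get-ScriptDefaultVerb -ProgIds $ProgIds) {
        if (-not $entry.Executes) { continue }   # already not executing on click
        if (-not $entry.HasEditVerb) {
            # Pointing the default at a verb that does not exist would break
            # double-click entirely, so skip and report instead.
            Write-Warning "$($entry.ProgId): no 'edit' verb registered, skipping"
            continue
        }
        $shellPath = "Registry::HKEY_CLASSES_ROOT\$($entry.ProgId)\shell"
        if ($Apply) {
            Set-ItemProperty -Path $shellPath -Name '(default)' -Value 'edit'
            Write-Output "$($entry.ProgId): default verb set to 'edit'"
        } else {
            Write-Output "$($entry.ProgId): would set default verb to 'edit' (use -Apply)"
        }
    }
}

# Report first; rerun with -Apply from an elevated prompt to make the change.
Get-ScriptDefaultVerb | Format-Table -AutoSize
Set-ScriptDefaultVerbToEdit
```

This only changes what a double-click does; an explicit right-click "Open" or a direct `wscript.exe`/`cscript.exe` invocation still runs the script, so it is a speed bump for attachment clickers, not a control on script execution.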