"Cheese Worm" Fixes Broken Linux Systems?
Wakko Warner writes: "According to this article, a new Linux worm named "Cheese worm" has been spreading lately. The difference between this and other Linux worms is that Cheese worm attempts to fix backdoors added by other worms, removing malicious code and user accounts and scanning for other infected systems on the network. Now if someone would only release something like this for Outlook that turns off VBScript..."
The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?
Further, it is still using my system resources (bandwidth, etc.) to spread itself without my permission, which amounts to trespassing in my book, even if it is supposed to "help".
If we start allowing worms such as this one back on our systems, just because, "Well, it might help", it won't be long before somebody combines one that fixes one hole while making a new, bigger one.
I agree with most of your points except one, which I *really* disagree with.
Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.
Just look at primary network time servers. Imagine if *everyone* had ntp get the time from a pool of ntp servers. Now, imagine someone hacking these servers and changing their time. Boom, everyone's time is now incorrect. But that doesn't even come close to automatic 'fixes' for buggy code. Imagine someone hacking the Patch Server, then inserting a 'patch' that contains malicious code. *BOOM* Every motherfucking machine that uses that server is then 0wned. It sounds great on paper, but isn't a good idea. Plus, you shouldn't make security that brainless.

I was baffled by OpenBSD only releasing source code patches. Then I realized that if you want to patch the binaries, you have to learn how to patch the source, and then you've learned a bit more about how the system works. Plus, you don't have to worry about finding a binary patch when the distro supports a bajillion architectures. If I remember correctly, RedHat dropped Sparc support...do they release patches for Sparc anymore? If not, you'll need the source. Good thing you learned how to do it in OpenBSD. (sidenote: the patches usually have the instructions in them, so they are relatively easy to use)

But I realize you probably aren't suggesting auto patching. But if you aren't, then your idea is lost. People will realize security is an important issue, either the hard way or the easy way.
Chaos, Mayhem, and Destruction: Not
Now we have some new parasites (unhacking worm) coming out that have a symbiotic relationship with their host (linux machine).
On the lighter side, this must really tweak the folks at the Honeypot Project. "Dammit - just when we got the network nice and insecure, those cheese bastards fixed it! Where's that RH6.0 CD?" They'll be in the unenviable position of having to protect their systems against worms just so that they can be 0wn3d by script kiddies.
On the darker side, this reminds me of the "toner wars" in Diamond Age, where good and evil nanites ("mites") battled in the air, and the carnage was horrific. Going outside during a toner war was like breathing straight graphite powder. Is this the future of security? The future battleground for white hats and black hats?
It's a cute idea, really, but it has to stop. All property rights aside, we cannot afford to fight this war in this arena. The point of having an army (if I may carry the analogy a little farther) is to keep the enemy away from civilization. But in some ways the battleground already is the property we need to protect; worms are in a real way terrorist rather than military. What's to be done? Education, and lots of it. Hope it's enough.
question: is control controlled by its need to control?
answer: yes
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
It may use your CPU cycles, but if you were remiss enough to fail to patch well-known security holes then you should be grateful someone is using your CPU time to stop your PC from being used in malicious ways. This worm will help deplete the number of boxes which script kiddies are able to use to crack other systems - which can only be a good thing.
--
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
I know the author had semi-good intents, but the effort is really misguided. Worm proliferation has become significant in the last year (really, six months). A number of effective worms are out there that target both linux and windows. Watching my firewall logs on a variety of hosts (cable, and several colo ISPs) shows that the number of intrusion attempts (or at least scans, but 90+% of this has to be worm traffic) has increased for me by a factor of 10 since the 1st of the year.
This kind of traffic, whether good or bad intentioned, adds to network congestion, makes running an IDS challenging at best, and has made the ISPs effectively throw their hands up at having any kind of enforcement about hacking attempts. I don't know if anyone has tried reporting the sources of intrusions to their ISPs, but such reports now fall on dead ears almost all the time. Plus, it decreases the S/N ratio on the network security-wise considerably. It is much harder to back-track or IDS post-mortem a REAL threat/attack with all of these other attacks going on at the same time. While worms may pose a minimal threat as far as their attack sophistication, a skillful hacker can use all this worm traffic as an effective cloak.
Even though you can argue that it's all relatively low traffic, that you need a good firewall, and that IDS should only be run inside those firewalls, you still have the possibility of serious network problems on the horizon. It's not unthinkable that in the near future a large percentage of linux boxes will have multiple worms, exploiting multiple vulnerabilities, all running and infecting other boxes. The fallout from this could be severe. Throw in a few anti-worms, and a few bugs caused by the interactions of it all, and you could have a real hellstorm, quietly building now. Surely people remember the Morris worm in '89? While bandwidth was more easily swampable at that point, we are perhaps only a few years away from waking up to that kind of destruction one morning.
The only real answer is for us to forcibly demand that OS vendors become much more diligent about security. If I were a national government I would truly consider this a serious threat to my infrastructure. While OS vendors have become more responsible across the board, we need to shoot for a higher bar. OS vendors need to provide very paranoid installations as default, with software firewalls enabled. The user should have to be asked for each service to be enabled. 100% available services such as ICMP echo should be required to be sandboxed or stack protected. OSes need to provide as a default security update monitoring, and easy, semi-automatic processes for installing new security related patches quickly, even if the admin is prone to do nothing. Nag the hell out of them to update. I would even argue that services with security holes should be automatically disabled by the OS, forcing the user to either update the service or manually restart the service, essentially accepting the liability for acting like a moron.
I'm sure a lot of you will think I have an overly extreme opinion, and that things are mostly fine. I can't argue that I think the situation is out of control now. But with our infrastructure as vulnerable as it is right now, it will only take one or two really good worms to show everyone how it should be done. The only thing that has really saved us so far is the fact that no one has done it... It is easily accomplishable.
You know what would be great though, and be essentially the same code? Something that listened to your firewall logs, detected worms that scanned you, and then went out to their hosts and basically ran its course, disabling the other worm and closing security holes. But not leaving code to proliferate itself.
I know this would be no different legally, but I would sure feel 100% better about it. How poetic is it to detect a scan and then hack in to shut it down to keep it from scanning anymore. Without any scanning yourself.
Any takers on a modified cheese worm?
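The detection half of the idea in this post (watch the firewall log and pick out the sources that are sweeping you) can be done without any of the counter-attack part. What follows is an added Python example, not code from the original thread or from the Cheese worm; the netfilter-style log format, the addresses, the ports and the thresholds are all constructed for the example. It distinguishes the two scan shapes a worm typically produces: a horizontal sweep (one port across many hosts) and a vertical scan (many ports on one host), using a sliding time window so that a busy but legitimate client is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of iptables/ipchains-style kernel log lines (not real traffic).
# 10.9.8.7 sweeps port 21 across six hosts, 10.9.8.8 walks ten ports on one host,
# and 198.51.100.4 is an ordinary client hitting port 80 twice.
SAMPLE_LOG = """\
May 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.10 PROTO=TCP SPT=3345 DPT=21 SYN
May 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.11 PROTO=TCP SPT=3346 DPT=21 SYN
May 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN
May 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.12 PROTO=TCP SPT=3347 DPT=21 SYN
May 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.13 PROTO=TCP SPT=3348 DPT=21 SYN
May 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.14 PROTO=TCP SPT=3349 DPT=21 SYN
May 10 12:00:04 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.15 PROTO=TCP SPT=3350 DPT=21 SYN
May 10 12:00:10 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5000 DPT=21 SYN
May 10 12:00:10 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5001 DPT=22 SYN
May 10 12:00:10 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5002 DPT=23 SYN
May 10 12:00:11 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5003 DPT=25 SYN
May 10 12:00:11 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5004 DPT=53 SYN
May 10 12:00:11 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5005 DPT=79 SYN
May 10 12:00:12 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5006 DPT=110 SYN
May 10 12:00:12 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5007 DPT=111 SYN
May 10 12:00:12 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5008 DPT=143 SYN
May 10 12:00:13 gw kernel: IN=eth0 OUT= SRC=10.9.8.8 DST=192.0.2.20 PROTO=TCP SPT=5009 DPT=515 SYN
May 10 12:05:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
"""

# Syslog timestamp, host, then the netfilter key=value fields we care about.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2001):
    """Return a dict for one log line, or None if it is not a firewall hit.
    Syslog lines carry no year, so the caller supplies one (assumed here)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def find_scanners(lines, window=timedelta(minutes=5),
                  host_threshold=5, port_threshold=10):
    """Map each scanning source address to a one-line description of why it was flagged.

    A source is flagged when, within `window`, it touches at least `host_threshold`
    distinct hosts on one port (horizontal sweep) or at least `port_threshold`
    distinct ports on one host (vertical scan). The first matching window wins."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until every event in it is within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts_per_port = defaultdict(set)
            ports_per_host = defaultdict(set)
            for e in evs[start:end + 1]:
                hosts_per_port[e["dpt"]].add(e["dst"])
                ports_per_host[e["dst"]].add(e["dpt"])
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold and src not in findings:
                    findings[src] = f"horizontal sweep of port {port} across {len(hosts)} hosts"
            for host, ports in ports_per_host.items():
                if len(ports) >= port_threshold and src not in findings:
                    findings[src] = f"vertical scan of {len(ports)} ports on {host}"
    return findings


if __name__ == "__main__":
    for src, why in sorted(find_scanners(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {why}")
```

The output of `find_scanners` is the list you would hand to a block rule or an abuse report, which is the part of the post's idea that stays entirely on your own side of the wire; the thresholds are deliberately conservative so that a single client opening a few connections, as 198.51.100.4 does here, is never reported.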
I wrote one of these last week, after reading the homepage source.
It's just a vbs script that essentially changes the default Windows action for a number of script file types to be 'edit' instead of 'open'. This mostly stops all those email-attachment clickers from running code indiscriminately.
I contemplated adding the next step, of accessing the address book and forwarding itself onwards, in the hopes that anybody still silly enough to execute script files via email will commit the final necessary act to stop this from happening again.
In the end, I decided not to distribute this because of its potential for jamming up mail servers and generally causing a nuisance for people who already know better and don't allow Outlook to execute such code in the first place.
Les
If I had a DeLorean... I would probably only drive it from time to time.