Slashdot Mirror
Fight Virus With Virus?
Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submittor raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?
FYI, I have a normally reliable Cisco 675 router that Was repeatedly being infected with Code Red, requiring a reboot each time. Here's the easy fix:e d-worm-pub.shtml for more, and check your ISP's web site for the actual patch.
1) From the "cbos#" prompt*, input the command "set web disabled". I think you'll have to follow that up with the "write" command. That shuts off the router admin web-interface. If you really must have that interface, you can change the port instead.
2) Upgrade the CBOS to version 2.4.1. See http://www.cisco.com/warp/public/707/cisco-code-r
Hope that helps...
*Note: to get to the "cbos#" prompt, input the command "enabled" at the "cbos>" prompt.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
The problem -- as many knowledgeable folks have already reported -- is that admins are reluctant to update production servers, because of the fact that such updates can and do break those systems.
Do you really want to rely on Microsoft's updates to be reliable and correct? Updates are best installed on test servers and then migrated to production systems. The fact is that once an exploit is discovered, it typically takes several months for destructive software to be released that takes advantage of the export. Code Red came out much quicker and that has caused many of the problems we are witnessing.
www.timcoleman.com is a total waste of your time. Never go there.
I would like to point out that many if not most of the machines that are still being infected by the Code Red worms are operated by users who are not even aware that they are running IIS.
Case in point, my roommate bought a Dell Dimension L700cx with Windows 2000 about 6 months ago. He was surprized when I showed him that his machine is running IIS and serving the default web page on port 80. This person did nothing to install or activate IIS, the machine was shipped with that configuration.
I think this fact is important to keep in mind when trying to understand why so many machines remain vulnerable to the IIS attack.
PS: We run our LAN behind a firewall that denies port 80, so my friend's machine was not infected.
The Cheese Worm seems to constitute exactly what you want. Cheese actually sought out Linux hosts infected by the Lion worm and removes any backdoor root shells from /etc/inetd.conf . Some say the Cheese Worm constitutes the first hack-of-a-hack known.
Another first for Linux and Open Source software!
A K5 user has provided the source to a proposed code-red anti-virus, which actively repairs remote systems infected with the code red virus. The legal implications of this are a bis issue, but it's certainly an interesting code example.
--CTH
--Got Lists? | Top 95 Star Wars Line
from the bugtraq post:
To: BugTraq
Subject: Infection Notification
Date: Sun Aug 05 2001 10:50:22
Author:
Message-ID:
If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:
IP ADDRESS DATE/TIME WITH TIMEZONE
Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
---end bugtraq post---
-f
www.blackant.net
That seems a bit like overkill. There is an Everything2 node on this subject with some simpler PHP code samples, including (full disclosure) one by me.
Google cache because it looks like the original site has been remove.
I suppose that it would be possible to use the ISAPI filter vulnerability in IIS to get into a system and patch that very same vulnerability. Maybe someone who knows more about this can clarify.
-atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.
(which you can do manually right now with the worm-installed back door.)
Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.
this isn't original, a friend found it posted somewhere, but you can call up an internet explorer window with the cert advisory(or the patch for that matter)byt usung the root.exe file. like such: http://the.fckd.up.host/scripts/root.exe?/c+explor er+htt p://www.cert.org/advisories/CA-2001-23.html
this works great for cable/dsl users who might not even know they have a webserver running. kinda tough to ignore explorer windows poping up, even on a MS computer.
Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.
Now there is ethics and there is ethics. Here is a scenario that occurred once in Baltimore. A house thief hot-wired a car. He jammed the steering wheel all the way to the side and floored the gas. The car spun and made lots of noise. Meanwhile, the thief broke into people's houses (that is besides the point). Am I ethical if I jump into the moving car and turn it off ?
The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.
As another example, suppose my neighbor's house is burning and his 10 year old is screaming at the window, and he is not around. Am I ethical in breaking in to save his child ? In this case the answer is really clear.
In the case of machines compromised with CodeRedII, consider the capability for MASSIVE DDOS directed at anybody launchable by anybody. Those machines are tools to be used by anyone for any reason they like. They can be used as launching points for hacks on military sites. They can be used to snoop for passwords etc. If you go onto those machines and simply remove them from the network by shutting them down (in an orderly fashion), I think you could argue rather strongly that you are taking such action in the interest of public safety.
Ethics is rarely so cut and dried that one could claim that you should NEVER alter someone else's property.
Also affected are Cisco 678's.
i rus.html
See http://www.qwest.com/dsl/customerservice/coderedv
The virus nVIR A was propagating the macintosh world.(1990) Someone created a second nVIR B to counter attack the nVIR A, to replace A with itself.
:-(
There were bugs into nVIR B, making the computer part unusable. and the nVIR B could propagate on a computer which wasn't infected by nVIR A.
Not everybody was happy
bye
Guees that means if my machine gets hacked here I have to give it over to whomever hacked it.
I'm the big fish in the big pond bitch.
Colorado (for positive) and many other states have a "make my day" law. If someone breaks into your home you can automatically assume you are in danger of grevious bodily harm or death and can shoot dead on the spot.
09F911029D74E35BD84156C5635688C0
Jesus loves you, I think you suck
http://news.cnet.com/news/0-1003-200-594940 1.html
http://news.zdnet.co.uk/story/0,,s2086609, 00.html
http://www.infowar.com/iwftp/icn/17May200 1_New_wor m_patches_linux_vulnerabilities.shtml
http://www. securitynewsportal.com/article.php?sid= 437 .
.
Also interesting for history buffs is the Internet Worm of 1988 that shut down the internet!
http://world.std.com/~franl/worm.html
The solution is twofold.
A: Microsoft needs to release more secure OS/Web servers.
B: People need to patch their system themselves or take it off the net.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin