Slashdot Mirror


Fight Virus With Virus?

Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submitter raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?

22 of 697 comments

  1. Re:Its entirely possible by Shoten · · Score: 3, Interesting
    A case cannot be made for self-defense, and here is why.

    If you are in a dark alley somewhere, and there is one other person, and he draws a gun on you, indicates an intent to harm you, you have the right to use your weapon ONLY IF that is your last resort. And I won't even go into the notion of the "danger to life and limb" that is present in that scenario, but suffice it to say that generally speaking, you can do things you can't otherwise get away with if it's for the purpose of saving a life.

    When it comes to your web server, nobody's going to die if you get defaced, rooted, bent over, etc. It costs some money to fix, ok, but that does not give you carte blanche to break the law at a similar level. Keep in mind that nearly every law that outlaws hacking is based on "unauthorized access." It doesn't matter WHY you're doing it, just that you know you're not supposed to be there. And if you're basing your code upon a notorious worm...well...good luck trying to say "I didn't know!" :)

    Final point, you have other options. Keep up with your patches. Install IDS and watch the logs. Yes, this takes work, but so does writing a counter-worm every time a new worm comes out, and at least this way you can be protected BEFORE it hits, not after. And if all those Code Red-nailed boxen are knocking any of your systems offline, I gotta tell ya, you need to do something about your network, because as severe as the scanning is, I haven't heard from a single client who has actually had downtime from it.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  2. Re:This has already happened by Anonymous Coward · · Score: 1, Interesting

    One example of something similar is the "noped" virus, which scans for child pornography and then emails any suspect files to law enforcement authorities. A good description on the possible legal implications is located here http://www.infosecuritymag.com/digest/2001/05-31-01.shtml

  3. Re:The law's not on your side by acidrain · · Score: 2, Interesting

    What about just disabling the virus as a response to the scan? As Code Red boxes advertise themselves as infected and vulnerable, you don't need to probe the net for infected/vulnerable computers. Besides, releasing _any_ scan-and-infect worm on the net is a bad idea.

    Is automatically patching someone's box for them (as compared to infecting it) a valid form of self defence? I can't see being sued for it.

    If you wanted to go a little further overboard, you could install a defensive-response worm in response to an attack. It would only spread as far as the original infection and place minimal load on the net.

    --
    -- http://thegirlorthecar.com funny dating game for guys
  4. Old idea by Gruturo · · Score: 2, Interesting

    It already happened about 15 years ago or so... it was called "Vacsina" and actually cured 1701/Cascade, 1704/format and Jerusalem, if I recall correctly. It was even auto-updating: different vacsina versions would recognize each other and the most recent would overwrite the older. Sadly, a few "nasty" strains came out too....

    --

    Vacuum cleaners suck. Kings rule.
  5. Sircam autoresponse? by iabervon · · Score: 3, Interesting

    It might be possible to make a program that, given a sircam-infected file, would send something to the originator of the message. It could send a message with an attachment that looked for sircam, and, if it found it, removed it and installed the program. That way, it would take a sircam-infected machine and make it respond to future attacks by spreading to the originating machine but do nothing to anyone else.

    The message could even say that was what it was doing.

    "My advice is to run this script to remove the virus and to pass the information on to other people"

    This wouldn't really be a virus at all: the people receive it in response to a request for advice and it is something you actually think they should be running. It doesn't try to infect other machines, except by advising their users to use it; no more illegal than Norton responding to a download request with a program.

  6. Don't be a part of the problem by Speare · · Score: 4, Interesting

    Why do schools neglect an ethics curriculum?

    Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.

    If you're being hampered by Code Red hits, make a script to firewall off every infected computer for a day. Allow those firewalls to expire, and if they're still infected, they'll get blocked again.

    • "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
    Yeah, that means you. You're giving up liberty-- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.

    If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

    It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.

    --
    [ .sig file not found ]
    1. Re:Don't be a part of the problem by CharlieG · · Score: 5, Interesting
      You say:
      It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      The thing is they CAN seize you and force you to take medicine IF you are determined (usually by 2 doctors) to be a danger to yourself or others. Ever hear the term "Involuntary Commitment"?
      There ARE times when you are forced to do things.
      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    2. Re:Don't be a part of the problem by WNight · · Score: 3, Interesting

      I think it's YOUR ethics that are broken. Anyone who has to be *schooled* in ethics has already lost the battle.

      There are cases that it would be wrong to 'fix' someone's computer... If, for example, they ran a thriving business from it and you were being annoyed by a trojan that ran occasional port-scans, stopping their business by crashing their machine is unwarranted...

      But, in the case mentioned, a worm could be written which would seamlessly upgrade the affected computers, and close the backdoors permanently. Consider that these backdoors allow attackers (and very likely will be used by them) to control the machine for a DDoS, port-scanning, continued spreading of the infection, and with some of the later bugs, full access to the machine which would potentially allow all sorts of electronic theft. In this case, you're almost guilty by your inaction.

      The huge amount of damage that can be caused by each infected machine, both to the owner, and to the rest of the internet completely outweighs the owner's right to have their computer configured in a certain way.

      In many jurisdictions, inaction can be a crime. If, for instance, you see someone in mortal danger and you could have warned them, but didn't, you can often be charged with murder. (House on fire, you know someone's inside, but don't bother trying to alert them or call for help.)

      People like you really frighten me. You have a twisted sense of ethics and you want to force other people to be indoctrinated in them. Ugh.

    3. Re:Don't be a part of the problem by laertes · · Score: 2, Interesting
      It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      And this would be unethical how? By violating some inalienable right people have to carry disease? That's a new one. People who do not patch up their servers (or take medicines) are being negligent. If a person allows themselves to get sick, and they get other people sick, I would prefer that they get held responsible.

      Frankly, I'm getting sick of Code Red myself. I use DSL, and it crashes my modem, a lot. Nor can I write a little script; the modem needs a hard reboot. I don't even use Windows, and those irresponsible system administrators are costing me more than a little pain and grievance.

      The internet is a self-policing system. Since there are no formal channels to use to force people to upgrade their servers, this extreme course of action is being pursued.

      Why do schools neglect an ethics curriculum?

      Whose ethics do we teach? Yours?

      --

      Yes, I'm still a junky. Are you still a bitch?
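Speare's suggestion in post 6 (firewall off each probing host for a day, let the block expire, and re-block it only if it is still infected) written out as an added example; this is not code from the thread or from any poster. It assumes Apache combined-format access logs and the request paths the thread names elsewhere (default.ida, /scripts/root.exe, the /c and /d virtual drive paths); the log lines are constructed, and the iptables commands are produced as a dry run.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format entries, not real traffic. Two hits from
# 10.0.0.5 fall inside one block window; a third arrives after it has expired.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:10:01:13 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 283 "-" "-"
10.0.0.9 - - [04/Aug/2001:10:02:40 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.5 - - [04/Aug/2001:12:15:00 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 283 "-" "-"
10.0.0.7 - - [04/Aug/2001:13:00:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
10.0.0.5 - - [05/Aug/2001:11:30:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Request paths the thread ties to Code Red / Code Red II: the .ida overflow
# probe, the root.exe backdoor, and the virtual /c and /d drive mappings.
PROBE_PATTERNS = (
    re.compile(r"^/default\.ida\?", re.I),
    re.compile(r"^/scripts/root\.exe\?", re.I),
    re.compile(r"^/[cd]/winnt/system32/cmd\.exe\?", re.I),
)

def parse_line(line):
    """Return (ip, timestamp, path) for one combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def is_code_red_probe(path):
    return any(p.match(path) for p in PROBE_PATTERNS)

def build_block_schedule(log_text, block_hours=24):
    """One (ip, start, end) entry per source per window. A host that is already
    blocked gets no extension; after expiry it is blocked again only if it is
    still probing, which is the expire-and-reblock cycle from the post."""
    active = {}        # ip -> expiry of its current block
    schedule = []
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    for ip, ts, path in sorted(events, key=lambda e: e[1]):
        if not is_code_red_probe(path):
            continue
        if ip in active and ts < active[ip]:
            continue                   # still inside the current block window
        end = ts + timedelta(hours=block_hours)
        active[ip] = end
        schedule.append((ip, ts, end))
    return schedule

def is_blocked(schedule, ip, now):
    return any(b_ip == ip and start <= now < end for b_ip, start, end in schedule)

def firewall_commands(schedule):
    """Dry-run iptables rules for port 80; enforcing expiry needs a matching
    delete (-D) of each rule when its block's end time passes."""
    return ["iptables -I INPUT -s %s -p tcp --dport 80 -j DROP" % ip
            for ip, _, _ in schedule]

if __name__ == "__main__":
    for ip, start, end in build_block_schedule(SAMPLE_LOG):
        print("block %-9s %s -> %s" % (ip, start.isoformat(), end.isoformat()))
```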
  7. This reminds me of the Fish Virus.... by AhNewBis · · Score: 2, Interesting

    The Fish virus, IIRC, would remove the Stoned/Michelangelo virus if it was found, and then infect the machine itself.

    Further info about the virus is found here from Data Fellows' virus database.

  8. Re:A K5 USer has published an anti-CodeRed virus by BigBlockMopar · · Score: 4, Interesting

    The legal implications of this are a big issue, but it's certainly an interesting code example.

    Yeah, it's a great idea. It would be wonderful to see someone do it, but at the same time, if you did, you're as bad as the virus writers, since this would propagate everywhere and make changes on their systems without their consent.

    For me to even academically consider such a virus, it would also have to automatically e-mail the (l)user whose machine has just been patched, and state "You are an idiot. You've been negligent in the maintenance of your webserver. A benevolent UNIX/Linux geek wrote a virus which propagates by the same method as Code Red and it has now fixed this vulnerability on your machine. To learn about real webservers, go to www.apache.org."

    But based on what I'm seeing from the description (I haven't unzipped/untarred it yet), I suspect it's more along the lines of what I've been wanting to do. If I get a request from an IIS-infected machine, why not have it force a reboot of that machine? Through the negligence of the system's owner, it attacked me. Why can't I merely force a reboot, clear the virus from the memory, and hopefully alert the imbecile involved that he's got a problem?

    Take a look at my webserver log (link from my sig). I seem to be getting hit by the same IIS-infected hosts over and over. I'm sure the IIS-infected machines are getting hit by the same other machines over and over. If I were to force a reboot of those machines which attempt to infect my Apache server, then they'd promptly be reinfected, and since Code Red II scans within a tighter range of IP addresses, I'd probably take that machine down again. Of course, the cycle would repeat, and infected machines where I'm within their scanning range would be coming up and going down all day. Surely the owner would eventually realize something was wrong?

    I'd love to do this, but I still don't like the legal implications. Stealing a car to prevent someone driving while drunk is still illegal, and this is a lot less clear-cut.

    --
    Fire and Meat. Yummy.
  9. Already been done by Xeger · · Score: 4, Interesting

    I thought of doing this a few days ago and I started coding. I got as far as a script to automatically reboot attacking machines, to help slow the spread of Code Red.

    I had begun work on a worm called Code Blue that would infect Code Red machines and clean them of Code Red. This kind of work is very laborious since it involves writing Intel assembly code that uses the Win32 API and runs in a Windows environment.

    Before I could finish, my best friend (who is a security consultant) informed me that somebody has already done this. There is a perl CGI script going around that you can put into your root directory and name "default.ida" so that infected machines will cause it to execute.

    The script connects to the IP of the attacking machine, uses the Code Red II backdoor to clean the system of trojanned files. Then it uses the very same buffer overflow exploit used by Code Red to send a binary to the server that patches IIS, removes Code Red-related registry entries and reboots the machine.

    1. Re:Already been done by startled · · Score: 4, Interesting

      2 things.
      1. Where's the script?
      2. Shouldn't it be modified to install itself? Otherwise, it'll get drastically outpaced.

      Note: yeah, yeah, ethics and so on. Disclaimer, and another one.

  10. Re:Preferable method by Snowfox · · Score: 1, Interesting

    I'd rather it used the IIS log file to try to spread itself to every system that had tried to infect it, then executed a

    %windir%\System32\rundll32.exe user32.dll,exitwindows

    (which you can do manually right now with the worm-installed back door.)

    Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.

    p.s. - if you're gonna mod it - mod it as funny. In the real world, this is what we call a capital Bad Idea.

  11. Re:Its entirely possible by famillionaire · · Score: 1, Interesting

    I'm going to insult the next person who mods me up too, and hopefully we'll start a cool new Slashdot trend.

  12. I've done some of this by RobertGraham · · Score: 4, Interesting
    I created a program that automatically checked for the backdoor upon receipt of a /default.ida attack (/scripts/root.exe?). It didn't work: the CodeRedII worm is DoSing itself - after enough reinfections, the server stops being able to respond with requests.

    As a more casual defense, I've written stuff that causes the worm to hang in its receive function: http://robertgraham.com/tools/deredoc. It's kind of fun, I've got hundreds of worm threads waiting for me to respond back to them.

    You can create benign anti-worms. You can set up a worm to only counterattack when attacked itself. Such a worm would not bother innocents, and would only spread to infected systems, cleaning as it went. In other words, it wouldn't be 'scanning' -- it only responds upstream to infected systems. There are two problems to that approach: the first is that CodeRedII DoSes itself, so the systems cannot be exploited, either with the .ida attack or the backdoor. The second problem is that a heck of a lot of these systems are behind firewalls, and you cannot directly contact them on port 80 (CodeRedII has been extremely effective about worming its way around firewalls).

    You can evade legal constraints. Post the source of your anti-worm to Usenet as an example how an anti-worm is constructed. This is legal free-speech -- as long as you don't encourage others to run it.

    CodeRedII is raging inside corporations. It would be extremely ethical to put something on your own machine to help stop it. One example would be a script (CGI, PERL, PHP, ASP) named /default.ida on your system that did something like "/scripts/root.exe?/c+net+stop+w3svc" back at the attacker.

  13. Re:You could do that, but don't! by bughunter · · Score: 3, Interesting
    Yes, that appears to be the prevalent ethical standard.

    But I think people are overlooking a more ominous repercussion, technically and ethically: Setting a precedent. If the precedent were set that it's OK to loose countercode upon the world, think of what might result.

    In other words, if counterviruses and antiworms became commonplace, it would turn the internet into one big war zone for autonomous code. And I can't even imagine what might result if an arms race broke out in that contest, though I expect some of its fruits would be quite frightening. I've already drawn the analogy to Core War in a previous thread.

    --
    I can see the fnords!
  14. Re:That's the worst idea I've ever heard by cburley · · Score: 2, Interesting
    the principle of not fighting fire with fire is still reasonable

    Are you unaware that firefighters often do use fire to fight fire?

    (They burn away strips of forest to prevent a forest fire from being able to cross the strips and attack, say, neighborhoods.)

    I think your comment in the next paragraph is right, though, because it illustrates the weakness of the forest-fire analogy.

    In particular, while fighting viruses on the Internet today might be more like fighting a forest fire -- in that the trees are not "smart" at fighting fires, you want to save as many as reasonably possible, yet you're not averse to burning a few more down yourself to avert a larger disaster -- the overall goal should be to convince Internet sysadmins to do for their systems what homeowners and business owners have, over the centuries been encouraged to do: be the first line of defense against fires starting, or offense against fires spreading, etc.

    (Think of elements of "progress" here -- new homes likely have smoke alarms, people are strongly encouraged to report fires quickly, flammable materials are less widely used, buildings are designed for quick exit in the event of fire.)

    Until the Internet resembles something more like today's upscale suburban neighborhood (in its security against fires) than a dry, dense forest, I suggest that fighting fire with fire does have utility, if thoughtfully (rather than arbitrarily) applied by experts.

    --
    Practice random senselessness and act kind of beautiful.
  15. Re:Preferable method by jspaleta · · Score: 2, Interesting
    I wonder what the legality of this is? Having the infected system which is attacking you power down is not viral, and actually sounds like a very good disarming mechanism. In legal terms this seems like a very clear "self-defense" action aimed exclusively at stopping the illegal trespass. It's sort of like having tire spike strips in your parking lot to prevent people from coming in the wrong way.

    You are allowed a certain modicum of property damage when acting in self-defence. How much damage you can do to the violator is subjective and depends on the threat being presented to you and your property. I don't see how a non-invasive shutdown of the attacking system is out-of-line considering the threat to your computer system and to the larger community a virus represents.

    It's true that the polite thing to do is to just email the offending system's maintainer, but in situations where a virus has a potential to cause large material harm (I'm thinking virus infected machines as trojaned DoS zombies, or mail server clogging because of the virus spawned emails) you could argue that forcing an attacking infected server to shutdown is a legit self-defense action to prevent your own property damage. -jef

  16. Re:Because... by Anonymous Coward · · Score: 1, Interesting
    Ohh, I disagree.

    Most all of these virii/worms that have come out are child's play to a decent programmer.

    It really comes down to the ethics of it. I've even offered to my company that if they back me legally, I'll do it with the next one for the publicity.

    Obviously, this is not proper motive.

    It certainly can be argued however, given the virulence of Code Red and the new strains on new exploits that have been inspired, it may eventually be the only way to rid the net of it.

    You can say, sure let them disinfect their own boxes, but what about when it kills bandwidth? It may have been very localized this time, but wait till next time.

    Putting a server on the net is accepting responsibility for it. Unfortunately, a lot of admins either don't see it that way, or are incompetent.

    What we need is a body that examines, approves, and introduces counter measures.

    Microsoft for example, could include in the license agreements for the next outlook an agreement to allow MS to apply counter measures.

    For this to really be effective though, we need a more global solution.

  17. Its entirely possible by baptiste · · Score: 5, Interesting
    CodeRed II leaves a huge hole - the virtual C and D drives so even if they remove the root.exe file, as long as the explorer.exe is infected, you can access any file via /c or /d in your GET request (ie /c/winnt/system32/cmd.exe?any cmd you want)

    I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

    Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?

    1. Re:Its entirely possible by Anonymous Coward · · Score: 1, Interesting

      They would need about 50 lawyers to cover every area of law that is discussed on these boards.