Slashdot Mirror
Fight Virus With Virus?
Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submittor raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?
Why do schools neglect an ethics curriculum?
Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.
If you're being hampered by Code Red hits, make a script to firewall off every infected computer for a day. Allow those firewalls to expire, and if they're still infected, they'll get blocked again.
- "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
Yeah, that means you. You're giving up liberty-- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to sieze the unwitting victim and force the medicine into their bodies.
It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.
[
The legal implications of this are a bis issue, but it's certainly an interesting code example.
Yeah, it's a great idea. It would be wonderful to see someone do it, but at the same time, if you did, you're as bad as the virus writers, since this would propagate everywhere and make changes on their systems without their consent.
For me to even academically consider such a virus, it would also have to have automatically e-mail the (l)user whose machine has just been patched, and state "You are an idiot. You've been negligent in the maintenance of your webserver. A benevolent UNIX/Linux geek wrote a virus which propagates by the same method as Code Red and it has now fixed this vulnerability on your machine. To learn about real webservers, go to www.apache.org."
But based on what I'm seeing from the description (I haven't unzipped/untarred it yet), I suspect it's more along the lines of what I've been wanting to do. If I get a request from a IIS-infected machine, why not have it force a reboot of that machine? Through the negligence of the system's owner, it attacked me. Why can't I merely force a reboot, clear the virus from the memory, and hopefully alert the imbecile involved that he's got a problem?
Take a look at my webserver log (link from my sig). I seem to be getting hit by the same IIS-infected hosts over and over. I'm sure the IIS-infected machines are getting hit by the same other machines over and over. If I were to force a reboot of those machines which attempt to infect my Apache server, then they'd promptly be reinfected, and since Code Red II scans within a tighter range of IP addresses, I'd probably take that machine down again. Of course, the cycle would repeat, and infected machines where I'm within their scanning range would be coming up and going down all day. Surely the owner would eventually realize something was wrong?
I'd love to do this, but I still don't like the legal implications. Stealing a car to prevent someone driving while drunk is still illegal, and this is a lot less clear-cut.
Fire and Meat. Yummy.
I thought of doing this a few days ago and I started coding. I got as far as a script to automatically reboot attacking machines, to help slow the spread of Code Red.
I had begun work on a worm called Code Blue that would infect Code Red machines and clean them of Code Red. This kind of work is very laborious since it involves writing Intel assembly code that uses the Win32 API and runs in a Windows environment.
Before I could finish, my best friend (who is a security consultant) informed me that somebody has already done this. There is a perl CGI script going around that you can put into your root directory and name "default.ida" so that infected machines will cause it to execute.
The script connects to the IP of the attacking machine, uses the Code Red II backdoor to clean the system of trojanned files. Then it uses the very same buffer overflow exploit used by Code Red to send a binary to the server that patches IIS, removes Code Red-related registry entries and reboots the machine.
As a more casual defense, I've written stuff that causes the worm to hang in its receive function: http://robertgraham.com/tools/deredoc. It's kind fun, I've got hundreds of worm threads waiting for me to respond back to them.
You can create benign anti-worms. You can setup a worm to only counterattack when attacked itself. Such a worm would not bother innocents, and would only spread to infected systems, cleaning as it went. In other words, it wouldn't be 'scanning' -- it only responds upstream to infected systems. There are two problems to that approach: the first is that CodeRedII self-DoS itself, so the systems cannot be exploited, either with the .ida attack or the backdoor. The second problem is that a heck of a lot of these systems are behind firewalls, and you cannot directly contact them on port 80 (CodeRedII has been extremely effective about worming its way around firewalls).
You can evade legal constraints. Post the source of your anti-worm to Usenet as an example how an anti-worm is constructed. This is legal free-speech -- as long as you don't encourage others to run it.
CodeRedII is raging inside corporations. It would be extremely ethical to put something on your own machine to help stop it. One example would be a script (CGI, PERL, PHP, ASP) named /default.ida on your system that did something like "/scripts/root.exe?/c+net+stop+w3svc" back at the attacker.
I'm sure folks will scream its illegal and it probably is - but can't a case be made for 'self defense' I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?
Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?
Top Most Bizarre/Disturbing Error Messages