Slashdot Mirror


Fight Virus With Virus?

Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submittor raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?

174 of 697 comments

  1. Re:Don't be a part of the problem - Cisco fix by Koda · · Score: 2, Informative

    FYI, I have a normally reliable Cisco 675 router that was repeatedly being infected with Code Red, requiring a reboot each time. Here's the easy fix:
    1) From the "cbos#" prompt*, input the command "set web disabled". I think you'll have to follow that up with the "write" command. That shuts off the router admin web-interface. If you really must have that interface, you can change the port instead.
    2) Upgrade the CBOS to version 2.4.1. See http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml for more, and check your ISP's web site for the actual patch.

    Hope that helps...

    *Note: to get to the "cbos#" prompt, input the command "enabled" at the "cbos>" prompt.

  2. Re:You'd spawn a war that hasn't escalated so far by SirSlud · · Score: 2

    This is like saying that a certain amount of rape is inevitable, so lay back and enjoy it.

    No, it's like saying a certain amount of rape does not justify raping the rapists (otherwise we could just allow rapists-to-be to get their jones off raping rapists (of their gender preference of course)). I realize that sometimes we are stuck between a rock and a hard place when dealing with miscreants, but the power to commit acts deemed illegal at the behest of authority leads to corruption - family and friends of those in charge of supervising the counter-rapes would no doubt get first shot, rape harder than the rapist did, longer .. more violently .. pick your poison, but eye-for-eye almost always leads to revenge worse than the original crime, even if it is in the name of authority.

    I support community action more than the average individual, but there is a very important distinction here: community action is only warranted when the action is to stem abuse and corruption AND the adversary does not make themselves available to a dialog; and even THEN, only if they refuse to acknowledge that a large enough opposition to their behaviour or ideals should result in change.

    I do NOT support community action to fight violence. Why? People are not responsible enough to recognize the difference between revenge and problem resolution. When it comes to the moment when you're smashing the bat over some dissident's head, you're probably not thinking about whether or not said dissident will continue their actions (in this case, continue writing bad viruses), but rather how much the dissident had this coming to them. And since you've lost sight of the goal, no resolution is likely to come from it. Same goes with white hat viruses .. sure, some of the viruses will help fight malicious ones, but after a while, it will be difficult to tell just who the white and black hats are. Never mind that the popularization of viruses for the cause of 'good' will start masquerading about for various personal causes; i.e., the 'good' virus that only attacks 'hell-bound' porn sites, or 'good' viruses that only attack sites which endorse gay rights. (Well, of course, these types of attacks and viruses already exist, but legitimizing the distribution of viruses would only allow these authors to claim they are writing 'good' viruses.)

    All this is notwithstanding the fact that you'd raise awareness of how to write viruses (I'd imagine you could easily publish a book "How to get into an IIS server, and spread .. for good."), nor figure in the cost of 'good' viruses written improperly, and subsequently causing as much damage as the 'bad' viruses they seek to purge.

    Unfortunately, mentalities like yours seem to prevail. People lack the tolerance and foresight to see that sometimes the eye-for-eye cure, no matter how self-satisfying, can cause the problem to reach levels of magnitude far beyond that which it would have reached had resolutions been sought IN OTHER WAYS.

    Incidentally, there is someone on our street with cracked windows. Despite this, everyone else seems content to continue to take pride in the appearance of their dwelling; the lawns are mowed, and the flower beds are gorgeous. If the motivation for behaviour was whatever the lowest common denominator was, we'd have never gotten out of the stone age. I should hope that the sole motivator for maintaining some sense of responsibility, dignity, and self-control is not that others HAVE to do it too. I could list hundreds of examples, from jaywalking to litter, in which the only reason they haven't reached catastrophic levels is because SOME people take it upon themselves not to contribute to the problem, even if there is little chance of being punished or caught. Even if littering and jaywalking were legal, I'm positive a significant portion of the population would continue respecting others' environment and traffic flow.

    And please notice I never once suggested we 'lay back and enjoy it', although I suppose drawing judgemental conclusions out of posts has long since become a /. tradition. I'm just saying, there are other ways to fight viruses .. such as forcing a certain software maker to fix the pieces of swiss cheese they call web servers and mail clients, or condemning friends and family for not practicing caution when being online.

    --
    "Old man yells at systemd"
  3. Re:It's entirely possible by Tassach · · Score: 3, Informative
    Plus, lawyers have to be careful about what they say in a forum like this -- a lawyer cannot give "official" legal advice to someone who is not his or her client. This is why any legitimate law-related web site has a disclaimer like "this is not to be construed as legal advice".

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  4. Best friendly virus that does no harm: by tcc · · Score: 2

    My approach would be educate in a real-world situation. If someone has too much time on his hands and wants to do this, well here's a suggestion:

    Lock the screen in black, disable ctrl-alt-delete on any OS, and type this a bit below average reading speed in white:

    "Boo... I'm a virus, you know what you did was really dumb?... You're lucky this time, you will lose no data, I won't send anything critical by email without your knowledge, and your operating system will stay intact... in exchange you'll have to bear with this message for a few minutes.

    Clicking on attachments in your email when you don't even know where it comes from = Stupid.

    Clicking on attachments of which you don't even know the extension = Dumb.

    Opening a file that you don't know about in your [download] directory = Asking for trouble

    Did you know that running an operating system without updated antivirus file, or without antivirus at all is bad when you're a rookie? (you ARE a rookie since you are reading this, please don't consider yourself bright or IT-man 2001 because if you ARE actually working in IT, you're even dumber than a rock, reason #1? a rock wouldn't catch this virus)

    If you typed CTRL-ALT-DELETE anytime while this was displayed, you deserve to be wiped and bitchslapped you selfish log, if you don't care about the damages you can get, think about the damages you can create by spreading your stupidity?

    Now find a way to remove me, else I'm gonna repeat this every xx minutes, and in the end, I might actually end up doing something bad.

    Regards, retard!"

    howzat? :)

    --
    --- Metamoderating abusive downgraders since my 300th post.
  5. works until.... by metalhed77 · · Score: 2, Insightful

    you have about 600 anti-virus viruses on your server you don't know about some of which were poorly written leaving the admin to weed out the cpu hogging, mem leaking, anti-virus viruses.

    --
    Photos.
    1. Re:works until.... by WNight · · Score: 2

      Better the admin has to reinstall the OS (trust me, MS admins are GOOD at that!) after it becomes slow and boggy from too many patches, than after some kiddy r00ts it, DDoSes with it, and formats the drive, taking out any data they might have had on it.

      After all, either way they've got to clean up, the easiest way to clean an MS system from an unknown problem is to reinstall and download all the updates. One way they do it because the machine is a bit slow or unstable, run of the mill for a windows server, the other way they do it after contributing to potentially millions of dollars of 'damages' (usually lost sales) at some target site.

  6. Re:It's entirely possible by Shoten · · Score: 3, Interesting
    A case cannot be made for self-defense, and here is why.

    If you are in a dark alley somewhere, and there is one other person, and he draws a gun on you, indicates an intent to harm you, you have the right to use your weapon ONLY IF that is your last resort. And I won't even go into the notion of the "danger to life and limb" that is present in that scenario, but suffice it to say that generally speaking, you can do things you can't otherwise get away with if it's for the purpose of saving a life.

    When it comes to your web server, nobody's going to die if you get defaced, rooted, bent over, etc. It costs some money to fix, ok, but that does not give you carte blanche to break the law at a similar level. Keep in mind that nearly every law that outlaws hacking is based on "unauthorized access." It doesn't matter WHY you're doing it, just that you know you're not supposed to be there. And if you're basing your code upon a notorious worm...well...good luck trying to say "I didn't know!" :)

    Final point, you have other options. Keep up with your patches. Install IDS and watch the logs. Yes, this takes work, but so does writing a counter-worm every time a new worm comes out, and at least this way you can be protected BEFORE it hits, not after. And if all those Code Red-nailed boxen are knocking any of your systems offline, I gotta tell ya, you need to do something about your network, because as severe as the scanning is, I haven't heard from a single client who has actually had downtime from it.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  7. Re:The law's not on your side by acidrain · · Score: 2, Interesting

    What about just disabling the virus as a response to the scan? As Code Red boxes advertise themselves as infected and vulnerable, you don't need to probe the net for infected/vulnerable computers. Besides, releasing _any_ scan-and-infect worm on the net is a bad idea.

    Is automatically patching someone's box for them (as compared to infecting it) a valid form of self defence? I can't see being sued for it.

    If you wanted to go a little further overboard, you could install a defensive-response worm in response to an attack. It would only spread as far as the original infection and place minimal load on the net.

    --
    -- http://thegirlorthecar.com funny dating game for guys
  8. Re:Don't be a part of the problem by Ctrl-Z · · Score: 2, Informative

    The problem -- as many knowledgeable folks have already reported -- is that admins are reluctant to update production servers, because of the fact that such updates can and do break those systems.

    Do you really want to rely on Microsoft's updates to be reliable and correct? Updates are best installed on test servers and then migrated to production systems. The fact is that once an exploit is discovered, it typically takes several months for destructive software to be released that takes advantage of the exploit. Code Red came out much quicker and that has caused many of the problems we are witnessing.

    --
    www.timcoleman.com is a total waste of your time. Never go there.
  9. Re:IIS = Loaded Gun? by BigBlockMopar · · Score: 2

    Is it possible you accidentally left your sense of humour and response to irony in your other pants?

    He probably hates me because he's not circumcised. [grin] With my .sig, I get irrational stuff like that every now and then.

    --
    Fire and Meat. Yummy.
  10. Re:Citizen's Arrest by GreyPoopon · · Score: 2

    How about instead just writing a program that sends e-mail to the offending system every time it makes an attempt to infect your system. That way, you're only notifying them of the problem (each and every time it occurs), and they'll be obliged to do something about it before their e-mail logs fill up.

    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  11. Re:Don't be a part of the problem by blakestah · · Score: 2

    In other words, what you do may be ethical, that doesn't make it legal. Using the same methods as a virus to gain access to someone's computer is not legal. It doesn't matter if you are trying to defend against a virus, it's still illegal.

    Criminal law guarantees you a trial by your peers. It is not illegal if your peers will not convict you. Here is an example: I knew a fellow in San Francisco who got AIDS as a long-time drug user. He nearly withered away and died. He started smoking pot at the advice of his physician even though it was illegal at the time. He was arrested numerous times, but never convicted of smoking pot.

    You see, a jury of San Franciscans will NEVER convict someone with AIDS of smoking pot to boost their appetite. My friend gained a lot of weight and probably lived another 2 years as a result of pot smoking.

    In the case of CodeRed anti-virii, you would need to have a reasonable argument that your actions were justified as bettering society on the whole. If you don't think such an argument exists, I wouldn't recommend writing it :)

  12. Re:Don't be a part of the problem by blakestah · · Score: 2

    Your analogies aren't valid, because you're talking about cases where there is the threat of physical harm to an actual person. The Code Red virus is annoying, and it's causing major problems, but it's not going to kill anyone, and it's not going to permanently damage your system.

    I disagree. CodeRedII is going to permanently damage your system. It is the equivalent of AIDS for computers - it completely knocks out your defenses, but doesn't cause any harm itself.

    People with AIDS do not live very long. Neither will computers with CodeRedII. They are remote-rooted by anyone accessing the httpd port.

    Also, you neglect to make an analogy between financial harm and physical harm, perhaps on purpose. Both are justifiable legally.

    If you attack someone else's machine, then you're on exactly the same ethical level as the person who wrote the original virus.

    THAT is a flawed analogy. Whereas it may not be appropriate to kill someone for committing murder, using an anti-virus to shut off machines with CodeRedII is completely different. The machines are compromised and vulnerable.

    Imagine you are a business owner, and someone came along, opened the doors to your store, didn't take anything, and left. Are you trying to claim it would be illegal for me to close the door, and place me on the same level as the first person who opened the doors ?????

    If you do believe that, please put down the crack pipe and back away slowly.

  13. Many infected users don't know they're running IIS by fearlessfreddy · · Score: 2, Informative

    I would like to point out that many if not most of the machines that are still being infected by the Code Red worms are operated by users who are not even aware that they are running IIS.

    Case in point, my roommate bought a Dell Dimension L700cx with Windows 2000 about 6 months ago. He was surprised when I showed him that his machine is running IIS and serving the default web page on port 80. This person did nothing to install or activate IIS; the machine was shipped with that configuration.

    I think this fact is important to keep in mind when trying to understand why so many machines remain vulnerable to the IIS attack.

    PS: We run our LAN behind a firewall that denies port 80, so my friend's machine was not infected.

  14. Old idea by Gruturo · · Score: 2, Interesting

    It already happened about 15 years ago or so... it was called "Vacsina" and actually cured 1701/Cascade, 1704/format and Jerusalem, if I recall correctly. It was even auto-updating: different vacsina versions would recognize each other and the most recent would overwrite the older. Sadly, a few "nasty" strains came out too....

    --

    Vacuum cleaners suck. Kings rule.
  15. The Cheese Worm did this for Lion-infected hosts by Philbert+Desenex · · Score: 2, Informative

    The Cheese Worm seems to constitute exactly what you want. Cheese actually sought out Linux hosts infected by the Lion worm and removed any backdoor root shells from /etc/inetd.conf . Some say the Cheese Worm constitutes the first hack-of-a-hack known.

    Another first for Linux and Open Source software!

  16. Re:Don't be a part of the problem by Malcontent · · Score: 2

    Yes but you don't get to decide who is a "danger to yourself or others". A judge has to do that.

    --

    War is necrophilia.

  17. Re:Don't be a part of the problem by Frank+T.+Lofaro+Jr. · · Score: 2

    Ah, but we (as a society) do legally require people to get vaccinated, because doing so benefits society as a whole sufficiently to justify the slight loss of personal freedom

    Not so slight in the case of MMR vaccine which has caused much of the increase in autism cases lately.

    Getting back to computers, what about where the anti-virus-virus causes inadvertent damage to the system because it has an unusual configuration, different software, etc.? So instead of fixing the webserver, it utterly kills it. That could happen very easily if you binary patch even a slightly different version of the executable than you were expecting. Then what?

    --
    Just because it CAN be done, doesn't mean it should!
  18. Just 13 years behind the times... by iapetus · · Score: 5, Insightful

    The first such anti-virus virus, Den_Zuko, was discovered in 1988. Check out this article on VNUnet, which has more info on the history of such software and why it's a bad idea.

    More recently, the Linux.Cheese.Worm has done similar things for Linux users infected by the Linux.Lion.Worm.

    --
    ++ Say to Elrond "Hello.".
    Elrond says "No.". Elrond gives you some lunch.
    1. Re:Just 13 years behind the times... by Frank+T.+Lofaro+Jr. · · Score: 2

      We said it was free of VIRUSES, we never said it was free of worms. ;)

      --
      Just because it CAN be done, doesn't mean it should!
  19. Sircam autoresponse? by iabervon · · Score: 3, Interesting

    It might be possible to make a program that, given a sircam-infected file, would send something to the originator of the message. It could send a message with an attachment that looked for sircam, and, if it found it, removed it and installed the program. That way, it would take a sircam-infected machine and make it respond to future attacks by spreading to the originating machine but do nothing to anyone else.

    The message could even say that was what it was doing.

    "My advice is to run this script to remove the virus and to pass the information on to other people"

    This wouldn't really be a virus at all: the people receive it in response to a request for advice and it is something you actually think they should be running. It doesn't try to infect other machines, except by advising their users to use it; no more illegal than Norton responding to a download request with a program.

  20. Don't be a part of the problem by Speare · · Score: 4, Interesting

    Why do schools neglect an ethics curriculum?

    Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.

    If you're being hampered by Code Red hits, make a script to firewall off every infected computer for a day. Allow those firewalls to expire, and if they're still infected, they'll get blocked again.

    • "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
    Yeah, that means you. You're giving up liberty-- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.

    If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

    It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.

    --
    [ .sig file not found ]
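    The "firewall off every infected computer for a day, then let the block expire" approach described in this comment, together with the per-attempt notification idea from comment 10 above, as an added Python example. This is not code from any commenter or from Slashdot; it assumes a simplified log line format (source IP, ISO timestamp, quoted request line, status), assumes a GET for /default.ida with a long run of N or X filler characters as the probe pattern, and uses constructed sample log lines. Adjust both the line format and the pattern to whatever your own web server logs show.

    ```python
    import re
    from collections import Counter
    from datetime import datetime, timedelta

    # Constructed sample log lines (not real traffic). Three probes come from
    # 10.0.0.5 on two different days, one from 192.0.2.7, and one line is
    # malformed on purpose to show that the parser skips it.
    SAMPLE_LOG = """\
    10.0.0.5 2001-08-06T10:00:00 "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404
    10.0.0.9 2001-08-06T10:01:30 "GET /index.html HTTP/1.0" 200
    10.0.0.5 2001-08-06T10:02:00 "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404
    192.0.2.7 2001-08-06T11:00:00 "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404
    this line is garbage and should be skipped
    10.0.0.5 2001-08-07T12:00:00 "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404
    """

    # Assumed log line layout: ip, ISO timestamp, quoted request line, status code.
    LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<req>[^"]*)" (?P<status>\d+)$')
    # Assumed probe signature: GET /default.ida with a long run of N or X filler.
    PROBE_RE = re.compile(r'^GET /default\.ida\?[NX]{16,}')

    BLOCK_DURATION = timedelta(days=1)   # "firewall off ... for a day"


    def parse_line(line):
        """Return (ip, timestamp, request) for a well-formed line, else None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        return m.group("ip"), datetime.fromisoformat(m.group("ts")), m.group("req")


    def is_probe(request):
        """True if the request line matches the assumed Code Red probe pattern."""
        return PROBE_RE.match(request) is not None


    def process_log(log_text):
        """Walk the log in order and return (blocks, attempts).

        blocks   - list of (ip, start, expiry) firewall entries, one per new block;
                   a source that is still probing after its entry expired is
                   blocked again, which is the re-blocking the comment describes.
        attempts - Counter of probes per source IP; each probe is a point where a
                   notice to the source's operator could be generated.
        """
        active = {}          # ip -> expiry of the block currently in force
        blocks = []
        attempts = Counter()
        for line in log_text.splitlines():
            parsed = parse_line(line)
            if parsed is None:
                continue                      # skip malformed lines
            ip, ts, req = parsed
            if not is_probe(req):
                continue                      # ordinary traffic, ignore
            attempts[ip] += 1
            if ip in active and ts < active[ip]:
                continue                      # still blocked, no new entry
            expiry = ts + BLOCK_DURATION
            active[ip] = expiry
            blocks.append((ip, ts, expiry))
        return blocks, attempts


    def notification_text(ip, count):
        """Plain-language notice for the operator of a probing host."""
        return (f"Host {ip} has sent {count} Code Red style request(s) for "
                f"/default.ida to this server and appears to be infected. "
                f"Please patch and reboot it.")


    if __name__ == "__main__":
        blocks, attempts = process_log(SAMPLE_LOG)
        for ip, start, expiry in blocks:
            print(f"block {ip} from {start.isoformat()} until {expiry.isoformat()}")
        for ip, n in attempts.items():
            print(notification_text(ip, n))
    ```

    On the sample input this yields three block entries: 10.0.0.5 is blocked at its first probe, its second probe two minutes later creates no new entry, 192.0.2.7 gets its own entry, and 10.0.0.5 is blocked a second time when it probes again after the one-day entry has expired. The block tuples are deliberately left as plain data so they can be handed to whatever firewall or ACL mechanism you actually run; nothing here touches the remote host, which is the point of the comment.
    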
    1. Re:Don't be a part of the problem by Mr.+Slippery · · Score: 2
      Ethics is religion. Faith is not a Religion.

      No. Ethics is that branch of philosophy that deals with the question, "How shall we live our lives?" There are supernaturalistic theories of ethics (i.e., we should live our lives according to the dictates of some supernatural being), but there are also plenty of theories without a whit of religious belief - utilitarianism, existentialism, Kantian rationalism, and others.

      Applying these theories to the case of an anti-virus virus is left as an exercise for the reader.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    2. Re:Don't be a part of the problem by Frank+T.+Lofaro+Jr. · · Score: 2

      If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      Well with certain diseases, we DO force people to take medicine, even before they get the disease. FORCED immunizations. Do you agree that that is just as wrong?

      --
      Just because it CAN be done, doesn't mean it should!
    3. Re:Don't be a part of the problem by i0lanthe · · Score: 2
      I think you could argue rather strongly that you are taking such action in the interest of public safety.

      I think you could argue that rather strongly too, but I also think that the prosecution will make mincemeat of it unless you have a really good lawyer arguing rather strongly alongside you, in which case the prosecution will have to settle for making something less finely ground, such as Dinty Moore beef stew, of it.

      --
      "The Crystal Wind is the Storm, and the Storm is Data, and the Data is Life"
    4. Re:Don't be a part of the problem by trcooper · · Score: 2
      Ethics is all about the shades of grey between black and white. Legality however should have no shades of grey.

      Something may be ethical, but not legal, and vice versa. In this case, a white-hat worm would most certainly be illegal, because you are modifying someone's property without their consent, but to simply say it isn't ethical doesn't look at the whole picture.

      What has to be asked is: do people benefit more from your actions than the harm being caused? If this is so, you can ethically justify your actions. If by modifying one person's machine you prevent 50 from being infected, you're doing overall good, and while still outside the law, you are benefiting society.

      If a white-hat worm were to be released into the wild and become widespread and clean up Code Red's damage, I think it would spark a lot of conversation on the potential of other such worms and the regulation of them for their possible future and beneficial use.

    5. Re:Don't be a part of the problem by gad_zuki! · · Score: 2

      It is up to the infected party to take the medicine, and it would be unethical to sieze the unwitting victim and force the medicine into their bodies.

      A couple points:

      1. The infected party doesn't know they're infected. Kind of kills the analogy.

      2. Lots are cable modem users whose TOS does not let them run servers to begin with.

      3. They're causing a communal problem - excessive network lag. Why let the authority figures make all the decisions when you can just use the exploit to net send them a message telling them they're infected?

      If more people became part of the problem, we'd have a more informed group of users and tighter security.

    6. Re:Don't be a part of the problem by blakestah · · Score: 5, Informative

      Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.


      Now there is ethics and there is ethics. Here is a scenario that occurred once in Baltimore. A house thief hot-wired a car. He jammed the steering wheel all the way to the side and floored the gas. The car spun and made lots of noise. Meanwhile, the thief broke into people's houses (that is besides the point). Am I ethical if I jump into the moving car and turn it off ?

      The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.

      As another example, suppose my neighbor's house is burning and his 10 year old is screaming at the window, and he is not around. Am I ethical in breaking in to save his child ? In this case the answer is really clear.

      In the case of machines compromised with CodeRedII, consider the capability for MASSIVE DDOS directed at anybody launchable by anybody. Those machines are tools to be used by anyone for any reason they like. They can be used as launching points for hacks on military sites. They can be used to snoop for passwords etc. If you go onto those machines and simply remove them from the network by shutting them down (in an orderly fashion), I think you could argue rather strongly that you are taking such action in the interest of public safety.

      Ethics is rarely so cut and dried that one could claim that you should NEVER alter someone else's property.

    7. Re:Don't be a part of the problem by blakestah · · Score: 2

      What happens when the anti-virus you are running on someone's machine without their permission messes up and their machine stops running?

      You mean hypothetically my anti-virus stopped the 300 different threads on his machine that are attacking his Class A and Class B nets ?

      I would say that is EXACTLY the intention. These machines are not benign. They are screwing up net traffic.

      Worse yet, if ANYONE wanted, they could turn the machines into DDOS attacking machines focussed on a single target. Remember mafiaboy who shut down etrade and other .com sites with his DDOS ? Well, he had something like 150 machines at his disposal.

      This one is hitting something like 2 million machines. These machines need to be turned off, patched, whatever. Instead they just sit there attacking other machines.

      And again, if this came to a legal argument, there are other considerations.

      1) The admin ignored the security advisory by Microsoft two months ago.

      2) The admin ignored the CodeRed virus at the end of last month

      3) The admin ignored CodeRed this month, and CodeRedII this month.

      Basically, you have an admin who is either not monitoring or doesn't care about his server. This is not the signature of a mission critical admin - this is the signature of someone who doesn't know or doesn't care.

    8. Re:Don't be a part of the problem by Speare · · Score: 4, Insightful
      Ethics, sure. Morality, no. There's a difference.

      ethics:
      2. Being in accordance with the accepted principles of right and wrong that govern the conduct of a profession.

      moral:
      1. Of or concerned with the judgement of the goodness or badness of human action and character.

      You want an ethical lawyer, but not one who applies morality. You want an ethical doctor, but not one who judges your morality.

      Ethics is reflective, driving one's own behavior with respect for others. Morality is applied to others, and rarely implies respect for others.

      --
      [ .sig file not found ]
    9. Re:Don't be a part of the problem by IronChef · · Score: 3, Insightful

      Anyone who has to be *schooled* in ethics has already lost the battle.

      Arguably true, but the bigger issue is "what are correct ethics?" Some things nearly all people can agree on: it isn't ethical to copy someone else's work and pass it off as your own. But there are a lot of other ethics issues that will be very divisive. For example:

      "It is permissible to take a person's life if it is the only way to protect your life or the life of another."

      I have had many arguments with people who think that there is never, ever a reason to take a life, whereas I believe that self-defense is a fundamental human right. In the case of a divisive topic such as this, an "ethics class" is useless at best -- and brainwashing at worst.

      I think some kind of critical thinking training is a better idea. If you can think critically, you will develop your own ethical code.

    10. Re:Don't be a part of the problem by CharlieG · · Score: 5, Interesting
      You say:
      It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.


      The thing is they CAN seize you and force you to take medicine IF you are determined (usually by 2 doctors) to be a danger to yourself or others. Ever hear the term "Involuntary Commitment"?
      There ARE times when you are forced to do things
      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    11. Re:Don't be a part of the problem by startled · · Score: 2

      Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.

      By this logic, sending them an e-mail notifying them that their machine is infected is unethical. After all, I am causing a change in the state of their machine. "Oh, but they have an e-mail client running, they want e-mail." But they do not want spam; is spam unethical? They also have an http server running; which responses are ethical, which are not?

      And before you attack my analogies, let's look at this awful one:
      If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      Were people not quarantined for plague? If you have a contagious, deadly virus, they can force you into quarantine. Does that mean it's ethical for me to send something back that shuts off IIS, or turns off their computer? Not to mention, you can be forcibly treated for certain conditions if you pose an immediate threat to yourself and/or others; this is often invoked to treat mental illness. These boxes are certainly a threat to themselves and others-- what if someone decides to exploit this and do a DDoS? To you?

    12. Re:Don't be a part of the problem by CharlieG · · Score: 2

      I don't think it's a good idea, BUT, as I said, it CAN be done

      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    13. Re:Don't be a part of the problem by WNight · · Score: 3, Interesting

      I think it's YOUR ethics that are broken. Anyone who has to be *schooled* in ethics has already lost the battle.

      There are cases that it would be wrong to 'fix' someone's computer... If, for example, they ran a thriving business from it and you were being annoyed by a trojan that ran occasional port-scans, stopping their business by crashing their machine is unwarranted...

      But, in the case mentioned, a worm could be written which would seamlessly upgrade the affected computers, and close the backdoors permanently. Consider that these backdoors allow (and will very likely be used by) attackers to control the machine for a DDoS, port-scanning, continued spreading of the infection, and with some of the later bugs, full access to the machine which would potentially allow all sorts of electronic theft. In this case, you're almost guilty by your inaction.

      The huge amount of damage that can be caused by each infected machine, both to the owner, and to the rest of the internet completely outweighs the owner's right to have their computer configured in a certain way.

      In many jurisdictions, inaction can be a crime. If, for instance, you see someone in mortal danger and you could have warned them, but didn't, you can often be charged with murder. (House on fire, you know someone's inside, but don't bother trying to alert them or call for help.)

      People like you really frighten me. You have a twisted sense of ethics and you want to force other people to be indoctrinated in them. Ugh.

    14. Re:Don't be a part of the problem by Rinikusu · · Score: 4, Insightful

      Hell, I'd give even another example.

      When I was 4, I was in my apartment complex running around like a, well, screaming 4 year old. One of the residents (happened to be a RN) was watching me play with my brother and then called me over to him. He took a good look at me, grabbed my hand and took me to my apartment.

      "Your son has the measles. Take him to the doctor, now."

      There was a person, completely unrelated to me, who didn't even have kids whom I could "endanger" with my measles. Was he within his rights?

      The original poster must realize that an infected machine has already been compromised by an intruder. If you walk past an apartment and see someone has forced the door open and is ransacking it, do you continue walking by? Or do you yell at the thief? Call the Cops?

      Those "infected" machines are flooding the pipe that I'm paying for, so doesn't that make them some part of a "commons" that makes them part of everyone's responsibility?

      If my neighbor is playing his music too loudly, don't I have the right to knock on his door and say "Hey, turn that down, please?"

      If I'm being constantly probed by thousands of infected machines, my internet access greatly slowed down by all the garbage in the pipe, don't I have a right to find the owners and tell them "Hey, knock that shit off. Fix your damn machine, it's hurting everyone."

      Furthermore, to pick on another pet peeve of /., doesn't the consumption of bandwidth by infected machines remind one of the arguments *against* spam? "I pay for my access, I don't want to pay for spam." Twist that into "I pay for my access, I don't want to pay for some virus propagating at my expense..."

      Just some thoughts...

      --
      If you were me, you'd be good lookin'. - six string samurai
    15. Re:Don't be a part of the problem by isomeme · · Score: 2
      If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      Ah, but we (as a society) do legally require people to get vaccinated, because doing so benefits society as a whole sufficiently to justify the slight loss of personal freedom. Most people consider compulsory vaccination to be quite ethical. How does this differ from compulsory computer security measures?

      --
      When all you have is a hammer, everything looks like a skull.
    16. Re:Don't be a part of the problem by ptomblin · · Score: 2

      You're giving up liberty-- not yours, but theirs.

      So were the public health officials who dragged Typhoid Mary kicking and screaming out of the kitchens. By your reasoning, she should have been allowed to keep working.

      Even if I'm vaccinated against typhoid, I don't want a typhoid infected person handling my food.
      Even though I don't have a default.ida, I resent the fact that I had to double the number of httpds that I'm running in order to provide decent service to the people who are legitimately accessing my web server because of all the "GET /default.ida?XXXXXX...." going on.

      --
      The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    17. Re:Don't be a part of the problem by einhverfr · · Score: 2
      The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.

      Interesting analogy. This is not the same thing, IMO as creating self-replicating programs to combat a virus. I don't object to writing a script that would reply to the signature packets with a buffer overrun designed to reboot the server/shut down IIS, do an rdns query and email the admin of the domain with a form letter giving the IP address of the attacking machine. That is fine and along the lines of the analogy you are mentioning. But it is not the same thing as creating a self-replicating entity to automatically do this throughout the web.

      --

      LedgerSMB: Open source Accounting/ERP
    18. Re:Don't be a part of the problem by laertes · · Score: 2, Interesting
      It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

      And this would be unethical how? By violating some inalienable right people have to carry disease? That's a new one. People who do not patch up their servers (or take medicines) are being negligent. If a person allows themselves to get sick, and they get other people sick, I would prefer that they get held responsible.

      Frankly, I'm getting sick of Code Red myself. I use DSL, and it crashes my modem, a lot. Nor can I write a little script; the modem needs a hard reboot. I don't even use windows, and those irresponsible system administrators are costing me more than a little pain and grievance.

      The internet is a self-policing system. Since there are no formal channels to use to force people to upgrade their servers, this extreme course of action is being pursued.

      Why do schools neglect an ethics curriculum?

      Whose ethics do we teach? Yours?

      --

      Yes, I'm still a junky. Are you still a bitch?
    19. Re:Don't be a part of the problem by Malcontent · · Score: 2

      Your examples are not quite right.

      The thread is not about "telling them" it's about actually fixing the problem.
      Would you have wanted the neighbor to actually inoculate the child?

      Would you want your neighbor to enter your apartment and actually turn down your stereo?

      It's one thing to call the cops it's another to take the matter into your own hands.

      --

      War is necrophilia.

  21. How funny would this be... by Mustang+Matt · · Score: 2

    Find infected machines and popup a warning Window on each machine telling them they're infected.

    I don't agree with doing it whatsoever, but that would wake up a lot of sysadmins.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  22. Re:Its entirely possible by jgerman · · Score: 2
    Sure it is. I'm not saying that every case ends up like that, just that you cannot take for granted that you have a license to kill (or attack or whatever) in that situation.

    It's understandable in some ways. Say, for example, someone pulled you off the street into their home and shot you. It's your word against theirs that you didn't break in, and you're dead.

    --
    I'm the big fish in the big pond bitch.
  23. Re:You could do that, but don't! by isomeme · · Score: 3, Insightful
    In other words, if counterviruses and antiworms became commonplace, it would turn the internet into one big war zone for autonomous code. And I can't even imagine what might result if an arms race broke out in that contest, though I expect some of its fruits would be quite frightening. I've already drawn the analogy to Core War in a previous thread.

    ...A war which would have no direct effect on those practicing safe computing, and which would encourage everyone to join that group as quickly as possible. In a network of properly secured machines, both 'good' and 'bad' agents would starve.

    --
    When all you have is a hammer, everything looks like a skull.
  24. Possible? Yes, of course. by Tim+C · · Score: 4, Insightful

    A good idea? Absolutely not.

    Part of the problem with worms isn't just the malicious acts that they perpetrate, it's the bandwidth that they use.

    A particularly virulent worm can bring servers and routers to their knees just propagating itself. That's before it even gets the chance to do any of its intended damage. (Remember Melissa, or The Great Internet Worm?)

    Add to this very real concern the fact that striking back in this way, no matter the good intentions, is almost certainly illegal, and the whole idea is a definite no-no.

    (Yes, it does have a certain appeal - but so do many other things that are bad ideas, too)

    Cheers,

    Tim

    1. Re:Possible? Yes, of course. by startled · · Score: 3, Insightful

      How the fuck does this increase bandwidth use? I've seen several comments like this modded up; what am I missing?

      Good virus resides on your computer. Computer gets scanned; good virus cleans up offending computer, installs itself. Now, rather than sending out 300 requests at a time, the offending computer is sending out nothing, unless it is scanned as well.

  25. A K5 User has published an anti-CodeRed virus by hillct · · Score: 4, Informative

    A K5 user has provided the source to a proposed code-red anti-virus, which actively repairs remote systems infected with the code red virus. The legal implications of this are a big issue, but it's certainly an interesting code example.

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
    1. Re:A K5 User has published an anti-CodeRed virus by BigBlockMopar · · Score: 4, Interesting

      The legal implications of this are a big issue, but it's certainly an interesting code example.

      Yeah, it's a great idea. It would be wonderful to see someone do it, but at the same time, if you did, you're as bad as the virus writers, since this would propagate everywhere and make changes on their systems without their consent.

      For me to even academically consider such a virus, it would also have to automatically e-mail the (l)user whose machine has just been patched, and state "You are an idiot. You've been negligent in the maintenance of your webserver. A benevolent UNIX/Linux geek wrote a virus which propagates by the same method as Code Red and it has now fixed this vulnerability on your machine. To learn about real webservers, go to www.apache.org."

      But based on what I'm seeing from the description (I haven't unzipped/untarred it yet), I suspect it's more along the lines of what I've been wanting to do. If I get a request from an IIS-infected machine, why not have it force a reboot of that machine? Through the negligence of the system's owner, it attacked me. Why can't I merely force a reboot, clear the virus from the memory, and hopefully alert the imbecile involved that he's got a problem?

      Take a look at my webserver log (link from my sig). I seem to be getting hit by the same IIS-infected hosts over and over. I'm sure the IIS-infected machines are getting hit by the same other machines over and over. If I were to force a reboot of those machines which attempt to infect my Apache server, then they'd promptly be reinfected, and since Code Red II scans within a tighter range of IP addresses, I'd probably take that machine down again. Of course, the cycle would repeat, and infected machines where I'm within their scanning range would be coming up and going down all day. Surely the owner would eventually realize something was wrong?

      I'd love to do this, but I still don't like the legal implications. Stealing a car to prevent someone driving while drunk is still illegal, and this is a lot less clear-cut.

      --
      Fire and Meat. Yummy.
    2. Re:A K5 User has published an anti-CodeRed virus by prgammans · · Score: 2, Insightful

      As the infected server is requesting an action from your server by contacting you in the first place, you could say that this is an obvious request for you to fix their machine.

  26. Re:Its entirely possible by meldroc · · Score: 2

    Which is excellent justification for killing him, burying the body in some remote location, cleaning up the mess, and denying everything. ;)

    --

    Meldroc, Waster of Electrons
  27. Re:Source? by FatOldGoth · · Score: 2

    Hey, who said my Perl skills were anything other than sub-stellar? That's the nice thing about Perl - you don't have to be any damn good to write useful little bits of code. :)

    I'm trying to arrange for space on a relatively ./ proof server right now and should be able to post an easily hackable version of the script there soon. I'll post the URL when it's sorted.

    --

    I would be a paid subscriber if Taco and Hemos weren't such cunts
  28. Anti-Sircam Virus by zpengo · · Score: 5, Funny

    Why not take the Symantec Sircam cleanup utility, patch it to make it self-propagating, and then e-mail it out with the message "Hi there! I send you this because you're a stupid fscking idiot. :)"

    --


    Got Rhinos?
    1. Re:Anti-Sircam Virus by Lando · · Score: 2

      Actually, one of my customers received a message to this fact, he was automatically sent back a message saying that sircam had infected his system and the patch to fix it could be located at McAfee.

      A link was included and though my customer didn't understand the problem he called me and we had it fixed in a couple of minutes.

      Lando

      --
      /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  29. This has already happened by cnkeller · · Score: 4, Insightful
    A while ago (months?) someone had a "beneficial" virus, that was making the rounds and fixing security holes in Windows I believe. The name escapes me. The author (who publicly claimed responsibility) caught quite a bit of flak over it. Who knows what kind of hidden payload you're packaging in addition to the helpful features.

    Personally, I feel a virus is a virus, regardless if your intentions were good. You're not any better than the hundreds of losers out there creating this mess. If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.

    --

    there are no stupid questions, but there are a lot of inquisitive idiots

    1. Re:This has already happened by blair1q · · Score: 2
      I'm certain you don't know right from wrong, because you've defined your terms, and messed it up.

      "Illegal" is not the same as "wrong".
      "Legal" is not the same as "right".

      Police typically check locks on doors. They can and do enter property they find open and unoccupied, and they can and do lock those doors if possible and if they think it's a reasonable thing to do given the neighborhood (hint: the internet "neighborhood" is roughly every machine on it, and everyone, good or bad, lives right next door to you). A warrant merely franks the search into evidence.

      The fact that you don't like your neighbors is your problem. The rest of us will thank ours for looking out for us.

      What I'm discouraging is people trespassing on my system without my prior consent. If I want a patch (as in your case of buggy software), I'll initiate the transaction thank you. I don't want anything pushed to me.
      Then you might want to stop accepting unsolicited communications.

      You might be competent to download and apply a patch. But the network is full of incompetent or apathetic people, and their incompetence results in the ability of dangerous worms to propagate.

      Their computers are emanating viri and worms just as evilly as the computer that originally did it. If a bum who crawled in your open door and died was emitting a foul stench and bacteria that were wafting down the street infecting other houses, you can bet I and the local HazMat team would be, without a warrant or your permission, all over your door nailing it shut, and your puling cries of "trespassers!" wouldn't impress a jury.

      The problem is that the Internet hasn't got itself set up that way, and the real culprits, the ones who install and run buggy software on a public network, are not being prosecuted.

      --Blair
    2. Re:This has already happened by blair1q · · Score: 4, Insightful

      >Personally, I feel a virus is a virus, regardless if your intentions were good.

      It's probable that you don't understand the difference between right and wrong.

      Think of cops and robbers. We have bad guys with guns running around on the streets, and we have good guys with guns running around on the streets. Neither group is very bright, and both are liable to shoot you for pulling your wallet out too fast in a darkened doorway. Still, we know which group we're going to train and pay to protect us using their own judgment.

      A neighbor who checks and locks my door is far more neighborly than one who walks in, spray paints graffiti on my walls, craps on my carpet, leaves a dead rat hanging between the old coats in the closet, and says "oh, you have a security problem, you should get that fixed before someone does something bad to you".

      People who bought buggy software got ripped off, and you're discouraging conscientious software engineers from providing free, automatic service to those people, and preventing them from becoming unwitting dupes in spreading the bad viri around the world.

      But you shouldn't live in fear that this will become epidemic. People who do know right from wrong and who do choose to do right understand that doing right is often mistaken for doing wrong by people who don't know the difference, and our system of justice isn't based on right and wrong, it's based on perception, so they won't take the chance of being railroaded, Good Samaritan law or no.

      --Blair

    3. Re:This has already happened by dazed-n-confused · · Score: 2
      If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.
      Hi! How are you?

      This is the file with the information that you ask for.

      [SecurityHoleWarning.doc.exe]

      See you later. Thanks.
  30. Discussed before by egjertse · · Score: 2, Insightful
    This has been discussed before, among other places on Bugtraq. The concept has many flaws:
    • The morality aspect - you are "taking control" of someone else's hardware/software
    • The legal aspect - this still constitutes "cracking" as you have illegally gained access to a computer system that is not yours. Breaking into someone's house is not OK just because you only intended to do their dishes.
    • The practical aspect - the worst side effect of internet worms is not primarily damage done to the infected systems, but bandwidth consumed and resources depleted as a result of the worm spreading.
    I don't know of any real-life implementations of this (I somehow have the feeling I have heard of it, but it escapes me right now), but the concept has been debated at length during prior "worm attacks". There are probably many other reasons why this is not a good idea, but I think these are the most significant.
    1. Re:Discussed before by startled · · Score: 2

      The third one, the practical aspect, is completely false. If you only propagate and install the worm to systems that probe you, you are reducing bandwidth by preventing those systems from sending a gazillion requests.

      The first one, the morality aspect, is debatable. Many people would argue that cleansing their system of the virus is entirely ethical.

      The legal one is the only one that seems cut and dried. Even if default.ida was a program, and you're just responding to their request, it seems your intent is fairly obvious, and the courts would recognize that. So yeah, you'd probably get hauled off to jail.

  31. Why not? by Aerog · · Score: 2, Insightful

    I don't see how it could be a problem, I mean, logically only something like a DoS attack or the like can't be "undone". If it's a bug in the individual system then it should be able to be fixed. The problem arises with the media stigma of a virus.

    Now this just goes right back to the whole "but I thought a virus was bad" response that your typical user will tell you. For the most part, it could work wonderfully, but the big thing is, the only people who will need it are those who did not patch a system for the bug (since if they patched it, then the retrovirus (if you will) will not be able to use the same vulnerability). Those are most often the same people that opened 40 SirCam attachments even though they were warned ("But it came from my best friend!"). To these people, a virus is something to be afraid of, regardless of purpose. A virus is always a bad thing that will "break the computer" and we don't want to "break the computer" because we can't "fix the computer" <Cue ominous music>

    But then again, if these people are so oblivious as to how they're infected, then it just may work as long as the media doesn't blow it out of proportion again.

    --

    - Relativistic? That's barely Newtonian!
  32. Defense department research by Rimbo · · Score: 2

    Is this part of the problem?

    I have a friend who works for a company that's doing just this. They are funded by the government to write intelligent agents ("agents" in the sense of mobile code) for security purposes. So rather than merely setting up a firewall, the goal of this is to write software that can move from machine to machine, like a virus, and stomp out viruses, trojans, and fight off other attackers.

    Call it a white blood cell.

    So is developing a counter-virus, an antibody, a white blood cell being part of the problem? I don't think so. Once a computer's been hacked, it's already been hacked. It's already been violated. If you don't want people to write counter-viruses, for heaven's sake, don't let your computer get infected in the first place! Viruses are preventable.

  33. Re:Its entirely possible by jgerman · · Score: 2

    You'll find plenty of cases where a criminal harmed by a victim who was protecting himself has successfully sued for damages.

    --
    I'm the big fish in the big pond bitch.
  34. Re:So the solution would be... by Have+Blue · · Score: 2

    Although this is probably an urban legend, I have been told of someone to whom SirCam emailed Windows XP RC1. So yes it is theoretically possible ;)

  35. DirectTV hacked the hacker.... by FortKnox · · Score: 2

    Remember the DirectTV anti-hack on the hackers? Seems like this is the same idea. Anti-virus the virus...

    Hey, if it worked for DirectTV, it should work here...

    Actually, this may start a "best of the best" competition with virus writers. They'll come back with a virus to counteract the anti-virus, and on and on.... might be interesting...

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    1. Re:DirectTV hacked the hacker.... by Coq · · Score: 2, Insightful

      Ok, what direcTV did is not exactly the same. They were much nastier. also, the people who were affected by direcTV were not hosts to some virus. They were willing participants. An equivalent would be the DVD CCA putting out a virus to kill DeCSS. If a company like microsoft were to do something like this to viruses, it would only close the door for that virus. It wouldn't kill the machine, or write "Game Over" or anything fun like that. It also wouldn't close any other doors, as they would still be unknown. As far as an arms race goes, it would be no different than now. Except, now that I think about it...

      Virus writers would close the door they came in in advance and write in another door that would be extremely hard to find. The worm would still infect other machines, and it would be a very long time before the other back door kicks in. People would think the worm they got was a purposeful fix worm, when in actuality it only would be a matter of time before it became a zombie. Now that would be a smart virus. Of course, the hardest part would be giving the new back door the functionality needed while effectively hiding itself.

      --
      Information wants Coq
    2. Re:DirectTV hacked the hacker.... by IronChef · · Score: 2


      Dish Network sent down an ECM that destroyed the satellite receiver -- it didn't mess with the card, which is Dish's property -- it rewrote the receiver's flash with a new program that locked out all the channels except for a "stop stealing TV" message. Many people who were using an emulator board without locking the flash RAM in the unit got their boxen cooked but good.

      I think that DTV's card-melting is kosher, they do state that the card is their property. (as does Dish.) But Dish frying your personal hardware -- whoa. That seems to cross a line, even if you are using it to pirate TV. Ethically, it seems to be a much more questionable activity than releasing an anti-virus virus.

  36. Have we already forgot the Cheesy Worm? by hubie · · Score: 2
    Recall that there was the "white hat" Cheesy Worm that fixed the "linux worm" or "linux virus" (or however the BIND worm was misreported).

    See this link for example.

  37. It's not 'virii'! by The+Wing+Lover · · Score: 2, Insightful
    ...it's Viruses. VIRUSES! VIRUSES!

    check out http://www.cknow.com/vtutor/vtplural.htm for more information...

    (rant mode off)

    --

    - In Capitalist America, law violates YOU!

  38. Darwinian Predator - Prey relationship on the net by hillct · · Score: 5, Insightful

    So now you have a bunch of viruses, and counter-viruses roaming the net. This is not so bad until you have self-mutating viruses and antigens, several generations down the line. Eventually chaos theory will dictate that the nature of the relationship has become so complex as to be unknowable. This is a Pandora's box we don't want to open. It's similar to the human cloning issue, in that there are a lot of good arguments not to do it, but there's one overwhelming argument for making it legal, licensed and monitored; that is, if it's not legal, those who choose to pursue it will not be hindered in that activity, but will be forced to pursue it without oversight, while in hiding and possibly in poorly controlled conditions.

    All you can do here is appeal to the logic of those who would pursue such an activity and suggest that they not undertake it, but regardless of how much you argue, convince and suggest, someone will eventually do it and there will be severe consequences - not all negative, but severe, with respect to how we look at technology and how we use it.

    It could further be argued that those against such undertakings need to adjust to changing technology and make the appropriate changes to their world view. This is what the recording industry is having to do, as well as companies in other well established industries. The same will eventually be true of how we look at software design (computer viruses), and biology (human cloning).

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
  39. Re:Because of this the internet is dying.. by cybrthng · · Score: 2
    well, there is more than slashdot, bsd and such, but our freedoms are definitely going..

    i live to see the world, be there for my family, and be who i am, but the government and monopolies sure are good at fudging things up.

  40. Get off of your high horses. by fmaxwell · · Score: 2
    I don't care about the legality, ethics, morals, etc. of this. If some idiot, after weeks of warnings in the popular press, still has not installed the patch, he better find a way to keep the virus on his system from attempting to infect my computer. Otherwise, his system is fair game as far as I am concerned. Since the legal system is not punishing these people, I might.

    Let's also drop the insane analogies comparing this to someone threatening a family member's life. It's just a bunch of computers.

  41. Re:There is another way... by friscolr · · Score: 4, Informative
    You don't need to do the lookups/etc yourself. You can help security focus send out the mail.

    from the bugtraq post:

    To: BugTraq
    Subject: Infection Notification
    Date: Sun Aug 05 2001 10:50:22
    Author:
    Message-ID:

    If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:

    IP ADDRESS DATE/TIME WITH TIMEZONE

    Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.

    --
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum

    ---end bugtraq post---
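    As an added illustration of the reporting procedure quoted above (this is not code from the post, from SecurityFocus, or from anyone in this thread): a small Python script that scans web server access log lines for the Code Red probe signature mentioned elsewhere in the thread ("GET /default.ida?XXXX...") and emits one "IP ADDRESS DATE/TIME WITH TIMEZONE" line per probe, which is the per-line shape the post asks for. The log lines are constructed samples in Apache combined format using documentation-only addresses, and the choice of ISO 8601 with a numeric UTC offset as the timestamp form is an assumption; the post only asks that the timezone be included.

```python
import re
from datetime import datetime

# Constructed sample access log lines in Apache combined format.
# Addresses are from the RFC 5737 documentation ranges; this is not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:10:50:22 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 285 "-" "-"
198.51.100.7 - - [05/Aug/2001:10:51:03 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [05/Aug/2001:10:55:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 285 "-" "-"
203.0.113.5 - - [05/Aug/2001:11:02:17 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 285 "-" "-"
"""

# Common/combined log format: client IP, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Code Red and Code Red II probes request /default.ida with a long query string.
PROBE_PATH_RE = re.compile(r'^/default\.ida\?')


def parse_line(line):
    """Split one access log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(rec):
    """True when the parsed request matches the Code Red probe signature."""
    return rec['method'] == 'GET' and PROBE_PATH_RE.match(rec['path']) is not None


def to_report_timestamp(apache_ts):
    """Convert '05/Aug/2001:10:50:22 -0400' to ISO 8601 with its UTC offset kept."""
    return datetime.strptime(apache_ts, '%d/%b/%Y:%H:%M:%S %z').isoformat()


def build_report(log_text):
    """Return one 'IP TIMESTAMP' string per probing request, in log order.

    Lines that do not parse are skipped rather than guessed at, so that only
    well-formed, machine-readable records reach the notification system.
    """
    report = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_code_red_probe(rec):
            continue
        report.append(f"{rec['ip']} {to_report_timestamp(rec['ts'])}")
    return report


if __name__ == "__main__":
    for line in build_report(SAMPLE_LOG):
        print(line)
```

    Run against a real log, the output would be piped into the body of the e-mail rather than printed; the script deliberately keeps each line to the two fields the post asks for so that an automated parser on the receiving end can consume it.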

  42. Illegal by 3prong · · Score: 4, Insightful

    I keep seeing people talk about how invading a server in some cases is legal, because "the intent was good". That is an incorrect interpretation of the word intent. Intent only refers to the crime itself, i.e. did the criminal intend to break-and-enter or was it accidental.

    This means that unauthorized access in the attempt to do a "good deed" is just as illegal as black-hat unauthorized access.

    For this to happen, someone with the antidote virus would have to break the law to spread it and apply it. Of course, Robin Hood was considered a criminal too.

  43. Because... by 11223 · · Score: 5, Insightful
    Everybody with the ability to do something like that and the lack of ethics to consider it realistically actually wants the rooted boxes for themselves?

    Seriously, folks, everybody who *could* write something like that either (a) recognizes that infecting someone's box is infecting someone's box, closing holes or not or (b) sees no problems in having the rooted boxen out there anyway. I doubt that anybody else actually has the skills to do it.

    1. Re:Because... by IronChef · · Score: 2

      What we need is a body that examines, approves, and introduces counter measures.

      Microsoft for example, could include in the license agreements for the next outlook an agreement to allow MS to apply counter measures.

      That is actually a great idea. If only MS could catch a clue these days. (then again, maybe it is all part of their master plan!)

  44. Re:Its entirely possible by BlueUnderwear · · Score: 2
    > I haven't heard from a single client who has actually had downtime from it.

    At work, we had a Lotus Domino server that would crash whenever someone requested a non-existent Web URL from it (don't ask...). As most accesses to it are done from programs, or from links & bookmarks, this hasn't actually been a problem until recently...

    Since the beginning of August it started crashing every hour or so, making it rather difficult to work with. Then, this week it crashed every ten minutes... Initially we assumed that unknowingly a coworker was mistyping a URL, or doing some bizarre tests which crashed it. Then we understood what was really happening: it was CODE RED! Does that qualify as a client having downtime due to Code Red?

    However, in retrospect, this whole story had a good thing to it: it encouraged the guy in charge of Notes to find out why exactly it was crashing when asked for a non-existing URL... And he did indeed find the faulty config option and fixed it.

    Ok, now on the next task: another of our Domino servers crashes whenever somebody enters a bad password into the HTTP password dialog box for protected pages (yeah, yeah, I know...). Now that the weekend is approaching, and the kiddies are putting their final touches onto their new creations, could somebody please include an Authorization: Basic Tm90ZXM6c3V4b3Jz0 into the HTTP headers of the probes of his Code Red III, so that we have an excuse to fix that problem too? ;-)

    --
    Say no to software patents.

  45. Re:Its entirely possible by ryanvm · · Score: 4, Funny
    I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean, if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

    The problem is that 'self defense' only exists in a situation where your personal safety is at risk - like the above scenario.

    It's like asking: If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee?

    Basically, you can't violate someone else's rights unless your own safety is in danger.

  46. See Everything2 by l-ascorbic · · Score: 2, Informative

    That seems a bit like overkill. There is an Everything2 node on this subject with some simpler PHP code samples, including (full disclosure) one by me.

  47. I'm Batman by Punto · · Score: 2
    I don't get it. We all think Batman is cool, but nobody likes the idea of a virus fighting against evil?

    Of course, the author can't go around claiming responsibility (or posting stories on slashdot), that's not cool.

    --
    Stay tuned for some shock and awe coming right up after this message!

  48. Go ahead and do it. by atrowe · · Score: 2, Informative
    I don't see why it couldn't be done. The CodeRed worm has already been modified several times and re-released. The original source can be found here

    Google cache because it looks like the original site has been removed.

    I suppose that it would be possible to use the ISAPI filter vulnerability in IIS to get into a system and patch that very same vulnerability. Maybe someone who knows more about this can clarify.

    --
    -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

  49. Fighting fire with fire? by Drakino · · Score: 2

    Making a worm to fix the worm is just going to create more problems. My main slowdown of service comes from all the ARP requests from the thing scanning my neighborhood.

    Instead, (idea from another /. reader) make a CGI script called default.ida that fixes just that machine that tried to attack your server. Make sure it can deal with Code Red 1, otherwise once 2 is dead, 1 will be able to swing back easily to the unpatched servers. Also make sure it sends a bill to the company for "IT Consulting".

  50. This reminds me of the Fish Virus.... by AhNewBis · · Score: 2, Interesting

    The Fish virus, IIRC, would remove the Stoned/Michelangelo virus if it was found, and then infect the machine itself.

    Further info about the virus is found here from Datafellow's virus database.

  51. Understanding by virg_mattes · · Score: 2

    > Ethics is religion. Faith is not a Religion. You must understand the difference.

    I'm going to have to disagree on this point. Ethics and religion are very different things. They are actually not even directly related to each other. The link between the two is morality, to which both are related. To give an example, it's possible for an agnostic person to act in an ethical manner. Actually, it's possible for any person to act in an ethical manner. It's also possible for someone with a religious ideal to act in an unethical manner without violating his/her religious convictions (the Inquisition is an old example, but it fits, so I'll use it for ease). Religion is a belief system. Morality is a rule set based on the belief system. Ethics is adherence to generally accepted codes of behavior.

    And, in response to your second sentence, religion is specifically a belief system. So, while linguistically your statement is correct (one can have faith without a directed religion, such as "faith in the goodness of mankind"), by definition one cannot have a religion without faith.

    Virg

  52. Re:Funny, by BigBlockMopar · · Score: 3, Funny

    I agree. This past Monday when I first logged in, my W2K told me it would shut down in 2 minutes because it had just installed an anti-code-red. This is itself exactly a virus: executing something without the owner's consent...

    This past Monday? Wow. I see your administrators take their time, don't they? Or did they wait until they'd been infected to decide that it might be time to take preventative measures?

    --
    Fire and Meat. Yummy.

  53. Preferable method by Snowfox · · Score: 3, Informative
    I'd rather it used the IIS log file to try to spread itself to every system that had tried to infect it, then executed a
    %windir%\System32\rundll32.exe user32.dll,exitwindows

    (which you can do manually right now with the worm-installed back door.)

    Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.

    1. Re:Preferable method by jspaleta · · Score: 2, Interesting
      I wonder what the legality of this is? Having the infected system which is attacking you power down is not viral, and actually sounds like a very good disarming mechanism. In legal terms this seems like a very clear "self-defense" action aimed exclusively at stopping the illegal trespass. It's sort of like having tire spike strips in your parking lot to prevent people from coming in the wrong way.

      You are allowed a certain modicum of property damage when acting in self-defence. How much damage you can do to the violator is subjective and depends on the threat being presented to you and your property. I don't see how a non-invasive shutdown of the attacking system is out-of-line considering the threat to your computer system and to the larger community a virus represents.

      It's true that the polite thing to do is to just email the offending system's maintainer, but in situations where a virus has a potential to cause large material harm (I'm thinking virus infected machines as trojaned DoS zombies, or mail server clogging because of the virus spawned emails) you could argue that forcing an attacking infected server to shutdown is a legit self-defense action to prevent your own property damage. -jef

  54. You could do that, but don't! by Mendax+Veritas · · Score: 4, Insightful

    A "white hat worm" of this sort could be made, but its deployment would be just as illegal as the original "black hat worm" it was created to fight. You're still making unauthorized use of someone else's computer. It doesn't matter that you have good intentions. And what if a bug in your code crashes some machines? How do you prove it wasn't intentional, and that your "white hat worm" isn't really a "black hat worm" in disguise?

    1. Re:You could do that, but don't! by bughunter · · Score: 3, Interesting
      Yes, that appears to be the prevalent ethical standard.

      But I think people are overlooking a more ominous repercussion, technically and ethically: Setting a precedent. If the precedent were set that it's OK to loose countercode upon the world, think of what might result.

      In other words, if counterviruses and antiworms became commonplace, it would turn the internet into one big war zone for autonomous code. And I can't even imagine what might result if an arms race broke out in that contest, though I expect some of its fruits would be quite frightening. I've already drawn the analogy to Core War in a previous thread.

      --
      I can see the fnords!

  55. Out of the frying pan... by babbage · · Score: 2
    I've heard -- and this may be apocryphal so please correct me if I've got this wrong -- that the narcotics that we all know and love had an interesting evolution over the course of the last 150 years or so.

    Apparently, it seems that in the early 1800s, there was a general problem with people smoking too much opium, so people came up with a supposed cure for it -- morphine! Of course in hindsight this wasn't any better than opium, but at least it had a pain relieving effect so there was some medical use for it (and still is). Sure enough, former opium smokers got hooked on morphine, and a new cure was needed. What did we get? Heroin! This was much worse, had no worthy side effects, and has generally been a huge headache ever since. What was the solution? Go cold turkey? Of course not, we came up with yet another new drug -- methadone. This one seems to have the great benefit of not being worse or more addictive than its predecessor, but that just means that people don't want to stop using heroin in favor of methadone, so while methadone may not be worse, it does little good either.

    Like I say, this may not actually be true, but I think it illustrates the point very well. Even if it isn't true, there are still similar examples all over the place -- people that give up cigarettes for nicotine gum, etc.

    This sort of suggestion has the same critical flaw: it might look good on paper, but in practice you're just trading one nasty thing for another. Sending out a benevolent trojan sounds like a nice idea, but how do you know that it'll be benevolent anyway? Are you sure it isn't going to be vulnerable to some flaw that will do more harm than good? You've checked all your buffers and are careful in what your program accepts and strict in what it sends out? Moreover, you're confident that, even if it *is* perfectly benign (which, let's be honest, is a tricky assertion at best, and very hard to verify) once it's out in the wild can you guarantee that your code isn't going to get hijacked by someone less saintly or all-knowingly proficient as you surely are?

    I doubt it.

    These sorts of proposals sound nice but are fraught with danger and likely to come to a bad conclusion, both technically and, let's not forget, legally. This sort of idea comes up every now and then -- K5 is debating it right now, too -- but it's never a good idea and in practice it will never reliably work. It's clever & tempting, but raises more problems than it solves, just like trading morphine for heroin...

  56. Re:I Hope You Keep Bail Money Near Your Gun by WNight · · Score: 2

    I agree that 'stuff' is worth less than a life. However I don't think that's the end of the story.

    Some people, to me, are of negative worth. These would be the rapists and murderers. I wouldn't assume someone was of negative worth, but I think the simple fact of finding them in my house without my permission, despite locks, would be fairly strong evidence for that.

    Now, I don't necessarily think these people should be killed, but my aversion to killing is sufficiently lowered in those (hypothetical) circumstances, that I would be willing to shoot, if I thought it was warranted.

    Now, what is warranted... Tough question. To me, seeing some kid trying to break into your garage isn't. Seeing someone walking *out* of your house with the TV, isn't. Hearing the door be kicked down and seeing someone come in, is.

    If I could clearly see them and tell they didn't have a weapon handy, I'd give them a warning to leave. If I couldn't, why would I want to risk my life and that of my family, by giving them a warning which they might use only as a chance to duck for cover before going for their weapon?

    There's been a rash of home invasions in my area, which often lead to murder. I don't know about you, but my door has never been kicked down, I think I'd assume the worst, and in that case, be willing to defend myself. Any criminal intending only theft should either announce himself "Hey, I'm just here to steal the TV" or risk my assuming that since he broke the door down, he's probably got more sinister motives, given the rash of invasions/murders.

  57. @work by clinko · · Score: 2

    A funny story from where I work. Some guy took the code from the melissa virus and tried to do the same thing. While doing it, he accidentally ran it and set off his screwed up version of it across our network. Big fun :)

    1. Re:@work by unitron · · Score: 2
      If clicking the icon launches a browser, shouldn't the icon be labeled "Browser", or perhaps whatever actual browser it launches? Didn't I hear a rumor somewhere that there's more to the internet than just HTML?

      Or is it easier to make fun of and complain about ignorant users if you do what you can to keep them that way?

      --
      I see even classic Slashdot is now pretty much unusable on dial up anymore.

  58. Re:Its entirely possible by Chris+Burke · · Score: 4, Funny

    It's like asking: If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee?

    That's a great analogy. Mostly because of the image it conjures.

    --
    The enemies of Democracy are

  59. Already been done by Xeger · · Score: 4, Interesting

    I thought of doing this a few days ago and I started coding. I got as far as a script to automatically reboot attacking machines, to help slow the spread of Code Red.

    I had begun work on a worm called Code Blue that would infect Code Red machines and clean them of Code Red. This kind of work is very laborious since it involves writing Intel assembly code that uses the Win32 API and runs in a Windows environment.

    Before I could finish, my best friend (who is a security consultant) informed me that somebody has already done this. There is a perl CGI script going around that you can put into your root directory and name "default.ida" so that infected machines will cause it to execute.

    The script connects to the IP of the attacking machine, uses the Code Red II backdoor to clean the system of trojanned files. Then it uses the very same buffer overflow exploit used by Code Red to send a binary to the server that patches IIS, removes Code Red-related registry entries and reboots the machine.

    1. Re:Already been done by startled · · Score: 4, Interesting

      2 things.
      1. Where's the script?
      2. Shouldn't it be modified to install itself? Otherwise, it'll get drastically outpaced.

      Note: yeah, yeah, ethics and so on. Disclaimer, and another one.

    2. Re:Already been done by iabervon · · Score: 4, Insightful

      While you're at it, why not set up your server to document that it does that? E.g.

      Go <a href="default.ida">here</a> to check your server for the Code Red worm and remove it if found.

      Unlike an actual anti-security-hole virus, in this situation you are providing a legitimate and documented response to an actual request. If you're not scanning other machines unless they actually ask (either by following the link or by attacking you), it's not really any more unethical than, say, active FTP (if you send this message, I will open a connection back to you and send some data over it). It is no more using the other person's machine than, say, slashdot forcing my machine to render an HTML document or an FTP server forcing my machine to store the document I download.

  60. Beneficial Worms by Restil · · Score: 2

    I have spent the last week thinking this over, and spent some time coding a test. Working with a known named hole, I ran a vulnerable version of named on a few of my machines.

    I obtained some script kiddy code to open up a shell on the alternate machine and started to modify it. Since I have no desire to be accused of starting a virus of any kind, I have no intention of finishing or releasing this, but I want to have the concept proven in case someone with more guts than I decided to release something similar.

    No matter how you look at it, I believe that releasing this worm would be illegal, at least in the US where I live. Knowing this, I'm not going to concern myself with legal issues, but with ethical ones. The purpose of this prototype worm is to exploit the named daemon and obtain a shell on the victim computer. Then it will send over a copy of the worm, along with a nonvulnerable version of named.

    On the victim's side, it will make a copy of all programs and configuration files it needs to change and replace them with safe versions. It will then send a message to root on that machine explaining exactly what was done and why, how to reverse the changes in case the worm broke something, and what to do in the future to avoid the same or similar problems. The worm will then find and exploit 256 more systems within the same network level, one in each subnetwork. For instance, if the worm is currently working at the class A level for the 24.0.0.0/8 network, it will try to find one system in the 24.1.0.0/16 network, one in the 24.2.0.0/16 network, etc. Each progression will work one level lower. This will prevent the same machine from being hit more than twice for every pass the virus makes over the internet. After finding 256 systems, the worm will shut itself down and remove itself.

    The important factor of this worm is the fact that it will ONLY be beneficial. If it causes more problems than it solves, it will be seen as another nuisance instead of fixing security holes as it is intended. It is important that root on the machine is notified of any changes. This gives the administrator the opportunity to fix other potential problems and if necessary reload the system. There must be a way that an administrator can leave configuration files on the machine so the worm will function in a limited capacity. The machine operator can therefore prevent the worm from making changes although they will still be notified if there's a security risk.

    The worm will only search for and detect a single flaw in a single program, and only use that specific program to exploit the system and only replace that single program. Updating an entire package to fix one program may actually introduce other security problems into the system. Programs deployed on the system should also be either compiled on that system or statically linked to prevent any library conflicts.

    On a side note, the worm might also want to check for a root kit on the machine and notify root if one exists. If the machine has already been compromised (which is possible if there are vulnerable programs running), then the machine will need to be reloaded and root needs to know about it. Fixing one program won't make any difference.

    Am I completely off my rocker here? Comments?

    -Restil

    --
    Play with my webcams and lights here

  61. Why not put up a webpage that people can use? by Keeper · · Score: 5, Insightful

    Just put up a website on your computer that advertises the ability to automatically clean the CodeRedII virus off of the viewer's system, if present.

    All the viewer has to do is click a button at the bottom of the screen.

    Just so happens that this particular button sends a request to /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (etc), which then scans the sender's IP and proceeds to start a command session, download the patches, and do whatever else is needed to done to vanquish the worm.

    After all, they did click on the link, right? :)

    Seriously though, if someone wants to get all pissy about you going to their box and fixing their screwup, threatening to sue and the like, I'd just countersue ... after all, they tried to hack your box first. ;)

    1. Re:Why not put up a webpage that people can use? by Keeper · · Score: 2

      Why wouldn't it be criminal? It'd certainly be more criminal than fixing their box -- I didn't have to do anything to gain access to their box; they were actively attempting to gain access to my box.

      They could argue "oh, it was code red" and I could argue "yeah, you had it, but you were actually doing things independently too".

      And they did click on the link of their own free will. ;)

  62. Indexing server is essentially part of IIS by brlewis · · Score: 2, Insightful

    The indexing server is bundled with IIS, and is one of the main reasons for choosing IIS -- searching is bundled right in. Comparing it with "some CGI script" is disingenuous.

    It would be fair to compare it with Apache modules that are part of the standard distribution and are usually installed. Care to point out a recent hole in such a module?

    Insightful, my foot. The pro-MSFT moderators are busy today.

    1. Re:Indexing server is essentially part of IIS by SuiteSisterMary · · Score: 2

      There is an incredible difference between there being an exploit, and there being an exploitable bug. Can I name a recent hole? No. Does that mean anything at all? No. I'll also point out, as I have been for weeks, that the patch was available for a month before code red 1, leading me to believe that the patch spawned the exploit. Can't blame MS for people not installing patches like they should.

      --
      Vintage computer games and RPG books available. Email me if you're interested.

  63. I've done some of this by RobertGraham · · Score: 4, Interesting
    I created a program that automatically checked for the backdoor upon receipt of a /default.ida attack (/scripts/root.exe?). It didn't work: the CodeRedII worm is DoSing itself - after enough reinfections, the server stops being able to respond with requests.

    As a more casual defense, I've written stuff that causes the worm to hang in its receive function: http://robertgraham.com/tools/deredoc. It's kind of fun, I've got hundreds of worm threads waiting for me to respond back to them.

    You can create benign anti-worms. You can set up a worm to only counterattack when attacked itself. Such a worm would not bother innocents, and would only spread to infected systems, cleaning as it went. In other words, it wouldn't be 'scanning' -- it only responds upstream to infected systems. There are two problems to that approach: the first is that CodeRedII DoSes itself, so the systems cannot be exploited, either with the .ida attack or the backdoor. The second problem is that a heck of a lot of these systems are behind firewalls, and you cannot directly contact them on port 80 (CodeRedII has been extremely effective about worming its way around firewalls).

    You can evade legal constraints. Post the source of your anti-worm to Usenet as an example how an anti-worm is constructed. This is legal free-speech -- as long as you don't encourage others to run it.

    CodeRedII is raging inside corporations. It would be extremely ethical to put something on your own machine to help stop it. One example would be a script (CGI, PERL, PHP, ASP) named /default.ida on your system that did something like "/scripts/root.exe?/c+net+stop+w3svc" back at the attacker.

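As an added example (not any poster's code), a Python log scanner that covers the defensive half of what this comment and the SecurityFocus post in comment 41 describe: it reads IIS W3C extended log lines, flags the /default.ida overflow probes and the /scripts/root.exe and cmd.exe backdoor requests, and emits one "IP ADDRESS DATE/TIME WITH TIMEZONE" line per attacking host in the shape aris-report@securityfocus.com asked for. The log entries, IP addresses and shortened filler runs are constructed; the filler letters (N for Code Red, X for Code Red II) and the backdoor paths are the worm's well-known signatures.

```python
"""Scan IIS W3C extended log lines for Code Red probes and backdoor requests
and emit "IP DATE/TIME TZ" report lines.  Example code written for this page;
the sample log at the bottom is constructed, not captured from a real server."""
import re

# Code Red padded its /default.ida overflow request with a long run of 'N',
# Code Red II with a run of 'X'; both follow the filler with %u-encoded bytes.
# 100 repeated filler characters is used here as the minimum to count a hit.
OVERFLOW_QUERY = re.compile(r"^(N|X)\1{99,}.*%u")

# Backdoor paths Code Red II leaves behind (root.exe is a copy of cmd.exe,
# reachable through the /c and /d virtual directories it creates).
BACKDOOR_PATHS = (
    "/scripts/root.exe",
    "/msadc/root.exe",
    "/c/winnt/system32/cmd.exe",
    "/d/winnt/system32/cmd.exe",
)


def classify_request(uri_stem, uri_query):
    """Return 'code-red-1', 'code-red-2', 'backdoor' or None for one request."""
    stem = uri_stem.lower()
    if stem == "/default.ida":
        m = OVERFLOW_QUERY.match(uri_query or "")
        if m:
            return "code-red-1" if m.group(1) == "N" else "code-red-2"
        return None
    if stem in BACKDOOR_PATHS:
        return "backdoor"
    return None


def parse_w3c_log(text):
    """Yield one dict per entry of a W3C extended log, using the #Fields header
    so the column order does not have to be hard-coded."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log entry before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed entry: skip rather than misattribute columns
        yield dict(zip(fields, values))


def find_infections(text):
    """Map attacker IP -> (first-seen 'YYYY-MM-DD HH:MM:SS', set of kinds seen)."""
    seen = {}
    for entry in parse_w3c_log(text):
        kind = classify_request(entry.get("cs-uri-stem", ""),
                                entry.get("cs-uri-query", "-"))
        if kind is None:
            continue
        when = f"{entry['date']} {entry['time']}"
        _first, kinds = seen.setdefault(entry["c-ip"], (when, set()))
        kinds.add(kind)
    return seen


def report_lines(text, tz="+0000"):
    """One 'IP DATE/TIME TZ' line per infected host.  W3C extended logs are
    written in UTC, so the default timezone suffix is +0000."""
    return [f"{ip} {when} {tz}" for ip, (when, _) in find_infections(text).items()]


# Constructed sample log: one Code Red II probe, an innocent request, one
# Code Red probe, then two backdoor requests from the first host.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 10:50:22 192.0.2.10 GET /default.ida {x}%u9090%u6858%ucbd3 200
2001-08-05 10:51:03 198.51.100.7 GET /index.html - 200
2001-08-05 10:52:41 203.0.113.9 GET /default.ida {n}%u9090%u6858%ucbd3 200
2001-08-05 10:53:10 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-08-05 10:54:00 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
""".format(x="X" * 224, n="N" * 224)

if __name__ == "__main__":
    for line in report_lines(SAMPLE_LOG):
        print(line)
```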
  64. DOS against security focus... by Lando · · Score: 2

    Ehmmm,
    For those of you participating in the DOS attack against Securityfocus...

    Although, they did not launch a posting to this, in the mailing list they said that they were going to discontinue taking mailings from people.

    When I went to get the link for this message I found that they are having a hard time responding to HTTP requests... Perhaps caused by the slashdot community?

    Lando

    --
    /* TODO: Spawn child process, interest child in technology, have child write a new sig */

  65. just pop up an explorer window for cert.com by Gkeeper80 · · Score: 2, Informative

    This isn't original, a friend found it posted somewhere, but you can call up an internet explorer window with the cert advisory (or the patch for that matter) by using the root.exe file. Like such: http://the.fckd.up.host/scripts/root.exe?/c+explorer+http://www.cert.org/advisories/CA-2001-23.html This works great for cable/dsl users who might not even know they have a webserver running. Kinda tough to ignore explorer windows popping up, even on a MS computer.

  66. Already Happened, I Think by Prof_Dagoski · · Score: 2

    I remember seeing a /. blurb about just such a thing. If I remember right, after it invaded the system, it patched a security hole, copied itself onto whatever removable media was in the computer and deleted itself. Unfortunately I couldn't find the article in the archives.

    In the meantime, this sort of program is pretty trivial, aside from invading a secured host. I've heard talk in various organizations about writing maintenance viruses to crawl the network's hosts and do whatever updating needed to be done. Such ideas are usually tanked because everyone's a little nervous about independent critters running loose, doing things on their computers. Besides, there are more reliable automated ways to install patches and updates. In the meantime, writing one of these as a good samaritan deed would likely get you prosecuted because, 1) You don't own the computers you're infecting, 2) You don't know what the configuration is on the machines and your virus might screw 'em up, 3) What if you missed a bug in your code?

  67. ...but it's a bad idea by Sun+Tzu · · Score: 3, Insightful

    After all, how do you tell a 'good' virus from a bad one? It might be harder than you realize, if you're a virus scanner, for example. There is an article here that deals with some of the other issues that 'good' viruses raise.

  68. Not just that by einhverfr · · Score: 2
    Worms are not to be messed with that way. The first worm was released as a self-replicating software update (by Intel iirc). However, partway through their network, the payload became truncated, though it continued to replicate. The result was that the worm took down a good portion of their network.

    With the internet, this is a greater danger because the number of machines is much larger...

    --

    LedgerSMB: Open source Accounting/ERP

  69. Re:That's the worst idea I've ever heard by arcade · · Score: 2

    While what you say is factually true (spoofing the source is tricky), the principle of not fighting fire with fire is still reasonable. Whenever you automatically respond to an attack with another attack you open up the potential for an explosive situation.

    Yes, I agree totally with that principle. I do however prefer to use factual arguments and not bullshit like the commentor that I responded to did.

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca

  70. "Cheese Worm" on Linux Did This by Lethyos · · Score: 2

    An article on /. came up a while ago about a worm that did just this called "Cheese Worm".

    It fixed a back door created by another worm, then went looking for other systems infected by the l10n worm.

    Yes, it's a novel idea. No, it's not the solution. Not everyone runs the same distro/OS and not everyone has them configured the same.

    It would take an amazing amount of design and coding work to create one that intelligently fixed configuration problems without creating more nightmares for the admin, and even then, it's likely to cause more problems than it fixes. Then it would no longer be a worm - it'd be a "service pack". :-)

    --
    Why bother.

  71. Re:Why do favors? by SuiteSisterMary · · Score: 2, Insightful

    This is NOT an "IIS" hole. That's a fact. This is an Indexing Server hole. That's a fact. Comparing this to 'apache never having an exploit like this' is wrong. That's a fact. Comparing this to some apache module or CGI script being exploited, which has happened, and will continue to happen, is accurate. That's a fact.

    --
    Vintage computer games and RPG books available. Email me if you're interested.

  72. I Hope You Keep Bail Money Near Your Gun by virg_mattes · · Score: 2

    > Yes, but criminal trespass (a crime to which an American citizen
    > can respond with deadly force) and cracking a webserver are of the same magnitude.

    Even if I agreed that criminal trespass and cracking a webserver are the same (they're not, in either a legal or ethical sense), you're way off on the justification for deadly force, at least in the laws of most U.S. jurisdictions. First, cracking a web server is like picking the lock on your front door, which is breaking and entering, not criminal trespass. Second, you're not legally allowed to use deadly force against someone unless they are threatening your life or well-being. Since someone can commit criminal trespass when you're not present, if you drilled someone just because they broke into your house while you were at work, you'd be guilty of second-degree murder. In fact, if you shoot someone who breaks into your house while you're at home, the burden of proof for threat still rests with you (basically, you get "convicted" of justifiable homicide) or you're still going up the river.

    Virg

    1. Re:I Hope You Keep Bail Money Near Your Gun by virg_mattes · · Score: 2

      > I have the right to self defense, and if someone is in my home
      > on some unknown mission I'm not interested in letting him do whatever
      > and then let the law take care of it. I'm going to stop him, doing
      > whatever it takes to do that.

      This is the very essence of why vigilantism is bad. If someone is in your home on an unknown mission, you seem to assume that your only recourse is to kill him. You don't even consider the possibility that anything less than murder is possible or even desirable.

      Consider this: you hear someone in your house, rummaging through your stuff. You stand at the top of the stairs (or around a corner from said stairs) and shout, "I hear you, and I have a gun. If you don't leave, I'll shoot!" The burglar runs out the door and into the night. Now, if you consider this approach to be unacceptable because the burglar will get away, but you don't consider it unacceptable to shoot him rather than give him the opportunity to run, then you have a horrendously deranged sense of personal property.

      So the question becomes not whether you consider it within your rights to shoot someone in your house, but whether you consider the sanctity of your things more important than a human life. Consider that the next time you argue about your "right" to kill someone because of your indignation.

      Virg

    2. Re:I Hope You Keep Bail Money Near Your Gun by brunson · · Score: 2, Informative

      Colorado (for positive) and many other states have a "make my day" law. If someone breaks into your home you can automatically assume you are in danger of grievous bodily harm or death and can shoot dead on the spot.

      --
      09F911029D74E35BD84156C5635688C0
      Jesus loves you, I think you suck

    3. Re:I Hope You Keep Bail Money Near Your Gun by virg_mattes · · Score: 2

      > If someone comes into my house and wants to take all my stuff,
      > I'm going to shoot him and let the D.A. decide whether to prosecute.


      And I certainly hope that DA decides to have you arrested. See below for my reasoning.

      > In this country, as a wise man said, we have a right to "life,
      > liberty, and the pursuit of happiness". Requiring law-abiding citizens
      > to allow any brigand to boldly stroll into a person's house and demand
      > all their possessions denies me my rights. If pointing a loaded weapon at
      > him doesn't make him realize the error of his ways, then that's not my problem.


      This is a straw man argument in the extreme. Firstly, when a brigand "strolls into a person's house and demand[s] all their possessions", we've gone beyond criminal trespass into assault or robbery. This is a credible threat to safety, which is grounds for justifiable homicide, so it's outside the scope of my original argument (and, it's a ridiculous extension of my argument to say that I think people should be allowed to steal from you with impunity because I accept that proof of justifiable homicide is necessary).

      Secondly, you don't specify what happens when you confront the assailant but again, if he doesn't "see the error of his ways", then it's assault and therefore falls outside the scope of my original argument. The real question is what happens if, for example, the burglar's reaction is to run? As I stated in another post, shooting someone for threatening your safety is justifiable, but shooting someone for stealing your stuff is not, nor is shooting someone who is trying to escape when confronted while stealing your stuff. So, as I said before, if your justification for shooting the invader is, as you stated, "someone comes into my house and wants to take all my stuff", then you deserve to be incarcerated. You should consider lethal force as a last resort, only if your personal safety is endangered, and then only if and when other possible alternatives have been exhausted. As I said in the other post, letting the thief get away is inconceivable to most vigilantes, but that's a much better answer than killing someone when you don't have to do it because you're indignant about being burgled.

      Virg

    4. Re:I Hope You Keep Bail Money Near Your Gun by Kintanon · · Score: 2

      I believe many of us work off of the assumption that if the person is committing the one crime (breaking and entering) then they will be willing and able to commit a more grievous crime (theft and assault), and then possibly a yet more serious crime (murder) in order to cover their tracks. I for one am not going to wait for them to get around to step 3. If they are in my home illegally I have to assume that they wish to kill me; in Georgia it's considered polite to give one warning shot before killing anyone who is in your home, and a shouted warning that you have a gun is acceptable. So I imagine we would all warn the intruder first. But if they didn't get the hell out of my house right then I'd certainly kill them.

      Kintanon

      --
      Check out JoshJitsu.info for Brazilian Ji

  73. Less intrusive solution by coyote-san · · Score: 2

    There are two problems with an anti-worm:

    1) there is an obvious, less-intrusive solution to the problem. Log the IP addresses, notify their ISP, and (assuming the ISP is on the ball) they "go dark" until they clean up their act. It's not like it's hard to verify the information provided to the ISP.

    This will guarantee that 1) that system infects nobody else and 2) the owner is aware of the problem.

    2) The second problem is contained in the comments above - quietly patching the system does nothing to undo the damage (it might close a few doors, but *anyone* could have run *anything* on that system while it was open) and does not teach the owner to take responsibility for their system.

    However, this requires the ISP to take action. To be honest, some of these systems are starting to remind me of car alarms that run for hours (e.g., because of high winds) and the owner can't be bothered to shut them off. Breaking some glass on that car is illegal... but few cops or DAs would consider anger vented at a car alarm which kept neighbors up all night a crime without a compelling mitigating factor.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken

  74. Re:That's the worst idea I've ever heard by arcade · · Score: 2

    Anyone who uses a script like that is crazy. Next there will be a Code Red III which spoofs the originating IP and then your perl script becomes an unwitting part of a distributed DOS attack... Then YOU go to jail instead of the Code Red author.

    Oh my, how fscking stupid is it possible to be. Let me give you the hints one by one.

    To attack a webserver you need to use http..

    http uses tcp

    tcp has something called initial sequence numbers

    initial sequence numbers have been randomized rather well in more "recent" (think 97->now) operating systems.

    spoofing a connection via tcp is almost impossible.

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca

  75. Re:That's the worst idea I've ever heard by cburley · · Score: 2, Interesting

    > the principle of not fighting fire with fire is still reasonable

    Are you unaware that firefighters often do use fire to fight fire?

    (They burn away strips of forest to prevent a forest fire from being able to cross the strips and attack, say, neighborhoods.)

    I think your comment in the next paragraph is right, though, because it illustrates the weakness of the forest-fire analogy.

    In particular, while fighting viruses on the Internet today might be more like fighting a forest fire -- in that the trees are not "smart" at fighting fires, you want to save as many as reasonably possible, yet you're not averse to burning a few more down yourself to avert a larger disaster -- the overall goal should be to convince Internet sysadmins to do for their systems what homeowners and business owners have, over the centuries been encouraged to do: be the first line of defense against fires starting, or offense against fires spreading, etc.

    (Think of elements of "progress" here -- new homes likely have smoke alarms, people are strongly encouraged to report fires quickly, flammable materials are less widely used, buildings are designed for quick exit in the event of fire.)

    Until the Internet resembles something more like today's upscale suburban neighborhood (in its security against fires) than a dry, dense forest, I suggest that fighting fire with fire does have utility, if thoughtfully (rather than arbitrarily) applied by experts.

    --
    Practice random senselessness and act kind of beautiful.

  76. There is another way... by FatOldGoth · · Score: 5, Insightful

    ...though it's not quite as effective.

    Since the start of this week, I've been running a Perl script as an hourly cron job that parses my firewall logs, gets the originating IP addresses of any Code Red scans, does a reverse lookup, attempts to extract a meaningful domain name and then mails a polite notification to postmaster and webmaster at that domain. The notification contains a link to the MS page with the details of the relevant patches.

    Since doing so, I've had a number of responses from people thanking me for pointing out the problem and confirming that their server has now been patched. The response rate is only about 1%, largely due to the fact that around 90% of the problem servers are on dial-ups/cable modems/DSL, but it's better than nothing.

    I'm not advocating that everybody, or even a large number of people, do this, as the amount of traffic it would generate would only add to the problem, but it seems like a more legal solution than another, white-hatted, worm.

    --

    I would be a paid subscriber if Taco and Hemos weren't such cunts

    1. Re:There is another way... by FatOldGoth · · Score: 2

      Cool! Thanks for the tip! I'll modify the script to send the addresses to them when I get back to work tomorrow.

      --

      I would be a paid subscriber if Taco and Hemos weren't such cunts
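    The hourly log-parsing job described in comment 76 above (parse the logs, pick out the Code Red probes, reverse-resolve the source address, mail postmaster and webmaster at that domain), combined with the per-system rate limit comment 109 later suggests (one email per infected system per week), as an added Python example; it is not the poster's Perl script. The access-log lines, the reverse-DNS table standing in for socket.gethostbyaddr(), the security@example.org sender and the PATCH-URL-PLACEHOLDER link are all constructed for the demonstration, and accepting "N" padding as well as the "X" padding shown in this thread is an assumption.

```python
"""Hourly Code Red notifier, sketched in Python (added example, not the
poster's Perl script). Reads access-log lines, picks out Code Red probes
(requests for /default.ida with a long padding run, as shown elsewhere in
this thread), maps each source to its domain via reverse DNS and drafts one
notice per source to postmaster@ and webmaster@, at most once per week.
The log lines, reverse-DNS table and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage

# Apache common log format; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3}')
# A probe is a GET for default.ida followed by a long run of padding.
# The thread shows "X" padding; "N" is accepted too (assumption).
PROBE_RE = re.compile(r'^/default\.ida\?[XN]{100,}', re.IGNORECASE)

# Constructed sample log: two probes from one host, one each from two
# others, and one ordinary request that must not be flagged.
_PAD = "X" * 200
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [06/Aug/2001:10:12:01 -0400] "GET /default.ida?{_PAD} HTTP/1.0" 404 276',
    '198.51.100.23 - - [06/Aug/2001:10:12:44 -0400] "GET /index.html HTTP/1.1" 200 1530',
    f'203.0.113.7 - - [06/Aug/2001:10:13:09 -0400] "GET /default.ida?{_PAD} HTTP/1.0" 404 276',
    f'192.0.2.99 - - [06/Aug/2001:10:15:30 -0400] "GET /default.ida?{_PAD} HTTP/1.0" 404 276',
    f'192.0.2.150 - - [06/Aug/2001:10:16:02 -0400] "GET /default.ida?{_PAD} HTTP/1.0" 404 276',
])
# Constructed stand-in for socket.gethostbyaddr(); 192.0.2.150 has no PTR.
REVERSE_DNS = {"203.0.113.7": "h7.dsl.example.net", "192.0.2.99": "mail.example.co.uk"}

def table_resolver(ip):
    return REVERSE_DNS.get(ip)

def probe_sources(lines):
    """Count Code Red probes per source IP; unparseable lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "GET" and PROBE_RE.match(m["path"]):
            counts[m["ip"]] += 1
    return dict(counts)

# Small, incomplete list of two-label public suffixes (constructed).
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}

def registrable_domain(hostname):
    """Heuristic: last two labels, or three under a known two-label suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])

class Notifier:
    """Drafts notices and remembers when each source was last notified."""
    def __init__(self, patch_url, window=timedelta(days=7)):
        self.patch_url = patch_url      # link to the vendor patch page
        self.window = window            # minimum gap between notices per IP
        self.last_sent = {}

    def due(self, ip, now):
        last = self.last_sent.get(ip)
        return last is None or now - last >= self.window

    def build(self, ip, hostname, domain, count, now):
        msg = EmailMessage()
        msg["From"] = "security@example.org"          # constructed sender
        msg["To"] = f"postmaster@{domain}, webmaster@{domain}"
        msg["Subject"] = f"Code Red probes from {ip} ({hostname})"
        msg.set_content(
            f"Our web server logged {count} Code Red probe(s) from {ip} "
            f"({hostname}) in the last hour; that host is most likely an "
            f"unpatched IIS server. Patch details: {self.patch_url}\n")
        self.last_sent[ip] = now
        return msg

def draft_notifications(log_text, resolver, notifier, now):
    """Return the notices to send for one batch of log lines."""
    drafts = []
    for ip, count in sorted(probe_sources(log_text.splitlines()).items()):
        hostname = resolver(ip)
        if not hostname:
            continue                    # no PTR record: nobody to mail
        domain = registrable_domain(hostname)
        if domain is None or not notifier.due(ip, now):
            continue
        drafts.append(notifier.build(ip, hostname, domain, count, now))
    return drafts

if __name__ == "__main__":
    n = Notifier("https://PATCH-URL-PLACEHOLDER")   # placeholder, not a real link
    for d in draft_notifications(SAMPLE_LOG, table_resolver, n, datetime(2001, 8, 6, 11)):
        print(d["To"], "|", d["Subject"])
```

    The script only drafts messages; handing them to an SMTP server and persisting `last_sent` between cron runs are left out so the block runs offline. Sources with no PTR record are dropped rather than mailed to a guessed address, which is why the poster's reported response rate stays low on dial-up and cable ranges.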
  77. Watch out for Federal Computer Crime Laws by werdna · · Score: 2

    The Electronic Communications Privacy Act and the Computer Fraud and Abuse Act combine with state "Blue Sky" computer crime and fraud law to make this tactic amazingly dangerous for anybody who does this. G-d forbid the license should (accidentally or otherwise) harm any system in any way in so doing -- the damages and liability could be enormous, and there may well be substantial criminal responsibility as well.

    In short, anybody who even begins to perform a passive security audit of a system of another without having obtained written consent TO DO EVERYTHING THAT WAS DONE (exceeding authority can be a crime as well as obtaining authority in some cases) risks the slings and arrows of abusive attorneys.

    It would be nice to have a vigilante virus out there -- the guy who wrote it might even become some kind of folk hero. Even so, he might spend years in jail for his good deeds, and g-d save him if he messed up.

  78. Re:Don't be a part of the problem - Cisco fix by Anne_Nonymous · · Score: 2, Informative

    Also affected are Cisco 678's.

    See http://www.qwest.com/dsl/customerservice/coderedvirus.html

  79. it has already happened by node3667 · · Score: 2, Informative

    The virus nVIR A was propagating in the Macintosh world (1990). Someone created a second one, nVIR B, to counter-attack nVIR A and replace A with itself.

    There were bugs in nVIR B, making the computer partly unusable, and nVIR B could propagate on a computer which wasn't infected by nVIR A.

    Not everybody was happy :-(

    bye

  80. Re:Its entirely possible by starseeker · · Score: 2

    I'd say a stranger in my house DOES pose a threat to my family. I don't know who this creep is, or what he intends. If my family is at stake you'd better believe I'm going to play safe. I might not shoot the instant I see him, but I'd sure take aim and if he tried to flinch without my permission he's history.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org

  81. Attention is Money by ka9dgx · · Score: 2

    Attention is money, welcome to the true new economy.

    Perhaps system administrators have other things to do other than keep applying patch after patch to the rubber dinghy Microsoft built as a web server. As long as we have good backups, why bother until something goes wrong? It's a waste of attention to keep patching things, not to mention the odd service pack disasters that make things worse than before.

    Don't go blaming the system administrators who have better things to do, put the blame right where it belongs, in the developer's lap. They should test their code, and not count on us as their test lab.

    --Mike--

  82. Re:R U Nuts? by Tower · · Score: 2

    I'm definitely against the idea of another virus/worm, but if the anti-worm resided on a server and only activated in response to a request from an infected server (the reply to the infected server caused the cleanup and patch, plus installed the anti-worm)... it couldn't propagate without provocation, and would slowly eliminate the infected machines. Bandwidth wouldn't go up, since the anti-worm isn't active, only reactive (and only makes one request per attack, which should then prevent further attacks by the attacking box).

    --
    "It's tough to be bilingual when you get hit in the head."

  83. Not necessary, if people would only research by ColGraff · · Score: 3, Insightful

    There are a lot of good legal resources out there, both internet law libraries, the supreme court web site, and actual "meatspace" libraries. If people would just do a little research before posting, we would have a lot fewer "it seems to me that" posts and a lot more informative "if we apply the ruling in blank V blank" posts. I can dream, can't I?

    --
    I'm the stranger...posting to /.

  84. This is OLD.... by Lxy · · Score: 2

    I've seen this asked many places already. The long and the short of it is that this tactic is ILLEGAL. You'd be subject to the same punishment as the Code Red authors. Yes, your intentions are good, but you're A) accessing a computer system without consent and B) INSTALLING software without consent. This is no different than me walking into your house at 3 AM to install the IIS patch on your server. It doesn't matter that I had good intentions, I'd be at gun point pretty quick. I'd be charged with unauthorized entry regardless... you didn't invite me, I came in, and refused to leave when you told me to because "the patch wasn't finished upgrading".

    --

    There is no reasonable defense against an idiot with an agenda
    :wq

  85. Good Samaritan laws? by TheFlu · · Score: 2

    I know several states have laws that afford some level of immunity to people who have the intention of helping others (more info here). These laws usually deal with physical actions, such as performing CPR on someone, trying to save someone from a fire, etc...

    In a sense, "white hats" are merely Good Samaritans themselves. Perhaps new laws should be passed to cover the actions of Good Samaritans whose intent is to help others online.

  86. Re:Its entirely possible by jgerman · · Score: 5, Informative

    It's not necessarily true that an American citizen can respond with deadly force to criminal trespass. That varies state by state. Here, in MD, for example, if someone breaks into your home and threatens you, you must make every effort to vacate the home. You cannot just shoot him for trespassing, breaking and entering, or anything else.

    Guess that means if my machine gets hacked here I have to give it over to whomever hacked it.

    --
    I'm the big fish in the big pond bitch.

  87. What if you screw up? by r_j_prahad · · Score: 2

    What if your beneficial virus has a coding flaw that you didn't catch when you were testing it? And it streams across the net and takes down thousands of websites unintentionally?

    I can tell you what'll happen; your wardrobe the next day will be an orange jumpsuit and shower shoes.

  88. You'd spawn a war that hasnt escalated so far by SirSlud · · Score: 4, Insightful

    Actually, there's nothing like a challenge to a virus writer .. so I'll bet if you started spreading a good one, you'd just start escalating the war. Sometimes I believe viruses haven't caused major catastrophes yet because we don't fight viruses with viruses. Think of guns .. since we fight guns with guns, it really ends up coming down to who has the most/biggest guns. Do we really want to find out who has the most time and haxoring genius, the black hats or the white hats?

    --
    "Old man yells at systemd"

  89. Re:Its entirely possible by VivianC · · Score: 4, Insightful

    IANAL but....

    There is really no single law that covers this so a lawyer would be useless in this case. You could get ten different opinions from five different lawyers and any or all of them could be right. Or wrong. That's what Judges do.

    Now, with the PHP or CGI programs that do something to a computer, it would be a very grey area. After all, the 'attacking' computer is actually requesting information from your machine. You are simply returning information. Then you can get into the motive of the requestor and the motive of the author and it gets even worse.

    Basically, all a lawyer is going to tell you is his theory of how a set of laws will be interpreted. Only Judges can actually do the interpreting.

    --
    Viv

    Gmail invites for ip

  90. Same Sides Issue by virg_mattes · · Score: 2

    > Colorado (for positive) and many other states have a "make my day" law.

    This doesn't contradict my original statement. Note that my example describes a break-in when the homeowner isn't home (the MMD law doesn't apply) and that when he/she is, that the burden of proof for threat rests with the homeowner (MMD laws relax that burden considerably, but they do not remove it).

    Virg

  91. net police by SKicker · · Score: 5, Insightful

    If these worms are illegal because they gain unauthorised entry then of course making a 'friendly' virus is illegal because it is doing the same thing.

    Having good intentions is nice but consider this (fictional) scenario: A local cat keeps trying to have 'relations' with my cat and I don't know who the owner is, plus the owner is unaware of their cat's activity. I catch the cat and get it 'fixed' without the owner knowing. When the owner finds out I doubt they or the police would be too pleased about it. Swap 'cat' for 'web server' and you have this Code Red situation.

    Yes the internet is unpoliced but I don't think the 'Do-Gooder' virus is a very good answer. Internet policing is an interesting new subject but traditional security ideas still apply - the owner of the house is the one responsible for making sure the door is locked. People need to be taught this applies to the internet too.

    (And no jokes about unauthorised entries thank you very much)

    1. Re:net police by WNight · · Score: 2

      Your analogy didn't convince me that anti-worms are bad, rather it convinced me that people who can't take care of themselves or pets should be taken care of in the most expedient fashion.

      I will consider vigilante-spaying the next time one of my neighbors has a cat which is in heat and past its first heat (which you're not supposed to spay a cat before). It'd be well worth the $40 to get a night of sleep, and I am a firm supporter of spaying/neutering all your pets anyways. Always pisses me off when people don't and contribute to the problem of unwanted animals.

  92. Re:Source? by FatOldGoth · · Score: 2

    As promised.

    They're a bit rough and ready, and will require some customisation and possibly a minor bit of hacking. I've put a few comments in to make that easier, though. Good luck!

    --

    I would be a paid subscriber if Taco and Hemos weren't such cunts
  93. Great business plan. by supabeast! · · Score: 2

    Supply programs that do this for all the latest viruses to the IT departments of companies with bad/lazy/not enough sysadmins. Charge them a yearly fee, and just email them a new worm that will go through their network and close all the holes behind itself once a week. Have a client that they can put on their firewall to keep it from escaping to external networks (Or just program it to stay on local networks.).

    There are companies out there that might actually pay for this.

  94. Simpler, non-illegal technique to stop code red by btempleton · · Score: 2

    Create a ScriptAlias on your web server, so that fetches of "default.ida" go to a CGI which responds, very slowly -- just under Code Red's timeout -- with whatever Code Red is looking for as the response of a successful penetration.

    I know it creates a lot of threads, but assuming it will tolerate a decent timeout, enough of these would slow it down quite a bit, until it dies from people installing fixes.

    Anybody taken apart the virus to know what timeout to use and what response it's looking for?

    --
    Has it been over a year since you last donated to the Electronic Frontier Foundation
  95. What if my 'default.ida' was a program? by mgkimsal2 · · Score: 2, Insightful

    The worm goes after 'default.ida' as I can see. They're trying to execute a program on my system. (default.ida). If my default.ida was actually a script that sent a payload back, and that payload just HAPPENED to be commands to disable their system, what's the harm there? I'm not ACTIVELY exploiting their system. I'm only sending a payload back in response to a request that THEIR system requested. Seems pretty clear cut to me.

    Code red backdoor checker

  96. Re:Why do favors? by elefantstn · · Score: 2

    If I install Win2K or NT on a box connected to the net right now, there is a high probability I will be infected before I can even apply the patch. That's a fact.

    If I install Linux/BSD/etc with Apache on a box connected to the net, I will end up with an access.log full of default.ida?XXXXXXXXXXXXX requests and nothing more. That's a fact.

    It's disingenuous to say that the indexing hole is comparable to "some CGI script," because that CGI script is not a default component of the Apache installation. The relative security records of Apache and IIS are not the result of "open" vs "proprietary" development models, they are the result of the attitudes of the respective developers towards the need for new features and accountability to end users. IIS doesn't end up with more holes because it's "closed-source," but because it's designed to add as many features as possible and install those by default. This isn't an ideological difference, it's a difference in good development practices.

    --
    If it ain't broke, you need more software.

  97. That doesn't solve the problem. by Mustang+Matt · · Score: 3, Informative

    The solution is twofold.
    A: Microsoft needs to release more secure OS/Web servers.
    B: People need to patch their system themselves or take it off the net.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin

  98. Re:Correction Was:You could do that, but don't! by RedX · · Score: 2

    Nope, you didn't /. any of those, but you did save me some time in tracking down a CRII-infected server to play with. Seems you can manipulate the files in the \inetpub directory, but very few anywhere else. Making a dir on the desktop didn't work, but their index.asp has been renamed. Hopefully an admin with 1% of a clue is supporting this server.

  99. this is not legal by egomaniac · · Score: 2

    Lots of people here are saying "this is legal because you have good intentions" ... which is, of course, absolutely not true.

    Imagine you got home after work one day, and found your front door standing wide open. You frantically search the house, and find a complete stranger sitting down at your computer. He cheerfully tells you that your computer was infected with a virus, and that he's going around the neighborhood breaking into people's houses fixing their computers.

    No damage was done, because he merely picked the lock to the front door. You check out your computer and as far as you can tell everything looks fine, so it seems like he was telling the truth.

    Do you:

    A) say "Oh, that's okay! Thanks for fixing it!"
    B) tell him to get the hell out of your house, and then call the police?

    I'm betting the vast majority of you would pick (B). Now (just like all the other idiots on /.) IANAL, but I imagine the courts would be quite willing to see a counter-worm situation similarly. It is not legal, and it could land you in some serious trouble even if your intentions were pure.

    --
    ZFS: because love is never having to say fsck

  100. I suppose... by Scoria · · Score: 2

    ... that the Slashdot editors don't read Slashdot.

    This has been discussed on the other three Slashdot stories about Code Red.

    Each time, none of the comments have risen above +1. Some have even been modded down to...

    ... -1, redundant.

    Nevertheless, this is a good idea. You have to remember that not all NT administrators are anything more than employees of a small company trying to see what this "Internet and web server" thing is all about. They'd patch, but they just don't know how. (And yes, I know. If they don't know how to administer it, they shouldn't be trying to.)

    I believe that the United States FBI still counts this as an unauthorized intrusion, so watch out if you do try to inject something like this into the Internet...

    --
    Do you like German cars?

  101. Be Kind, Just Remind by SuperKendall · · Score: 2

    How about instead of actually patching the machine or doing something else to affect the state of the machine (like turning off the web server), you simply pop-up a message on the screen that says "This machine infected with Code Red, please download update from Microsoft.com/security" or something along those lines. I'm not sure myself how you'd go about raising a message or dialog box but there are probably a number of ways you could do this.

    That way you don't enter the grey area of messing with another user's machine, and since most of these boxes are probably home machines they'll get the message pretty quick that someone can do anything they want with the machine and they should patch it pronto!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

  102. Re:Its entirely possible by catfood · · Score: 2, Funny

    > I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?...
    > Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?

    I didn't ask my lawyer about this, because I know exactly what he would say. "catfood," he'd say, "what happens if you don't send the white-hat virus to those hosts that are probing you?" And I'd say that basically nothing bad will happen to me; I'd just get a couple hundred hosts a day knocking on my door and not getting in. And then my lawyer would say, "and what might happen if you do send the white-hat virus out?" At which point I'd say well, I guess it's remotely possible that I might break something, and the other host's manager might notice it...

    And then my lawyer would say, "Don't be an idiot. You'd be exposing yourself for no benefit to yourself, right?"

    Then I'd say okay, you're right, and my lawyer would send me a bill for $300.00.

    I save a lot of money by asking myself, "what would Tim the Lawyer say?"

  103. Re:This is definately not a good idea by Keeper · · Score: 2

    There's a small difference here.

    The fact that a hole exists isn't the problem. The fact that a hole is being exploited actively, and being used to propagate software to hundreds of thousands of boxes (causing all sorts of bandwidth problems) is a SERIOUS problem. Compounded by the fact that 90% of the people who are currently infected by it WILL NEVER FIX THE PROBLEM THEMSELVES. This has been going on for almost a week now, and it's only getting worse! My server at home is getting hit by this damn thing multiple times per minute! Hell, after this thing was in the wild for the first 16 hours, I had 355 registered attempts to hit my box with it.

    The app you speak of did four things:
    * it patched holes
    * it left open a new backdoor
    * it tried to spread itself
    * it told no-one what it did

    I'd have no problems with something that patched compromised holes, didn't leave open any backdoors, didn't attempt to spread itself, and told the owner of the box in some fashion what it did. Some would argue that "well, they'll have to wipe the box because who knows what was done by the fix" -- guess what, they should have done that in the first place, because god only knows who else did nasty things before the hole was patched...

  104. We've been over that... by Greyfox · · Score: 2
    Creating a new worm and sending it out over the net can be pretty easily classified as illegal, even if it's to a beneficial purpose.

    Somewhat more hazy is setting your web server up to shut down a web server that just scanned you for Code Red II. That would be completely passive and would have a hell of a lot more benefits than drawbacks. If you're evil you could also bill the owner of the server for administrative services (With about 2000 scans since Saturday, I could have made a hefty chunk of change on paper had I been doing this heh.)

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  105. Re:Not always by WNight · · Score: 2

    Perhaps she'd have been a bit annoyed, but if he saw her leave, and she went far enough that he lost sight of her, it would also be enough time for a burglar to get in.

    She might have to call to get someone with a spare key to come over, or at most, a locksmith whose price I'm sure Startled would have paid half of, but it's a small price to pay compared to having your stuff gone, or someone waiting inside when you come home...

    And if she did want it that way, she need only tell him once and he'll never help her that way again.

    It's never happened to me, but if I was in a parking lot and saw an unlocked car without an obvious alarm, I'd open the door, lock it, and close it. To avoid risk of a theft charge, I'd get a random passer-by to witness it, so that it was obvious I was only locking the door if the owner came back right then. But I would lock the door. I don't want anyone to have to pay out a large deductible and lose their CDs, etc. That sucks.

  106. Re:Its entirely possible by jgerman · · Score: 2

    You'd think so, but there are plenty of cases in turn where the family sues for damages, or even worse murder charges are pressed. Revel in the beauty of the U.S. justice system.

    --
    I'm the big fish in the big pond bitch.

  107. It has happened already by hexx · · Score: 2, Insightful

    Cheese, a Linux worm, did this.
    Read This

  108. Re:Its entirely possible by johnwbyrd · · Score: 5, Insightful

    Slashdot desperately needs a full-time lawyer. It's a great site for Internet geek stuff but nobody on the site has the first fucking clue about liability law. That in itself would not necessarily be awful if it were not the case that all discussions here invariably end up with a bunch of laymen talking legal theory. Lawyers, help!

  109. Rehash/summary by AnotherBlackHat · · Score: 2

    Worms bad... Virus bad...

    There have been many suggested responses, in approximate order of grayness:

    1. Do nothing.
    2. Send email to any system that probes yours.
    3. Provide a patch, and make it easy to download and install.
    4. Have a bot send email to any system that probes yours.
    5. Provide a web page that activates a bot that exploits and patches a system.
    6. Have a bot exploit and patch any system that probes yours.
    7. Have a bot exploit any system that probes yours, and patch it with the bot.
    8. Actively search out infected systems and patch them.
    9. Actively search out infected systems and patch them with something that actively searches for systems.
    10. Write an even more virulent worm that patches systems.

    I feel that arguing the current legality of the above options is meaningless. The question is, which of the above is the right thing to do. Once it's decided what the right thing is, then we can change the law to make that legal.

    Personally, I would be opposed to anything past 6, as they all involve unlimited expansion, and thus are potentially more harmful than the worm they are stopping. Below 5, I think is ok, although 4 does have some potential for harm. As long as the bot is properly limited to, say, one email per infected system per week, then I think the response is justified.

    5 is curious - it does involve cracking the infected system, but theoretically only at the behest of those who are infected. There is, however, a potential for abuse - you could spoof a request, and trick it into patching a different server. However, someone would have to actively choose to spoof it, so it effectively is no different than the spoofers running the exploit themselves. I.e. you've made it a tiny bit easier for them to do it, but didn't actually initiate the action.

    6 is onerous. It does involve cracking a system - but it's a system that is "attacking" you, and potentially others as well. I would rate it about the same as cold cocking someone who's been drugged, and is now running around swinging at everyone they see. I'm nervous about the idea of vigilante cracking, though - too much potential for abuse. Perhaps a compromise between this and 4 above - have someone "trusted" set up a cracker/patcher that only patches servers that are reported to it, and which it also agrees are infected and dangerous. Sort of like calling the net-cops on the server.
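    Option 4 with the rate limit the poster proposes, as an added example that is not from the post: a scanner over web access-log lines that flags the Code Red probe target (default.ida) and the Code Red II virtual-drive backdoor path mentioned elsewhere in the thread, and throttles notices to one per source per week. The log lines, IP addresses and signature names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:10:01:12 +0000] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 287
10.0.0.5 - - [05/Aug/2001:11:30:00 +0000] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 287
10.0.0.9 - - [06/Aug/2001:09:00:00 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
10.0.0.7 - - [06/Aug/2001:09:05:00 +0000] "GET /index.html HTTP/1.0" 200 1024
10.0.0.5 - - [13/Aug/2001:12:00:00 +0000] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 287
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# Request-path signatures taken from the thread: the Code Red probe target and
# the Code Red II virtual C:/D: drive path used to reach cmd.exe.
SIGNATURES = {
    "codered-probe": re.compile(r"^/default\.ida", re.I),
    "codered2-backdoor": re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I),
}
NOTIFY_INTERVAL = timedelta(days=7)  # "one email per infected system per week"

def classify(path):
    """Return the signature name matching a request path, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None

def scan(log_text):
    """Yield (timestamp, source_ip, signature) for each suspicious request."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, path = m.groups()
        sig = classify(path)
        if sig:
            yield datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S"), ip, sig

def notifications(log_text):
    """Rate-limited notice list: at most one entry per source per NOTIFY_INTERVAL."""
    last_sent = {}
    out = []
    for when, ip, sig in scan(log_text):
        if ip in last_sent and when - last_sent[ip] < NOTIFY_INTERVAL:
            continue  # this source was already notified within the window
        last_sent[ip] = when
        out.append((ip, sig, when.date().isoformat()))
    return out
```

    The returned tuples are what a notification bot would hand to its mailer; sending is deliberately left out so the logic can be checked offline.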

  110. Discussion rerun? by abischof · · Score: 2

    Haven't we already discussed this?

    --

    Alex Bischoff
    HTML/CSS coder for hire

  111. I can see it now... by pukeAndCry · · Score: 2, Funny

    VbScript that uninstalls MS Outlook?

    JiM
    ---

    Better Living Through Reckless Experimentation

  112. Because of this the internet is dying.. by cybrthng · · Score: 2
    Really..

    I can no longer run services on port 80. As of tomorrow port 25 is filtered.

    Verizon is my DSL provider, Telocity is the only other choice and they use Verizon's network, so the filters will remain even if I switch.

    I pay for Pro service and now some Virii/Worm has expired my abilities to run a hobby server at home

    Cable modems (@Home) aren't available in my area yet and they have a terms of service prohibiting running servers.

    Is the internet dying now that monopolies have 100% control? I mean Verizon is blocking services, other ISPs control the content and now even if I switch providers I'm still paying for a monopoly after all?

  113. Re:I Hope You Keep Bail Money Near Your Gun OT by Ed_Moyse · · Score: 2, Insightful
    Maybe in places like the UK they don't mind that robberies while the owner is home have gone up since the draconian gun laws. I do.

    Interesting. I read this over and over again on the internet, and it is complete and utter bollocks. If you were a burglar in the UK you were (and are) very, very unlikely to get shot even before the "draconian" gun laws came in. There simply weren't enough guns around to make it a worry. So even if burglaries HAVE gone up since then, it's completely and totally unrelated.

  114. Not a good idea by rangek · · Score: 2

    Just look at how many of these worms have had little bugs in them, like not attacking when they were supposed to, or emailing the wrong drop and stuff. All we need is some cowboy thinking he is going to clean up the internet and messing up even more stuff.

    Ever see that movie Office Space? One wrong decimal point could mean big trouble. It is bad enough these people have to run Microsoft's buggy code. But at least they chose to do that. They shouldn't be forced to run your buggy code too, even if you are trying to help.

  115. Its entirely possible by baptiste · · Score: 5, Interesting
    Code Red II leaves a huge hole - the virtual C and D drives - so even if they remove the root.exe file, as long as the explorer.exe is infected, you can access any file via /c or /d in your GET request (i.e. /c/winnt/system32/cmd.exe?any cmd you want).

    I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean, if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

    Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?

    1. Re:Its entirely possible by Tassach · · Score: 2
      If you wrote a program that counter-attacked any Code Red-infected server that attacked you, the proper analogy would be returning fire whenever someone shot at you.

      However, if your countermeasure does anything BESIDES stopping the attack, you are going too far. IMHO, it would be ok to write a countermeasure that shut down the attacking system, or even one that patched the hole IN THE SERVER THAT ATTACKED YOU; but it would be wrong to develop a countermeasure that then tried to run itself on the "disinfected" machine and spread itself to other infected machines that never attacked you directly. The first scenario is (at least potentially) defensible under accepted doctrine (self-defense, good samaritan); the second is not.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?

  116. Take it one step further... by Overt+Coward · · Score: 2, Flamebait

    And after closing the hole, the counter-virus should stay resident and launch a counter-attack against anyone who tries to exploit the hole with anything other than the counter-virus.

    1. Re:Take it one step further... by Overt+Coward · · Score: 2
      You know, I keep forgetting that I have to mark sarcasm as such when I post on the Internet -- inflection is lost entirely. Apologies to anyone who thought I was being serious.

      The original post, above, should have been flagged "(-1, Smartass)".

  117. Use of Anti-Code Red Script Considered Harmful by Xeger · · Score: 2

    After hearing what everybody has to say, I've decided that this sort of script is probably not a good idea. To those of you who replied to me via email, I'll send you a link to a webpage where I'll be putting up the script, once I get hold of it. You'll be able to reach it after clicking through a disclaimer.

    I would still advise against anyone using this in "production" (i.e. to combat live code red attacks on the open Internet.) Think about it:

    If, for some reason, your copy of the script mis-performs and corrupts IIS DLLs or executables on the attacking host, you will be liable.

    If the federales are monitoring traffic and see your box actively exploiting the Code Red hole, you're in trouble.

    If your ISP notices your box "propagating" Code Red, then you are likely to be denied service (in the most literal manner) and your account might be terminated.

    So, in the final analysis, it's probably better just to put up a default.ida that does a "net stop w3svc" (as someone else here recommended) or does a reboot.

  118. This is definitely not a good idea by Foxman98 · · Score: 2

    While the Code Red virus has been spreading rapidly, in part due to all those Windows 2000 users on cable modems, I think this idea of "fixing" everyone's computer is a really really bad one.

    By connecting to someone else's computer, and running code on it without their permission, you are in fact committing an illegal activity. I think a much better idea would be to politely inform the machines' owners that their server is infected, and also provide a link to the patch.

    Any unauthorized access is scary. Remember that worm a while back that went around and "fixed" unix systems by patching holes? Remember the outcry about how no one would want that because it was "Their" server and whatnot. Same thing applies here.

    --
    S.t.e.v.e.

  119. Code Red II is an anti-virus, partially by Thagg · · Score: 2
    Code Red II has a fighting chance of killing off Code Red I, as it reboots machines that it finds. So, it is partially a good thing; beyond the fact that it will probably convince a percentage of people to abandon Microsoft servers.

    thad

    --
    I love Mondays. On a Monday, anything is possible.

  120. This is a Bad Idea by Satai · · Score: 4, Insightful

    This is a very Bad Idea. First of all, unauthorized access to a computer is, by definition, unauthorized. Any worm which spreads changes is illegal and as such a Bad Idea.

    No matter how good your intentions are (RTM just wanted to play around, right?) you cannot take the "law" into your own hands.

    Ethical issues aside, it would be very dangerous to begin publicizing that there was a beneficial worm available; immediately, we would get copycat worms everywhere, appearing the same (yes, this could probably be circumvented by MD5 checksums or something, but jeez, if the webmaster was going to go through THAT much trouble, they'd install the damn patch themselves!) but doing far worse things.

    I'm not usually one to spout Libertarian philosophy - but in this case, if somebody wants to leave their box open - through ignorance, laziness, or some other ineffable reason - that is their choice and not the choice of some 15-year old hacker who thinks he'll redeem his l33t friends' images in the media's eyes.

    The defenses always have to be kept up - or else you have to start making judgment calls about which outside sources to give access to, which is a path no one wants to go down.

  121. Re:There's a reason for that. by mgkimsal2 · · Score: 2

    I don't see at all why it's a bad idea. Please explain.

  122. Why not get providers to get heavy? by Goonie · · Score: 2

    In this case, why don't the cable/xDSL providers start suspending the accounts of people with infected computers? That tends to get people's notice a lot more effectively than vigilante counter-viruses . . .

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)

    1. Re:Why not get providers to get heavy? by J'raxis · · Score: 2

      MediaOne.net prefers an approach à la machine-gunning a mosquito: completely block port 80 on their entire customer network.

  123. Re:Darwinian Predator - Prey relationship on the n by Dwonis · · Score: 3, Funny
    This is exactly the situation we want! It will force all our bosses to see that security is of utmost importance, and it will force Microsoft to either shape up or ship out.

    If only this sort of thing weren't illegal where I live...

  124. Re:ERRR, HELLO!!! ATTEMPT TO CONTACT WORLD!!! by J'raxis · · Score: 2
    Create a default.ida file on your website (or whatever IIS file the next Windows worm chooses to exploit) with your "terms and services of usage":

    By connecting to this machine, you agree to the following...

  125. Re:plural of virus by J'raxis · · Score: 2

    Depending on what declension it is (I haven't dealt with Latin in a long time), wouldn't the plural either be virî (one I) or virûs in Latin? I seem to remember that there are a few strange (fifth declension?) -us words that are pluralized with -ûs.

  126. Re:I Hope You Keep Bail Money Near Your Gun OT by urtica · · Score: 2, Informative
    For more stats and analysis on guns than you could possibly want, see Tim Lambert's archive of his postings to talk.politics.guns.

    Country        % at-home burglaries   % gun ownership   homicide rate
    Netherlands    48                     2                 0.9
    England        26-59                  5                 0.7
    Australia      10                     20                2.0
    Canada         10                     31                2.1
    USA            14                     49                8.8

    The Australian "at-home" burglary rate is actually for Victoria. The range given for England is because the rate is 59% for attempted burglaries and 26% for completed burglaries, so the overall rate must be somewhere in between.

    When one looks at the Australian and Canadian figures, the relationship between gun ownership and "at-home" burglaries isn't so clear as some like to make it out. The correlation between gun ownership and homicide rate is much clearer.