Slashdot Mirror


Fight Virus With Virus?

Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time?" The submitter raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?

32 of 697 comments

  1. Just 13 years behind the times... by iapetus · Score: 5, Insightful

    The first such anti-virus virus, Den_Zuko, was discovered in 1988. Check out this article on VNUnet, which has more info on the history of such software and why it's a bad idea.

    More recently, the Linux.Cheese.Worm has done similar things for Linux users infected by the Linux.Lion.Worm.

    --
    ++ Say to Elrond "Hello.".
    Elrond says "No.". Elrond gives you some lunch.
  2. Don't be a part of the problem by Speare · Score: 4, Interesting

    Why do schools neglect an ethics curriculum?

    Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.

    If you're being hampered by Code Red hits, make a script to firewall off every infected computer for a day. Allow those firewalls to expire, and if they're still infected, they'll get blocked again.

    • "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
    Yeah, that means you. You're giving up liberty -- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.

    If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.

    It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.

    --
    [ .sig file not found ]
    1. Re:Don't be a part of the problem by blakestah · Score: 5, Informative

      Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.


      Now there is ethics and there is ethics. Here is a scenario that occurred once in Baltimore. A house thief hot-wired a car. He jammed the steering wheel all the way to the side and floored the gas. The car spun and made lots of noise. Meanwhile, the thief broke into people's houses (that is besides the point). Am I ethical if I jump into the moving car and turn it off?

      The point I am raising is that the car poses a risk to society. I am altering someone else's property in stopping it. However, I don't think it can be called unethical. The danger was created by someone who was not the owner - removal of that danger by another third party can be ethical depending on the magnitude of the danger and the alteration of the property.

      As another example, suppose my neighbor's house is burning and his 10 year old is screaming at the window, and he is not around. Am I ethical in breaking in to save his child? In this case the answer is really clear.

      In the case of machines compromised with CodeRedII, consider the capability for MASSIVE DDOS directed at anybody launchable by anybody. Those machines are tools to be used by anyone for any reason they like. They can be used as launching points for hacks on military sites. They can be used to snoop for passwords etc. If you go onto those machines and simply remove them from the network by shutting them down (in an orderly fashion), I think you could argue rather strongly that you are taking such action in the interest of public safety.

      Ethics is rarely so cut and dried that one could claim that you should NEVER alter someone else's property.

    2. Re:Don't be a part of the problem by Speare · Score: 4, Insightful
      Ethics, sure. Morality, no. There's a difference.

      ethics:
      2. Being in accordance with the accepted principles of right and wrong that govern the conduct of a profession.

      moral:
      1. Of or concerned with the judgement of the goodness or badness of human action and character.

      You want an ethical lawyer, but not one who applies morality. You want an ethical doctor, but not one who judges your morality.

      Ethics is reflective, driving one's own behavior with respect for others. Morality is applied to others, and rarely implies respect for others.

      --
      [ .sig file not found ]
    3. Re:Don't be a part of the problem by CharlieG · Score: 5, Interesting
      You say:
      It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.


      The thing is they CAN seize you and force you to take medicine IF you are determined (usually by 2 doctors) to be a danger to yourself or others. Ever hear the term "Involuntary Commitment"?
      There ARE times when you are forced to do things.
      --
      -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
    4. Re:Don't be a part of the problem by Rinikusu · Score: 4, Insightful

      Hell, I'd give even another example.

      When I was 4, I was in my apartment complex running around like a, well, screaming 4 year old. One of the residents (happened to be an RN) was watching me play with my brother and then called me over to him. He took a good look at me, grabbed my hand and took me to my apartment.

      "Your son has the measles. Take him to the doctor, now."

      There was a person, completely unrelated to me, who didn't even have kids whom I could "endanger" with my measles. Was he within his rights?

      The original poster must realize that an infected machine has already been compromised by an intruder. If you walk past an apartment and see someone has forced the door open and is ransacking it, do you continue walking by? Or do you yell at the thief? Call the Cops?

      Those "infected" machines are flooding the pipe that I'm paying for, so doesn't that make them some part of a "commons" that makes them part of everyone's responsibility?

      If my neighbor is playing his music too loudly, don't I have the right to knock on his door and say "Hey, turn that down, please?"

      If I'm being constantly probed by thousands of infected machines, my internet access greatly slowed down by all the garbage in the pipe, don't I have a right to find the owners and tell them "Hey, knock that shit off. Fix your damn machine, it's hurting everyone."

      Furthermore, to pick on another pet peeve of /., doesn't the consumption of bandwidth by infected machines remind one of the arguments *against* spam? "I pay for my access, I don't want to pay for spam." Twist that into "I pay for my access, I don't want to pay for some virus propagating at my expense..."

      Just some thoughts...

      --
      If you were me, you'd be good lookin'. - six string samurai
  3. Possible? Yes, of course. by Tim C · Score: 4, Insightful

    A good idea? Absolutely not.

    Part of the problem with worms isn't just the malicious acts that they perpetrate, it's the bandwidth that they use.

    A particularly virulent worm can bring servers and routers to their knees just propagating itself. That's before it even gets the chance to do any of its intended damage. (Remember Melissa, or The Great Internet Worm?)

    Add to this very real concern the fact that striking back in this way, no matter the good intentions, is almost certainly illegal, and the whole idea is a definite no-no.

    (Yes, it does have a certain appeal - but so do many other things that are bad ideas, too)

    Cheers,

    Tim

  4. A K5 User has published an anti-CodeRed virus by hillct · Score: 4, Informative

    A K5 user has provided the source to a proposed code-red anti-virus, which actively repairs remote systems infected with the code red virus. The legal implications of this are a big issue, but it's certainly an interesting code example.

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
    1. Re:A K5 User has published an anti-CodeRed virus by BigBlockMopar · Score: 4, Interesting

      The legal implications of this are a big issue, but it's certainly an interesting code example.

      Yeah, it's a great idea. It would be wonderful to see someone do it, but at the same time, if you did, you're as bad as the virus writers, since this would propagate everywhere and make changes on their systems without their consent.

      For me to even academically consider such a virus, it would also have to automatically e-mail the (l)user whose machine has just been patched, and state "You are an idiot. You've been negligent in the maintenance of your webserver. A benevolent UNIX/Linux geek wrote a virus which propagates by the same method as Code Red and it has now fixed this vulnerability on your machine. To learn about real webservers, go to www.apache.org."

      But based on what I'm seeing from the description (I haven't unzipped/untarred it yet), I suspect it's more along the lines of what I've been wanting to do. If I get a request from an IIS-infected machine, why not have it force a reboot of that machine? Through the negligence of the system's owner, it attacked me. Why can't I merely force a reboot, clear the virus from the memory, and hopefully alert the imbecile involved that he's got a problem?

      Take a look at my webserver log (link from my sig). I seem to be getting hit by the same IIS-infected hosts over and over. I'm sure the IIS-infected machines are getting hit by the same other machines over and over. If I were to force a reboot of those machines which attempt to infect my Apache server, then they'd promptly be reinfected, and since Code Red II scans within a tighter range of IP addresses, I'd probably take that machine down again. Of course, the cycle would repeat, and infected machines where I'm within their scanning range would be coming up and going down all day. Surely the owner would eventually realize something was wrong?

      I'd love to do this, but I still don't like the legal implications. Stealing a car to prevent someone driving while drunk is still illegal, and this is a lot less clear-cut.

      --
      Fire and Meat. Yummy.
  5. Anti-Sircam Virus by zpengo · Score: 5, Funny

    Why not take the Symantec Sircam cleanup utility, patch it to make it self-propagating, and then e-mail it out with the message "Hi there! I send you this because you're a stupid fscking idiot. :)"

    --


    Got Rhinos?
  6. This has already happened by cnkeller · Score: 4, Insightful
    A while ago (months?) someone had a "beneficial" virus, that was making the rounds and fixing security holes in Windows I believe. The name escapes me. The author (who publicly claimed responsibility) caught quite a bit of flak over it. Who knows what kind of hidden payload you're packaging in addition to the helpful features.

    Personally, I feel a virus is a virus, regardless if your intentions were good. You're not any better than the hundreds of losers out there creating this mess. If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.

    --

    there are no stupid questions, but there are a lot of inquisitive idiots

    1. Re:This has already happened by blair1q · Score: 4, Insightful

      >Personally, I feel a virus is a virus, regardless if your intentions were good.

      It's probable that you don't understand the difference between right and wrong.

      Think of cops and robbers. We have bad guys with guns running around on the streets, and we have good guys with guns running around on the streets. Neither group is very bright, and both are liable to shoot you for pulling your wallet out too fast in a darkened doorway. Still, we know which group we're going to train and pay to protect us using their own judgment.

      A neighbor who checks and locks my door is far more neighborly than one who walks in, spray paints graffiti on my walls, craps on my carpet, leaves a dead rat hanging between the old coats in the closet, and says "oh, you have a security problem, you should get that fixed before someone does something bad to you".

      People who bought buggy software got ripped off, and you're discouraging conscientious software engineers from providing free, automatic service to those people, and preventing them from becoming unwitting dupes in spreading the bad viri around the world.

      But you shouldn't live in fear that this will become epidemic. People who do know right from wrong and who do choose to do right understand that doing right is often mistaken for doing wrong by people who don't know the difference, and our system of justice isn't based on right and wrong, it's based on perception, so they won't take the chance of being railroaded, Good Samaritan law or no.

      --Blair

  7. Darwinian Predator - Prey relationship on the net by hillct · Score: 5, Insightful

    So now you have a bunch of viruses, and counter-viruses roaming the net. This is not so bad until you have self-mutating viruses and antigens, several generations down the line. Eventually chaos theory will dictate that the nature of the relationship has become so complex as to be unknowable. This is a Pandora's box we don't want to open. It's similar to the human cloning issue, in that there are a lot of good arguments not to do it, but there's one overwhelming argument for making it legal, licensed and monitored; that is, if it's not legal, those who choose to pursue it will not be hindered in that activity, but will be forced to pursue it without oversight, while in hiding and possibly in poorly controlled conditions.

    All you can do here is appeal to the logic of those who would pursue such an activity and suggest that they not undertake it, but regardless of how much you argue, convince and suggest, someone will eventually do it and there will be severe consequences - not all negative, but severe, with respect to how we look at technology and how we use it.

    It could further be argued that those against such undertakings need to adjust to changing technology and make the appropriate changes to their world view. This is what the recording industry is having to do, as well as companies in other well established industries. The same will eventually be true of how we look at software design (computer viruses), and biology (human cloning).

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
  8. Re:There is another way... by friscolr · Score: 4, Informative
    You don't need to do the lookups/etc yourself. You can help security focus send out the mail.

    from the bugtraq post:

    To: BugTraq
    Subject: Infection Notification
    Date: Sun Aug 05 2001 10:50:22
    Author:
    Message-ID:

    If you'd like to help us notify users they are infected please send offending IP data to aris-report@securityfocus.com. Please use the following format:

    IP ADDRESS DATE/TIME WITH TIMEZONE

    Or something similar to this. Please ensure the information is constrained to IP address and date per line as we do our notification automatically and our systems need to be able to understand the data you send us.

    --
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum

    ---end bugtraq post---

  9. Illegal by 3prong · Score: 4, Insightful

    I keep seeing people talk about how invading a server in some cases is legal, because "the intent was good". That is an incorrect interpretation of the word intent. Intent only refers to the crime itself, i.e. did the criminal intend to break-and-enter or was it accidental.

    This means that unauthorized access in the attempt to do a "good deed" is just as illegal as black-hat unauthorized access.

    For this to happen, someone with the antidote virus would have to break the law to spread it and apply it. Of course, Robin Hood was considered a criminal too.

  10. Because... by 11223 · Score: 5, Insightful
    Everybody with the ability to do something like that and the lack of ethics to consider it realistically actually wants the rooted boxes for themselves?

    Seriously, folks, everybody who *could* write something like that either (a) recognizes that infecting someone's box is infecting someone's box, closing holes or not or (b) sees no problems in having the rooted boxen out there anyway. I doubt that anybody else actually has the skills to do it.

  11. Re:It's entirely possible by ryanvm · Score: 4, Funny
    I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean, if someone brandishes a gun at me, am I not within my rights to shoot them or at least take their gun away?

    The problem is that 'self defense' only exists in a situation where your personal safety is at risk - like the above scenario.

    It's like asking: If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee?

    Basically, you can't violate someone else's rights unless your own safety is in danger.

  12. You could do that, but don't! by Mendax Veritas · Score: 4, Insightful

    A "white hat worm" of this sort could be made, but its deployment would be just as illegal as the original "black hat worm" it was created to fight. You're still making unauthorized use of someone else's computer. It doesn't matter that you have good intentions. And what if a bug in your code crashes some machines? How do you prove it wasn't intentional, and that your "white hat worm" isn't really a "black hat worm" in disguise?

  13. Re:It's entirely possible by Chris Burke · Score: 4, Funny

    It's like asking: If someone is breaking into your house to use your coffee maker, are you allowed to kick down their door and throw away all their coffee?

    That's a great analogy. Mostly because of the image it conjures.

    --

    The enemies of Democracy are
  14. Already been done by Xeger · Score: 4, Interesting

    I thought of doing this a few days ago and I started coding. I got as far as a script to automatically reboot attacking machines, to help slow the spread of Code Red.

    I had begun work on a worm called Code Blue that would infect Code Red machines and clean them of Code Red. This kind of work is very laborious since it involves writing Intel assembly code that uses the Win32 API and runs in a Windows environment.

    Before I could finish, my best friend (who is a security consultant) informed me that somebody has already done this. There is a perl CGI script going around that you can put into your root directory and name "default.ida" so that infected machines will cause it to execute.

    The script connects to the IP of the attacking machine, uses the Code Red II backdoor to clean the system of trojanned files. Then it uses the very same buffer overflow exploit used by Code Red to send a binary to the server that patches IIS, removes Code Red-related registry entries and reboots the machine.

    1. Re:Already been done by startled · Score: 4, Interesting

      2 things.
      1. Where's the script?
      2. Shouldn't it be modified to install itself? Otherwise, it'll get drastically outpaced.

      Note: yeah, yeah, ethics and so on. Disclaimer, and another one.

    2. Re:Already been done by iabervon · Score: 4, Insightful

      While you're at it, why not set up your server to document that it does that? E.g.

      Go <a href="default.ida">here</a> to check your server for the Code Red worm and remove it if found.

      Unlike an actual anti-security-hole virus, in this situation you are providing a legitimate and documented response to an actual request. If you're not scanning other machines unless they actually ask (either by following the link or by attacking you), it's not really any more unethical than, say, active FTP (if you send this message, I will open a connection back to you and send some data over it). It is no more using the other person's machine than, say, slashdot forcing my machine to render an HTML document or an FTP server forcing my machine to store the document I download.

  15. Why not put up a webpage that people can use? by Keeper · Score: 5, Insightful

    Just put up a website on your computer that advertises the ability to automatically clean the CodeRedII virus off of the viewer's system, if present.

    All the viewer has to do is click a button at the bottom of the screen.

    Just so happens that this particular button sends a request to /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (etc), which then scans the sender's IP and proceeds to start a command session, download the patches, and do whatever else needs to be done to vanquish the worm.

    After all, they did click on the link, right? :)

    Seriously though, if someone wants to get all pissy about you going to their box and fixing their screwup, threatening to sue and the like, I'd just countersue ... after all, they tried to hack your box first. ;)

  16. I've done some of this by RobertGraham · Score: 4, Interesting
    I created a program that automatically checked for the backdoor upon receipt of a /default.ida attack (/scripts/root.exe?). It didn't work: the CodeRedII worm is DoSing itself - after enough reinfections, the server stops being able to respond with requests.

    As a more casual defense, I've written stuff that causes the worm to hang in its receive function: http://robertgraham.com/tools/deredoc. It's kind of fun, I've got hundreds of worm threads waiting for me to respond back to them.

    You can create benign anti-worms. You can set up a worm to only counterattack when attacked itself. Such a worm would not bother innocents, and would only spread to infected systems, cleaning as it went. In other words, it wouldn't be 'scanning' -- it only responds upstream to infected systems. There are two problems to that approach: the first is that CodeRedII DoSes itself, so the systems cannot be exploited, either with the .ida attack or the backdoor. The second problem is that a heck of a lot of these systems are behind firewalls, and you cannot directly contact them on port 80 (CodeRedII has been extremely effective about worming its way around firewalls).

    You can evade legal constraints. Post the source of your anti-worm to Usenet as an example how an anti-worm is constructed. This is legal free-speech -- as long as you don't encourage others to run it.

    CodeRedII is raging inside corporations. It would be extremely ethical to put something on your own machine to help stop it. One example would be a script (CGI, PERL, PHP, ASP) named /default.ida on your system that did something like "/scripts/root.exe?/c+net+stop+w3svc" back at the attacker.

  17. There is another way... by FatOldGoth · Score: 5, Insightful

    ...though it's not quite as effective.

    Since the start of this week, I've been running a Perl script as an hourly cron job that parses my firewall logs, gets the originating IP addresses of any Code Red scans, does a reverse lookup, attempts to extract a meaningful domain name and then mails a polite notification to postmaster and webmaster at that domain. The notification contains a link to the MS page with the details of the relevant patches.

    Since doing so, I've had a number of responses from people thanking me for pointing out the problem and confirming that their server has now been patched. The response rate is only about 1%, largely due to the fact that around 90% of the problem servers are on dial-ups/cable modems/DSL, but it's better than nothing.

    I'm not advocating that everybody, or even a large number of people, do this, as the amount of traffic it would generate would only add to the problem, but it seems like a more legal solution than another, white-hatted, worm.

    --

    I would be a paid subscriber if Taco and Hemos weren't such cunts
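The notification route FatOldGoth describes in comment 17 (parse the logs, pull out the Code Red scan sources, look them up, mail postmaster and webmaster), the report format Elias Levy asked for in the BugTraq post quoted in comment 8, and Speare's "firewall them off for a day, let it expire, block again if they are still infected" from comment 2 are all defender-side log processing. The block below is an added example, not code from this thread or from any of its posters, showing those three steps in Python. It assumes Apache common-log-format input (the sample lines are constructed, using documentation addresses), a constructed table standing in for the reverse-DNS lookups the hourly cron job would perform, and a last-two-labels heuristic for "a meaningful domain name" that is my simplification (it mis-handles two-level ccTLDs). Nothing is sent or connected to; the functions only return the report lines, the contacts to notify, and the block schedule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache common-log-format lines (RFC 5737 documentation
# addresses). A Code Red probe is a GET for /default.ida whose query string
# is a long run of one repeated letter; the second line is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2001:10:50:22 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 283
198.51.100.23 - - [06/Aug/2001:10:51:03 -0400] "GET /index.html HTTP/1.0" 200 1452
203.0.113.7 - - [06/Aug/2001:11:02:41 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 283
192.0.2.55 - - [06/Aug/2001:11:15:09 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 283
198.51.100.23 - - [07/Aug/2001:09:00:00 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 283
203.0.113.7 - - [07/Aug/2001:12:00:00 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 283
"""

# Constructed stand-in for the reverse lookups the cron job would do (offline).
REVERSE_DNS = {
    "203.0.113.7": "dsl-203-0-113-7.pool.example.net",
    "192.0.2.55": "www.example.org",
    # 198.51.100.23 deliberately has no PTR record
}

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Signature: /default.ida followed by 20 or more repetitions of one letter.
CODE_RED_RE = re.compile(r"^/default\.ida\?([A-Za-z])\1{19,}")


def parse_hits(log_text):
    """Return [(source_ip, aware datetime)] for every Code Red probe logged."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, _status = m.groups()
        if method == "GET" and CODE_RED_RE.match(path):
            hits.append((ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")))
    return hits


def aris_report(hits):
    """One 'IP ADDRESS DATE/TIME WITH TIMEZONE' line per hit, as the quoted
    BugTraq post requests: the address and an ISO 8601 stamp with offset."""
    return [f"{ip} {when.isoformat()}" for ip, when in hits]


def registrable_domain(hostname):
    """Heuristic (my assumption): the last two labels of the PTR name.
    Wrong for two-level ccTLDs such as example.co.uk; good enough for a demo."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def notifications(hits, reverse_dns):
    """Group hits by responsible domain and name the postmaster/webmaster
    contacts. Addresses without a PTR record are returned separately so they
    can be reported by IP (to an ISP, or to the ARIS address) instead."""
    by_domain = defaultdict(list)
    unresolved = []
    for ip, when in hits:
        host = reverse_dns.get(ip)
        domain = registrable_domain(host) if host else None
        if domain:
            by_domain[domain].append(f"{ip} {when.isoformat()}")
        else:
            unresolved.append(ip)
    contacts = {
        d: {"to": [f"postmaster@{d}", f"webmaster@{d}"], "hits": lines}
        for d, lines in by_domain.items()
    }
    return contacts, sorted(set(unresolved))


def block_schedule(hits, duration=timedelta(days=1)):
    """Time-limited blocks: the first probe from an address blocks it for
    `duration`; probes while it is blocked change nothing; a probe after the
    block has expired blocks it again. Returns [(ip, start, end)]."""
    blocked_until = {}
    schedule = []
    for ip, when in sorted(hits, key=lambda h: h[1]):
        if ip in blocked_until and when < blocked_until[ip]:
            continue  # still inside the current block window
        blocked_until[ip] = when + duration
        schedule.append((ip, when, blocked_until[ip]))
    return schedule


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print("\n".join(aris_report(hits)))
    contacts, unresolved = notifications(hits, REVERSE_DNS)
    for domain, info in contacts.items():
        print(domain, info["to"], len(info["hits"]), "hit(s)")
    print("no PTR record:", unresolved)
    for ip, start, end in block_schedule(hits):
        print(f"block {ip} {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}")
```

Two details matter in practice. Reporting every hit rather than one line per address keeps the ARIS submission in the exact one-record-per-line shape the post asks for, which is what lets the automated notifier consume it. And in `block_schedule`, a hit inside an existing window is ignored rather than extending the block, so a machine that stays infected is simply blocked again when its day is up, which is the behaviour Speare describes.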
  18. Re:It's entirely possible by jgerman · Score: 5, Informative
    It's not necessarily true that an American citizen can respond with deadly force to criminal trespass. That varies state by state. Here, in MD, for example, if someone breaks into your home and threatens you, you must make every effort to vacate the home. You cannot just shoot him for trespassing, breaking and entering, or anything else.

    Guess that means if my machine gets hacked here I have to give it over to whomever hacked it.

    --
    I'm the big fish in the big pond bitch.
  19. You'd spawn a war that hasn't escalated so far by SirSlud · Score: 4, Insightful

    Actually, there's nothing like a challenge to a virus writer .. so I'll bet if you started spreading a good one, you'd just start escalating the war. Sometimes I believe viruses haven't caused major catastrophes yet because we don't fight viruses with viruses. Think of guns .. since we fight guns with guns, it really ends up coming down to who has the most/biggest guns. Do we really want to find out who has the most time and haxoring genius, the black hats or the white hats?

    --
    "Old man yells at systemd"
  20. Re:It's entirely possible by VivianC · Score: 4, Insightful

    IANAL but....

    There is really no single law that covers this so a lawyer would be useless in this case. You could get ten different opinions from five different lawyers and any or all of them could be right. Or wrong. That's what Judges do.

    Now, with the PHP or CGI programs that do something to a computer, it would be a very grey area. After all, the 'attacking' computer is actually requesting information from your machine. You are simply returning information. Then you can get into the motive of the requestor and the motive of the author and it gets even worse.

    Basically, all a lawyer is going to tell you is his theory of how a set of laws will be interpreted. Only Judges can actually do the interpreting.

    --
    Viv

    Gmail invites for ip
  21. net police by SKicker · Score: 5, Insightful

    If these worms are illegal because they gain unauthorised entry then of course making a 'friendly' virus is illegal because it is doing the same thing.

    Having good intentions is nice but consider this (fictional) scenario: A local cat keeps trying to have 'relations' with my cat and I don't know who the owner is, plus the owner is unaware of their cat's activity. I catch the cat and get it 'fixed' without the owner knowing. When the owner finds out I doubt they or the police would be too pleased about it. Swap 'cat' for 'web server' and you have this code red situation.

    Yes the internet is unpoliced but I don't think the 'Do-Gooder' virus is a very good answer. Internet policing is an interesting new subject but traditional security ideas still apply - the owner of the house is the one responsible for making sure the door is locked. People need to be taught this applies to the internet too.

    (And no jokes about unauthorised entries thank you very much)

  22. Re:It's entirely possible by johnwbyrd · Score: 5, Insightful

    What Slashdot desperately needs is a full-time lawyer. It's a great site for Internet geek stuff but nobody on the site has the first fucking clue about liability law. That in itself would not necessarily be awful if it were not the case that all discussions here invariably end up with a bunch of laymen talking legal theory. Lawyers, help!

  23. It's entirely possible by baptiste · Score: 5, Interesting
    CodeRed II leaves a huge hole - the virtual C and D drives so even if they remove the root.exe file, as long as the explorer.exe is infected, you can access any file via /c or /d in your GET request (ie /c/winnt/system32/cmd.exe?any cmd you want)

    I'm sure folks will scream it's illegal and it probably is - but can't a case be made for 'self defense'? I mean, if someone brandishes a gun at me, am I not within my rights to shoot them or at least take their gun away?

    Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?

  24. This is a Bad Idea by Satai · Score: 4, Insightful

    This is a very Bad Idea. First of all, unauthorized access to a computer is, by definition, unauthorized. Any worm which spreads changes is illegal and as such a Bad Idea.

    No matter how good your intentions are (RTM just wanted to play around, right?) you cannot take the "law" into your own hands.

    Ethical issues aside, it would be very dangerous to begin publicizing that there was a beneficial worm available; immediately, we would get copycat worms everywhere, appearing the same (yes, this could probably be circumvented by MD5 checksums or something, but jeez, if the webmaster was going to go through THAT much trouble, they'd install the damn patch themselves!) but doing far worse things.

    I'm not usually one to spout Libertarian philosophy - but in this case, if somebody wants to leave their box open - through ignorance, laziness, or some other ineffable reason - that is their choice and not the choice of some 15-year old hacker who thinks he'll redeem his l33t friends' images in the media's eyes.

    The defenses always have to be kept up - or else you have to start making judgment calls about which outside sources to give access to, which is a path no one wants to go down.