Slashdot Mirror


RPC DCOM Cleanup Worm Appears

UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."

19 of 758 comments

  1. Time till first lawsuit by Aadain2001 · · Score: 5, Insightful

    I'm taking bets on how long till the first lawsuit comes out against the person or persons who wrote this helpful worm. I say it will happen before the people who wrote the destructive worms are even arrested.

    --
    Space for rent, inquire within
  2. They will never allow this to grow by passthecrackpipe · · Score: 4, Insightful

    Heh, if this turned into a trend, it could spell the end of an industry - the virus-removal industry. Imagine: Open Sourced, hunter-seeker virus removal worms, out in the wild nearly as fast as the original, cleaning up the mess some scridiot created in a fit of juvenile mischief. Somehow, I don't think the virus writer/scanner cartel will not let this become a trend.

    --
    People who think they know everything are a great annoyance to those of us who do.
  3. Re:So cool! by __past__ · · Score: 5, Insightful

    Except that white blood cells don't usually cause lots of damage themselves. Even a "white-hat" worm causes lots of traffic and can thus bring down networks and make innocent people pay for lots of wasted bandwidth.

  4. Internet Robin Hood by derrickh · · Score: 5, Insightful

    This is probably the best internet virus news I've heard in a long time. Unfortunately, it's only a matter of time before the creator is tracked down and prosecuted for violation of internet security laws.

    D

  5. And guess who'll get caught by tbase · · Score: 5, Insightful

    No good deed goes unpunished. Who's going to give odds that the writer(s) of the 'good' worm will get caught and strung up by the short hairs under the DMCA? As long as it only affects machines that haven't already been patched- great. But what if it's flawed and actually causes unintentional damage? And if the original authors of the Blaster worm's intent was to teach people who ignore warnings a lesson, might this not start a virus war, of sorts? Sounds cool, but I'm not convinced this is an entirely good thing.

    --

    666-607: 6th floor apartment of the beast
  6. Wow, I called this last Thursday! by Jack+William+Bell · · Score: 4, Insightful

    Last week we were discussing the MSBlast worm here in the office and I commented, rather offhandly, "I wonder how long it will take before someone writes a phage worm that uses the same hole, but eats MSBlast?"

    Apparently the answer is 'Four days at most...'

    The extent to which the Internet recapitulates evolution and biological systems is astounding!

    --
    Are you an SF Fan? Are you a Tru-Fan?
  7. Bad Idea by JonathanX · · Score: 5, Insightful

    Let's see...

    Does it magically boot the system off known good media to check for
    rootkits/backdoors/trojans/[insert favorite evil here]???

    No.

    Does it magically monitor the traffic to and from the machine for a
    reasonable period of time to ensure that nothing is amiss???

    No.

    Does it reinstall the host OS from the original media and restore the last
    known good backup???

    No.

    So...what does it do?

    It patches the hole and wipes out the worm if present, then deletes itself
    in 2004. Great...except, MSBlaster wasn't the only thing that took
    advantage of the RPC/DCOM exploit. Oops. Now the system administrator has
    no cause to take any of the above steps because from his view, sitting in
    his office running the latest eEye scanner, the machine was never
    vulnerable.

    When will folks figure out that these so called "good worms" are not a good
    thing? The failure of the author to take note of such fundamental flaws in
    his or her logic suggests that they have no business doing anything, much
    less volunteering to correct the world's problems. Of course, this could be
    a deliberate cover-up...but somehow I think it's just another security
    cowboy trying to save the world.

  8. Re:This could go on for a while... by swordboy · · Score: 4, Insightful

    What happens when someone releases an...

    [starts coding furiously on an anti-Gator worm]

    --

    Life is the leading cause of death in America.
  9. Maybe, but not likely. by raehl · · Score: 4, Insightful

    The thing about the "white-hat" worm is that it'll eventually kill itself - as it runs around patching machines, there are less vulnerable machines out there, so it will lose its ability to spread.

    Or, put another way, if there were no "white-hat" worm that might also up traffic for a while, there will probably be a black-hat one that WILL up traffic for a while, AND format a few hard drives to boot. Erm, not boot.

  10. I guess that explains my firewall activity by Control-Z · · Score: 4, Insightful

    I've been getting a lot of firewalled ping activity today, must be that cleanup worm. Machines that the Blaster worm never even tried to hit. I wouldn't trust a cleanup worm one bit more than I would Blaster. Everyone knows (or should know) you can't count on good intentions on the Internet!

  11. Re:Pretty cool by MadCow42 · · Score: 4, Insightful

    >> However it can be sort of viewed in the way vaccines are

    Sure... but when was the last time a nurse jabbed you in the ass with a vaccine while you were walking down the street stuffing your mouth with donuts?

    Even vaccines are voluntary things that have risks...

    MadCow.

    --
    I used to have a sig, but I set it free and it never came back.
  12. Re:So cool! by slide-rule · · Score: 4, Insightful

    You seem to overestimate the common person's knowledge and savvy about even the very need to patch their systems. See this personal account. You would be surprised just how innocent people can be. Start-Windows Update ? Sure, it's there, but if they don't know *why* it is there and it hasn't been scared into them at a personal level, they probably won't play with it, for fear they'll break something and have to pay a repair man at a shop somewhere to fix it.

  13. Re:This could go on for a while... by Abcd1234 · · Score: 5, Insightful

    The other question I have is whether or not the W32/Nachi worm cleans up itself if it can not find a host to spread to. The "cure" may turn out to be no better than msblaster if it generates massive network traffic looking for new hosts.

    You know, a really cool way to get around this is have the worm only trigger an infection when a Slammer infection attempt is detected. This way, you'll only hit infected machines. Then, coupled with an expiry time, this thing could be relatively benign (well, other than the whole "break into computers and install software without permission" thing).

  14. Re:So cool! by bravehamster · · Score: 4, Insightful

    You would be surprised just how innocent people can be

    You seem to be confusing innocence with willful ignorance. If you want to own and use a computer, especially one connected to the internet, you have an implied obligation to make sure you know how to use and care for it properly. Just like when you own a car. When your ignorance begins to impact and harm other people, any claim of innocence gets tossed right out.

    --
    ---- The devil is in my pants! Look, look!
  15. Depressing thoughts by DukeyToo · · Score: 5, Insightful

    These worms are child's play; it is only a matter of time before someone decides to do something *really* nasty with a well thought out worm.

    There are probably thousands of programmers out there that could have written the blaster worm. Most did not want to do it. Of those that would, most seem to be content to write prankster-style worms. One individual decided to write an anti-worm-worm.

    What if one had decided to write a *really* malicious worm? In my mind, it is a 99% certainty that eventually some pissed off malcontent will do so. And they do not even have to be in the country.

    Imagine a malicious government, with 100 dedicated programmers.

    Or a well funded terrorist or anarchist.

    Imagine, multiple simultaneously spreading worms, helping each other by opening backdoors, targeting Windows systems, Apache web servers, hardware routers, telephone switchboards, and whatever else they can find. And the payload? Designed to inflict the most economical damage. Perhaps even a smokescreen to illicitly gain access to systems that manage power, water, electricity, and actually cause physical damage too.

    Governments need to sit up and take notice, this is serious stuff.

    --
    Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
  16. Consider it this way by Rogerborg · · Score: 5, Insightful
    • Under no circumstances is Nachi worse than Blaster.
    • If you're vulnerable to Nachi, you're vulnerable to Blaster. It's not a question of whether Johnny NoPatch gets Nachi, it's a case of whether he gets Nachi or Blaster.
    • The fix for Blaster will protect you from Nachi.
    • A virus checker that can remove Blaster can remove Nachi.
    • Getting Nachi will stop you getting Blaster, even if Nachi is removed.

    If Blaster wasn't in the wild, Nachi would be abhorrent. But the thing is, Blaster is in the wild. It's folly to pretend otherwise.

    I can see the pragmatic value of this form of worm, as long as it follows the rule that it should under no circumstances do more damage than the worm that it blocks. Sure, I'd still like to kick the crap out of whoever released it, but I'd shake his hand first.

    --
    If you were blocking sigs, you wouldn't have to read this.
  17. Re:Coolness.... by Mortanius · · Score: 4, Insightful

    It's a nice thought, but when it comes down to it, it's still a worm. It installs itself on your machine, without your permission, exploiting a hole in the Windows RPC code, downloads patches without your permission, installs the patches, still without your permission, and then sits there until it kills itself on Jan 1, 2004. I know on Slashdot there are enough people paranoid about Windows patches to want to not download them anyway, this will surely set them off. If worm/virus authors were ever tracked down and prosecuted, I'd demand the author of this worm to be dealt with in the same manner.

    On a more practical side, though, perhaps we need more of these, enough people seem to not patch their systems themselves...

  18. oh shut up by autopr0n · · Score: 4, Insightful

    After a while, these analogies become completely pointless. We all understand how these programs work, and we can talk about them specifically. Right or wrong on its own merits, not because it's 'like' something both hypothetical and ridiculous in the real world.

    --
    autopr0n is like, down and stuff.
  19. Re:This could go on for a while... by Hellkitten · · Score: 5, Insightful

    I see a new arms race coming up. "White hat" virus/worm writer vs "Black Hat" virus/worm writers.

    Or perhaps it was just that one of them finally realized that to make headlines (and get the attention that these guys seem to crave for) it had to be different from the rest. Since worms usually cause damage, what better way to be different than by fixing damage.

    Or perhaps it's simply Microsoft's latest patch distribution strategy. "We use our holes to patch our holes". (So they're not bugs, just an update distribution feature)

    --
    - We are the slashdot. Resistance is futile. Prepare to be moderated -