Slashdot Mirror
RPC DCOM Cleanup Worm Appears
UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
I'm taking bets on how long till the first lawsuit comes out against the person or persons who wrote this helpful worm. I say it will happend before the people who wrote the destructive worms are even arrested.
Space for rent, inquire within
Except that white blood cells don't usually cause lots of damage themselves. Even a "white-hat" worm causes lots of traffic and can thus bring down networks and make innocent people pay for lots of wasted bandwidth.
Programming can be fun again. Film at 11.
This is probaly the best internet virus news I've heard in a long time. Unfortunately, it's only a matter of time before the creator is tracked down and prosecuted for violation of internet security laws.
D
The first, last, and only tech news site on the net
No good deed goes unpunished. Who's going to give odds that the writer(s) of the 'good' worm will get caught and strung up by the short hairs under the DMCA? As long as it only affects machines that haven't already been patched- great. But what if it's flawed and actually causes unintentional damage? And if the original authors of the Blaster worm's intent was to teach people who ignore warnings a lesson, might this not start a virus war, of sorts? Sounds cool, but I'm not convinced this is an entirely good thing.
666-607: 6th floor apartment of the beast
Let's see...
Does it magically boot the system off known good media to check for
rootkits/backdoors/trojans/[insert favorite evil here]???
No.
Does it magically monitor the traffic to and from the machine for a
reasonable period of time to ensure that nothing is amiss???
No.
Does it reinstall the host OS from the original media and restore the last
known good backup???
No.
So...what does it do?
It patches the hole and wipes out the worm if present, then deletes itself
in 2004. Great...except, MSBlaster wasn't the only thing that took
advantage of the RPC/DCOM exploit. Oops. Now the system administrator has
no cause to take any of the above steps because from his view, sitting in
his office running the latest eEye scanner, the machine was never
vulnerable.
When will folks figure out that these so called "good worms" are not a good
thing? The failure of the author to take note of such fundamental flaws in
his or her logic suggests that they have no business doing anything, much
less volunteering to correct the world's problems. Of course, this could be
a deliberate cover-up...but somehow I think it's just another security
cowboy trying to save the world.
The other question I have is whether or not the W32/Nachi worm cleans up itself it it can not find a host to spread to. The "cure" may turn out to be no better then msblaster if it generates massive network traffic looking for new hosts.
You know, a really cool way to get around this is have the worm only trigger an infection when a Slammer infection attempt is detected. This way, you'll only hit infected machines. Then, coupled with an expiry time, this thing could be relatively benign (well, other than the whole "break into computers and install software without permission" thing).
These worms are child's play; it is only a matter of time before someone decides to do something *really* nasty with a well thought out worm.
There are probably thousands of programmers out there that could have written the blaster worm. Most did not want to do it. Of those that would, most seem to be content to write prankster-style worms. One individual decided to write an anti-worm-worm.
What if one had decided to write a *really* malicious worm? In my mind, it is a 99% certainty that eventually some pissed off malcontent will do so. And they do not even have to be in the country.
Imagine a malicious government, with 100 dedicated programmers.
Or a well funded terrorist or anarchist.
Imagine, multiple simultaneously spreading worms, helping each other by opening backdoors, targeting Windows systems, Apache web servers, hardware routers, telephone switchboards, and whatever else they can find. And the payload? Designed to inflict the most economical damage. Perhaps even a smokescreen to illicitly gain access to systems that manage power, water, electricity, and actually cause physical damage too.
Governments need to sit up and take notice, this is serious stuff.
Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
If Blaster wasn't in the wild, Nachi would be abhorent. But the thing is, Blaster is in the wild. It's folly to pretend otherwise.
I can see the pragmatic value of this form of worm, as long as it follows the rule that it should under no circumstances do more damage than the worm that it blocks. Sure, I'd still like to kick the crap out of whoever released it, but I'd shake his hand first.
If you were blocking sigs, you wouldn't have to read this.
I see a new arms race coming up. "White hat" virus/worm writer vs "Black Hat" virus/worm vriters.
Or perhaps it was just that one of them finally realized that to make headlines (and get the attention that these guys seem to crave for) it had to be different from the rest. Since worms usually cause damage, what better way to be different than by fixing damage
Or perhaps it's simply microsofts latest patch distribution strategy. "We use our holes to patch our holes". (So they're not bugs, just an update distribution feature)
- We are the slashdot. Resistance is futile. Prepare to be moderated -