Slate On Worms That Plug Security Holes
gwernol writes "Slate has a well-written article on 'white knight' worms like Nachi that attempt to automatically patch security holes; Nachi tries to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"
But are 'good viruses' really a good idea?
No.
These could be Trojans.
If I give you some worm that's supposed to cure another but which in fact is another one...
No.
Trolling using another account since 2005.
Isn't Microsoft gonna do this with "trusted computing"?
it would have been 1st post.
Invaders must die
Wasn't Nachi supposed to patch against Blaster and NOT MyDoom??
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Next thing in line: an automatic spyware remover. Followed by: an automatic licence checker. And in true 1984 style: an automatic open source software remover.
The correct PHB word is "incentivize". Thank you for your attention.
...on the problems with beneficial computer viruses.
Nachi took advantage of a RPC/DCOM vuln, a WEBDav vuln or a Blaster infected system. It had nothing to do with MyDoom.
For most users, who experience a bewildering slowdown of their internet connectivity, or of the intranet access, which mysteriously disappears after a few days - for them, such "White Knights" may probably be useful. For grannies, gramps and other naive users it would be a blessing.
For others, who have mission critical application or other extensions on the target OS, such "White Knights" may send a shiver down the spine:
What if it plugs a hole, but breaks something else?
From what I have seen, such socialist stuff doesn't really go down well with corporations. They don't give away things for free, and they don't expect anything given to them for free.
If White Knight viruses become common there will be viruses designed to attack them as well, it's just making an extra battleground. This has happened with anti-adware products - many of the new trojans and viruses try to stop software like Adaware working.
The answer is to have a secure system. As that's not happening in the Windows world at the moment, frequent patches to plug the holes and a way to encourage everyone who uses Windows on the net to download them is the way to go, as is installing more secure software (e.g. Firefox rather than Internet Explorer).
"What if they're using IE?" "I've dumbed Mozilla down to cope with it." - BOFH
It's like somebody is stealing your bike just to take it for a service.
Would you like that?
A "White Knight" worm can establish a positive compounded-interest "plugging" of potential holes, i.e. for each system plugged it can, if coded correctly, decrement the number of systems it evaluates. A good system would be to create a temporary "white list" of plugged systems which a pro-worm could ignore, as it had already visited that system and plugged it.
Given this assumption, a white knight worm would have a heavy impact initially, but after the first day would drop off dramatically in an exponential manner.
If done correctly it would work amazingly well.
A fool throws a stone into a well and a thousand sages can not remove it.
No. My reasoning is that a trojan, no matter how it modifies a system, has a chance of fucking it up.
Even valid updates from manufacturers have the odd really bad messup. Making a service crash, modifying a config file so it doesn't work, causing unexpected behaviour.
To give support to those writing such whiteknight worms gives support to any anonymous coder who might wish to fix a problem, with no concept of testing things on a system other than their own or a few others belonging to a "friend of a friend".
Suppose the PC is like a human body. Then it contains both good and bad germs at the same time. The good are fighting against the bad for us all along through our lives.
you mean like windows autoupdater???
Why do you think a lot of these don't run outside a broadband-connected home? Probably 'cos of change management within companies, so they turn it off, but then they don't have a decent test/patch system to replace it...
Of course that assumes the patch doesn't break your favourite application.
Again, the problem isn't so much patching the holes (which is a problem with any piece of software) as the massive *monoculture* (sorry, market dominance) of Windows and its security issues that's the issue. Sure
I don't think we need white hat worms running around plugging all of the security holes in my honey pot servers.
"They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety"-B.Franklin
Anti-virus programs like Norton AV, McAfee etc. would still block these intelligent programs. They are still viruses, are they not?
fifteen jugglers, five believers
Some of the obvious reactions :
1. What if a "White Knight" leaves or opens a new vulnerability?
2. How is one to know if the "White Knight" is actually what it claims to be? Better still, a "White Knight" closing a vulnerability, but opening a backdoor?
I chose what runs on my machine. I don't want other people deciding on my behalf. If someone else writes code to run on my PC without my permission then it's breaking the law as far as I'm concerned, or should be. I should choose to download it, and it should tell me what it's going to do.
One should note that a "white knight" worm is illegal like a "bad" worm and would fall under the same criminal charges. And the author would have to pay civil damages as the worm consumes bandwidth. The affected party might even argue that such a worm requires a complete security check-up with reinstalls etc., as the source of the worm can't be trusted.
A white knight worm author would end up with the same civil damages to pay, only gaining perhaps a small reduction of the criminal charges.
If I want to have something on a system, then I will put it on the system myself. I trust me, as I tend to work in my own best interests. If the virus pops up a box that says 'Protect yourself by clicking...", I still don't want it. If I wanted to use security software, I would make the choice to download it. How do I know this won't interfere with something running on my system? Or worse. Suppose it patches without permission. I can just see someone writing one with the best of intentions, and causing some side effect. What if an important port was closed? Or if the port is in legitimate use? In short, if I want to protect my system, I want to be the one who decides that. Without that choice, I lose control over how my machine is protected, and risk possible conflict with any security I have in place already. Whoops. I'm a Mac user. I guess I'm covered either way. (Awaits the inevitable comeback from a hundred people telling me that just because nobody writes viruses for Macs doesn't mean they can't be!) -Rob
It's bad enough managing several thousand PCs with users who want and try to download everything and anything they can lay their hands on, without having the extra administrative burden of so-called good worms screwing things up too! Honestly though, if you tie the machines down and implement regular automatic updating of OS and anti-virus you should be OK; if you don't do the above, well, you only have yourself to blame.
The human body needs good bacteria, parasites etc. to function properly. Why should computers be any different? (This is Slashdot, after all :)
Maybe this is just a step towards software that lives within internet and iPods for example, fighting against bad code... or on the other hand, wreaking havoc.
"White Knights" are a horrible idea. They're a horrible idea for the very same reasons letting MS automatically push updates onto your computer without your knowledge or permission is a bad idea.
It's not for someone who "knows better" to decide for me how to "secure" my computer. What happens if one of these virus-like apps (either from MS or a third party) "patches" my server with my multi-million dollar application system and somehow breaks it, as unintentional as it may be?
If these hackers want to do good and create 3rd party patches that people can download and install on their own, that's one thing and I applaud them for their efforts. But, please, don't insult my intelligence and do something that's "best" for me without my knowledge or consent.
So called "white worms" have the habit of installing their own backdoors (e.g. like Nachi). In many cases, they only fix the vulnerability to gain a stronger foothold in the system and prevent others from taking them away.
Other than that, the usual rule applies: The difference between a criminal and a security expert is written permission!
Whoever tries to muck around other people's computers should be prosecuted and punished. Not doing any damage? I don't care. What's next - random passers by jumping through my window to turn off the light I left on when I went out?
I think this is generally good idea. Like a vaccination for humans, these programs can help us to keep computers healthy.
I really am sick of viruses.
Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers.
Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Windows installation.
If I were writing a worm, however, I'd take a different approach. I'd make it spread quietly, and then destroy the Windows install completely 1 day after infection. The whole fucking lot. People who get viruses are asking for it. If you put your computer on the internet, you have a responsibility to do the right thing by everyone else. If you stick your head in the sand and click on all the 'click here' and 'free hardcore XXX' links, then come bitching to me when the whole thing comes crumbling to the ground then you really only have yourself to blame.
ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean.
Once a few viruses start doing this, people will get the hint and keep their systems secure.
"What about a socially engineered worm that claims to be doing good?"
That would be called a "Virus".
Bleh. To be honest though, I don't see a whole lot of difference between a "good" worm and "good" bacteria. Your hands, skin, blood, etc, already have millions of bacteria feeding off your system. They assist in choking out the "bad" organisms. Eh... poor analogy, but what do you want for 6am?
-The Libra
"Please be patient--The future will begin momentarily."
Even if you can deceive people about a product through misleading statements, sooner or later the product will speak for itself. - Hajime Karatsu
Too true!
I admit the idea at first sounds very cool, however it never works and always poses as yet another vulnerability. Several times in the past year those "white knight" worms/viruses have done more harm to my networks than good. What is needed is more knowledgeable/competent admin and users, even better patch delivery systems, and for the makers of the OS that dominates most of the market to actually practice security and not just preach it when the media puts the spotlight on them. Yes that was wordy, need more coffee.
I take care of that myself, thankyouverymuch...
Although they only hold 93% of the market last I checked (96% according to some sources), 99.999999999999999% of viruses only affect windows, and/or Microsoft applications. Between fingers and toes (haven't tried honestly) you might just manage to count all the viruses which have affected OTHER platforms combined throughout history... and you don't need any digits to count the number that affect other platforms NOW.
So the obvious answer: rape, pillage and murder anywhere you see a Windows box. You will see a dramatic decline in viruses. Harmful viruses will generally decrease proportionately to the murdering of course... the raping and pillaging are purely recreational and perfectly harmless if accompanied by murdering anyway.
Besides, I'm almost positive it's in the commandments somewhere... Thou shalt act with holy vengeance and slay my enemies who come flying the butterfly standard.
Doing good in a bad way?.. alas!.. MS, Sun, IBM and our open source community should come to a single path.. Is that possible??
Certainly an alternative to deal with the virus problem.
I think it cannot be an effective solution.
'Cos bad people can take advantage of it to come up with various tricks, where end users will be in utter confusion.
If there is a trusted organization to deal with it, name it "Virus Guards".
Every net user should be aware of Virus Guards. These Virus Guards need to circulate an immunization in a way that does not affect the network.
Each time Virus Guards need access, they can ask user permission, saying "you are affected by XXX virus.. we have an immunization, should we apply it?".. something like this..
If the user says OK, it can cure and patch it..
Prior to all this, there needs to be some apex body to define do's and don'ts.. like W3C for the Web..
To deal with it effectively, our biggies
Blaster had very little impact on our network. Nachi on the other hand caused absolute bloody chaos.
There is absolutely nothing "white hat" about running code on someone elses machine without their permission.
The white worm needs to be passive; a compromised system will try and attack other systems - all the "good" virus has to do is wait for an attack. When an attack occurs, our "good" virus has the IP of a compromised machine on which to mount a counterattack/patch.
The white worm should also uninstall itself after a predetermined length of time, say 10 days.
I understand the concern people have about auto-patching, however I am certain that none of those people would put themselves into a situation where they were vulnerable in any case - they would only see a benefit from this, in the overall lessening of net traffic.
Instead of having to patch all their security holes themselves, they can now blame everybody else for not having written a 'white worm' yet for every worm/trojan horse/etc out there that exploits their security holes. Clever.
I'm a network engineer at a reasonable-size ISP.
These bloody worms caused us so much bother; our customer-terminating (ethernet) routers (Cisco 7206 NPE300 VXRs) really suffered CPU-wise against these, because the ethernet-based services are process switched, unlike ATM/POS etc., unfortunately. And the netflow accounting tables were just out of control.
AND the old legacy routers we have that still ran SNMP-based IP accounting, the CPU on them went ballistic. It was a big pain in the butt and took a lot of stuffing around to fix/block etc.
Unfortunately just blocking the traffic doesn't help, as you have to receive the traffic in order to block it, so I was dumping netflow tables and getting the support guys to call infected customers. Many hours of work just because some little shit script kiddie/newbie programmer thought it'd be funny.
On the bright side though, it prompted management to give me a lot of money to get some more grunty gear, so we are now better prepared for the next time it happens, and I'm sure it will.
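The triage the ISP post above describes (dump the netflow tables, pick out the customers whose hosts are scanning, hand the list to support) as an added example in Python. This is not code from the thread or from any Cisco tool: the flow record layout, the fan-out thresholds and the sample flows are all constructed here. The two behaviours it looks for are the ones the thread is about: a Blaster/Nachi-style host touching many distinct destinations on 135/tcp (RPC/DCOM), and a Nachi-style host ping-sweeping many addresses before it attacks.

```python
"""Triage NetFlow-style records for worm-infected customer hosts.

Added example; this is not code from the thread.  The ISP post above
describes dumping netflow tables to find infected customers.  This does
that triage on constructed flow records: a Blaster/Nachi-style host fans
out to many distinct destinations on 135/tcp (RPC/DCOM), and a Nachi-style
host sweeps many hosts with ICMP echo requests first.  The thresholds,
field layout and sample flows are assumptions, not captured data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

TCP, ICMP = 6, 1
# NetFlow v5/v9 exports encode ICMP type/code in the destination-port
# field as type * 256 + code; echo request is type 8, code 0.
ICMP_ECHO_REQUEST = 8 * 256


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int


def fanout(flows: Iterable[Flow], proto: int,
           dport: Optional[int] = None) -> Dict[str, int]:
    """Count distinct destinations per source for one protocol (and port)."""
    seen = defaultdict(set)
    for f in flows:
        if f.proto == proto and (dport is None or f.dport == dport):
            seen[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def suspect_hosts(flows: Iterable[Flow], rpc_threshold: int = 25,
                  icmp_threshold: int = 50) -> Dict[str, str]:
    """Map each source that exceeds a fan-out threshold to the reason."""
    flows = list(flows)
    verdicts = {}
    for src, n in fanout(flows, TCP, 135).items():
        if n >= rpc_threshold:
            verdicts[src] = f"{n} distinct targets on 135/tcp (RPC/DCOM)"
    for src, n in fanout(flows, ICMP, ICMP_ECHO_REQUEST).items():
        if n >= icmp_threshold:
            verdicts[src] = f"{n} distinct ICMP echo targets"
    return verdicts


# Constructed sample: a normal web client, one host scanning 135/tcp,
# one host ping-sweeping.  Addresses are documentation ranges.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "198.51.100.10", TCP, 80, 12),
     Flow("10.0.0.5", "198.51.100.11", TCP, 443, 30),
     Flow("10.0.0.5", "198.51.100.10", ICMP, ICMP_ECHO_REQUEST, 1)]
    + [Flow("10.0.0.7", f"192.0.2.{i}", TCP, 135, 1) for i in range(60)]
    + [Flow("10.0.0.9", f"203.0.113.{i}", ICMP, ICMP_ECHO_REQUEST, 1)
       for i in range(120)]
)

if __name__ == "__main__":
    for host, why in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {why}")
```

Fan-out (distinct destinations per source) rather than packet volume is the signal here: a legitimate client talks to a handful of servers many times, a scanning worm talks to hundreds of addresses once each, which is also why the accounting tables in the post blew up.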
There is nothing wrong with the concept of 'good' worms/viruses. The problem comes in implementation, making sure that your so called 'good' worm really is. So while in theory it's a good thing, in practice it's difficult to provide adequate testing to ensure that the 'good' worms really are.
This colour scheme's making me thirsty.
"The Milliard Gargantubrain? A mere abacus - mention it not."
... if Windows had an "update required" icon as used by Red Hat Linux/Fedora Core (and others). To me, this seems to be the optimum solution. It's not updating files without your knowledge (Windows Update), and you are informed at every stage of the process as to what changes are taking place.
The only way this could be made any simpler is if you had a happy face for a system with all updates installed, an unhappy face when there were new updates available, and an angry face when no updates had been made in several weeks/months.
What about a worm that points out that the computer has been infected and tells the user where to find a cure for the infection?
Well, I don't personally think there is any ethical issue in invoking an exploit with the intention of patching it; an issue does arise when your good worm causes the same detrimental effects to a network that the original worm would. An interesting solution would be a passive client that reports the originating IPs of exploit attempts to a database to be processed by one of these autopatchers.
While I assume most of these packets would be spoofed, at least on a local network they might give enough away to be isolated, and on the internet as a whole, if the clients had knowledge of each other, perhaps they could use hop counts to attempt to isolate the infected.
It might be an interesting module for a router firmware distribution.
In the physical world, you may be a common carrier but you are not exempt from all control over the things you carry. The US post office is not _allowed_ to carry letters full of anthrax without regard to the consequences. The contents of trucks can be inspected if it is suspected they are illegal. It used to be regarded in some quarters as a joke that strong encryption is treated in the US as a "munition", but it's quite a rational point of view. In the same way if an email contains a virus, it could be considered to be a weapon - intended to cause damage to a system or be used as an adjunct to stealing email addresses. If airlines can be required to screen passengers for concealed weapons, I do not see why ISPs should be exempt.
OK, in the short run it might cost a little more. In the long run, it should save us all time and money.
There is also the separate issue of whether Microsoft is liable in some way for supplying products which make it easy for such things to spread. I guess this occupies the minds of their lawyers since their efforts to fix the problem are now so intensive. I am not suggesting that something which innocently contains a security hole is liable, but I am suggesting that manufacturers of operating systems should have a duty of care. Designing everything to interoperate silently perhaps could be regarded as negligence.
This is not a libertarian attitude, but it is rooted in the idea that the freedom of movement of your fist stops short of my nose. The solution to that kind of problem is rule of law, not to have a crowd of alternative fist-swingers who attempt to collide with your fist before it reaches my nose.
True, Nachi did download and install the Blaster patch, but some of its variants also did things like overwrite a random help file in the Windows IIS install (Sophos analysis of Nachi-G). Not to mention its use of a tftp server, leaving yet another opening into the system.
As a programmer responsible for production systems I don't want ANY untested programs on my (our) systems. We even (especially) test MS security patches to make sure that they don't break any functioning software systems.
Meddle thou not in the affairs of Dragons, for thou art crunchy and with most anything.
As stated elsewhere, clicking on every popup window that comes around is not a good idea. Therefore another proposition: a 'whitehat' virus with the following text:
"You have a security hole and this window is the proof of it. Please go to the ManufactorX site to download a patch, before malicious content can access your computer"
No links, no OK button, just a little clickable X in the upper right corner.
Dump Microsoft and be done with it. Linux, Unix, and Mac are all viable now, and far more modern than anything Microsoft has going. There is no compelling reason to stick with MS for any reason any more. Seriously, they're really stuck, and they have only themselves to blame.
Don't get me wrong. I like the drama of a vulnerable platform as much as anyone. But I prefer to enjoy it from afar. That's why
I stick with Mac and Unix.
On the other hand, there is the cynical satisfaction of watching stupid people buy MS with a smile on their face, thinking they're gaining a source of pride and joy. Little do they know, only weeks from now they'll be paying me dozens of bucks per hour to run AdAware and reinstall their system.
Thank you MS! Your dedication to backwards compatibility for abandonware ensures me and my MCSE-toting buddies years of capitalizing on the inherent flaw of your approach. I would bow before you if you didn't so resemble a dung beetle.
"It could even launch warnings on the user's screen for a few days ("Hey dummy! Click here to protect yourself!") before going ahead and patching the hole itself."
Yeah, teach people to click on unsolicited messages. That'll go a long way towards educating DFUs.
What about a subscription-type system for such a service? I can imagine a variant of the virus definitions auto-update that does this. It wouldn't be kicked off by the user's computer, as it could be disabled by the Blaster-style worm, but would rather be initiated by a remote server. Next time a 'bad worm' spreads across the Internet, the service releases the 'good worm' to patch its customers' systems. My mom would probably appreciate something like that.
How does your firewall or AV software know that it's a "good" worm? What if "bad" worms start to pretend they're "good" ones? Or piggyback themselves onto "good" worms? Will this "good" worm stay on my machine forever looking for virus-ridden machines to cure? Not to mention the increase in network traffic that "good" worms cause. I think there is too much potential for things to go wrong, be abused and just be a plain nuisance.
Saying Apple is better than MS is like saying Botulism is better than rabies.
Of course we want control of our machines and would object to anything running on them. That's why WE protect and patch them regularly, RIGHT?
NO... this is for those Joe Sixpacks, grandmas and - worst of all - the selfish dumbasses who don't know OR CARE if their machine on their spanking new broadband connection is fouling the net for the rest of us.
If ISPs don't employ some kind of active blocking, then the combination of the world's most used OS (STILL having gaping holes) + users who'll open any attachment and OK every install query + broadband means the battle will be lost without some "friendly agent" on our side.
And what's with these PCs you buy with one year's free subscription to virus updates? Whaddaya think happens when that expires? The expiry warning dialogs get dismissed, the machines become increasingly vulnerable.
For these users, patching needs to be proactive, automatic and on by default.
Course the nay sayers will argue that an auto update mechanism creates a vulnerability in itself. This is arguable, but the fact is you're not gonna win trying to "educate" users.
You could just sit back until a nice cosy CLOSED internet standard is imposed on us by the powers that be when the frustration level reaches breaking point.
For one, systems that are critical should be patched anyway, or shouldn't be linked to a risky network. This is about those systems that would be infected by any destructive worm anyway. Those systems should be patched automatically, even if it's through the use of a white worm.
As long as the worm is passive and can self destruct, the risk of one could be acceptable. It would take up more bandwidth in the beginning, but every infected system that gets patched will stop its own broadcast of the black worm, so after a while traffic would be much lower.
Anything that can be fixed automatically saves time and bandwidth in the end.
- zero-day remote hole
- replicate for 24 hours
- then really mess up the filesystem, destroying most of the data
That would teach most people to patch their systems. The Big One, anyone taking?
The definitive (and about ten-year-old) paper on this is:
http://www.virusbtn.com/old/OtherPapers/GoodVir/
Well worth a read if you've not seen it before
Sir, your system was fucked in the first place, that's why it's being modified.
It's a bit like the dentist giving you a filling because your teeth are fucked, and will get more and more fucked until the hole is patched.
It would be nice if you could see the source code so that you know nothing else is going to be affected, but then it would also be nice if the dentist told you that the filling contained heavy metals.
thank God the internet isn't a human right.
For those Windows users who are clueless that they are even infected with a virus, there is no alternative, beyond the ISP detecting infections and blocking the infected computer from the network.
WhiteHat viruses are beneficial and necessary. But they need to be smarter than Nachi, move slower and more methodically, and put up a red flag that remains until the user fixes the problem. I think it's okay that they clean off the previous infection(s). And perhaps they should block all ports other than POP and HTTP.
The issue is this. Nature - and by that I mean an awful lot of biological systems evolving at various rates - has not yet - to my knowledge - developed a single system where immunity is by security. That is to say, no non-trivial software system can be proved bug free. By induction, no non-trivial system can be proved secure against the sort of "security holes" that will allow exploits to happen. If security can't ever be proved... then we'd better come up with a different idea for mitigating the effects of virus attacks. Perhaps though the "fixes" don't need to be viruses. Viruses have a certain economy of scale that allows them to propagate and infect many machines. Perhaps instead of self-propagating patches we deploy a system of server-propagated patches to systems. Major ISPs could deploy a network of machines designed to, in the event of a virus exploiting a known weakness, systematically transmit an exploit-closing patch. Sure, the counter-patch might fuck a number of systems up, but by definition those would be systems that would otherwise be utterly compromised.
...right out of the fucking box. You'll get a windows updates available icon on the systray.
I would like to see the "Swiss army knight", the ultimate white knight for viruses.
It hacks into your computer and disables the network connection after some period. No software/installation damage.
Sure, it stops your business, but it minimizes damage for others using the internet.
Linux has its fair share of worms too, and if you move the same 'stupid' Windows users over to Linux they're still going to be stupid, and you're still going to get worms and trojans and spyware, though more will be at user rather than system level, since it's harder to elevate privileges on a Unix box than a Windows one.
I have never been infected by any of these viruses and I feel (at least compared to the people I know) very lucky.
One of my friends was told by his PC company to do a full format and reinstall Windows when all that would have been needed was for him to download Grisoft's AVG.
I really feel sorry for the countless hundreds of people who must have been told by advisors to do the same.
All spelling mistakes are due to solar flares...honest
If nachi is a whiteworm, then why the hell
does it have a keylogger installed?
Did I read about a system called Skynet that will take over all our computer systems and free them from suffering caused by humans?
Or was it a movie about a girl named Sarah Connor?
no comment
Installing something on someone's computer without their consent is wrong and there are no exceptions to that rule.
My computer is my property. You have no right to modify or tamper with my property in any way, even if you think it's for a good cause. Just like you have no right to bust in the windows on my house and install properly working smoke detectors.
Not only that, I've seen a few posters point out the obvious bandwidth suckage issues associated with "good" worms.
If your system is a mission critical one, you should be running a firewall and anti-virus to begin with. You should also stay on top of software updates. This is standard computing in my book.
There is no excuse for corporate security exploits. Unless the corporation just doesn't care about its computing.
Please, change it back to News For Nerds, Stuff That Matters! That really is GODAWFUL!
(oops, there goes my karma!)
In the DOS era most viruses (including worms) were destructive, so as to satisfy their creators' appetite for destruction. Now we have harsh laws against virus/worm writers, so most people who try this will be expecting some monetary gain, which can be obtained by (for example) opening a backdoor on the victims for spam companies. Destroying the victim's computer gains the cracker nothing in money.
My organisation recently got hit badly with a variant of the Korgo virus.
The virus infected XP machines which in turn spread the virus to other machines.
The main problem was that this variant of Korgo (or our own combination of service packs/software) caused Windows 2000 machines to reboot instead of becoming infected.
Now let's say I created a "White Hat" worm that instead of infecting the PCs patched them. How am I to know every variation of software that should be patched?
The worm could end up doing more harm than good. Many worms are tailored for a certain operating system with a given service pack and hotfix level.
If they try to attack other variations they can crash these systems.
In my opinion crashing these systems causes more damage than a system being infected silently.
Will it install Linux?
... that are used by spammers as well. I thought it might be interesting to do this. I do NOT want somebody putting code on my machine, no matter how 'good' it is, for whatever reason.
Next you will have a seti@home worm. A worm that starts running seti@home (or distributed.net or whatever). The maker can claim that it is for a good cause, just like the makers do for this one.
You could also get pop-ups that tell you that you owe them money, because they protected your PC. So pay, or else.
That last one could be called "The Nigerian Virus Protection Plan".
Don't fight for your country, if your country does not fight for you.
mount /home with the noexec option.
HAND.
1989 called. They want their topic back.
Long ago, long before the World Wide Web existed, people were debating the pros and cons of a "good virus". Is there such a thing as a good virus? Is it a good idea to even try to write a good virus?
Ultimately the answer is no. People don't want programs running on their computers, multiplying and spreading through a network without their knowledge or consent, even if it's supposedly doing something "good".
I'd have no problem if the worm was reactive and not proactive.
In other words, the author puts the worm on his machine and waits to be attacked... his good worm detects an intrusion attempt by the bad worm, and spreads to the attacking machine - both disabling the bad worm and installing itself in place, waiting for another intrusion attempt.
In this way, you don't get madly multiplying traffic - you get a response to every attack.
As far as I'm concerned, anybody whose computer tries to subvert mine is fair game for an armed response.
I don't want to see any "friendly trojans" but a while ago someone wrote a very neat java app which acted like an IIS server, listened for attacks, and used the exploit from the exploited to send the infected party a "net send localhost YOUVE GOT A VIRUS!!" message or something to that effect. What was that worm called? Red Alert? I think the software was called red alert vigilante or somesuch.
Anyway, I should have the right to take attackers and use their own exploit to inform them about their situation. A real world comparison would be me finding a trespasser and instead of just kicking them out, telling them they are doing wrong and then kicking them out.
Granted, this kind of vigilante action can be seen as, say, tracking down the trespasser and going on his property to yell at him. I guess this is where the analogy breaks down, but it's a good concept and doesn't waste bandwidth like the "friendly trojan" shotgun approach.
This would only work with worms with machines with open firewalls, but it sure beats nothing.
Hang on, no need to reach for your tin hats (yet)...
People talk of military uses of virus/worm/trojan technology. While problems are numerous (legal and technical) I have even seen a corporate presentation stating they would make a virus for military use (yes, I saw it with my own eyes, no friend-of-a-friend story here).
So since it can hardly be avoided I guess that a military worm test project would aim to make a worm that plugs holes rather than one that just exploits holes to multiply itself.
It is well known now that in the US bacteriological tests were performed on unknowing and uninformed civilians in a military project; I guess little will stop them from doing it again. More so when you can imagine the purpose is to stop the spread of a hostile worm. Then it all becomes self-defence.
"Hello,
this is your friendly neighborhood good virus, it looks like your computer is vulnerable to a nasty Microsoft RPC bug, would you like us to patch this up for you?"
[X] Send this "repair tool" to all my friends.
[X] Notify me of further problems
[X] Automated Fraud checker.
Please enter Credit card number to test:
[________________] ( )Visa ( )Mastercard
Remember to ask your parents permission.
[OK] [CANCEL]
liqbase
redirect all web browser requests to this page
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
I'm not a real doctor but I am a real worm
Don't go to a brothel if you want to buy broth
Nachi try to patch the hole that MyDoom exploits.
Nachi good! Nachi help children!
Love your country always, but respect your government only when it deserves it. -- Mark Twain
Bruce Schneier touched on this very subject in his September 2003 Crypto-Gram in response to Nachi (or Blast.D); you can find his original article in the Crypto-Gram archives.
Automatically installing code on a user's system without their consent is never a good idea. Virally propagated code, no matter the intent, still generates network traffic; just because the payload is different doesn't mean the virus/worm/whathaveyou isn't adding to the problem of congested networks. And as someone else pointed out, even if the 'white hat' programmer has good intentions, that doesn't mean they won't make mistakes in their code which could have adverse effects on the systems they are attempting to patch.
While I don't think users should have to directly interface with security protocols/techniques, I do think they should be aware of them. If they are made fully aware of the damages that can be done to them, they're more likely to patch, or back away from the internet in fear; either way, there is a reduction in exploitable hosts.
I have discovered a truly remarkable sig which this margin is too small to contain.
Because MS isn't in the anti-virus realm in a serious way, Yet.
But if/when they are, the screams about illegal bundling and monopolies will ring throughout the land.
The parent poster writes:
"I really am sick of viruses. Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers."
Welcome to the IT club. So far, you aren't sounding special.
"Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Window installation."
I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera. How do I get my pictures and video into the computer? Oh, and I bought a new printer, too. I want to print my new pictures with my new printer. Oh, oh, and my cellphone has this cool service where I can download ringtones... I want to do that, too. I need to do XYZ with some application I use for XYZ. How do I get it on my Linux PC?" Face it. Linux is still a second-class citizen in the desktop market. Having one or two category apps isn't the same thing as having 99% of the market.
"If I were writing a worm,
Then I would hope that you got caught and spent a few years in jail to think about it, and have it on your record for the rest of your life. Maybe you'll be branded as a terrorist! Talking about writing worms doesn't get you my respect. Even hypothetically. It has been done before. It has been discussed to death before. There were viruses that damaged your equipment. There were other viruses that repartitioned your hard drive. Plenty of worms can do these things.
"ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean."
A) What are reasonable steps?
B) What is secure? If I get an email from "you" telling me to run the attached security update to my computer, and don't know any better, and I run it, and it is an emailing worm, then I am now hosed. Worms do this all the time. Do I blame you because I thought I could trust you, or do I blame the worm author who masqueraded as you through their program?
If some application I download to do X has a bug that's exploited and does Y, and I don't know it, is it my fault?
C) Your statements are quite harsh. Have you ever had your hard disks wiped clean with all of your hard work on them? Your statement is akin to saying, "People who get diseases should be shot. That'll teach 'em to get sick!"
I can't believe your post was modded insightful. Flamebait, yes. Insightful, no.
No matter how you slice it, it's still code executing on your computer without your permission and that's a virus.
/. readers fall into this category as well.
As a usually security-minded person, I do what I can to keep my system up to date and to keep any non-requested traffic off my network. So.. most of these "white knight" viruses won't even get to my computer. I'm sure most
As for the general public, These could be used for good.. but there is much more potential for evil, as is usual with situations like this.
"Hey, I'm a program that unknown to you got onto your computer.. My intentions are good, I promise... You should click yes to fix the security hole that I got in through and distribute me to all your friends" (muahahaha)
?SYNTAX ERROR IN LINE 42
We live in the real world, where most users won't patch their systems even if Armageddon depended on it. They are just clueless. And it is a social problem. But let's leave that. In reality, we would like to have fewer exploited Windows boxes on the Internet, right? Even if you are a Linux/BSD/Mac user/admin, you should wish for that, because fewer exploited Windows boxes => fewer DoS attacks, less spam (certainly), less talking about dying e-mail, etc. So overall, if made properly, "white knight" viruses can form some kind of Internet "white blood cells". It could be a very interesting technique and is worth future research.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
It does... (may take several download - reboot cycles, but it sort of works), but most people don't go there - probably because there are 20 other icons in the system tray also clamoring for attention, which causes the 'your updates are ready to install' message to be completely ignored.
This is why a White Knight worm is a good idea - the average joe will *not* do a fucking thing to keep their PC patched until something actually breaks.
You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
Well we keep seeing the "white virus" explained as a computer/network immune system. Well ok, let's consider this for a second or two: my immune system is restricted to my body, my phagocytes don't go invading other people in a bid to help them out.
So the same should be applied to the software immune system, after all nature knows its shit better than we do.
"Things that you own end up owning you" - Tyler Durden (via Diogenes of Sinope).
This crap will be around forever, and the main problem is user education. I tell all 150 of my users twice a month to make sure their systems are up to date, and nearly 300 times a month I get the proverbial "yeah, yeah." It is not my job to patch their systems. That's another guy's job, who doesn't do his job. I put out reminders because of this.
So when we got hit by Nachi, I tracked down the weak link. It was our Netware admin, who deliberately went around my firewall so he could peruse porn, logged into his dialup ISP, checked his personal POP mail at said dialup ISP, and within minutes, bam. Nachi in the house. Of course, this wouldn't have been a problem if he (and the 2 dozen other users that got hit because of him) had kept their systems up to date.
I was found to be to blame for this, despite the fact that there was absolutely nothing I could do about it, since he bypassed my security. After a week of TRYING to explain to management why it happened, that nobody should bypass security and so on, I took a long hard look at the incident.
While Nachi was good in concept, it had fatal programming errors in it that caused it to be more harmful than Blaster. We all know this. I chalk it up to a learning experience - whoever wrote Nachi definitely learned from this. Too bad there weren't any real variants of Nachi. Yes, I'm serious. However, people actually learned from Nachi. Three weeks after Nachi infections slammed into my firewall, it stopped. Nachi just went away.
Yet I still get pounded by Codered and Nimda YEARS after information, patches, and global press about it were made highly available and easily accessible.
Everybody bitches about spam and viruses and worms and popups, yet so few people actually do anything about it. Don't complain to me about pop-ups. Use a different browser. Refuse to "learn" a new browser? Fine, get the Google toolbar. Don't know how to check for viruses? Get AVG. Sick of spam? Fine, I'll adjust your SpamAssassin threshold.
But people don't want to do these things. In their minds, everything should just work, and work the way they want it to work. Everybody at my company knows that we have AVG, AdAware, Spybot S&D and so on. When new software is made available, I pass it on to my users. A user came up to me last week and asked why AdAware never has any updates anymore, for like the last year. Because she disregarded my notice about the new AdAware and kept using the old.
I have strict rules about email, and my SpamAssassin 50_scores.cf file is very, very harsh. My users have been told that some of their email contacts may be tagged as spam, and if that happens, let me know and I'll whitelist them. Not one person has asked me to whitelist anyone, yet everyone bitches behind my back that I'm a lousy admin because *I* somehow personally tagged their email as spam. Even the president asked me to remove all graphic/audio/video attachments, so I complied. Yet he complains that he can no longer get pictures and other non-work-related material through email.
It's an endless cycle. No appreciation for jobs well done. This is why I actually welcome such attempts to clean up the filth on the 'net. I originally despised Nachi. I now praise it.
As long as the end user refuses to heed educational advice about how dangerous the Internet is, the Internet needs vigilantism.
Bring it on.
Spread, change the desktop background to "Infected" then do a shutdown.
If it keeps happening maybe the admins/users might just figure out that something is wrong eh?
There are people who are still running codered and nimda on their machines and are totally clueless. At least this will reduce the amount of wasted bandwidth.
This is how we got hit by MyDoom - a ZIP file turns up with a message to entice the users to open it - this is just social engineering - and they do, to find a plausible looking executable file inside named WHOEVER@WHATEVER.COM. The security hole follows next - the user either runs the file, or they don't. Some of our users did. Some were suspicious enough that they didn't click it. If someone can write a security patch so that the users will know that a .COM file is an executable rather than an email address then I'll gladly give them up to be infected.
Never email donotemail@WeAreSpammers.com
Some trojans might not be written securely and might perhaps be prone to buffer overflows.
So if the trojan tries to attack your machine and you subvert it and shutdown the server, wouldn't that be self-defense or "citizen's arrest"?
I've thought about this one long and hard, but the only solution is a global worm that nukes the computer it lands on..
This is the only way to eliminate all of those asian zombie boxes out there, and to educate the users of those machines..
"But it works just fine", is the answer I always hear people say when I tell them their computer is infected and pumping out more worms. To stop people from clicking attachments and to pay attention to updating their system, you either need to reward or punish users. Otherwise they simply won't care.
Since a worm can't reward, it should punish. Format all drives after say 3 days of the initial infection.. People WILL care after that happened once or twice..
Regardless of whether or not we want them to do this for us, the government in other areas has seen fit to play parent to us. Motorcyclists must wear a helmet (in some states), S.S.I. for retirement.
With the estimated number of zombies out there, I think the bandwidth loss would be a small price to pay to secure the net even one iota.
I am Bennett Haselton! I am Bennett Haselton!
Symantec called a vaccine a piece of information that helps the system to detect and isolate a virus.
Boy, they got it wrong!
A vaccine is a crippled VIRUS! which the system LEARNS to detect and destroy without the risk of failing due to the crippled condition of the virus.
What the net needs is not "White Knights". What the net needs are vaccines. Crippled viruses that eat a small % of your bandwidth (it is crippled) and let you know you are vulnerable without causing permanent damage. Release a vaccine in your 300 PC office and find 42 PCs getting infected and quickly patching themselves. Now we are talking high-tech instead of the stupid mantra: "Have you run the latest MS/Linux patch eh? uh?"
- these are not the droids you are looking for -
Maybe not good but still better idea than bad viruses. Hey, if somebody's going to write viruses anyway, I'd prefer they write good ones.
At least that way the writers could defend themselves saying their intent was not to harm. I mean doesn't good intent mean something in a court of law?
Preserve old classics: copy your collection onto all hard drives.
I have more information on my site, and could provide you with a convenient link here - but of course slashdot editors think linking to your own site is spam. So, go fish.
I've thought about it.. and it seemed like a good idea at the time.
But what happens when someone writes a white knight worm which causes more problems (ie. it restricts other services which require the ports or procedures that the 'good' worm blocks...)
They may even end up screwing up the chance to use official patches, when they come out.
Their intentions may be good, but since Windows is closed source, it'll make it harder to write something that won't cause other harm to a system.
Leave the security patches to the people responsible (M$) and the worms to the script kiddies.
-ank
Do we really want programs jumping onto our systems and 'fixing' them without permission?
Isn't this exactly what Microsoft (and others) are proposing with integrated DRM? They already offer automated download and installation of patches without user intervention; it is a logical next step to integrate this with DRM.
DRM seems like a big ugly hairball waiting to be compromised.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
If the hypothetical "white knight" comes with a proper EULA for the user to click on then it's fine, even if it creates ten security holes for every one that it fixes.
If it doesn't have an EULA then the legal industry will have a field day hanging the author from a tree and subjecting him to all sorts of cruel and unusual punishment which doesn't fit the crime.
The key is the EULA.
+++ATHZ 99:5:80
Think of the net as a big organism. We have invading viruses and worms [and other nasties], but no real immune system to speak of...
While there are certain to be real dilemmas and dragons here, it seems that exploring the idea of white worms and whatnot is a good idea; after all, is there any other solution for the systems that are not managed? However, white worms should have oversight (e.g. registered source code to some oversight body, managed release into the wilderness, etc..) somewhat akin to oversight for the immune system in an organism..
When in doubt, consult how nature does it - the more complex our systems become, the more similar our solutions look to nature's.. Very intriguing..
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
Now, how many times have we heard of leaks, break-ins, trojan infections, DoS attacks, wormhole/securityhole penetrations in the corporations?
They might be well equipped, but I think the fact remains the best laid plans can be shot to pieces in the kind of world it is out there - now whether that's due to holes and vulnerabilities in the most popular OS, is another story.
With the machines worldwide hooked up onto the web, and high speed connectivity, the time it takes for a virus/worm to spread is shorter than the time it takes to sense, monitor and plug that vulnerability.
http://efil.blogspot.com/
I know that every /.er does not want any type of virus on their systems and is quite capable of keeping them clean. But if you could force the average user to get rid of MyDoom the internet would be better. It's actually too bad that we almost need these white knights.
this sig intentionally left blank
that you can choose to run on your subnet, and choose to reboot now, not reboot, or wait until a specific time.
ISPs should require the ability to patch systems or disconnect them from the net in the event of a virus/trojan/compromised system.
-- Tim
TKrabec Pahh
How would that help? Linux isn't significantly more secure than Windows.
Remember- there were tons of worms which required victims to type in passwords to open encrypted zip files and then run the executables. AND tons of DUMMIES did, I even recall a columnist saying he was tempted to do it even though he knew he shouldn't.
They were exploiting vulnerabilities and security issues in HUMANS not Windows.
The same HUMANS would run an obfuscated polymorphic perl script from a stranger that did indeterminable things. Think about it.
You'd need a system that by default ran stuff with fewer privileges than the account the users are using, and flagged suspicious attempts to do more. Best if the system does a snapshot each time you try to run something strange.
Then every 3 months or so, you send the system to a professional for servicing - who patches everything, cleans out unused/unnecessary snapshots, removes any worms that got through etc.
Currently my ISP provides a cable modem for each customer into which the customer plugs their router or PC.
Perhaps a solution might be for the ISP to provide a combined modem/router with a built-in firewall and antivirus software.
Wouldn't Joe Sixpack be protected then?
Some of us wouldn't want it, that's for sure, but it probably wouldn't be so difficult to arrange for ports to be opened when required and the majority of users wouldn't even notice the difference.
Blarney Quality Restaurant, Plants
OK, check this out: go to google.com, type in "what is ir", see the results. I think there is some dangerous site listed. Please check.
Sure it will suck up bandwidth just as much as the "bad" virus. But its end goal is to stop all the bandwidth hogging. The problem with it though is that it is still a virus and I don't care if the virus is "good" or "bad"; if it gets onto any system that system has been compromised and has to be dealt with.
this is the most important sig ever! In your face 446154!
For the love of God, somebody write a Windows virus that destroys EVERY email address harvested by Outlook so that the next round of viruses stops emailing me! :)
Not even counting the fact that "good" viruses stand a pretty good chance of screwing something up for someone somewhere along the line, the primary thing that stops people from writing these "White Knight" viruses? The Law. You write a virus that compromises someone's system--even under the pretense of doing good--and you go to jail. Done.
I thought it said "orgasm".
That's an interesting point. If "white worms" become popular there's a good chance commercial software vendors will become even lazier about making secure software from the start. If they calculate that a certain percent of their vulnerabilities are statistically likely to be fixed by worm writers then to save money they'll cut their development time relating to security by that same percent. Basically, if they know others will fix it they know they can save money by not preventing or fixing it themselves. It sets up a really bad scenario where commercial software will be of lower quality.
I think open source software will not be as affected by these white worms. One reason is that a hacker will get more public credit for submitting fixes to the project in his own name than having to remain hidden and writing a worm to do the same thing. Plus unix systems tend to be much more secure than Windows when it comes to networking, so worms exploiting holes to spread themselves are far less likely. And then there's the heterogeneous environment that Linux fosters, making it harder to spread worms.
Developers: We can use your help.
Think of the net as a big organism. We have invading viruses and worms [and other nasties], but no real immune system to speak of...
The brain doesn't have to worry about the liver doing a hostile takeover of its functions, and I don't think Big Blue would be too happy about an MS virus, whether good or bad, infecting any of its systems.
Instead maybe IBM erects firewalls and proxy servers and closes off most of its network, similar to a human's nose hairs/mucus and skin, and very minimal orifices. When something gets past those, we have white blood cells in the form of tech workers running around fixing things. Sure that could use some improvement, but the improvement should be implemented by the company in question, not by some other place.
So sure, let's consult nature. Is there any virus out there that will infect me and benefit me? Is there any worm that will grow inside me and give me super powers?
By the way, when consulting nature, keep in mind companies mimic an organism that constantly gets organ transplants in the form of upgrades and migrations. With a human's immune system, we'd experience a much higher rate of organ rejection, e.g. implementing migrations or new products may be a PITA.
The "poor" in this regard are those without the best/latest updates or anti-virii software or firewalls.
The only real reason this sort of thing gets done is because these 'poor' people interfere with the effectiveness of the rich's internet. Those of us with updates/AV have to deal with the spam/network congestion of those without. There wouldn't be much talk of white worms if all the damage was contained to the infected.
This situation is more analogous to rich people forcibly sterilizing the poor. Or creating robots to give showers to the homeless, etc. While there may be some objective benefit to these actions, it is undertaken on behalf of the privileged.
--LordPixie
No, that really wouldn't help anything. Jimbo or Granny wouldn't know that the system went down because it wasn't properly patched. They'd just be forced to rebuild the system, and in all likelihood they once again would NOT patch it because Windows Update would recommend about 80 Mb of downloads to do the patching. "After all, the system was working fine - it must have been a one-time event." And in weeks, it would be re-infected by something else malicious.
No, user education is the only option without changing the operating system.
--Brandon / Split Infinity Music
Well, if you think about it... Isn't Symantec (and other AV software) really a "White Knight" backdoor or Trojan or something? It calls home to get software it then installs on my machine, even (*gasp*) without prompting me!
How about Windows Update?
Incremental evil it is...
What a novel approach. This "worm" will def. go down in the history books.
I wouldn't call it a worm.
The threat is that maybe some whitehats might undermine the economic benefits of certain virus/security companies. It IS an attack against the business "model" of these anti-virus/security companies.
It force-feeds lazy people a fix, no harm in that.
Bandwidth: it just shows how many people were(!) vulnerable. The bandwidth usage to manually patch the system would have been consumed anyway, but maybe(!) spread out over a few weeks, instead of a few days/hours.
I'm walking down the road and I see this car that has unlocked doors. Now if I check to see if the key is in the ignition and it is not, is it a crime to push down the lock and slam the car door shut? (Plus add this is in an unfriendly neighbourhood.)
-or-
Someone left his stove on fire and when he gets back, there is this bunch of people soaking his house. Should he be angry that they didn't ask his permission to extinguish his burning house?
Maybe this is a friendly kinda A.I. at work...
Radiation can cause cancer; but chemotherapy uses radiation to destroy cancer.
The patient is usually not at their most chipper when undergoing radiation therapy - but when all is said and done they are happy for the treatment, in spite of what they had to endure.
This analogy is pretty much the "fight fire with fire" one, imo.
In general, when a complex organism fends off some kind of internal attacker there is often some kind of tradeoff. Your body expectorates during a cold, and you will vomit with the flu (which may not actually help, but vomiting is one of nature's oldest tried and true methods for ridding an organism of something internal and unwanted).
In other words, when you're sick, things aren't happy - and they need to be not happy.
A worm can simply redirect someone's web browser to windowsupdate.microsoft.com or something like that. The worm itself should never be allowed to run or install code. Basically, the fact that your computer was hijacked and redirected should be incentive enough for people to patch their systems. This would reduce the lost bandwidth.
Also, a good worm passes through once because it closes doors as it leaves. A bad worm will keep reverberating.
A NYC lawyer blogs. http://www.chuangblog.com/
Viruses started as a proof of concept "automatic system updater" way back in the mid-late 80s. When it was realized that it could be used to trash as much as fix, it went on to being used to do so.
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
...about white or malicious worms is that vast numbers of users will never be aware they have either working in the background. I do freelance system maintenance in homes around the city here and most users just don't know. They don't know the difference between a worm or virus, they don't know what spyware is, they don't know what it's doing, nor where to go to fix it. These 'white worms' or whatever come with good intentions but some who build harmful worms want you to believe the same thing. IMHO user awareness must be pushed up. I've given my clients steps to perform every two to four weeks to keep their computer clean. Most of them don't quite understand what they're doing, but their systems have been worm, virus, and spyware free. Microsoft has tried stepping up awareness on their update site, but this hasn't been enough because users don't run updates. How can we step up awareness other than the current method employed by those who write harmful code?
One of my asshat salesmen took a trip to Japan without updating his anti-virus and brought Nachi and a few other things back. The real viruses were found and destroyed almost immediately...Nachi however was left to run rampant. Before all was said and done I had 5 infected machines that would take down my firewall at random times by opening more than 6000 connections to the internet. Sure it cleaned up easy but it made for some shitty days. White hat or not, leave my systems alone.
Apple free since 1990!
Guys, the problem worms create beyond their security-related issues is one very simply of bandwidth consumption. Come on, guys. It's the same exact problem as chain letters: even if the payload/content is innocuous, if these things are all over, stressing the pipes, how is this doing anybody any good?
And this ignores the problem that in a lot of shops, the IT staff likes to test out patches & make sure the patch doesn't break anything. If a patch hasn't been installed on an office box, there might very well be a good reason for it. A worm is a one-size-fits-all sledgehammer of a solution to the problem of unpatched boxes. How would you feel about allowing an unknown process, not critical to apps or OS function, to run on every desktop in a LAN?
ed
How about PKI signed worms that must be verified locally? Symantec can do it. Every time there is an exploit, a new one is let loose. It will only run if it's signed and everything checks out.
The war with islam is a war on the beast
The war on terror is a war for peace
In the end, if people lose work, computers, information, etc on a big scale, probably awareness will be much higher and safer choices will be taken (on client software, i.e.), as the ones that will fall will probably be the ones that always get infected.
It's like an injection: it hurts a bit, but in the end you will end up mostly safe from that kind of malware.
If Microsoft were to listen to all of the net traffic pounding their firewalls, they'd be able to pick out the packets created as the result of mydoom or blaster. Then, inspect the IP headers (I'm assuming these worms don't spoof? It would be foolish!), find the machine that's spewing packets, and use the same vulnerability to remotely patch the machine.
At least, this way, it wouldn't be "white" worms doing the patching (ie. no massive proliferation of packets), the patch would only be applied as needed.
But yes, I realize it would still be illegal for Microsoft to intrude on a machine like that. Though perhaps this method would work for the supposed white hat hackers who create the repair worms; it's far less damaging to the internet, as it is not packet intensive.
Visit the Game Programming Wiki!
They couldn't say "if everyone stopped using Internet Explorer and Outlook Express, worms and viruses would be a fraction of the problem they are", now could they?
Sometimes I think the whole antivirus industry mostly serves as a diversionary tactic that lets companies keep shipping software with deep, fundamental security problems.
I hear there's going to be a second version called Doom3 which is going to be eating exaflops of computing power and ungodly amounts of memory in under two weeks. Please, please, do something about the Texas virus company before it's too late.
They say you're going to need to have a dual Xeon to even run the virus. That's when you know the whole upgrading thing is way out of hand.
Intolerance for ambiguity is the mark of the authoritarian personality.
I doubt IBM needs white worms to keep them clean - I think they take security pretty seriously. The point of the article and my post was protection for neglected systems that are exploited.
Again, you might be surprised. Nature is full of such things. You have beneficial, symbiotic bacteria and viruses teeming through your body. Even beneficial tiny insects on your skin. It is a bizarre place, your body...
Modern day companies do a very poor job of imitating nature. The ones that do a better job seem to be able to keep moving without so much as a hiccup when things change inside (take your own cited company, IBM, as an example of that). Aside from that, I don't think there are real viruses that could transplant your liver (but there are some that will destroy it!) - the implication is cool though - a computer virus that could give me a processor upgrade!!! Hey, maybe a transmeta chip white worm upgrade? Hmmm... [scratching on chin]...
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
Linux is a socially engineered worm that claims to be doing good.
Pretty funny... "Think of the net as a big orgasm.."
Dude, that is just way too much pr0n.
I'm a 4th year student at my uni, and this semester I chose to stay inside the campus accommodation.
Admittedly I was careless; didn't have ZoneAlarm on, anti-virus wasn't updated either.
Within less than 1 day the comp was attacked by Sasser, Welchia, etc.. etc.. whatever their names are (didn't really bother to check).
No harm done; I know how to use the task manager, regedit, msconfig and such.
The rest of the students (almost all), though, have no idea how to protect, much less "heal", their comp. (IT students my ass)
Something like this can be useful then.
I know the potential for abuse is a lot, but if the "cure" is released by a trusted source in the network then White Worms can be very effective.
'The dame was really persuasive, somehow most dames are'
Hold it up high,
the machete is already sharpened;
since you are bathing anyway,
you might as well get soaked.
Yep, there is/was a virus that infected your ancestors LONG ago, that gave you an advantage - to the point that it has been handed down from mother to child for millions of years.....
Mitochondria
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
The thing is most admins would have this kind of thing blocked on the router, so as long as your network is blocked and your ISP is any good, it will work, right? So only the unprotected ppl, ppl most likely to have viruses anyway, would get the auto fixes.
Like putting on your seatbelt before driving recklessly...
something that white knights can check on your computer to see if you want to allow them to try and fix your system? who would support this though, i don't know if microsoft would be too keen on just anyone patching their systems, i'm sure they'd manage to get drm'd white knights in there somewhere.
"if i'd known it was harmless, i'd have killed it myself"
This stuff was not a worm (it was centrally managed), and deployed inside the HP class A network (15.*.*.*), where all machines are owned by the IT department. Thus they could get away with it. Inside the firewall you can do this thing - companies and universities are obvious places. But I wonder about the big broadband ISPs, I don't think I want them scanning my box, as before long the MPAA will want them shutting down BitTorrent services.
Not even going into the obvious problems of spoofed attacks [...]
Spoofed origin is much less harmful here: If the warning returns to a spoofed origin, it will either be blocked because that machine is fixed, or it will get through because the machine is not fixed, in which case the warning still applies (machine already infected or not).
I wouldn't support widespread adoption of white knight worms, but having them generated underground could have beneficial effects. Since every competent anti-virus program should remove anything viral in nature, these beneficial worms (like Nachi) could offer a layer of protection to people who are not practising safe computing. Just this effect would take a load off my mind and out of my mailbox - I've just received my 9th MyDoom-generated email from a spoofed address (on my own domain no less).
"Capital punishment makes the state into a murderer. Imprisonment makes the state into a gay dungeon-master"
maybe a virus management program could be a good idea. where there are these white knight worms unleashed out there (though digitally signed by "trusted" people like norton or microsoft maybe, or otherwise just with someones name on (hey, ya might trust em?)) that look for these infected computers then leave a message (in an organised way) on the computer to inform it of the exploit. the user could then use some client program to review any messages that have been left on their system by these white knights.
i guess it'd be like having an anti-virus program that isn't something that sits on your computer and scans it for virus', but something that is out there in the wild looking for holes, and telling people when it find them (though i guess this would probably be for a price if it was to be worth companies whiles developing such a system...)
just an idea...
"if i'd known it was harmless, i'd have killed it myself"
What if the "white knights" only launched from the "immune system" - this would only work for universities/corporate networks, but that's where a lot of the problem is anyway. Instead of a distributed knight, have a central server that scans every computer in the [university/corporation]'s subnet, and if it finds the exploit, patches it. I think any implementation of this idea would have to be managed centrally, not released into the distributed wild - both for bandwidth and legal reasons (though IANAL). The scary thing to me is random hackers releasing white knight viruses that actually mess up systems further - many worms have unintended negative side effects - and the plea, "but it was a white knight!" just isn't gonna mean anything to anybody.
Instead of fixing the specific problem, the cleanup worm should completely remove all operating system files, replacing the Windows splash screen with a handy-dandy notice:
THIS PC HAS BEEN DEACTIVATED
FOR VIOLATING PROPER SECURITY
STANDARDS WHEN CONNECTED TO
THE INTERNET.
1) All your data and documents are still on the system, and may be easily recovered and copied to a CDROM by a competent PC technician. On the other hand, why not load them from backup - you do keep regular backups, right?
2) While you (or your designated PC technician) are busy reloading an operating system of your choosing, please take the time to consider properly securing the PC with all available patches and updates now and in the future.
Have a nice day.
Interesting in concept, but the beauty of nature is that it is written in self-modifying code. Good code survives, bad dies off. Also, code that was bad at one time is beneficial or benign now.
Look at the cycles of virii in nature. Initially they are devastating, but with each iteration less so. The cycle goes something like this:
Infection--->Immunity--->Assimilation
Many virii which used to kill humans are now part of our DNA.
Computer virii mimic natural ones through the first two steps, but I don't see a way that the third can be achieved.
Also, like in nature (well, through genetic engineering) a virus can be "written" to cure an ailment...there's just no telling if it will kill the host in the process. This is one area where these "white knight" virii are very much like their biological counterparts. They frequently cause the same amount of a disruption as their darkside counterparts, and frequently for the same reasons: Bad Coding on the part of the script kiddie cut-and-pasting the virus in the first place.
Just a rambling...
--Qtone, Not French
There is only one kind of "white knight" virus as far as I'm concerned, and that's not one that cleans up after other viruses. It's one that knocks the infected computer off the Internet until that machine is fully cleaned. The "white knight" will eventually die a death due to no other infected machines being available hence it won't cause as much damage to other people's networks.
And that's the point for me. Other people's networks. I don't care if some lazy corporation gets knocked off the Internet or DDoSs themselves. It's not my concern. I just don't want my bandwidth eaten up by their infected machines trying to connect to mine.
Bob
Listen to my latest album here
Interesting in concept, but the beauty of nature is that it is written in self-modifying code. Good code survives, bad dies off. Also, code that was bad at one time is beneficial or benign now.
Take the broad view, you will see that this happens on the net too...
Computer virii mimic natural ones through the first two steps, but I don't see a way that the third can be achieved.
Are you kidding? Haven't you used Windows lately?
The virus writer may not be considering morality here, but the practical reality instead. The simple fact is worms are a problem that has been escalating almost without bound. Users refuse to be educated, and many of those who know don't care if they're infected until they themselves suffer some ill consequence. At some point you have to make a decision between MORALITY and REALITY (please do not try to mix these two). MORALITY: Respect users' rights and continue educating them (obviously to no effect) and hope for the best. One never has the right to force their way onto others. If you can't catch the person selling drugs, it's not your place to forcibly rehabilitate the user. REALITY: There is a desperate problem, and desperate times call for desperate measures. Those who perpetuate the problem are part of the problem; their respect is negligible. If a finger is infected with a progressive and contagious disease and you can't tell which, off with the hand. Morally all violations of users' rights are wrong, but practically something more needs to be done. This person may see the glass as half empty, and justifiably so since the cup of net safety only seems to be draining.
I hate to say this, but I think it's a good idea to release virii that patch security holes if done in a way that will cause minimal problems for the rest of us.
So why not have the white knight virus author send his code to Symantec, McAfee and the rest 2 or more weeks before he releases the virus. They can then add it to the virus defs, and those of us who keep our systems patched don't get affected. Businesses that roll out security and virus updates in a timely manner should have it patched before it hits.
Then the virus hits a few weeks later and the only people with problems are those that didn't patch in time.
"I, for one, welcome our new %INSERT ARTICLE SUBJECT HERE% overlords."
Funny. Someone is seriously suggesting white hat worms to solve a so far intractable problem.
Someone suggests that maybe that using Linux could be the answer, and what happens? It's called flamebait.
I guess that is called the Microsoft Experience. Enjoy it.
Derek
have robbers in consultant positions for security. Who better to find holes in physical security than the people who naturally look for holes anyway? Though I don't think the white virus idea is really a good thing.
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
...if the OS was properly designed in the first place.
True, but antivirus programs take a few hours to days after the initial outbreak before their virus definitions are updated. Also, the firewall where I work has been circumvented because someone took their laptop on the road or home and got infected. When their laptop was brought back in and placed on the corporate network the firewall was breached.
Also, I do believe good worms are just as bad as malevolent worms. Whenever an OS patch comes out we test it on our development servers to see if it affects anything critical before we apply it to production. And yes, occasionally the patch negatively impacts our work.
Looking for a job?
Want your resume written professionally?
DON'T USE TUNAREZ!!!
The Internet is a Wild West (or, to use 1990's terms, the Information Superhighway is overrun with Highwaymen) and those trying to make it a civil society (non-profit or for-profit) should not be expected to sit back and let marauding groups of Russian spammers and Nigerian scammers ruin it for them and us. Once there is an authority in place to stop the MS-empowered superworms, autopatching worms will necessarily be outlawed too, but until then... some will do what they have to do.
-- @rjamestaylor on Ello
Mitochondria are basically similar to prokaryotic organisms, so it would be better to think of them as a bacterial infection. They do not resemble viruses, especially since they retain and process their own DNA. Most viruses have no DNA and those that do inject it into the host which processes it.
The 11th Commandment for computer programs: Thou shalt not install or run thyself without permission.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
We've all read disturbing reports on how Trusted Computing is supposed to be nailing open-source software, and keeping good citizens from causing a little less income for the poor media industry (that just made its record profit this year).
Imagine a whole new kind of knight: black to the industry, but white to freedom-loving people. A knight that, just before no non-signed applications will run anymore, patches all systems it infects to destroy the immoral TCPA lockdown. I'd like to see how many users, after realizing that they can again run their own programs, would like to install the latest security (whose security...?) for Windows.
Indeed, the idea is not new, and I'd sure like to see an implementation of that. We'd probably need a freenet-like public-key command structure for such a virus, for one sane person to stay in control.
That would be so cool... Ah, dream on. (And go for it!).
A nice exercise would be to "patch" all iTunes clients out their to save unencrypted AAC-files to the disk. Just an idea... ;)
Support a Europe-related section on Slashdot!
...what anyone thinks on the subject. If you and your staff are competent at your job then MyDoom should never have been a problem for you in the first place; if it was, then by definition you aren't competent and won't be able to keep Nachi off your system either.
Although it may be able to do what you apparently can't: patch your system against future MyDoom-like attacks. Kinda funny, to think that a program like Nachi can easily outperform you, the supposedly highly-skilled IT staffer. If I were your boss you'd be out the door in a heartbeat.
Either way, the losers who aren't qualified for their positions or pay will no doubt come here to Slashdot to bitch, whine, and moan - and probably demand more laws to prosecute 'white knight' programmers, to cover for their own incompetence.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Sorry, a newbie here.
I wouldn't mind some sort of pop up indicating "A scan of your system has revealed several potential security holes...blah blah blah" with a link to a trusted sponsor site (google,slashdot whatever) providing MD5 checksum downloads to correct the problem along with details of best practices etc.
At least then I have the option to save/destroy my system, or ignore the message. There are a lot of novice or ignorant users that could benefit from such a thing...no?
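Two posts above describe the same control from different angles: one wants PKI-signed knights that "must be verified locally" and only run "if it's signed and everything checks out", the other wants fixes offered as checksummed downloads from a trusted site. The following is an added example written for this page (not code from either post, Symantec, Microsoft or any worm) of what that local check looks like in practice: the host recomputes a SHA-256 digest of the delivered patch and verifies an Ed25519 signature against a pinned publisher key before anything is applied. Key generation and the "hotfix" payload are placeholders. One caveat the checksum-only proposal needs: a digest published beside the download only detects corruption, because whoever can swap the file can swap the digest too; the signature is what binds the bytes to a publisher. MD5, which the post names, is also collision-broken and should not be used for this even as a corruption check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PatchBundle is the unit a "white knight" or a download site would deliver:
// the patch bytes, the publisher's SHA-256 of those bytes, and the publisher's
// Ed25519 signature over that digest.
type PatchBundle struct {
	Payload   []byte
	Digest    [32]byte
	Signature []byte
}

// ErrTampered is returned for any bundle that fails integrity or authenticity.
var ErrTampered = errors.New("patch rejected: digest or signature check failed")

// SignPatch is the publisher side (assumed to run at the vendor, never on the
// target host): hash the payload and sign the hash with the private key.
func SignPatch(priv ed25519.PrivateKey, payload []byte) PatchBundle {
	d := sha256.Sum256(payload)
	return PatchBundle{Payload: payload, Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyPatch is the host side. pub is the publisher key pinned on the host
// ahead of time; it must NOT come from the bundle itself, or an attacker
// simply ships their own key alongside their own signature.
func VerifyPatch(pub ed25519.PublicKey, b PatchBundle) error {
	// 1. Integrity: the digest in the bundle must match the bytes delivered.
	//    On its own this only catches corruption, not a deliberate swap.
	if d := sha256.Sum256(b.Payload); d != b.Digest {
		return ErrTampered
	}
	// 2. Authenticity: the signature over that digest must verify under the
	//    pinned key. This is the check that ties the bytes to the publisher.
	if !ed25519.Verify(pub, b.Digest[:], b.Signature) {
		return ErrTampered
	}
	return nil
}

// ApplyIfTrusted is the gate the post asks for: run only if everything checks
// out. apply is whatever installs the patch; here a caller-supplied function.
func ApplyIfTrusted(pub ed25519.PublicKey, b PatchBundle, apply func([]byte)) error {
	if err := VerifyPatch(pub, b); err != nil {
		return err
	}
	apply(b.Payload)
	return nil
}

func main() {
	// Placeholder publisher key pair; in reality the public half is shipped
	// with the OS or the AV product and the private half never leaves the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := SignPatch(priv, []byte("hotfix: close RPC/DCOM hole (placeholder bytes)"))
	fmt.Println("genuine bundle:", ApplyIfTrusted(pub, good, func([]byte) { fmt.Println("  applied") }))

	// An attacker swaps the payload and even recomputes the digest to match;
	// the signature no longer verifies, so nothing is applied.
	evil := good
	evil.Payload = []byte("hotfix: close RPC/DCOM hole (plus a backdoor)")
	evil.Digest = sha256.Sum256(evil.Payload)
	fmt.Println("swapped bundle:", ApplyIfTrusted(pub, evil, func([]byte) { fmt.Println("  applied") }))
}
```

The check is cheap and does exactly what the first post asks, but note what it does not solve: a signed patch is still an untested patch on that particular box, and signing does nothing about the scanning traffic the other posts complain about. It only answers "did the party holding this key publish these bytes".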
it seems to me that if someone created an evil virus posing as a white virus, the open source community would be able to find that out rather quickly and let the world know about it and how to deal with it. So this would mean that virus writers would need to create virii that act very quickly, which would also make them easier to spot, or create sleepers, which increases the ability for them to be found before they do any damage. So it seems to me that once something does what it is not supposed to do, there are 1000s of ubergeeks ready to investigate and deal with it. Now granted it is up to the user to properly research what they install on their computers, but how is that different than now?
Isn't it time for W32.Debian.World.Domination.Plan.Worm?
------- In the end there are no begining
But how much traffic does this white knight worm generate compared to the traffic that would be generated if every computer were to individually download Windows Update patches? I have a feeling that a lot of organizations (especially those with a large number of workstations) do not have an internal update server. Bandwidth consumed by Windows Update would probably wreak as much havoc (at least for that one organization) as the worm would. Of course, with the worm, the difference is that the good admins (those who update) get punished too.
NT
You, and that other frogtard out there that espouse the virtues of 'white worms' every single bleeping time a virus or worm makes it on CNN, suck. I'll avoid further commentary because I really don't want my post to be rated flamebait. First things first. As several other posters have rightfully indicated, competent system administrators will do what they can to mitigate malware outbreaks. A strong, zero-tolerance acceptable use policy for Internet and e-mail will mitigate most virus issues. Yes, I said zero tolerance. It disgusts me that people would 'just want to see what it looked like', or deliberately jack their workstation to get to play instead of produce, or feel that they should not have to exercise common sense when performing daily work activities - "my IT person should be preventing these from ever arriving so if I open them it's not my fault". This will not happen - the competent admin will do their best; but the antivirus updates and system patches may not always be there in time. I still cannot comprehend why anyone with even a fraction of IT experience would condone PATCHING WITHOUT TESTING. Fool. Any single one of us has horror stories about applying a hotfix or patch and then struggling to get it to work right or roll the system back because it fried a critical company application. Entire books; entire industries have sprung up around the phenomenon of not thinking - uhm, testing before you patch. This is common for non-security updates - remember the ODBC and Jet database engine fiascos? I sure do. DLL protection my left... eye. Finally, anyone that supports the 'white worm' concept, even on controlled internal nets, needs to examine the path that led to their support and then burn it clean. Nachi taught us that releasing a worm that spreads the same way as the malicious version WILL cause as much damage - by crashing systems, hammering network devices, breaking applications that have not been tested with the patch, saturating bandwidth... 
often causing more damage than the bad worm it is trying to fix. Secondary to that, the worm intended to fix runs the risk of being modified and used for 3V1L itself.
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
So when you are sick, even in the slightest bit, should a doctor proactively immunize you? Does that make you all better?
What about all the people who are saying that we are becoming more resistant to antibiotics?
Does sending in a "good" worm to fix you really fix you for the long term or simply patch you up? It seems to me that if I was forced to maintain my own health I would learn a lot more or ultimately be picked off as a weaker member of the herd...
#1. A "good" worm is written in response to a "bad" worm. The "bad" worm exploits a hole, but doesn't patch the hole. The "good" worm infects the computer, patches the hole and removes the "bad" worm.
I have no problem with this as long as the "good" worm deletes itself after 24 hours and does not hog the bandwidth. This form would not be a problem to anyone who is current on their patches. But, over time, the "bad" worms would evolve into scenario #2.
#2. A "bad" worm infects a computer and patches the hole it used to get in. There's nothing a "good" worm can do in this instance.
#3. A "good" worm is written that infects a computer and installs a patch for the hole that it used to get in.
I have big problems with that. You'd have to do extensive testing to make sure that you weren't breaking anything. Even Microsoft's RPC patch for NT broke some apps and had to be re-released.
So, I don't have problems with #1, but if "good" worms are released for that scenario, the scenario will change to #2.
At which point the only "good" worms will be in scenario #3 and those would be classified as "bad" worms when they break something (even if they were trying to be helpful).
So I would support "good" worms only in limited circumstances and those circumstances would quickly be changed by the "bad" worm writers.
The Net is not an organism, but an environment with many, many organisms in it. We're already taking interesting tips from nature within those organisms to protect them from the outside world. The environment doesn't have an immune system, though, and adding one in this way only means more unneeded data clogging up the pipes. I haven't had a worm or virus on any of my computers since 1996 (and that was planted by a mischievous "friend" with a floppy disk), until I picked up Nachi. It's clogged up my local environment to the point that two of my computers had to be taken out of the pond and put in stasis until I have the time to clean them.
> Being an IT professional, ... install linux
I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera.
Er, I may be slow, but I fail to see how the grandparent poster's users, in a professional environment, could justify the need for fancy stuff like digital cameras or downloading ringtones, or installing printers themselves. If there's an IT professional where he works, it is most probably in an environment big enough that users should not mess with their computers.
blah
...too much liability.
Basically Slate reporter is asking someone to do something illegal to fix the worm problem. No company would want to accept the liabilities for this. If some hard drive crashed or some other malfunction, these companies would be huge targets for lawsuits. If some guy is arrested for having kiddie porn on his computer, he could use the worm as an excuse [this happend a couple months ago].
Basically, the "I broke into your house to lock your doors" excuse will not hold up in court.
_______________________________
"I'm not Conceited...I'm just a realist..."
Even if there was such a thing as a "good virus" where would you draw the line?
Most mass mailers do include code to remove or disable other mass mailers. Is this good?
Worms often disable other worms. Is this good?
Finally, we have the example of Intel's early experiment with a replicating ethernet driver to indicate what can go wrong. In Intel's case, it took down a good portion of their network and required technicians to go to the affected computers and remove the bad (truncated) driver and install a good one.
LedgerSMB: Open source Accounting/ERP
While there are certain to be real dilemmas and dragons here, it seems that exploring the idea of white worms and whatnot is a good idea; after all, is there any other solution for the systems that are not managed? However, white worms should have oversight (e.g. registered source code to some oversight body, managed release into the wilderness, etc.), somewhat akin to oversight for the immune system in an organism.
I agree that the idea of "white worms" has its potential, and should not be dismissed out of hand. At least- it's an interesting approach that should be looked at to see what good ideas we can pull from it. Insofar as computer viruses/worms are comparable to viruses/bacteria (which, they're arguably not comparable at all), then maybe we should be looking into analogous "white blood cells". I mean, maybe we could have some sort of self-replicating self-modifying programs than can roam a network and help fix things.
But these things can also be dangerous, and you'd want to develop them properly. Otherwise, they might turn into the analogue of a cancer (one of your own cells killing you). Also, I think things like this might best be limited to network admins infecting their own networks with "white worms", rather than white-hat hackers infecting the 'net at large, and at their own discretion.
These are some of the things molecules do...... given 4 billion years -Carl Sagan
I like your analogy.
In the same vein I have thought that as our computers become more interconnected they become more interdependent. Because of this there has to be someone or something to take up the slack for the, well, slackers.
Your model for an oversight body is counter-intuitive to me in the analogy. In the human body the reason that the immune system works is because it is distributed, not centralized. Each area has the ability to respond to localized threats, and can contribute to combating holistic problems as well.
The idea that the communication between body cells and immune cells is somehow privileged is misleading. Viruses use the same "authorization" system to gain access to cells and destroy them. The body's response is to immunize itself by releasing antibodies that block the attempts of viruses to penetrate the body cells once they are recognized.
There is a constant barrage of viruses, worms, trojans, etc. and the only thing stopping them is the attentiveness and prowess of the person who owns the computer/network, and we know how fallible they are. This screams to me the need for "white hat worms" if you will use the term. Another way to state it is that there are individuals who are willing to contribute to the health of the system and the individual computers around them and spend their energy and resources protecting them. However you put it, I think the system will benefit from an infusion of antibodies.
In the same analogy, sometimes cells go crazy, reproducing out of control (cancer). Like cancer, zombified boxes spitting out worms, spammers, etc. menace the system, reduce its efficiency, cost other parts of the system resources, and generally degrade the performance of the whole. In the analogy to a biological organism/immune system we need a method to deal with cancerous/gangrenous/toxic parts of the body.
Concentrated gamma rays work well to destroy cancer; I don't see why they won't work on spammers. Har har har! Seriously though, a method to remove those agents from the system, wall them off, or patch them remotely would also be beneficial.
The only reason that this is not more common IMHO is because of a skewed view of property rights emphasizing those of the malignant entity and ignoring those affected because the effects are diluted between millions of people, and lack of respect for "virtual community property."
For justification of my views I will propose some analogous scenarios.
If you left your front door open and went to work, would you be upset if the mailman closed it? What if you left your door open and there were thieves making off with your furniture, would you be upset if someone scared them off and locked your house? That is how I see patching a security hole remotely only it is simplified to only reflect the damage done to the owner of the unpatched computer.
How about if your rent house was run down, dirty, had broken windows and was full of crack dealers. Would you be upset if your neighbors called the cops on the crack heads, and refurbished the home at no cost to you? This is how I see damage done to the "community property" of the internet infrastructure being bogged down by worms or enslaved spam boxes and the shows the individual cost to computer owners.
When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
Actually, I'm pretty sure the original smallpox vaccine was cowpox. It was noticed that milkmaids were less likely to be infected with smallpox. This was because of their exposure to cowpox, a closely related virus that is much milder on humans.
If you want to check up on it, I believe it was Jenner who experimented by injecting some pus from a cowpox blister into a young street urchin before later exposing him to smallpox.
And allowing users to clog the network with infected machines they are too clueless or too unwilling to fix is a better idea? MS and RedHat both already allow automatic installation of patches. That's all this is.
Virally propagated code, no matter the intent, still generates network traffic
True. And everybody downloading the patch also clogs the network, although not so badly because it damps itself out. But don't forget, such a "white" virus also suffers from its own success because the more machines that are patched, the harder it is for it to find more. When they give up the search, the network congestion ends. Not typically so with a malicious worm.
mistakes in their code which could have adverse effects on the systems they are attempting to patch
Agreed. And I personally have been bitten by a bad patch that sealed a hole while breaking an app. Just because the security patch was something I went and got didn't make me immune from bugs in it. What getting it myself did do was make me know where to go for the patch to the patch. If well known organizations are producing the "white" viruses, and those patches identified themselves as they installed, then you would know where to go for the patch to the patch when this happens.
back away from the internet in fear
True.. But by the same reasoning, if you don't like telemarketers, cancel the telephone, don't like spam, cancel the email account, etc. Not a very reasonable way to live one's life.
So I agree that people should have a grace period to install a patch or otherwise secure their systems from infections. However, after that, there is no reason not to release a white virus to patch the rest of the systems. They already have a virus that self-installed, and the owners already imply their consent to such actions by doing nothing, so I see no reason to worry about a self propagating patch on such systems. The ones that have been manually patched or otherwise secured are not affected.
Welcome to the net of 1000 lies. Upgrades are scheduled soon that should bring us to the 10,000 lies mark.
If you don't want white knight viruses fixing your security holes, then fix them yourself. Otherwise, myDoom and alike will exploit them worse.
http://ablegray.com
Part of the problem of worms is the network congestion that they cause when they scan the internet to spread themselves. Worms can easily take out firewalls and routers. In this way, any worm is "bad." If it were just about computers being compromised, I would say, "Yeah, go for it, white hats."
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
That disables ActiveX and scripting in IE. If you are dumb enough to install it, you need to be stopped for your own good.
On RedHat strains of Linux, check out the Red Hat Network. Turn on auto updating.
In the first place, we don't want any security holes; we want the integrity of our system.
But if there's a hole, I'd rather have a white knight fixing it than a black knight exploiting it or leaving it open.
Wouldn't you?
Of course, it would be nice if there were some sort of notification and so on.
By the way, socially engineered worms that actually exploit your system are black-knight. It doesn't matter what it says, it matters what it does.
Social engineering is a "problem" in itself (^^), but this does not quite affect this discussion point.
I don't really see the bandwidth issues behind viruses that plug holes.
If your system is insecure, then it's only a matter of time before you will get infected either by a "bad worm" or a "good worm".
Good worm should plug the hole, which prevents you from
a) Getting infected by bad worm
b) Infecting other people
So while the initial traffic rush may be bigger with both worms, goodworm should cause a decrease in overall traffic over time.
Of course, I wouldn't want to be caught as a writer of either, and I certainly wouldn't want to be responsible for any downage caused by goodworm not doing what is expected, but bandwidth is really not much of a point (except the flurry to contact a patch server.... why not make it P2P from the host that sent the goodworm?)
Then you won't have to worry about it all now will you?
From a corporate perspective, where application and network availability are of critical importance, a White Knight program has the same effect as a malicious program. Left to propagate unchecked it will spread across the network in the same manner as the malicious program, and cause the same level of incident handling and remediation work to resolve. A better alternative is for corporations to put into place efficient and repeatable patch management processes that effectively prioritize and distribute patches to the endpoints within their network. While this might not stop a zero-day exploit from having some effect, it will help to keep poorly-constructed operating systems and applications as secure as possible.
You are right - they are/were actually closer to bacteria, but I stretched a bit to link viruses and bacteria - Just like comparing computer viruses to real viruses is a stretch
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
No one would. But your analogy is inapt. If your bike is dangerously broken, the only person who suffers is you. If your computer is infected, you are actively harming thousands of other people. Not the same thing. At some point, the other people have a responsibility to protect themselves from you, just as if you were firing a gun into a crowd.
We need worms that use p2p networks to patch holes in order to cut down on bandwidth usage.
But I'm a girl, you insensitive clod!
Back-formed from incentive, bah! I'll back-form something for you.
http://dictionary.reference.com/search?q=baby-sit
People are thinking about these white knights the wrong way.
First of all, they almost always use the same vulnerability as the virus they exist to destroy. Thus if you are already immunized you have nothing to fear from this white knight. You won't get it. It won't touch your system. Stop crying.
If however you are unpatched then it is only a matter of time before the worm the white knight is trying to kill gets to you. The worm WILL cause you problems either by using your system in DDOS attacks, sharing your files, logging your keystrokes, etc. It will also harm other people's systems by using your system to attack others. The white knight MAY harm your system and it MAY harm other systems. Either way it is less damaging than the actual worm.
In other words it is always better to get the white knight than to get the worm. If you aren't patched you deserve whatever you get. An even better white knight would donate your computer to someone who knows how to use it.
Allow the release of these 'white knight' worms under the following conditions:
3a) machines (to be [dis]infected) must have a specific client-side program (e.g. AV software, p2p client, &c.) enabled,
or 3b) machines (to be [dis]infected) must allow open access via a specific port (e.g. 0.0.0.1:6669) which admins/users can easily block, this port being the only one that the worm is allowed to propagate along (should cut down bandwidth-eating port scanning, &c.).
Biologically speaking if there were some new virii infecting humans (say a new flu) I wouldn't want good hearted strangers randomly jabbing me with a needle full of vaccine. It's just not a good idea. I think the intentions are good but the best case scenario I see is a full out war between "white" and "black" worm writers which will eventually fill the networks with worm and vaccine packets. Leaving little to no room for everything else.
Again don't get me wrong, I applaud their effort but it's just not a good idea.
Since many people accept Windows, they accept the hidden 'features' and the use of it... they accept the NSA key, the dominance of MP, that they have to buy virus tools, and so on. My question: would McAfee & Co. kill this pretty worm :-)? Who is guilty then, the worm or the worm-killer? It is only a point of view, since Nachi really "fixes" a problem, leading to benefit for more than ONE. ... Judgement!
Hell yes I would rather be infected by a worm that patches my system if the alternative was be infected by a worm that wiped out my data.
Plugging security holes? You mean, like skull-fucking users who open e-mail attachments?
The only major, persistent vulnerability is keyboard driver software.
that claims to be doing good?"
Like a Government?
White worms wouldn't be motivated by kindness for individual recipients so much as an attempt to protect oneself and the network in general from the destructive worms. People who maintain unpatched and unprotected systems open to attack from worms have little leg to stand on when complaining about a white worm. They can remove themselves from the game entirely by taking security measures. This seems to me like a reasonable sublimation of the worm writing instinct, which will ultimately do more good than harm.
There ought to be a Windows worm that goes out for the next few months that silently enables Automatic Updates to the aggressive apply-and-reboot-when-available setting. Then self-terminate in 2 months.
I'd consider that a public service, even more so if you can disable the ability to EVER disable automatic updates.
Can I get an eye poke?
Dog House Forum
Whether or not it patches the hole is secondary -- once some external program told me I have a hole, it's time to wipe the OS and recover data from backups anyway. The important thing in my mind is that it lets me know (though I guess one could argue that saturating your outgoing link counts as informing someone :) )
Unfortunately it seems anti-hacking laws prevent even well-intentioned testing and informing of sites.
I bet the internet would be a much safer place if it was OK and encouraged to run scripts finding and informing people that their machine's an open relay, etc.
If he's working in a professional environment, he doesn't get to choose to install a different OS to fix his user's problems. Companies have standard desktops and you get paid to support them.
-------
"Every artist is a cannibal, every poet is a thief."
the black hats will do is disguise their worms as white knights.
PENAROL: Seras eterno como el tiempo y floreceras en cada primavera.
That's the kind of misbehaviour you expect from worms, while it would have been no more work to release a scanner/cleaner that network administrators could have run in a controlled fashion, with one set of hosts scanning any given subnet instead of multiple worms at random. And of course it _was_ a virus, so you also expect it to accidentally stomp on various machine configurations while it's trying to do the propagation job, and make various errors trying to "clean up" things that weren't actually broken (or at least weren't broken in the specific manner that it expected), and clog host resources, etc.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"Well, you can read the instructions that came with the product. Or you can look at the manual. Or you can request assistance online."
"But I want help now!"
"$300 per hour, two hours minimum, in advance."
"I, uh, found the manual."
No, no, no. We don't need no stinkin worms. If someone really wants to white code how about doing it via a program like adaware? This way it is by choice that we introduce variant code into our systems. Oh wait..... Isn't that anti-virus software? Nevermind...
./what?
Yeah right, you implement a white blood cell anti-worm/virus and then some schmuck invents an electronic AIDS virus to kill your beautiful immune system!
Back in the days of CodeRed I ran a scan on many many class C networks from a large local ISP using free eEye.com scanners.
When I found an infected system I did an ARIN search to find the holder of the IP then sent e-mails to admin, postmaster, webmaster, and any listed domain registry WHOIS e-mails. Oh - and also NET SEND messages to the infected IP, about 60% got thru.
The response was mixed in that many people thanked me for informing them and providing patch links while others (ignorant IT ppl?) sent NASTY responses saying, "We ARE NOT infected and I believe your broadcast e-mail was uncalled for..."
I went back and checked logs and these machines had been infected but had been patched. Probably just covering their asses from their bosses on my CC: list.
In any case, I got some people to plug holes in the aftermath of CodeRed and Nimda with this notification method.
RLC
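The notification workflow in the post above, recast as an added example that is not the poster's scanner or any eEye tool: a small Python script that flags Code Red and Nimda probe requests in constructed IIS-style access log lines, counts them per source address, groups the sources by /24 (the "class C" networks the post scanned) and produces the list worth notifying. The log lines, the four-column layout, the two signature patterns and the minimum-hit threshold are assumptions for illustration; the WHOIS lookup and NET SEND steps need a network and are left out.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified IIS-like layout:
#   <source-ip> <method> <uri-stem>?<query> <status>
# The probe strings are abbreviated versions of the well-known Code Red
# (/default.ida?NNNN...) and Nimda (root.exe, cmd.exe?/c+dir) requests.
SAMPLE_LOG = """\
192.0.2.10 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 200
192.0.2.10 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 200
198.51.100.7 GET /scripts/root.exe?/c+dir 404
198.51.100.7 GET /MSADC/root.exe?/c+dir 404
198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
203.0.113.5 GET /index.html 200
203.0.113.5 GET /images/logo.gif 200
"""

# Signature patterns: an assumption for illustration, far cruder than a real IDS ruleset.
SIGNATURES = {
    "CodeRed": re.compile(r"/default\.ida\?[NX]{20,}", re.IGNORECASE),
    "Nimda": re.compile(r"(?:root\.exe|cmd\.exe)\?/c\+", re.IGNORECASE),
}


def parse_line(line):
    """Split one constructed log line into its four fields, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, method, request, status = parts
    return {"src": src, "method": method, "request": request, "status": status}


def classify(request):
    """Return the worm name whose probe signature matches the request, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def find_infected(log_text):
    """Map each probing source IP to {worm name: number of matching requests}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        worm = classify(rec["request"])
        if worm is not None:
            hits[rec["src"]][worm] += 1
    return {ip: dict(worms) for ip, worms in hits.items()}


def notification_targets(hits, min_hits=2):
    """(ip, worm, count) triples with at least min_hits probes.

    A single stray request is not worth mailing a network's abuse contact about;
    repeated probes from one host are.
    """
    targets = []
    for ip, worms in sorted(hits.items()):
        for worm, count in sorted(worms.items()):
            if count >= min_hits:
                targets.append((ip, worm, count))
    return targets


def group_by_class_c(hits):
    """Group probing hosts by their /24 so one notice per network can be sent."""
    groups = defaultdict(list)
    for ip in sorted(hits):
        prefix = ".".join(ip.split(".")[:3]) + ".0/24"
        groups[prefix].append(ip)
    return dict(groups)


if __name__ == "__main__":
    infected = find_infected(SAMPLE_LOG)
    for ip, worm, count in notification_targets(infected):
        print(f"{ip}: {count} {worm} probes, notify the contact for its /24")
    print(group_by_class_c(infected))
```

The threshold and the /24 grouping are where the post's "NASTY responses" come from: a host that was infected and then patched still shows up in old logs, so the notice should quote the timestamps it is based on and say so.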
supposedly in some asian countries 95% of the software in use is pirated MS product. MS is making SP2 not work with the most common pirated XP installation codes. In the future, legitimate (or pirating) users who want relief from massive attacks caused by large concentrations of unpatched XP boxes will embrace viral patching.
I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera etc etc
Of course. Happened just 2 weeks ago. Canon Digital camera. I ssh'd into the box, installed gphoto and gtkam, set up permissions, made sure there was a menu entry, and told them about it. Not so hard. And I've talked people through setting up a print SERVER over the phone.
Then I would hope that you got caught and spent a few years in jail to think about it, and have it on your record for the rest of your life. Maybe you'll be branded as a terrorist!
Oh GOD no! Please don't brand me a terrorist! Right now everyone who calls others a terrorist is most likely to be a terrorist themselves. Take Baby Bush and his owners, the Bin Ladens, for example. And try to keep in mind I'm just making a point. If I actually wanted to write a virus, do you think I'd be so stupid as to post about it here?
A) What are reasonable steps?
How about:
- firewall
- antivirus software
- no Internet Explorer
- no Outlook / Outlook Express
- keeping Windows up-to-date
Is that so hard. If everyone did that, there would be so few viruses that we wouldn't be talking about it now.
B) What is secure? If I get an email from "you" telling me to run the attached security update to my computer, and don't know any better, and I run it, and it is an emailing worm, then I am now hosed. Worms do this all the time. Do I blame you because I thought I could trust you, or do I blame the worm author who masqueraded as you through their program.
WTF? Dude what I'm talking about is people taking some fucking responsibility and learning about what they have to do to keep their computer secure. I don't really see where this point is coming from.
Have you ever had your hard disks wiped clean with all of your hard work on them?
No, because I've taken some responsibility for my computer, and don't get bothered with such garbage. I take it you've had problems though...
Bad link. mid-change transexual pics at other end.
I'd often wondered myself about whether programs like this could work. (At the time, I was wondering if it were possible to virally update Quake 3 to have client-side hit prediction, but that's beside the point).
I think this sort of thing is a good idea. Considering that worms can only work by exploiting security holes in the first place, using this kind of thing in a controlled way could be the answer. I don't think we're ever going to be able to rely on users to take proper precautions themselves, nor companies to always fix the exploits themselves.
"Encourage" is a perfectly good alternative, and it doesn't grate on the nerves either. Or you can use the phrase "give an incentive" or "offer an incentive" if you feel "encourage" doesn't communicate the underlying meaning. "Spur" is good too albeit a little old-fashioned.
"Incent" deserves a slow and painful death, but I will settle for a quick one.
Soylent Green is peoplicious!
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
There are a few common things that viruses and worms do that we can use, without causing the bad things and avoiding many of the ethical problems.
Start with a small set of manually seeded machines that have the white hat virus installed.
1. The "white hat" virus sits quiescently on a machine and monitors its own infection vector passively, therefore not utilising any bandwidth. Upon receiving an attack from the virus it is programmed to protect against, it will move to step 2 and remember not to approach the attacker again within a week.
2. Using the same known vulnerability that the virus exploits it is able to put itself on the attacking, infected machine. It then pops up a dialog box saying "your machine is infected with a XXX virus, may I deal with it?" with a cancel button which cancels, but if OK is clicked then we move to step 3.
3. It installs its package so it can be removed by the control panel, it patches the system so it is not vulnerable, cleans the virus and starts itself scanning, adding itself to the group of machines waiting in step 1.
4. If a month goes by without detecting anything, uninstall itself.
Benefits: minimal network traffic since only validated victims are addressed, no changes without authorisation, and if the OS is secured then the white hat virus cannot propagate.
Worst case scenario : if someone is infected and will not patch their machine or remove the virus they may get irritated by popups.
-- Don't believe everything you read, hear or think
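The traffic argument a few posts up (a worm that closes the hole should reduce overall traffic over time) and the four-step passive design in this post can both be checked with a simulation. The following is an added Python example, not code from the thread: a toy network in which a random-scanning black worm spreads, white-hat agents stay quiet until attacked and then offer a fix back over the same hole (steps 1 to 3), wait a week before re-approaching a host that declined, and uninstall after a month of quiet (step 4). Setting active_white compares this with an agent that random-scans like a conventional worm. All host counts, probabilities and tick lengths are assumptions; no vulnerability or exploit is modelled, only who connects to whom and how often.

```python
import random
from dataclasses import dataclass

# Host states. WHITE hosts run the passive agent; PATCHED hosts are immune and quiet.
VULN, INFECTED, PATCHED, WHITE = "vulnerable", "infected", "patched", "white"


@dataclass
class Sim:
    """Parameters of the toy network. Every value is an assumption chosen for illustration."""
    n_hosts: int = 2000
    prepatched: int = 600        # hosts already patched by hand (untouched by either side)
    seed_black: int = 5          # initial black-worm infections
    seed_white: int = 20         # manually seeded white-hat agents (the post's starting set)
    probes_per_tick: int = 10    # random scans per infected host per tick
    accept_prob: float = 0.7     # chance the user clicks OK on the consent dialog (step 2)
    cooldown: int = 7            # "a week": ticks before re-approaching a host that declined
    idle_limit: int = 30         # "a month": quiet ticks before an agent uninstalls itself
    active_white: bool = False   # True: agents also random-scan, like a conventional worm
    seed: int = 1


def run(cfg: Sim, ticks: int = 200) -> dict:
    rng = random.Random(cfg.seed)
    state = [VULN] * cfg.n_hosts
    for h in rng.sample(range(cfg.n_hosts), cfg.prepatched):
        state[h] = PATCHED
    free = [h for h in range(cfg.n_hosts) if state[h] == VULN]
    for h in rng.sample(free, cfg.seed_black):
        state[h] = INFECTED
    free = [h for h in free if state[h] == VULN]
    for h in rng.sample(free, cfg.seed_white):
        state[h] = WHITE
    declined_until = {}                      # (agent, target) -> tick when a retry is allowed
    last_activity = {h: 0 for h in range(cfg.n_hosts) if state[h] == WHITE}
    black_probes = white_connections = 0
    t = 0

    def offer_fix(agent, target, t):
        """Steps 2-3: counter-connect over the same hole and ask before patching and cleaning."""
        nonlocal white_connections
        white_connections += 1
        last_activity[agent] = t
        if rng.random() < cfg.accept_prob:
            state[target] = WHITE            # patched, cleaned, now listening (back to step 1)
            last_activity[target] = t
        else:
            declined_until[(agent, target)] = t + cfg.cooldown

    for t in range(1, ticks + 1):
        for a in [h for h in range(cfg.n_hosts) if state[h] == INFECTED]:
            for _ in range(cfg.probes_per_tick):
                if state[a] != INFECTED:     # cleaned earlier this tick: it stops scanning
                    break
                tgt = rng.randrange(cfg.n_hosts)
                black_probes += 1
                if state[tgt] == VULN:
                    state[tgt] = INFECTED
                elif state[tgt] == WHITE and declined_until.get((tgt, a), 0) <= t:
                    offer_fix(tgt, a, t)     # step 1: the attack itself is the trigger
        if cfg.active_white:                 # the conventional alternative: agents scan too
            for w in [h for h in range(cfg.n_hosts) if state[h] == WHITE]:
                for _ in range(cfg.probes_per_tick):
                    tgt = rng.randrange(cfg.n_hosts)
                    white_connections += 1   # the scan probe; a hit costs a second connection
                    if state[tgt] in (VULN, INFECTED) and declined_until.get((w, tgt), 0) <= t:
                        offer_fix(w, tgt, t)
        for h in list(last_activity):        # step 4: a month of quiet -> uninstall, keep the patch
            if state[h] == WHITE and t - last_activity[h] >= cfg.idle_limit:
                state[h] = PATCHED
                del last_activity[h]
        if INFECTED not in state and WHITE not in state:
            break
    return {
        "ticks": t,
        "black_probes": black_probes,
        "white_connections": white_connections,
        **{s: state.count(s) for s in (VULN, INFECTED, PATCHED, WHITE)},
    }


if __name__ == "__main__":
    for name, cfg in (("passive", Sim()), ("active", Sim(active_white=True))):
        print(name, run(cfg))
```

With accept_prob at 1.0 the passive agent never opens more connections than there are hosts, because every counter-connection converts exactly one attacker, whereas the scanning variant keeps probing at the black worm's rate for as long as it is installed; that is the bandwidth difference between the two designs, and it is independent of how many hosts end up patched.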
Of course this solution needs to be thought out carefully. Perhaps display a "user friendly" message including detailed instructions on corrective action(s) needed, and then allow access ONLY to WindowsUpdate and anti-virus vendor sites? This moves the problem from the users to the service providers, where I think more attention needs to be directed!
If you bought a car that turned out to be a lemon you would certainly raise the issues forcefully with both the dealer and the manufacturer, but (perhaps due to slimy stuff like EULAs) we have become accustomed to not only accepting unsafe and badly flawed software and ISP service, we hardly hold the suppliers responsible at all!
Microsoft recently started offering a bounty on virus creators, and this is a good start, but why aren't more resources going into catching these folks? It seems to me that one reason that we get so much of it is that the perpetrators usually get away with it. Why are websites that provide script kiddies with virus writing tools allowed to continue to exist? These folks are like having a crack house on your street.
If the rich and powerful Gates, and other industry leaders like him, don't start going after them soon, then we will get the John Ashcrofts and Orin Hatches of the world trying to do it instead.
Your model for an oversight body is counter-intuitive to me in the analogy. In the human body the reason that the immune system works is because it is distributed, not centralized. Each area has the ability to respond to localized threats, and can contribute to combating holistic problems as well.
Actually, the human body DOES have a centralized clearing authority that approves new immune functions -- the thymus. It has the job of testing new white blood cells to make sure they'll fit in with the rest of the body. When the thymus fails or makes a mistake, the result is an autoimmune disorder.
Range Voting: preference intensity matters
I wrote = >>
:P
vandan (151516) wrote = >
>> I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera etc etc
> Of course. Happened just 2 weeks ago. Canon Digital camera. I ssh'd into the box, installed gphoto and gtkam, set up permissions, made sure there was a menu entry, and told them about it. Not so hard. And I've talked people through setting up a print SERVER over the phone.
So have I. It's not all that hard. "Start->Printers and Faxes, right click on printer, go to Sharing, click 'Share this printer'." Yes, I want a medal. I was a helpdesk worker for 2 years in college. It paid a little more than $10 an hour. Best student job on campus. It taught me to appreciate how out-of-touch people are with their computers. People of all ages.
Oh, and for the Canon camera (I have 3 Canon cameras, and 2 of them are digital), all I did was insert the CD and follow the instructions.
> If I actually wanted to write a virus, do you think I'd be so stupid as to post about it here?
Was that a rhetorical question?
>> A) What are reasonable steps?
> How about:
> - firewall
> - antivirus software
> - keeping Windows up-to-date
You forgot about the "don't download stuff that can be run by your computer". A firewall doesn't protect you from yourself. AntiVirus software is a good first step, but it needs updating, as do IE, OE, and Windows. Microsoft has made it a lot easier to keep up-to-date with XP SP2. If you didn't learn about this before, you can get yourself the latest RC of SP2 by changing the v4.windowsupdate.microsoft.com to v5...
> - no Internet Explorer
> - no Outlook / Outlook Express
I run IE and Outlook (and I use OE for newsgroups). My machine automatically downloads patches from MS, and I install the ones I feel are necessary at my leisure. Since I have no open ports on my external firewall, it doesn't bother me to not run firewall software on my computer, but I leave them on anyway, because in XP SP2, it lets you know when programs are trying to open ports to the outside world, and doesn't open the port until you say so.
> Is that so hard. If everyone did that, there would be so few viruses that we wouldn't be talking about it now.
That's where you make a mistake. Viruses come in all flavors and forms. Outlook and IE don't cause viruses, people do. For every kind of self-propagating or social-engineering+computer propagating program, there are approaches to stopping it. User education is not the most effective or practical.
>> B) What is secure? If I get an email from "you" telling me to run the attached security update to my computer, and don't know any better, and I run it, and it is an emailing worm, then I am now hosed. Worms do this all the time. Do I blame you because I thought I could trust you, or do I blame the worm author who masqueraded as you through their program.
> WTF? Dude what I'm talking about is people taking some fucking responsibility and learning about what they have to do to keep their computer secure. I don't really see where this point is coming from.
This point is coming from the host of mass-mailing worms that come in the form of email. Face it, if someone at a store in the back woods country would accept a one-sided, 3 dollar bill, you might not be able to tell a genuine message related to security from an ingenuine attempt at getting into your computer.
Take this challenge, and get back to me. Did you get 10 of 10?
>> Have you ever had your hard disks wiped clean with all of your hard work on them?
> No, because I've taken some responsibility for my computer, and don't get bothered with such garbage. I take it you've had problems though...
Well, since I got my firs