Slate On Worms That Plug Security Holes

← Back to Stories (view on slashdot.org)

Slate On Worms That Plug Security Holes

Posted by timothy on Tuesday July 27, 2004 @10:44PM from the anti-missile-missile dept.

gwernol writes "Slate has a well-written article on 'white knight" worms like Nachi that attempt to automatically patch security holes; Nachi try to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"

4 of 417 comments (clear)

Min score:

Reason:

Sort:

Here is a related article... by Sun+Tzu · 2004-07-27 22:50 · Score: 5, Informative

...on the problems with beneficial computer viruses.

--
Geeky modern art T-shirts
Nachi was in response to Blaster by asdavis · 2004-07-27 22:51 · Score: 5, Informative

Nachi took advantage of a RPC/DCOM vuln, a WEBDav vuln or a Blaster infected system. It had nothing to do with MyDoom.

--
TECMATIC - Intelligent Technology News
1. Re:Nachi was in response to Blaster by dalamarian · 2004-07-27 23:09 · Score: 5, Informative
  
  I am not sure if nachi was re-released but it did also try to take down older versions of mydoom (a and b) Not surprised if was released as a new version
  ******** From Symantec **********
  W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the version of the operating system of the infected machine is Chinese (Simplified), Chinese (Traditional), Korean, or English, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install it, and then restart the computer.
  The worm also attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.
  Also Known As: W32/Nachi.worm.b [McAfee], W32/Nachi-B [Sophos], Win32.Nachi.B [Computer Associates], WORM_NACHI.B [Trend],
they stuff up networks by sejanus · 2004-07-27 23:07 · Score: 5, Informative

I'm a network engineer at a reasonable size isp.

These bloody worms caused us so much bother, our customer terminating (ethernet) routers (Cisco 7206 NPE300 VXR's) really suffered CPU wise against these because the ethernet based services are procssed switch unlike ATM/POS etc unfortunately. And the netflow accounting tables were just out of control.

AND the old legacy routers we have that still ran snmp based ip accounting, the cpu on them went ballistic. It was a big pain in the butt and took a lot of stuffing around to fix/block etc.

Unfortunately just blocking the traffic doesn't help as you have to recieve the traffic in order to block it, so I was dumping netflow tables and getting the support guys to call infected customers. Many hours of work just because some little shit script kiddie/newbie programmer thought it'd be funny.

On the bright side though, it promped management to give me a lot of money to get some more grunty gear so we are now better prepared for the next time it happens, and I'm sure it will.