Slate On Worms That Plug Security Holes
gwernol writes "Slate has a well-written article on 'white knight' worms like Nachi that attempt to automatically patch security holes; Nachi tries to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"
But are 'good viruses' really a good idea?
No.
These could be Trojans.
If I give you some worm that's supposed to cure another but which in fact is another one...
No.
Trolling using another account since 2005.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Next thing in line: an automatic spyware remover. Followed by: an automatic licence checker. And in true 1984 style: an automatic open source software remover.
-- (:> jms cs.vu.nl (_) --"---
...on the problems with beneficial computer viruses.
Geeky modern art T-shirts
Nachi took advantage of an RPC/DCOM vuln, a WebDAV vuln or a Blaster-infected system. It had nothing to do with MyDoom.
TECMATIC - Intelligent Technology News
For most users, who experience a bewildering slowdown of internet connectivity, or intranet access which mysteriously disappears after a few days, such "White Knights" may well be useful. For grannies, gramps and other naive users it would be a blessing.
For others, who have mission-critical applications or other extensions on the target OS, such "White Knights" may send a shiver down the spine:
What if it plugs a hole, but breaks something else?
From what I have seen, such socialist stuff doesn't really go down well with corporations. They don't give away things for free, and they don't expect anything given to them for free.
http://efil.blogspot.com/
If White Knight viruses become common there will be viruses designed to attack them as well, it's just making an extra battleground. This has happened with anti-adware products - many of the new trojans and viruses try to stop software like Adaware working.
The answer is to have a secure system. As that's not happening in the Windows world at the moment, frequent patches to plug the holes and a way to encourage everyone who uses Windows on the net to download them is the way to go, as is installing more secure software (e.g. Firefox rather than Internet Explorer).
"What if they're using IE?" "I've dumbed Mozilla down to cope with it." - BOFH
It's like somebody is stealing your bike just to take it for a service.
Would you like that?
No. My reasoning is that a trojan, no matter how it modifies a system, has a chance of fucking it up.
Even valid updates from manufacturers have the odd really bad mess-up: making a service crash, modifying a config file so it doesn't work, causing unexpected behaviour.
To give support to those writing such white knight worms gives support to any anonymous coder who might wish to fix a problem, with no concept of testing things on a system other than their own or a few others belonging to a "friend of a friend".
RST
Anti-virus programs like Norton AV, McAfee etc. would still block these intelligent programs. They are still viruses, are they not?
fifteen jugglers, five believers
One should note that a "white knight" worm is illegal like a "bad" worm and would fall under the same criminal charges. And the author would have to pay civil damages as the worm consumes bandwidth. The affected party might even argue that such a worm requires a complete security check-up with reinstalls etc., as the source of the worm can't be trusted.
A white knight worm author would end up with the same civil damages to pay, only gaining perhaps a small reduction of the criminal charges.
"White Knights" are a horrible idea. They're a horrible idea for the very same reasons letting MS automatically push updates onto your computer without your knowledge or permission is a bad idea.
It's not for someone who "knows better" to decide for me how to "secure" my computer. What happens if one of these virus-like apps (either from MS or a third party) "patches" my server with my multi-million dollar application system and somehow breaks it, as unintentional as it may be?
If these hackers want to do good and create 3rd party patches that people can download and install on their own, that's one thing and I applaud them for their efforts. But, please, don't insult my intelligence and do something that's "best" for me without my knowledge or consent.
I really am sick of viruses.
Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers.
Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Window installation.
If I were writing a worm, however, I'd take a different approach. I'd make it spread quietly, and then destroy the Windows install completely 1 day after infection. The whole fucking lot. People who get viruses are asking for it. If you put your computer on the internet, you have a responsibility to do the right thing by everyone else. If you stick your head in the sand and click on all the 'click here' and 'free hardcore XXX' links, then come bitching to me when the whole thing comes crumbling to the ground then you really only have yourself to blame.
ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean.
Once a few viruses start doing this, people will get the hint and keep their systems secure.
Blaster had very little impact on our network. Nachi on the other hand caused absolute bloody chaos.
There is absolutely nothing "white hat" about running code on someone elses machine without their permission.
The white worm needs to be passive; a compromised system will try and attack other systems - all the "good" virus has to do is wait for an attack. When an attack occurs, our "good" virus has the IP of a compromised machine on which to mount a counterattack/patch.
The white worm should also uninstall itself after a predetermined length of time, say 10 days.
I understand the concern people have about auto-patching, however I am certain that none of those people would put themselves into a situation where they were vulnerable in any case - they would only see a benefit from this, in the overall lessening of net traffic.
I'm a network engineer at a reasonable-size ISP.
These bloody worms caused us so much bother; our customer-terminating (ethernet) routers (Cisco 7206 NPE300 VXRs) really suffered CPU-wise against these because the ethernet-based services are process switched, unlike ATM/POS etc., unfortunately. And the netflow accounting tables were just out of control.
AND the old legacy routers we have that still ran snmp based ip accounting, the cpu on them went ballistic. It was a big pain in the butt and took a lot of stuffing around to fix/block etc.
Unfortunately just blocking the traffic doesn't help, as you have to receive the traffic in order to block it, so I was dumping netflow tables and getting the support guys to call infected customers. Many hours of work just because some little shit script kiddie/newbie programmer thought it'd be funny.
On the bright side though, it prompted management to give me a lot of money to get some more grunty gear, so we are now better prepared for the next time it happens, and I'm sure it will.
What about a subscription-type system for such a service? I can imagine a variant of the virus definitions auto-update that does this. It wouldn't be kicked off by the user's computer, as it could be disabled by the Blaster-style worm, but would rather be initiated by a remote server. Next time a 'bad worm' spreads across the Internet, the service releases the 'good worm' to patch its customers' systems. My mom would probably appreciate something like that.
Of course we want control of our machines and would object to anything running on them. That's why WE protect and patch them regularly, RIGHT?
NO... this is for those Joe Sixpacks, grandmas and - worst of all - the selfish dumbasses who don't know OR CARE if their machine on their spanking new broadband connection is fouling the net for the rest of us.
If ISPs don't employ some kind of active blocking, then the combination of the world's most used OS (STILL having gaping holes) + users who'll open any attachment and OK every install query + broadband means the battle will be lost without some "friendly agent" on our side.
And what's with these PCs you buy with one year's free subscription to virus updates? Whaddaya think happens when that expires? The expiry warning dialogs get dismissed, the machines become increasingly vulnerable.
For these users, patching needs to be proactive, automatic and on by default.
Course the naysayers will argue that an auto-update mechanism creates a vulnerability in itself. This is arguable, but the fact is you're not gonna win trying to "educate" users.
You could just sit back until a nice cosy CLOSED internet standard is imposed on us by the powers that be when the frustration level reaches breaking point.
- zero-day remote hole
- replicate for 24 hours
- then really mess up the filesystem, destroying most of the data
That would teach most people to patch their systems. The Big One, anyone taking?
The definitive (and about ten-year-old) paper on this is:
http://www.virusbtn.com/old/OtherPapers/GoodVir/
Well worth a read if you've not seen it before
Linux has its fair share of worms too, and if you move the same 'stupid' Windows users over to Linux they're still going to be stupid, and you're still going to get worms and trojans and spyware, though more will be at user rather than system level, since it's harder to elevate privileges on a Unix box than a Windows one.
thank God the internet isn't a human right.
If your system is a mission critical one, you should be running a firewall and anti-virus to begin with. You should also stay on top of software updates. This is standard computing in my book.
There is no excuse for corporate security exploits. Unless the corporation just doesn't care about its computing.
I don't want to see any "friendly trojans", but a while ago someone wrote a very neat Java app which acted like an IIS server, listened for attacks, and used the exploit from the exploited to send the infected party a "net send localhost YOUVE GOT A VIRUS!!" message or something to that effect. What was that worm called? Red Alert? I think the software was called red alert vigilante or somesuch.
Anyway, I should have the right to take attackers and use their own exploit to inform them about their situation. A real world comparison would be me finding a trespasser and, instead of just kicking them out, telling them they are doing wrong and then kicking them out.
Granted, this kind of vigilante action can be seen as, say, tracking down the trespasser and going on his property to yell at him. I guess this is where the analogy breaks down, but it's a good concept and doesn't waste bandwidth like the "friendly trojan" shotgun approach.
This would only work with worms with machines with open firewalls, but it sure beats nothing.
I'm not a real doctor but I am a real worm
Don't go to a brothel if you want to buy broth
Bruce Schneier touched on this very subject in his September 2003 cryptogram in response to Nachi (or Blast.D), you can find his original article in the cryptogram archives.
Automatically installing code on a user's system without their consent is never a good idea. Virally propagated code, no matter the intent, still generates network traffic; just because the payload is different doesn't mean the virus/worm/whathaveyou isn't adding to the problem of congested networks. And as someone else pointed out, even if the 'white hat' programmer has good intentions, that doesn't mean they won't make mistakes in their code which could have adverse effects on the systems they are attempting to patch.
While I don't think users should have to directly interface with security protocols/techniques, I do think they should be aware of them. If they are made fully aware of the damages that can be done to them, they're more likely to patch, or back away from the internet in fear, either way, there is a reduction in exploitable hosts.
I have discovered a truly remarkable sig which this margin is too small to contain.
The parent poster writes:
"I really am sick of viruses. Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers."
Welcome to the IT club. So far, you aren't sounding special.
"Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Window installation."
I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera. How do I get my pictures and video into the computer? Oh, and I bought a new printer, too. I want to print my new pictures with my new printer. Oh, oh, and my cellphone has this cool service where I can download ringtones... I want to do that, too. I need to do XYZ with some application I use for XYZ. How do I get it on my Linux PC?" Face it. Linux is still a second-class citizen in the desktop market. Having one or two category apps isn't the same thing as having 99% of the market.
"If I were writing a worm,
Then I would hope that you got caught and spent a few years in jail to think about it, and have it on your record for the rest of your life. Maybe you'll be branded as a terrorist! Talking about writing worms doesn't get you my respect. Even hypothetically. It has been done before. It has been discussed to death before. There were viruses that damaged your equipment. There were other viruses that repartitioned your hard drive. Plenty of worms can do these things.
"ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean."
A) What are reasonable steps?
B) What is secure? If I get an email from "you" telling me to run the attached security update to my computer, and don't know any better, and I run it, and it is an emailing worm, then I am now hosed. Worms do this all the time. Do I blame you because I thought I could trust you, or do I blame the worm author who masqueraded as you through their program.
If some application I download to do X has a bug that's exploited and does Y, and I don't know it, is it my fault?
C) Your statements are quite harsh. Have you ever had your hard disks wiped clean with all of your hard work on them? Your statement is akin to saying, "People who get diseases should be shot. That'll teach 'em to get sick!"
I can't believe your post was modded insightful. Flamebait, yes. Insightful, no.
No matter how you slice it, it's still code executing on your computer without your permission, and that's a virus.
/. readers fall into this category as well.
As a usually security-minded person, I do what I can to keep my system up to date and to keep any non-requested traffic off my network. So.. most of these "white knight" viruses won't even get to my computer. I'm sure most
As for the general public, these could be used for good.. but there is much more potential for evil, as is usual with situations like this.
"Hey, I'm a program that unknown to you got onto your computer.. My intentions are good, I promise... You should click yes to fix the security hole that I got in through and distribute me to all your friends" (muahahaha)
?SYNTAX ERROR IN LINE 42
Well, we keep seeing the "white virus" explained as a computer/network immune system. Well ok, let's consider this for a second or two: my immune system is restricted to my body; my phagocytes don't go invading other people in a bid to help them out.
So the same should be applied to the software immune system, after all nature knows its shit better than we do.
"Things that you own end up owning you" - Tyler Durden (via Diogenes of Sinope).
This crap will be around forever, and the main problem is user education. I tell all 150 of my users twice a month to make sure their systems are up to date, and nearly 300 times a month I get the proverbial "yeah, yeah." It is not my job to patch their systems. That's another guy's job, who doesn't do his job. I put out reminders because of this.
So when we got hit by Nachi, I tracked down the weak link. It was our Netware admin, who deliberately went around my firewall so he could peruse porn, logged into his dialup ISP, checked his personal POP mail at said dialup ISP, and within minutes, bam. Nachi in the house. Of course, this wouldn't have been a problem if he (and the 2 dozen other users that got hit because of him) had kept their systems up to date.
I was found to be to blame for this, despite the fact that there was absolutely nothing I could do about it, since he bypassed my security. After a week of TRYING to explain to management why it happened, that nobody should bypass security and so on, I took a long hard look at the incident.
While Nachi was good in concept, it had fatal programming errors in it that caused it to be more harmful than Blaster. We all know this. I chalk it up to a learning experience - whoever wrote Nachi definitely learned from this. Too bad there weren't any real variants of Nachi. Yes, I'm serious. However, people actually learned from Nachi. Three weeks after Nachi infections slammed into my firewall, it stopped. Nachi just went away.
Yet I still get pounded by Codered and Nimda YEARS after information, patches, and global press about it were made highly available and easily accessible.
Everybody bitches about spam and viruses and worms and popups, yet so few people actually do anything about it. Don't complain to me about pop-ups. Use a different browser. Refuse to "learn" a new browser, fine. Get Google toolbar. Don't know how to check for viruses? Get AVG. Sick of spam? Fine, I'll adjust your SpamAssassin threshold.
But people don't want to do these things. In their minds, everything should just work, and work the way they want it to work. Everybody at my company knows that we have AVG, AdAware, Spybot S&D and so on. When new software is made available, I pass it on to my users. A user came up to me last week and asked why AdAware never has any updates anymore, for like the last year. Because she disregarded my notice about the new AdAware and kept using the old.
I have strict rules about email, and my SpamAssassin 50_scores.cf file is very, very harsh. My users have been told that some of their email contacts may be tagged as spam, and if that happens, let me know and I'll whitelist them. Not one person has asked me to whitelist anyone, yet everyone bitches behind my back that I'm a lousy admin because *I* somehow personally tagged their email as spam. Even the president asked me to remove all graphic/audio/video attachments, so I complied. Yet he complains that he can no longer get pictures and other non-work-related material through email.
It's an endless cycle. No appreciation for jobs well done. This is why I actually welcome such attempts to clean up the filth on the 'net. I originally despised Nachi. I now praise it.
As long as the end user refuses to heed educational advice about how dangerous the Internet is, the Internet needs vigilantism.
Bring it on.
Think of the net as a big organism. We have invading viruses and worms [and other nasties], but no real immune system to speak of...
While there are certain to be real dilemmas and dragons here, it seems that exploring the idea of white worms and whatnot is a good idea; after all, is there any other solution for the systems that are not managed? However, white worms should have oversight (e.g. registered source code with some oversight body, managed release into the wilderness, etc.), somewhat akin to oversight for the immune system in an organism..
When in doubt, consult how nature does it - the more complex our systems become, the more similar our solutions look to nature's.. Very intriguing..
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
That is a very interesting observation, and one that I agree with.
However, is it really a divide of the rich and the poor on the internet? And what are the criteria for being the rich or the poor? It surely can't be software or AV updates, since there are a number of tools out there that are free..
http://efil.blogspot.com/
Guys, the problem worms create beyond their security-related issues is one very simply of bandwidth consumption. Come on, guys. It's the same exact problem as chain letters: even if the payload/content is innocuous, if these things are all over, stressing the pipes, how is this doing anybody any good?
And this ignores the problem that in a lot of shops, the IT staff likes to test out patches and make sure the patch doesn't break anything. If a patch hasn't been installed on an office box, there might very well be a good reason for it. A worm is a one-size-fits-all sledgehammer of a solution to the problem of unpatched boxes. How would you feel about allowing an unknown process, not critical to apps or OS function, to run on every desktop in a LAN?
ed
They couldn't say "if everyone stopped using Internet Explorer and Outlook Express worms and viruses would be a fraction of the problem they are", now could they?
Sometimes I think the whole antivirus industry mostly serves as a diversionary tactic that lets companies keep shipping software with deep, fundamental security problems.
The Internet is a Wild West (or, to use 1990's terms, the Information Superhighway is overrun with Highwaymen) and those trying to make it a civil society (non-profit or for-profit) should not be expected to sit back and let marauding groups of Russian spammers and Nigerian scammers ruin it for them and us. Once there is an authority in place to stop the MS-empowered superworms, autopatching worms will necessarily be outlawed, too, but until then...some will do what they have to do.
-- @rjamestaylor on Ello
You, and that other frogtard out there that espouse the virtues of 'white worms' every single bleeping time a virus or worm makes it on CNN, suck. I'll avoid further commentary because I really don't want my post to be rated flamebait. First things first. As several other posters have rightfully indicated, competent system administrators will do what they can to mitigate malware outbreaks. A strong, zero-tolerance acceptable use policy for Internet and e-mail will mitigate most virus issues. Yes, I said zero tolerance. It disgusts me that people would 'just want to see what it looked like', or deliberately jack their workstation to get to play instead of produce, or feel that they should not have to exercise common sense when performing daily work activities - "my IT person should be preventing these from ever arriving so if I open them it's not my fault". This will not happen - the competent admin will do their best, but the antivirus updates and system patches may not always be there in time. I still cannot comprehend why anyone with even a fraction of IT experience would condone PATCHING WITHOUT TESTING. Fool. Any single one of us has horror stories about applying a hotfix or patch and then struggling to get it to work right or roll the system back because it fried a critical company application. Entire books, entire industries have sprung up around the phenomenon of not thinking - uhm, testing before you patch. This is common for non-security updates - remember ODBC and Jet database engine fiascos? I sure do. DLL protection my left... eye. Finally, anyone that supports the 'white worm' concept, even on controlled internal nets, needs to examine the path that led to their support and then burn it clean. Nachi taught us that releasing a worm that spreads the same way as the malicious version WILL cause as much damage - by crashing systems, hammering network devices, breaking applications that have not been tested with the patch, saturating bandwidth... often causing more damage than the bad worm it is trying to fix. Secondary to that, the worm intended to fix runs the risk of being modified and used for 3V1L itself.
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
> Being an IT professional, ... install linux
I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera.
Er, I may be slow, but I fail to see how the grandparent poster's users, in a professional environment, could justify the need of fancy stuff like digital cameras or downloading ringtones, or installing printers themselves. If there's an IT professional where he works, it is most probably in an environment big enough that users should not mess with their computers.
These are some of the things molecules do...... given 4 billion years -Carl Sagan
There are a few common things that viruses and worms do that we can use, without causing the bad things and avoiding many of the ethical problems.
Start with a small set of manually seeded machines that have the white hat virus installed.
1. The "white hat" virus sits quiescently on a machine and monitors its own infection vector passively, therefore not utilising any bandwidth. Upon receiving an attack from the virus it is programmed to protect against it will move to step 2 and remembers not to approach the attacker again within a week.
2. Using the same known vulnerability that the virus exploits it is able to put itself on the attacking, infected machine. It then pops up a dialog box saying "your machine is infected with a XXX virus, may I deal with it?" with a cancel button which cancels, but if OK is clicked then we move to step 3.
3. It installs its package so it can be removed by the control panel, it patches the system so it is not vulnerable, cleans the virus and starts itself scanning, adding itself to the group of machines waiting in step 1.
4. If a month goes by without detecting anything, it uninstalls itself.
Benefits: minimal network traffic since only validated victims are addressed, no changes without authorisation, and if the OS is secured then the white hat virus cannot propagate.
Worst case scenario: if someone is infected and will not patch their machine or remove the virus, they may get irritated by popups.
-- Don't believe everything you read, hear or think