Anti-Santy Worm Patches phpBB Flaw
sebFlyte writes "Interesting Santy worm story -- there's now an anti-Santy worm proliferating, which spreads the same way as a normal worm, but rather than killing machines or taking control of them, it gives them security updates..." We mentioned the Santy worm about ten days ago.
Is reporting that they don't know if the worm actually patches it successfully. For all we know, it could be infecting the system. When searching, only 3 results came up.
Worms that remove/kill the MS OS are the same as a security patch?
Ho-ho-holes
"You see Mom, there are Good worms and there are Bad worms"
I feel that white worms, when done correctly, are a good thing. This is a case where the ends justify the means, even if it does mean compromising vulnerable systems.
bash: rtfm: command not found
Is it possible the "benevolent" worm actually does damage covertly? Has this been investigated thoroughly?
A blog like any other.
Is there a satisfaction guarantee with the virus?
:p
Wasn't there a Welchia worm that cleaned up Blaster, and once the path was clear, it just gave you another virus?
This does sound a bit sneaky and intrusive, but if it's breaking into computers and doing good deeds perhaps we should just let it. After all, people sure as hell aren't doing security updates on their own, might as well let somebody do them.
The author of this worm still doesn't have permission to modify the source code running on people's servers. Yes, they may be idiots, but idiots still have rights (for the moment).
...and the Santy worm come in contact, would it cause the server to asplode in a brilliant flash of light?
The problem with a "good" virus is that because of an oversight, it may cause more damage. It could open up a new exploit, or subtly damage a part of the server.
Is this the first (fairly) wide-spread example of a white knight virus?
What are the downsides to using a white knight?
- Sites that have been attacked by the anti-Santy worm are defaced with the words: "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."
If I break into your house and clean your bathroom you could call me beneficial, but you might get a little upset if I used spray-paint to write "This house is a bit cleaner, but buy some Lysol" on your front door.
Is it digitally signed?
I would "infect" my family's computers to avoid the horror of giving them tech support for their horrible computing habits (not updating AV, refusing spyware checkers, swearing by IE, taking down their firewall because of "slow download speeds")
*sigh*
...give me your IP and I will login and make sure everything is in order.
Using a worm as a way to help instead of wreak havoc, this is an interesting idea. Why don't they carry this idea over to Spam and use it to send me things I'm actually interested in?
...a worm or virus that removes Windoze and runs the Debian-Sarge net installer and it only runs at midnight Fridays so when people get to work on Monday their Windoze box has been automagically transformed into a 1337 Debian-Sarge box complete with all the latest in Linux goodies :^)
How long before someone makes an "Anti-IE" worm that automatically installs FF on everyone's computers.
I'm not a doctor, but I play one in bed.
Choice, the problem is choice.
Even if the worm patched the site without defacing it yet again, it's still going to bog down networks by replicating. Perhaps a better alternative would be to send a simple e-mail to vulnerable sites and allow them to make the decision to patch or upgrade to the newest version.
White worms are a nice theory, but I think they should be fought just as vehemently by anti-virus software as malicious ones.
Holes they use should never be left unpatched, even if the worm's patches are not applied.
Consider: If there was a benign strain of HIV out there that immunized you to Herpes upon infection, would you give up condoms?
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
Driftwood: "It's alright, that's in every contract! That's what they call the 'Sanity Clause.'"
Fiorello: "Ha-ha-ha-ha-ha. You can't fool me...there ain't no Sanity Clause."
The "success" of viruses and worms so far has been characterised by their ability to reproduce. This bears some resemblance to their genetic counterparts.
Perhaps the next phase will be a virus or worm that follows genetic theory. The genetic features that would have to be modelled would be:
1) it is considered beneficial
2) it can reproduce
3) it can mutate
The successful entities would then survive, and the unsuccessful mutations would die out. Survival of the fittest?
Perhaps this will be the new way of opensource updating..?
http://slashdot.su/
... well, to me anyway because I just don't know. There are a lot of distros out there, including all the various "live" versions, and various ways to install. I am wondering, is there such a beast as a no-brainer, one-click-to-install Linux distro that works over the internet and would seamlessly replace a user's Windows install with a working and safe (while downloading and installing) Linux distro? I mean, a Windows user (or another Linux user, whatever) clicks on a webpage link and off she goes? With broadband now, it's common to download an ISO and burn it; I was just wondering if there was a distro that was designed from the ground up to eliminate that intermediary step. Say someone had finally just had it with Windows problems, just said to heck with it, just replace this whole mess with something else, etc. Click, download, install, as easy as a normal app? I know there are "network" installs, but those are usually targeted at corporations where a lot of PCs are on the LAN, etc. I mean one for Joe raw beginner newbie home user surfer.
You might have misused your yet unknown magical powers. Bad boy! Go to your room :P
It's possible to understand the motivations of the original virus writer (All your forum are belong to us.), but it makes you wonder what the motivations are of the anti-worm writer.
This is actually a case of using a weakened (or attenuated) HIV to block all other HIV, and that is how most inoculations work today.
This was a nice thought of sorts on the writer's part and is a good wake-up call to make people upgrade their outdated sites. I did a simple Google search and found 2 sites that were hit by this anti-Santy worm. I wonder what the admins of these sites are going to tell the people they work for?
Below are 2 sites that as of this posting have:
viewtopic.php secured by Anti-Santy-Worm V4
Your site is a bit safer, but upgrade to >= 2.0.11 !!
Upgrsrv:201.255.84.219/
http://www.ifotografi.it/secure.php/
http://www.forum.moto-portal.pl/secure.php/
In the 1970s, Creeper was the first Internet worm, which spread among computers running the Tenex OS. Reaper, the second Internet worm, was sent to destroy copies of Creeper.
slashdot "editor" michael came in contact with an intelligent heterosexual anti-communist male.
OI! OI! OI!
First "Happy New Year, Australia!" post!
And just to go back on-topic, I've believed that a white-hat counterattack of system-patching viruses is long overdue. True, there will be collateral damage to the net with all the excess traffic - but will the short-term system strain be outweighed by the resulting decrease in zombied boxes flooding the net with viruses & spam? I think so, but I'm not nearly smart enough to say a definitive "yes." Any engineers/sysadmins care to weigh in?
What happens to a worm deferred?
Does it get uninstalled
Like a game that's no fun?
Or rename itself--
And then run?
Does it blink like a bad web page?
Or lie ever dormant--
like the XP Search mage?
Maybe it just lags
or forces Safe Mode.
Or does it ASP load?
Are you positive you aren't interested in getting a bigger p3n1s?
That's the E-Robin Hood folks. However, it won't make much of a difference (compared to bad worms) in Windoze though.
Hot off the heels of the hard drive controversy, is it really wise to continue labeling all destructive, harmful, negative worms as "Black" and all constructive, helpful, positive worms as "White"?
Is this how you think of people, too?
Canada said they would match what canadians donated plus 40 million.
;-)
But... it is Canadian money
Full code of asw.txt here....
This is the code of the worm extracted from a vulnerable box.
# asw: anti santy worm
# this worm will try to fix any viewtopic.php on local box
# will use this box for 1 day to search other buggy phpBB forums, and end.
etc...
Oh really? Please, do go on, that sounds most fascinating.
If the administrator is not absolutely dumb, the .php file must not be owned by the same user that runs the webserver. Then the worm cannot patch the file with the vulnerability.
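A defender-side check for the point made in this post, together with the defacement banner quoted earlier in the thread, added here as an example and not code from the thread or from phpBB: it walks a phpBB webroot, flags every .php file the webserver's uid/gid could rewrite (ownership by the web user counts on its own, since the owner can always chmod the file back), and flags files carrying the Anti-Santy banner. The sample tree, file names and the uid/gid values are constructed assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Defacement banner the thread reports on hit sites (Anti-Santy-Worm V4).
BANNER = "secured by Anti-Santy-Worm"


def writable_by(st, uid, gid):
    """True if uid/gid could rewrite the file. Ownership alone counts:
    the owner can always chmod it back to writable, whatever the mode bits."""
    if st.st_uid == uid:
        return True
    if st.st_gid == gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_webroot(root, web_uid, web_gid):
    """Walk root for .php files; return sorted (relative_path, finding) pairs."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if writable_by(path.stat(), web_uid, web_gid):
            findings.append((rel, "writable-by-webserver"))
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if BANNER in text:
            findings.append((rel, "anti-santy-banner"))
    return sorted(findings)


def current_ids():
    """uid/gid of this process, for a dry run against files it created itself."""
    return os.getuid(), os.getgid()


def make_sample_webroot():
    """Constructed sample tree (not a real phpBB install) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="phpbb-audit-"))
    (root / "viewtopic.php").write_text("<?php // untouched forum script\n")
    (root / "viewtopic.php").chmod(0o644)
    # World-writable: any local user, the web user included, can rewrite it.
    (root / "posting.php").write_text("<?php // posting script\n")
    (root / "posting.php").chmod(0o666)
    # Defaced: carries the banner quoted in the thread.
    (root / "secure.php").write_text(
        "viewtopic.php secured by Anti-Santy-Worm V4\n"
        "Your site is a bit safer, but upgrade to >= 2.0.11 !!\n")
    (root / "secure.php").chmod(0o644)
    return root
```

Run `audit_webroot(make_sample_webroot(), web_uid, web_gid)` with the uid/gid your httpd actually runs as; with the placeholder ids 1073741824/1073741824 (owning nothing) only the world-writable file and the defaced file are reported.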
I wish to know more details about how the Anti-Santy patch is done. Any URL?
A self-spreading worm is always dangerous. Another approach, doubtfully legal but more polite, is the strike-back philosophy. If someone attacks you then strike back and patch them (and install another strike-back worm). With this technique the infection could be reduced without increasing the bandwidth for all the internet.
Damia
Hasn't this been done before? Everyone praised it as a great idea but later it was found that it also added a back door. Very sneaky.
In other news...
Overpeer spread an anti-file-sharing worm via vulnerable DRM. Is this an anti-crime worm too?
So if this is a beneficial worm will it also bait my hook? Or is it only good for WWW php phishing. Speaking of phishing I think I will go do some...(winter steelhead) and forget about the #@$!ISzzz^ net for a while!
Working in a mental health setting, I knew a woman who went into an open house and started washing dishes. Afterwards, she worried more that they took it as an insult to their housekeeping skill, rather than issues of trespassing or intrusiveness.
A website is easier to clean than spray paint, and anyway it misses the point about intrusiveness or property rights. Even if you broke into my house and just cleaned it, I would hold you responsible for trespassing. Having a clean house is a lot less important to me than the security and privacy of my home.
I know that the white worm doesn't have police legal powers but what if it's a cop that wrote the white worm. Is he then allowed to enter your premises to catch the bad worm?
...a virus that sends me money
Table-ized A.I.
If you cannot stop people from doing dumb things and running systems that are open to this sort of abuse, then at least they could be nice enough to not bother the rest of us.
/. programming. Had this been of actual importance, you would have been instructed where to browse for further news and information. This is only a rant.
I need a router/switch/filter that recognises worm/virus traffic for what it is and sets QOS down (or out) on such traffic. Better yet, I want my internet provider to have one. So the neighbor next door's got twelve sessions of Butt Trumpet running on his PC and more broadband in Mbps than he has brain cells to rub together; that doesn't mean the pipes I use outta here need to be affected.
Niceties would be an ability to recognise interactive traffic and flag it for regular service. Not an original idea, by the by, was first mentioned in sf by John Brunner some years back.
Another project I will never get round to.
This is the end of the rant. We now return you to your regularly scheduled
*whup* "Get along, little electrons. Heeyah!"
---
We're sorry...
... but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected.
We'll restore your access as quickly as possible, so try again soon. In the meantime, you might want to run a virus checker or spyware remover to make sure that your computer is free of viruses and other spurious software.
We apologize for the inconvenience, and hope we'll see you again on Google.
---
Try looking at Snort.
"I was just taking reasonable steps to protect my property from the attacks of others"
I think you wanted to say patching another system is OK when the other system is attacking your system and is causing damage or high server load. Sort of self-defense.
A "worm" however, does not restrict itself to systems that attacked you. So it is a bad idea to use. Also, the attacking worm usually causes high load at the infected end, not the attacked end, at least one instance of the worm. So the argument about damage done might not hold here.
I'm still trying to figure out what people mean by 'social skills' here.
Sri Lanka and Indonesia are giving nothing too.
Don't criticise China, it was their nuclear submarine that blew up in the first place - they have to buy a new one.
Let's say that I become aware that my neighbor's front door lock is broken, so without their knowledge I enter their house and fix it.
When the police show up am I a good samaritan or a burglar?
I don't think anyone has the right to do things like this without permission.
Has the Patriot Act numbed us all to violation of privacy?
pigfukr
One of my clients runs phpBB that was affected over the holidays. I updated PHP to 4.3.10, and now this shit hit. It couldn't apply its "fix", but kept trying and trying, sucking CPU and bandwidth. I had over a 6-fold increase in traffic just because of this dumb thing. There's no banner ads on this site, but how does this affect them I wonder?
I manually added filter logic to viewtopic.php and am now redirecting. Damn it all.
Okay, I feel better. Thanks for all the fish.
Consists of removing a left parenthesis and a word from viewtopic.php. It was a simple fix that took maybe five minutes of reading at PHPBB's message board to discover. Or you could have just updated your board to the current version. http://www.phpbb.com/phpBB/viewtopic.php?t=240513
Change is good, but not in a wallet.
You mean like the one with windows?
best analogy ever!
But I like installing my OWN updates. I don't care if it's not malware; if it takes the choice out of my hands it's bad news. Keep your paws off my machine, thank you.
--Tso
The method in the first post here is currently effective against both - which are PITA DoS attacks, even if phpBB is patched or updated, unless blocked by this or a similar method.
"with their freedom lost all virtue lose" - Milton
A truly benign white worm would be a marvel on a level with cold fusion.
Realistically though, white worms are the kudzu of computer science.
Direct away from face when opening.
Whoever wrote this worm never had to clean up Welchia/Nachi. Strike-back, don't worm.
She gets them from eating flea eggs.
Funny and Insightful ;)
To keep this from just being a "me too" though, not only would this be the quickest way to get Microsoft to patch a hole in IE, it would be the quickest way to get millions to think of Firefox as the Bad Guys and MS as the Good Guys, so for the sake of wisdom, DON'T DO IT! (Remember how myDoom made Linux look by going after SCO?)
I am, and always will be, an idiot. Karma: Coma (mostly effected by
"It should only take a few moments for the anti-santy to find and destroy the santy worm.....wait...OH MY GOD!! IT'S BECOME SELF AWARE! ITS LAUNCHING THE MISSILES!" asdawjfhaebsaeSANTYNET0WNZJ00sadwarawhfsafawd
QOS? Why, just filter The evil Bit out.
Try searching google for "Intrusion detection system" for some of what you might be referring to.
My white worm:
.pdf or .txt that screams loudly READ THIS NOW TO GET BACK ON THE INTERNET. There are two or three copies of this so the user gets the point. It outlines how the user was blocked offline, includes the source code in c:\"whiteworm" to the worm and the copy of ZA (free trial version of course) or whatever OSS w32 firewall you installed was (with source, of course).
I haven't released it, nor do I intend to. But I tested it out on my lan (about 10 pcs).
"Infect" one computer through your preferred insertion method (email, website, java, whatever) and let it go.
It doesn't patch anything.
It sets up and installs CORRECTLY with no back doors a firewall, probably the free version of ZoneAlarm or a home brew/maybe OSS w32 firewall.
It allows NOTHING through it except this little "worm" to communicate through an encrypted p2p network that a system was taken offline.
There is a little
What do you think? I've been dying to c0de something like that for so flipping long it just might happen. Heh. Anyways. Let me know. gmail me or something
Here are the links to two papers describing forensic log analysis of web based attacks. Worth a look.
Fingerprinting Port80 Attacks Part 1
Fingerprinting Port80 Attacks Part 2
What if the "patches went all wrong" as they all do these days and it just ends up invading our goods. *Disconnects from the wild* and reformat everything bit for bit... *reconnect to the wild* Try to be smarter this time... Don't use something that uses such an idea; although innovative, danger's lurking behind it... I sense a huge disturbance in the forces amongst us...
May
If you mom is running PHPbb... I think you're ahead of the game already! :-)
How about already infected machines? I know that one patch-worm generated so much traffic getting fixes that it was as bad as the original worm... but how about something that works on an "if-you-attack-me" basis. Years later, I still have countless hits on my webserver from infected MS machines trying to exploit nonexistent flaws (non-MS server).
So really, if I return the volley with something that directs the machine to patch/removal-tool itself, chances are that it's consuming less bandwidth than the virus, and I'm not actively seeking out infected machines myself just responding to an attack against my own.
This ignores the concept of likelihood though. There aren't many criminals that go around jiggling doorknobs (yes, I'm sure it happens, but not that frequently). On the other hand, the worm propagates itself in a way that makes the likelihood of infection high (new infected machine = new virus source).
A burglar doesn't spawn new burglars every time he/she enters a house.
To make the analogy closer, it might be something more like - I noticed you had a bad lock on your door, or the door is just unlocked, or the key visibly poking out from a potted plant. I lock up the door nicely, and leave you a note.
To add to the analogy, a recent breakout has occurred in the nearby prison. Prisoners have escaped, and are subsequently letting prisoners out of other prisons. So suddenly, the likelihood of your house being broken into by criminals (akin to virus infection) is high, and increasing.
Having somebody lock your doors and pop you a note under the door is probably an irritation, but better than coming home to a burgled home.
most people who make worms are not fucking $$$ centered bastards...
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F