Anti-Santy Worm Patches phpBB Flaw

sebFlyte writes "Interesting Santy worm story -- there's now an anti-Santy worm proliferating, which spreads the same way as a normal worm, but rather than killing machines or taking control of them, it gives them security updates..." We mentioned the Santy worm about ten days ago.

Not very benificial

[lightdarkness]

Is reporting that they don't know if the worm actually patches it sucessfully. For all we know, it could be infecting the System. When searching, only 3 results came up.

Re:Not very benificial

[lightdarkness]

MSN's index updates quicker.

Google wouldn't show as many results. I am a google junkie, but MSN previals in this aspect.

Re:Not very benificial

[smartdreamer]

If you are waiting for a Anti-Virus company to say "this virus is good and effective" you will wait a long time.

What I see is a company saying we are first to report but we wont say anything that can be good for our "enemy". There is nothing difficult about testing its efficiency but it is not in their interest.

I am not saying this worm is good, but that if they wanted to verify it would be easy.

Aren't...

worms that remove/kill the MS OS is the same as a security patch?

Re:Aren't...

hummmm. I guess that would make my Linux admin a worm?

Re:Aren't...

[adlaiff6]

Only if they install linux...otherwise, it's just a blessing.

Re:Aren't...

[spectre_240sx]

Only in the eyes of the marketing department.

Re:Aren't...

[zallus]

They call me Dr. Worm... I'm not a real doctor, but I am a real worm, I am an actual worm...

hohoho

Ho-ho-holes

I can imagine explaining this...

[Chemisor]

"You see Mom, there are Good worms and there are Bad worms"

Re:I can imagine explaining this...

[RPI+Geek]

Wow! I just had to do that exact thing! She's in the room with me, and when I mentioned the story she thought that "patching" meant something bad. So I needed to explain what it really meant :P

Re:I can imagine explaining this...

[krautcanman]

Ralph: "And when the doctor told me I didn't have any more worms was the best day of my life."

White Worms

[ErichTheWebGuy]

I feel that white worms, when done correctly, are a good thing. This is a case where the ends justify the means, even if it does mean comprimising vulnerable systems.

Re:White Worms

[savagedome]

White worms? Ha! I prefer to call them Earthworms since they belong to both sides!

Re:White Worms

[Texodore]

I have a white worm the updates my system. It pops with the name "Automatic Updates."

Re:White Worms

[antifoidulus]

Till the worm installs a security patch that causes a bug that it takes someone hours upon hours of debugging to locate. People should be allowed to patch when they want. Patches aren't always 100% correct, and some can cause some major havoc. Let each person decide if/when the patch is needed...

Re:White Worms

[rvw14]

I remember the nachi worm, which patched blaster, actually caused more problems.

Re:White Worms

[aborchers]

In principle they seem good, but what about when a white worm installs a patch that interferes with legitimate operation of the system? It is perfectly possible a vulnerability was left alone by the operator because the patch would have rendered the system unusable and that security measures external to the vulnerable system render the vulnerability moot.

Of course, such machines aren't the ones likely to intersect common worm spread vectors...

Re:White Worms

[ErichTheWebGuy]

And viruses and worms don't cause even more "major havoc?"

Re:White Worms

[GoofyBoy]

From the article;

"If a site is infected, the worm causes a huge amount of traffic and slows down the site. I don't think it's possible to write a beneficial worm."

Re:White Worms

[lukewarmfusion]

If it comes into my system without my permission, it's a bad thing. I don't care if it's coming with good intentions or not, any kind of unauthorized access is unacceptable.

As others have pointed out, patching isn't always something you should do right away. In any enterprise system, you should be testing the patches and updates before you deploy them to your users. For instance, many of us wait to see if Service Pack 2 is stable before installing it. I haven't put it on my own machine yet (partly for fear of instability and partly out of laziness). If a worm came around that forced users to upgrade to SP2 right after it was released, that could be a very bad thing.

Re:White Worms

[orthogonal]

I feel that white worms, when done correctly, are a good thing

This is a code-phrase used by guys who meet at rest-stops or in bathhouses, isn't it?

This is a case where the ends justify the means....

Yeah, I though so.

Not that there's anything wrong with that....

Re:White Worms

[SwimsWithTheFishes]

The ends justify the means? I don't think so! When the white worm author determines what the ends are, and what correctly is, it is still just a worm. Anything installed behind my back on my computer is bad, evil, no-good-nick!

Re:White Worms

[antifoidulus]

Yes they do, but there are more ways to deal with them than just "patching" ya know. Everyone knows their own situation best, it's a bit arrogant to force other people to do "what is good for them". Everyone should be in charge of their own systems, simple as that.

Re:White Worms

[grumbel]

### Patches aren't always 100% correct, and some can cause some major havoc.

If I have the choice between havoc caused by a patch and havoc caused by a hostile breakin into the system, I'll pick the havoc caused by the patch, that at least doesn't leave any hidden backdoors behind.

Re:White Worms

Also purple worms, when handled correctly, are a good thing. If you're wearing a ring of slow digestion you can try to get swallowed on purpose for a respite. Even better, charm one for a pet; they're very tough, superior to Archons even in the endgame. (A pet purple worm can clear out the Castle easily) Or you could always polymorph to one, assuming you have some sort of polymorph control.

If, somehow, you get infected by a worm, or maybe Juiblex, remember to use a unicorn horn immediately, or eat some eucalyptus leaves if you have them handy. (Tip: you can generate lots by shattering boulders, stone-to-fleshing the resultant rocks and polymorphing the resulting meatballs. It may take several tries.) Or, you could cast or zap cure disease.

Good luck fighting these worms. They are surely a menace.

Sincerely,
@

Re:White Worms

[grumbel]

I agree with that, white worm when done right is a good thing. However to be really a good thing such a white worm needs to be official, ie. signed by those who have written the valuable software, else any bad worm could come by, add a little "I patched your system" message and in reality just install a backdoor. There is of course still the danger that a evil worm got first into the system before the white worm could fix it so some audit on what changed in the system is still necessary, but it could at least stop the spreading of the bad worm.

Re:White Worms

[jnguy]

What about for worms like blaster. If an antiworm was released, it could have prevented the mass chaos that broke out on the internet, slowing everything down... I think.

Re:White Worms

[seann]

I 100% agree.

Good thing I didn't write it either.

Re:White Worms

[AndroidCat]

Even if it really is a white worm, that's not always a good thing.

Re:White Worms

[capilot]

If it comes into your system, your system was insecure. By running an insecure system, you harm us all by helping worms & viruses to spread.

I think worms that go around closing the security holes that let them in are a Good Thing and it's about time they started appearing.

Re:White Worms

[Niet3sche]

I feel that white worms, when done correctly, are a good thing. This is a case where the ends justify the means, even if it does mean comprimising vulnerable systems.

I disagree.

I very nearly wrote an anti-code-blue worm a few years back, and got to the point of payload (patch) deployment when the glaring flaw came to me: any time that you or a program that you made does something unexpected, or makes a connection to another machine, YOU are liable for what happens. Given that heterogeneous computers and networks exist, can you test for 100% of all possible cases? Likely not.

It's not so much that I disagree with the sentiment, you see, but I find it impossible to ever run into the case that a white worm is done correctly and can be certified as such.

In the example above, for instance, all that an attacker would have to do would be to infect a netblock with Code Blue, point them at my anti-blue worm launcher, and then watch the fun as I "cause" a DDOS with all the network traffic that will go spewing back and forth between the two sites. The attacker has now been able to effect the Availability of two sites in one go. Not exactly something that I'd like my name attached to, hence the reason that no anti-code-blue-worms have been released into the wild from me.

Re:White Worms

[Snipes420]

Nothing is impossible

Re:White Worms

[Eskarel]

Perhaps, but if you're a qualified admin with test machines and all that sort of thing you've probably got some basic security which will keep things reasonably safe in the first place, patches or no patches.

Of course given that you haven't even tried SP2 yet then you're obviously not a qualified admin(leastways not for windows) because you have no idea of whether it causes problems for your system or not.

Re:White Worms

[ViolentGreen]

Till the worm installs a security patch that causes a bug that it takes someone hours upon hours of debugging to locate. People should be allowed to patch when they want. Patches aren't always 100% correct, and some can cause some major havoc. Let each person decide if/when the patch is needed...

For home users this should be a non-issue. Just install the patch. Businesses need to be a little more careful.

Re:White Worms

[wertarbyte]

It is perfectly possible a vulnerability was left alone by the operator because the patch would have rendered the system unusable and that security measures external to the vulnerable system render the vulnerability moot.

No, it is not, since the patch-worm uses the same vulnerability the bad-worm exploits. So if the good worm can get in, the bad worn can do this as well.

Re:White Worms

[Proud+like+a+god]

But if they are in charge and haven't patched against a malicious worm, they have no cause to complain when a white worm gets in first and possibly causes problems from patching the exploit, rather than definately causing harm when the black worm comes by.

Re:White Worms

[SeaFox]

If it comes into my system without my permission, it's a bad thing. I don't care if it's coming with good intentions or not, any kind of unauthorized access is unacceptable

For users that know what they are doing, I would agree with that sentiment. But for all the consoomers out there who dont know how to install updates, I think a white worm can be a good thing.

There are many users (especially on dialup) who don't want to deal with the hassle or have the updates bogging down their internet connection (which they don't really). Their unpatched systems cause the spread of worms and viruses that effect the quality of everyone's Internet expierience. Is it fair for us to be effected by their laziness?

In any enterprise system, you should be testing the patches and updates before you deploy them to your users. For instance, many of us wait to see if Service Pack 2 is stable before installing it.

That would be an example of a group that should be exempt from such worms.

For people like this, I think the forced update of a white worm is justified. After all, we're talking about patching venerabilities that should have never been in the software to begin with.

For instance, many of us wait to see if Service Pack 2 is stable before installing it. I haven't put it on my own machine yet (partly for fear of instability and partly out of laziness). If a worm came around that forced users to upgrade to SP2 right after it was released, that could be a very bad thing.

What if the worm didn't come out right after the software was released? What if it was put out, lets say after three to six months or even a year considering how old some exploits still being used are. That would give adequate time for testing before it becomes manditory.

Re:White Worms

[Bam359]

Let each person decide if/when the patch is needed

What kind of sewed vision of the world do you have that would allow you to make such a comment?

If a person is intelligent enough to patch their system, then they need not worry about the worm, as they will have patched their systems against it! Those not intelligent enough to patch their systems will get infected, and then have their system patched, its win-win.

It is a similar concept to those bar code scanners we have at work: The letters of the alphabet are arranged in alphabetical order (used to input username and password), ostensibly so that those who are not familiar with QWERTY keyboards can find the letters easier, which is the stupidest idea I have ever heard of, and seen implemented, because _EVERYONE_ now has to hunt and peck on those dammed things, even those who are familiar with QWERTY keyboards. I know the alphabet, but try to find a single letter on those scanners is maddening.

Re:White Worms

[Chrispy1000000+the+2]

Believe me when I say dial-up users being infected do not cause any problems. You could take 40 dial-up'ers DDOSing the same site for 24/7, and it would be equivilant to having a single cable line doing the same, except that the people on dial-up would be much more likely to fix it, as they would instantly notice that something was wrong.

Re:White Worms

[spectre_240sx]

You raise an interesting point. Maybe these white knight worms should be looked at in the perspective of systems being patched to slow down the worms progress and protect the rest of the internet rather than systems being patched to protect the administrator of that specific system. If an administrator becomes lazy and that causes grief to other admins, maybe this is deserved. It seems a lot like an ISP disconnecting a user for having a virus on there system, however a little more invasive.

Re:White Worms

[Pantero+Blanco]

Those worried about being attacked by this variant of the "White Worm" need only update their village well with the latest security patch (metal covering) and properly dispose of oddly-shaped fish in the future.

Re:White Worms

[spectre_240sx]

What exactly are you waiting for with service pack 2? It's pretty well past the initial testing phase. I'm all for waiting to see if a new patch or upgrade is going to be an effective fix or whether it's buggier than the previous software, but there comes a time when you have to be a little proactive about it and actually search to see what peoples experiences are with it, not to mention installing it on a test system.

The bottom line is that these things need to happen to keep us all running well. If the patch is known to break software, then send an email to the company that wrote the software and ask for a patch from them. AFAIK SP2 only broke support for applications that were written in an insecure manner, in which case the companies that wrote them should be responsible and get upgrades out that fix those issues, especially whith a service pack that fixes as many bugs as SP2.

Re:White Worms

[N0N1337H41]

It seems to me that you're thinking about people that perform regular upkeep on their computer. People like this probably don't need any whitehats "helping" them. But I would dare say that the majority of people that use the internet could benefit from such worms, because zombie comps aren't helping any of us.

An analogy: I know absolutetly nothing about cars. As a matter of fact, I don't even check my oil or tire pressure. I let everything having to do with upkeep go unnatended. While I'm sure that that there are many motorheads out there that would hate the idea of something that would come along and do all of these things for them. Me (and many other people) being a novice when it comes to the inner workings of a car would LOVE to have this type of service. And for FREE?! I think that there is much more benefit to be had for the computer communtiy with a whiteworm than negative.

Please excuse any spelling errors because I'm here at work and don't have access to a program with spellcheck, nor do I have time to proof read with dictionary.com. Thanks for taking the time to listen!

Re:White Worms

[danila]

I suggest we stop these useless speculations and wait until your hypothetical case becomes reality. And even in the unlikely case that this white worm causes harm to one system, this is more than compensated by many other systems that it successfully fixes.

Re:White Worms

[v1]

But if someone's machine has a security hole and they are say, already infected with a virus/worm that is actively attacking and attempting to infect other machines, and the user is blissfully unaware of this, (read: negligent) then isn't this a fair way to react to the problem that they are facillitating?

If someone's car stalls out on a travel lane of a highway and they just leave it to go home and think about what to do, the police will have it towed, to protect public safety. If the driver returns to find his car gone off to impound, waaaaah. It's not the driver's fault that their car broke down, but it is their fault for not noticing the problem they are now involved with, and not doing something about it, inconveniencing the rest of the planet.

Re:White Worms

[scot4875]

Obviously you're not the admin of an enterprise server room.

Pretty much any organization of a decent size is going to have a production environment, and a pre-production testing environment. Pretty much all of these organizations are going to have checklists to make ANY changes to the production environment -- one of which is usually an installation/test period in the pre-production environment.

Let's say there's a worm out there that can infect a system in the production environment. Let's say there's also a white worm out there that causes the production server to crash while protecting from this infection.

Now pretend you're a multi-million/billion dollar institution. Do you want your production, end-user facing servers to be crashed by a 'beneficial' white worm? And if your servers are crashed by this white worm, shouldn't the author be held accountable? Or are they protected because of their good intentions? What if they cost me tens of thousands of dollars in downtime? Is it better to be 0wned but still doing business, or crashed but protected? And who are you to judge?

If you can't understand this scenario because your only administrative experience is your family's Linux boxes, you aren't qualified to criticize people maintaining a real production environment. And a worm is *definitely* not qualified to force someone to patch.

--Jeremy

Re:White Worms

[aborchers]

You miss the point. If I have a system with a vulnerability on the network that is protected by an external layer of security (e.g. a firewall or gateway that blocks access to the vulnerable service) then the machine is effectively as invulnerable as if it had been patched (with respect to traffic from outside that gateway). Example: my httpd may have a security flaw, but if I have blocked port 80 at the firewall, then no request will ever be able to exploit that it.

It is routine security practice to test patches to ensure they do not have unintended consequences. A worm bypasses the system operator, and is therefore unacceptable.

As I closed in the original post, the situation is highly hypothetical and it is unlikely a system under such close management would be unlikely to be in the spread vector of a worm (i.e. it's probably not running an unsafe email client or unnecessary/unmonitored services). Nonetheless, responsibility for the security of a node rests with the operator of the node. A white worm has no more right or authority to enter uninvited than any other worm or virus.

Re:White Worms

[aborchers]

It's not a question of building around the flaw, but of not knowing whether and testing whether the patch for the flaw will harm other, more critical services. I elaborated in a different reply:

http://slashdot.org/comments.pl?sid=134480&cid=1 12 31983

Re:White Worms

[aborchers]

Aren't you making an awful lot of assumptions about the nature of the machines fixed? Is it worth it to patch 1000 spam zombies but bring down one air traffic control system?

Re:White Worms

[wertarbyte]

You miss the point. If I have a system with a vulnerability on the network that is protected by an external layer of security (e.g. a firewall or gateway that blocks access to the vulnerable service) then the machine is effectively as invulnerable as if it had been patched (with respect to traffic from outside that gateway). Example: my httpd may have a security flaw, but if I have blocked port 80 at the firewall, then no request will ever be able to exploit that it.

But if port 80 is blocked, the good worm will never reach your system; So these antiworm-worms only work if you system is either infected by or vulnerable for the evil [tm] worm :-)

Re:White Worms

[Overzeetop]

Said simply:

It's far easier to cause damage than to fix it.

Re:White Worms

[danila]

I am making just one assumption - that this exploit can be exploited. By leaving the machine unpatched you are taking much greater risks than patching it with a not fully tested counterworm.

I am also saying that the chances of a remote exploit, a backdoor, a troyan or some other crap bringing down an air traffic control system inadvertently are greater than the chances of a white worm causing this. So even though it remains theoretically possible that white worm may cause damage, a rational decision would be to allow it to operate, because it produces an expected net benefit.

Re:White Worms

[kent_eh]

that at least doesn't leave any hidden backdoors behind.

as far as you know...

Re:White Worms

[Bam359]

You are right. I am not.

When I made my comment, I was thinking of the average home luser, who NEVER does any updates, who still uses KaZaA, and who is not running any virus protection at all. These are the systems I see daily.

I did consider enterprise networks, but assumed that any competent admin would be running a firewall, and decent antivirus package whose heuristic analysis would obviously detect any white worm. Because I also assumed that any (truly) white worm would be using an old exploit that most systems should be patched against, and be easily picked up by an antivirus scanner, or blocked by a firewall (indicating that the system is protected).

Though I guess that there are some server room admin's whose production equipment is not protected by firewall and antivirus, and whose updates are 6 months or more out of date... Gods, I hope not.

But like I said I am not a server room administrator, I interned as one for a few months, but that by no means makes me experienced in the field in any way. Too bad we cant just eliminate the treat all together.

Re:White Worms

[HTH+NE1]

Ah yes, the worm that countered another that was to do a denial of service attack on Windows Update, where the new worm would download and install a patch from... Windows Update, thereby effectively triggering the denial of service attack itself.

And brought to you by the Good-Intentions Division of the Department of Roads.

Concealed ends?

[mOoZik]

Is it possible the "benevolent" worm actually does damage covertly? Has this been investigated thoroughly?

Re:Concealed ends?

[bigberk]

Is it possible the "benevolent" worm actually does damage covertly? Has this been investigated thoroughly?

The only way to know for sure is if it's released under a free/open source license, such as the GNU GPL.

Re:Concealed ends?

Dude, you just read this on Slashdot.

Of course it hasn't been "investigated thoroughly."

Re:Concealed ends?

[GoofyBoy]

Using open source as a method of determining what a worm in the wild does?!?!?

Once its in the wild, how do you know what it is?

Re:Concealed ends?

[Tony+Hoyle]

Heh. If it patched non-GPL code the worm victim could also be sued by the FSF!

Even better, if it managed to infect MS source then Windows would become GPL!!

Re:Concealed ends?

[nazarijo]

yes, this has been thoroughly investigated. i've done several writeups and linked to papers and analysis on wormblog.

i am wholeheartedly against "benevolent worms".

Satisfaction Guarantee?

[someonewhois]

Is there a satisfaction guarantee with the virus?

Wasn't there a Welcha worm that cleaned up Blaster, and once the path was clear, it just gave you another virus? :p

A bit uneasy...

[BlueThunderArmy]

this does sound a bit sneaky and intrusive, but if it's breaking into computers and doing good deeds perhaps we should just let it. After all, people sure as hell aren't doing security updates on their own, might as well let somebody do them.

Re:A bit uneasy...

[Tired_Blood]

If everyone were using the same indentical machines and configuration, then perhaps. But that's just not going to be the case.

Here's my take on these types of worms:

I have evidence which leads me to strongly believe that your kitchen faucet is leaking, badly. This will no doubt cause flooding and damage. Instead of warning you about it, I (a random citizen) will now fix this problem for you.

Of course, since I don't know your home, I may break something unrelated to your current problem. But don't worry, because I'll be back to fix THAT problem later, in the same fashion (at which time I might break something else, etc etc).

Still illegal

The author of this worm still doesn't have permission to modify the source code running on people's servers. Yes, they may be idiots, but idiots still have rights (for the moment).

Re:Still illegal

[Bonker]

This is like the vigilante cop who knows beyond a shadow of a doubt that a suspect is guilty of a heinous crime and also knows that he'll never get enough evidence to convite the suspect before he strikes again. So he goes and 'anonymously' drops a cap in the suspects head.

Is it just? The cop thought so.
Is it ethical or legal? Nope.
Is it safe? Uh-uh.
Did he save lives? Very possibly.

The cop can sleep at night and the 'bad guy' doesn't committ any more crimes. Society is served... assuming the cop was right about the bad guy.

In the real world, however, vigilante justice is often flawed and often destroys the lives of innocents. It's not hard to find examples from the lowest level-- the accidental killing of people living next door to a bail-jumper-- to the highest-- the unilateral invasion of a sovreign nation on false pretense.

Re:Still illegal

[theLOUDroom]

The author of this worm still doesn't have permission to modify the source code running on people's servers. Yes, they may be idiots, but idiots still have rights (for the moment).

Which raises the question:
Should the law change?

Re:Still illegal

[fyngyrz]

In the real world, however, vigilante justice is often flawed and often destroys the lives of innocents. It's not hard to find examples from the lowest level-- the accidental killing of people living next door to a bail-jumper-- to the highest-- the unilateral invasion of a sovreign nation on false pretense.

Note: My reply is entirely US-centric.

Although both your examples in the quoted passage are examples of the system screwing up, not vigilantes screwing up, I think I do recognize the tone you're trying to take -- that vigilantes can make errors. I interpret your message as carrying an underlying tone that this is a reason to avoid citizen level responses. You weren't explicit about this, so feel free to correct me if I got it wrong. Proceeding on that assumption, though:

That, and more, can be said for the formal justice system as well. The only difference is that the mistakes are made by someone who represents "duly constituted authority and power", rather than someone who took authority and power for themselves.

Look at the facts. Judges and juries put innocents behind bars on a regular basis. (Witness the recent DNA exoneration of those folks on death row and the subsequent removal of all prisoners from death row by the governor, a man who I frankly consider a hero for this action.) Citizen's supposedly inviolate rights are trampled, and hard, by the courts. Every day. Guantanimo. Registration. Double jeopardy. Freedom of speech. Freedom from unreasonable search. Restrictions on travel. Government support of religion. Etc., ad nauseum. Reparations for errors in prosecution and punishment are minimal or non-existant, and of course for capital punishment, impossible. "Mommy" laws that should never become law are inflicted on us left and right, and at times with terrible social and personal consequences (drug laws are the poster child for this one, though they are hardly isolated in either "mommyness" or inherently being agents of harm.)

The fact is, you should not trust the system to "do right." It hasn't, doesn't, and will not. The evidence is right there before your face each and every day. So the issue of citizen response naturally arises because of pressure from the system.

Turning to our network experience, consider spam. I don't know about you, but spam has cost me a lot of hours. Not just on my desk, but interfering with my business (asswipes using our domain names as return addresses for spam is one way, there are others.) What has the government done about it? Not a #$%^#$%^ thing in practical terms. In fact, with the CAN-SPAM act, they basically climbed right in bed with the spammers. Should I sit there like a turnip and not respond when the spammers screw with my life? The government isn't addressing the problem, so what is the correct course of action? Bending over?

Consider software piracy and shrink wrap licensing and software patents. At the legislative level, these issues have been well and truly fumbled, though that surely under-describes the problem. Should I sit there like a turnip and not respond when the pirates steal my software? The government isn't addressing this problem either, so again, what is the correct course of action? Still bending over?

Viruses and worms -- again, we're supposed to bend over and take it without lube or even a reach-around, right? Because... well, why? Why should we? Why? Most people have been doing just that, and what do we have to show for it? I'll tell you -- we have a bumper crop of viruses and worms, that's what we have.

It all comes down to one thing: If you trust and wait for the duly-constituted authorities to "do what is right" then you are simply naive. They're almost certainly not going to. They rarely do.

It turns out that the correct course of action becomes very clear when you think about the important things in your life, and what is actually best for society.

For instance, i

Re:Still illegal

[fyngyrz]

Which is of course absolutely fine and dandy. Right up until your daughter points out that the "thug" you just shot dead was, in fact, her new boyfriend.

See, you make assumptions, you're going to screw up your argument. Where did I say I was going to shoot anyone? You're assuming I require, or use, a firearm to deal with invaders of my home. I don't. My physical abilities are almost certain to be sufficient, and are of course much, much safer to use than a gun -- only the person I'm after is at risk. Guns shoot through walls, and there is little control over the amount of damage you do. With hand to hand, there's always plenty of time for someone to say "It's (whoever it is)" and avoid having their neck, and possibly other optional parts, broken.

There's more. By the content of your message, you're telling me that you expect kids to sneak partners by parents. This kind of issue arises from a severe lack of parenting skills. Perhaps the parent(s) is/are afraid they'll discover sex, and/or drugs, and/or rock and roll. In that case, the parent(s), and the kid(s), will have problems, sure enough. It is perfectly fair that the parent(s) have to deal with these problems, since they caused them. But they're not problems for me and mine -- if my kids want to bring a partner in, they'll let me know, and there won't be any misunderstandings. They are well aware that I won't object. They are also well aware that it is my home - not theirs - and they are 100% obligated to keep me informed. Let me emphasize that: It's not a courtesy, it's an obligation. And they know it.

The courts aren't perfect, but they bring in checks and balances. Vigilantism usually operates on a presumption of guilt, and that is not acceptable in a civilised society.

First of all, I have my own checks and balances, and they are far more conservative than any US court would ever think of applying. I described them in the grandparent; if you had read them and understood what you were reading, you wouldn't have your foot so deep in your mouth right now.

Secondly, the courts operate on a presumption of guilt. Why do you think they jail people before the "trial"? The fact is, if they decide you might have done something, you're screwed, starting right then. There is, of course, a chance you'll be able to come out with some remaining fragments of your life intact, assuming you have the funds for the required level of legal defense and a modicum of luck, but even if you do, you've probably already lost your job, the income from your job, the ability to get a new job, been ostracized by large chunks of society, etc. The US legal system's most profound lie is "innocent until proven guilty." The fact is that you are "guilty until proven innocent, and punished either way." That's the way it works. No way around it. Checks? You bet. Write them to the lawyers and bail-bonds-persons. Balances? You bet - your future is balanced on a knife edge. The courts are far more broken than any citizen's direct response to a crime being comitted against them right at that point in time by a known assailant.

The bottom line, though, is: Don't sneak into my home, don't assault my family, and you have nothing to worry about. Try it, and your next of kin will be the ones doing the worrying. Don't like it? Frankly, I don't care. Liberal hand-wringing for the "rights" of home invaders only serves as a source of amusment to me. You surrender all your rights if you choose to cross my threshold without my permission. It is a matter of personal responsibility -- something liberals are mightily confused about. My family, however, isn't. Every one of them is a martial artist, every one of them understands responsibility to their very core. And every one of them could tear your average home invader into little bloody fragments without breaking a sweat. I love my kids. :)

Re:Still illegal

[fyngyrz]

Most of what you said seems to be bewildered left-wing nonsense, and I'll just ignore it unless you can put some solid reasoning behind it. However, this bit is worth responding to:

You've got to stop to think that maybe the system has screwed that guy barging into your house too. Maybe its screwed him so much that the only thing he can do is barge in.

No. I don't. There is absolutely no reason or pressure for me to do such a thing. And any potential assailant had best realize it before the decision is made to invade my premises or assault my family. It is not in the least any concern of mine what motivated such a person. It is not my responsibility to "solve their problems" at that point. They've gone way too far. What I'm going to do at this juncture is eliminate their problems, as well as the problems they pose for everyone else. I take a risk here; but no one else does. I can live with that.

From your message, I take it that you have a mindset that says that risk to your family is acceptable if the person who brings the risk to you isn't "ok." Additionally, you think that letting this person go off and assault others is ok, also. That does not in any way resemble my position on these matters.

I take it as a matter of personal responsibility: I know this person is a threat to people and society; it is my obligation to do something about it, because (a) it is the right thing to do, and (b), because I am able to do so, and (c), because I know for a fact that society won't adequately deal with the problem if I leave it to them, and (d) because if I don't deal with it -- and this is really important, you should pay attention -- then it is my responsibility when this moron enters your home and hurts your family, and I can't live with that. No one who attacks my family is likely to survive in any condition where they would ever be able to attack your family. Even if I let them live. Even if it would have been ok with you. No matter if you can understand the issues or not. I understand them; that's the key here. Once you understand that, you understand why you shouldn't ever screw with me or mine.

If the anti-Santy worm...

[shigelojoe]

...and the Santy worm come in contact, would it cause the server to asplode in a brilliant flash of light?

Nice, but at what cost?

[Novous]

The problem with a "good" virus, is that because of an oversight, it may cause more damage. It could open up a new expliot, or subtly damage a part of the server.

Re:Nice, but at what cost?

[bairy]

From what I pickup, it changes something in viewtopic.php. If someone's gonna go to the effort of creating a self spreading "fix" then I should think they've tested to make sure it won't do any further damage. That is assuming it is a 'white' worm and if it only touches one file.

Re:Nice, but at what cost?

[danila]

But the net effect is that a patched system is still better than vulnerable or even exploited one. If you were in the middle of a deadly virus outbreak, wouldn't you prefer to use a vaccine, even if you were only 90% sure that it works?

White Knight Viruses/Worms?

[naer_dinsul]

Is this the first (fairly) wide-spread example of a white knight virus?

What are the downsides to using a white knight?

Re:White Knight Viruses/Worms?

[lachlan76]

No, there was another one, the Nachi virus.

IIRC, this caused as much damage as a normal worm. It crashed systems, destroyed windows installations, etc. etc.

Re:White Knight Viruses/Worms?

[CrazyDuke]

Yeah, there is a chance it will screw your virgin system.

Re:White Knight Viruses/Worms?

[lachlan76]

I have to admit that I thought the exact same thing as I was typing it.

Security update?

[jacobcaz]

Is this really a "security update" as much as it's fiddling a bit with some PHP code? And this "beneficial" worm still defaces the site too:

• Sites that have been attacked by the anti-Santy worm are defaced with the words: "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."

If I break into your house and clean your bathroom you could call me beneficial, but you might get a little upset if I used spray-paint to write "This house is a bit cleaner, but buy some Lysol" on your front door.

Re:Security update?

[imsabbel]

No, its more like , after finding your car unlocked and doors open, closing the door and put a piece of paper on the dashboard to lock it the next time...

Re:Security update?

[Durzel]

Sites that have been hit by the worm will already have been defaced, so there will be no chance of recovering the file short of using a backup. I suppose from a PR point of view a public-facing website saying "x is secured by y" is better than "This site is defaced!".

If the worm was clever enough it should be able to root out vulnerable sites that have not yet been defaced by Santy (by searching for Santys calling card in the source), and instead of defacing it anyway to say "x is secured by y", it could patch the hole and leave the site as is.

No idea whether it does this though, I suspect it doesn't.

Re:Security update?

[matth]

Indeed.. to use the original analogy. It would be like seeing the front door of your house wide open.. and no one there. I close the door and lock it and leave you a note.

Re:Security update?

[Avenger337]

If you want to clean my bathroom, knock on my door and ask -- I'll let you. I'll still be pissed if you broke in, regardless of whether my bathroom's clean.

Re:Security update?

No. It is more like knowing that a kick to the door will pop it open, after which you replace the faulty tumbler.

The open door analogy is flawed because it operates under the pretense that an open door is faulty. A door can be open by design. A programming bug is not open by design. It is an error, just like a tumbler on a closed door which fails under physical pressure.

Re:Security update?

[Denyer]

By running a publically-available webserver, you're inviting them in. By running a forum, you're even inviting them to upload and modify data. Bottom line: you're responsible for what scripts running on your space do, including accepting commands from strangers to wipe files and attack other servers.

Re:Security update?

[Propaganda13]

I wonder how many people who think the white worm is a good thing, also think that all software and OS should have automatic updates with no control over the updating process. Games, Windows, Distros, Window managers would automatically have access through your firewall to update at will.

Would you let someone walk into your house at will, if they promised to clean one thing, and do nothing else? If so post your address, and times that you will be available to let us in.

Good Worms, Bad Worms

[mohrt]

Using a worm as a way to help instead of wreak havoc, this is an interesting idea. Why don't they carry this idea over to Spam and use it to send me things I'm actually interested in?

Re:Good Worms, Bad Worms

[ScrewMaster]

They're working on that. It's why they want all your personal information in the first place ... it's called "targeted advertising."

Personally, I'd rather keep my buying habits to myself and deal with random spam. Better yet, I'd rather not deal with spam at all.

Re:Good Worms, Bad Worms

[bairy]

I hope they don't have forced patching that spreads itself, SP2 already bugs the crap out of me to install it, I don't want it just doing as it likes.

Re:Good Worms, Bad Worms

[Geoffreyerffoeg]

Aren't you interested in enlargement or buying a Rolex lookalike?

Anti-IE worm...

[Vague+but+True]

How long before someone makes an "Anti-IE" worm that automaticaly installs FF on everyone's computers.

Re:Anti-IE worm...

[myukew]

There were already worms installing SETI@Home on peoples' computers. Alas, not very successfull

Re:Anti-IE worm...

[Sepodati]

How about one that installs a BHO automatically and sets the homepage to the FF page? Have it periodically pop up boxes about how they should try FF, too... :)

---John Holmes...

Re:Anti-IE worm...

[4vidar]

An Anti-IE worm sounds just too beneficial to me...

Re:Anti-IE worm...

[Enrico+Pulatzo]

My system admin already did that. It's called an Active Directory Group Policy.

Re:Anti-IE worm...

[stuuf]

They've probably already done it, and it was probably the only thing Microsoft ever patched in a timely manner.

In my mind

[Prince+Vegeta+SSJ4]

anything that surreptitiously enters my computer for any reason would be considered damage, even if the intent is benevolent. Why? Because I like my ability to choose what to do and not to do, or at least choose the option to let things happen automatically.

Choice, the problem is choice.

Re:In my mind

[jnguy]

You assume that everyone can make the right choice, and quick enough to have any effect. I'm a believer in democracy, and freedom, or whatever, but there are times when a dictatorship are absolutely necessary.

No such thing as a white worm

[genessy]

Even if the worm patched the site without defacing it yet again, it's still going to bog down networks by replicating. Perhaps a better alternative would be to send a simple e-mail to vulnerable sites and allow them to make the decision to patch or upgrade to the newest version.

Re:No such thing as a white worm

[fxer]

It's a good thought, but I already get tons of spam that says "Virus Found On Your System, Run This Immediately!" or something similar. It would seem unlikely that another, even legitimate, email about your system being "insecure" might not make it through the noise.

Re:No such thing as a white worm

[jnguy]

As I mentioned before, everyone is assuming that even if an admin knew about the vulnerability, they would do something, or know how to do something about it. Worms cause martial law on the internet.

Re:No such thing as a white worm

[DeVilla]

Perhaps a better alternative would be to send a simple e-mail to vulnerable sites and allow them to make the decision to patch or upgrade to the newest version.

This sounds really great in theory. Unfortunately, I know too many people who politely explained to someone that that had a security problem, just to have an embarressed admin turn around and claim that the person pointing it out must a hacker breaking into the system.

I even know a case where a person explained that the password on windows 95 was not meant for security purposes and that you could bypass it by clicking cancel, just to be reprimanded for breaking into computers he was authorized to use.

These day's, I would think real hard before telling somebody you don't know that they have a security problem. People don't turn down the opporunity to punish good deeds often enough.

BTW. I'm not saying the worm is a good idea. Even if the intentions are all good, if it fails in some unexpected way, it is still the author's fault. He/she has no right to be tampering with other people's system without their permission.

Re:No such thing as a white worm

[aoteoroa]

In the article Mikko Hyppönen, complained that, "although the worm may seem beneficial, in fact it is likely to cause problems for administrators who will have to handle the increase in traffic."

But the way I see it your site only gets infected by this worm if you are running an old version of php (less than php-4.3.10). The best way for an admin to deal with the traffic is just patch your system in the first place.

No vulnerability.
No worm.
No increased traffic.

The time to patch your servers was two weeks ago, but better late than never.

Re:No such thing as a white worm

[genessy]

I agree with your thoughts and didn't mean an e-mail as an end all. I still think it's a better alternative than writing a worm though. Maybe those sys/net admins that still haven't patched/upgraded their PHP after a week or so of news would be more likely to listen to a "Your system is insecure." e-mail than the average, on-the-ball sys/net admin that has most likely already taken care of the vulnerability.

Re:No such thing as a white worm

[swv3752]

People also have no right leaving an attractive nuisance on the net.

Re:No such thing as a white worm

[genessy]

In this case the vulnerabilty is obvious due to PHP version numbers appearing on most sites. If the information that points to the flaw is publicly available, you can't really be accused of hacking.

Re:Well, in that case...

[ErichTheWebGuy]

...give me your IP and I will login and make sure everything is in order.

Sure, and thanks! I appreciate it. My ip is 127.0.0.1. Let me know if you find anything worth patching!

Conundrum

[jabber01]

White worms are a nice theory, but I think they should be fought just as vehemently by anti-virus software as malicious ones.

Holes they use should never be left unpatched, even if the worm's patches are not applied.

Consider: If there was a benign strain of HIV out there that immunized you to Herpes upon infection, would you give up condoms?

Re:Conundrum

[poopdeville]

Only if I had a vasectomy too.

What? That doesn't exist!

[Epistax]

Driftwood: "It's alright, that's in every contract! That's what they call the 'Sanity Clause.'"
Fiorello: "Ha-ha-ha-ha-ha. You can't fool me...there ain't no Sanity Clause."

Re:Well, in that case...

Oh my God! I've never seen so much child and bestiality porn! You sicken me.

Survival of the fittest

[melvo]

The "success" of viruses and worms so far have been characterised by their ability to reproduce. This bears some resemblance to their genetic counterparts.

Perhaps the next phase will be a virus or worm that follows genetic theory. The genetic features that would have to be modelled would be:

1) it is considered beneficial
2) it can reproduce
3) it can mutate

The successful entities would then survive, and the unsucessful mutations would die out. Survival of the fittest?

Re:Survival of the fittest

[Justin205]

While good in theory, if it worked anything like the human race, you'd get a bunch of worms which would do nothing of any importance at all, and feed off other's work.

Yes, you'd get the management worms...

Updating

[bredk]

Perhaps this will be the new way of opensource updating..?

which brings up another question...

[zogger]

... well, to me anyway because I just don't know. There are a lot of distros out there, including all the various "live" versions, and various ways to install. I am wondering, is there such a beast as a no brainer, one click to install Linux distro that works over the internet and would seamlessly replace a users windows install with a working and safe while downloading and installing linux distro? I mean, a windows user (or another linux user, whatever) clicks on a webpage link and off she goes? With broadband now, it's common to downloand an ISO and burn it, I was just wondering if there was a distro that was designed from the ground up to eliminate that intermediary step. Say someone had finally just had it with windows problems, just said to heck with it, just replace this whole mess with something else, etc. Click, download, install, as easy as a normal app? I know there are "network" installs, but those are usually targeted at corporations where a lot of PCs are on the LAN, etc, I mean one for joe raw beginner newbie home user surfer.

Re:which brings up another question...

[mobby_6kl]

You can just download the BeOS setup file (about 45-50mb) and run it as any other program. The rather normal installation process follows, it creates some files on a (preferably) FAT partition, all you then need to do is double-click the BeOS icon and the computer will reboot into BeOS. Download is availible here.

Re:which brings up another question...

[IchBinEinPenguin]

That's exactly what Joe Average needs: a do-it-yourself brainsurgery kit for his computer...... [/sarcasm]

Makes you think.

[northcat]

Its possible to understand the motivations of the original virus writer (All your forum are belong to us.), but it makes you wonder what the motivations are of the anti-worm writer.

Re:Makes you think.

[Bad+Ad]

his site was infected and he wanted to do something about it?

hes a dev of phpbb and knows most users wont update and doesnt want his app getting a bad name?

theres numerous possible reasons.

Re:Makes you think.

[shadowsurfr1]

Or he's trying to actually help people.

Nice thought but...

[Tajas]

This was a nice thought of sorts on the writers hands and is a good wake-up call to make people upgrade their outdated sites. I did a simple google search and found 2 sites that were hit by this anti-santy worm. I wonder what the admins of these sites are going to tell the people they work for?

Below are 2 sites that as of this posting have:
viewtopic.php secured by Anti-Santy-Worm V4

Your site is a bit safer, but upgrade to >= 2.0.11 !!
Upgrsrv:201.255.84.219/

http://www.ifotografi.it/secure.php/

http://www.forum.moto-portal.pl/secure.php/

Creeper and Reaper

[tepples]

In the 1970s, Creeper was the first Internet worm, which spread among computers running the Tenex OS. Reaper, the second Internet worm, was sent to destroy copies of Creeper.

Re:Creeper and Reaper

[tepples]

I though creeper was just a virus

It did spread from one system to another, unlike the local EXE viruses common during the MS-DOS days. I haven't found any evidence as to whether Creeper ran in its own process, and I'm not sure of how Tenex worked to know whether such a distinction is even useful.

Robin hood

[adeydas]

That's the E-Robin Hood folks. However, it won't make much of a difference (compared to bad worms) in Windoze though.

The Code

[RobertTaylor]

Full code of asw.txt here....

This is the code of the worm extracted from a vulnerable box.

# asw: anti santy worm
# this worm will try to fix any viewtopic.php on local box
# will use this box for 1 day to search other buggy phpBB forums, and end.
etc...

Re:The Code

[RobertTaylor]

It was there for 48 hours I have now removed it.

Btw, get an account and some balls Mr 'Anon'.

Re:Worm Racism?

Of course not. I think of constructive, helpful, positive people as "white" and of destructive, harmful, negative people as "my mother-in-law Warranetta."

Patching not posible... or not always...

[nereid666]

If the administrator is not absolutely dumb, the .php file must be not owned by the same user that runs the webserver. Then teh worm can not patch the file with the vulnerability.
I wish to know more details about how the Anti-Santy patch is done. Any URL?
A self-spreading worm it is always dangerous, another aproach, doubthly legal byut more polite is the strike back philosophy. If someone attacks you then strike back and patch them (and install other strike back worm). With this technic the infection could be reduced without increase the bandwith for all the internet.

Re:Patching not posible... or not always...

[b374]

I wish to know more details about how the Anti-Santy patch is done. Any URL?

It's mentioned in TFA that it uses the same vulnerability, hence you can follow the steps recomended by phpBB devs and upgrade to 2.0.11.

Source of the virus is available here and for the phpBB it's just regular update.

Re:Patching not posible... or not always...

[eyeye]

LOL - Its written in perl, take that php weenies ;-)

Re:Patching not posible... or not always...

[bani]

so basically, use perl when you want to be destructive and php when you want to be productive.

got it. thanks.

Re:Patching not posible... or not always...

[eyeye]

beep beep beep.. defensive php user detected...

I never mentioned the merits of php/perl only that there are weenies who take the whole thing too seriously ;-)

Done before?

[Easy2RememberNick]

Hasn't this been done before? Everyone praised it as a great idea but later it was found that it also added a, back door. Very sneaky.

Just one step away from

[Tablizer]

...a virus that sends me money

Good Worms Bad Worms. When can we QOS these things

[human+bean]

If you cannot stop people from doing dumb things and running systems that are open to this sort of abuse, then at least they could be nice enough to not bother the rest of us.

I need a router/switch/filter that recognises worm/virus traffic for what it is and sets QOS down (or out) on such traffic. Better yet, I want my internet provider to have one. So the neighbor next door's got twelve sessions of Butt Trumpet running on his PC and more broadband in Mbps than he has brain cells to rub together, doesn't mean the pipes I use outta here need to be effected.

Niceties would be an ability to recognise interactive traffic and flag it for regular service. Not an original idea, by the by, was first mentioned in sf by John Brunner some years back.

Another project I will never get round to.

This is the end of the rant. We now return you to your regularly scheduled /. programming. Had this been of actual importance, you would have been instructed where to browse for further news and information. This is only a rant.

Reasonable force

[PurpleWizard]

Be interesting to see if you could use the "reasonable force" defence for actions such as writing a palladin worm.

"I was just taking reasonable steps to protect my property from the attacks of others"

Re:Reasonable force

[adamwood]

Unlikely. Even if you could use some equivalent of reasonable force to protect your own machines, a palladin worm that modifies machines not under your control is beyond reasonable (think locking people up so they can't rob you -- not punching them as they come through the door.)

Re:Reasonable force

[Kalak]

And I thought I was going through get through a /. discussion w/o a reference to Bush. Shal I propose a new corrolary to Goodwin's law? /. discussions will always degenerate to a Bush analogy. The one who makes that analogy, loses.

And thus one more step is in place for Bush to be compard to the Nazis.

Doh! I just violated Goodwin's Law! And my own!

/me ducks

Re:Reasonable force

[PurpleWizard]

I would compare it more to automated ballista in other peoples gardens and going in to shut them down or going over and closing your neighbours gates to stop the bad guys going and putting one of their automated ballista on the neighbours lawns.

I do however agree it is unlikely. Mind you, if music giants want to treat music like the crown jewels it as example partly opens the door of credibility to such a defense.

I think you wanted to say patching is OK ..

[RedLaggedTeut]

I think you wanted to say patching another system is OK when the other system is attacking your system and is causing damage or high server load. Sorto self-defense.

A "worm" however, does not restrict itself to systems that attacked you. So it is a bad idea to use. Also, the attacking worm usually causes high load at the infected end, not the attacked end, at least one instance of the worm. So the argument about damage done might not hold here.

Bandwidth gobbled up

[stripe42]

One of my clients run phpBB that was affected over the holidays. I updated PHP to 4.3.10, and now this shit hit. It couldn't apply it's "fix", but kept trying and trying sucking CPU and bandwidth. I had over a 6-fold increase in traffic just because of this dumb thing. There's no banner ads on this site, but how does this affect them I wonder?

I manually added filter logic to viewtopic.php and am now redirecting. Damn it all.

Okay I fell better. Thanks for all the fish.

The PHPBB2 patch...

[Raijin+Z]

Consists of removing a left parenthesis and a word from viewtopic.php. It was a simple fix that took maybe five minutes of reading at PHPBB's message board to discover. Or you could have just updated your board to the current version. http://www.phpbb.com/phpBB/viewtopic.php?t=240513

Re:Satisfaction Guarantee? You mean...

[b1scuit]

You mean like the one with windows?

Re:I think everyone is missing a point here

[Nyder]

except, when you police contact your neighbor, and they find out that they live next to you, nothing was taken, and all you were doing is fixing their lock (let's face it, if the locks broken, you don't need to break in the house, and unless the door swings inwards, you may not even need to step into their house), chances are pretty good that you won't be convicted of anything, if it even made it as far as court.

Now, it would be sort of suspisous on how you knew the lock was broken, and the risk if someone else actually broken the lock to get into the house and stoled stuff, then you might get the blame.
So basicly, it's not a good idea to fix stuff on others property without their permission.

But as the article said, the fix did cause a slow down to the site. Maybe the fix virus writer might of been more effective to make a program that checks for vulnerable files, and then updates them. Then email the admin (probably think it was spam)

I guess the only good solution is for admins to keep up with the updates.

Call Me Crazy...

[General_Tso]

But I like installing my OWN updates. I don't care if it's not malware; if it takes the choice out of my hands it's bad news. Keep your paws of my machine, thank you.

--Tso

Re:I think everyone is missing a point here

[LO0G]

How do you know that the worm's just fixing the problem?

What happens when someone releases a version of the worm with a rootkit attached? It'll fix the vulnerability, and then install its rootkit (which will then hide its traces).

ALL worms are evil, even the worms in sheeps clothing (ok, I'm mixing metaphors, but...)

This will block both black and white worms

[wytcld]

The method in the first post here is currently effective against both - which are PITA DoS attacks, even if phpBB is patched or updated, unless blocked by this or a similar method.

a poetic response...

[St.+Arbirix]

A truly benign white worm would be a marvel on a level with cold fusion.

Realistically though, white worms are the kudzu of computer science.

Re:Well, in that case...

[Geoffreyerffoeg]

That joke is old. I knew something like it was coming when I got to the phrase "127.0.0.1" in the parent.

This is one of those cases where "Redundant" is valid for the first such post in a thread.

Incidentally, the parent is old, too, but it's slightly more funny and relevant.

MY CAT HAS WHITE WORMS

[TheLittleJetson]

She gets them from eating flea eggs.

Mod Parent up and another comment

[Kalak]

Funny and Insightful ;)

To keep this from just being a "me too" though, not only would this be the quickest way to get Microsoft to patch a hole in IE, it would be the quickest way to get millions to think of Firefox as the Bad Guys and MS as the Good Guys, so for the sake of wisdom, DON'T DO IT! (Rememeber how myDoom made linux look by going after SCO?)

Santynet

[TheMster]

"It should only take a few moments for the anti-santy to find and destroy the santy worm.....wait...OH MY GOD!! IT'S BECOME SELF AWARE! ITS LAUNCHING THE MISSILES!" asdawjfhaebsaeSANTYNET0WNZJ00sadwarawhfsafawd

Re:Good Worms Bad Worms. When can we QOS these thi

[Kalak]

QOS? Why, just filter The evil Bit out.

Try searching google for "Intrusion detection system" for some of what you might be referring to.

Re:Google result interesting

[Kalak]

If the AC is still watching thread, then follow the suggestions on Google, because that query works for me.

My white worm

[zoloto]

My white worm:

I haven't released it, nor do I intend to. But I tested it out on my lan (about 10 pcs).

"Infect" one computer through your preferred insertion method (email, website, java, whatever) and let it go.

It doesn't patch anything.
It sets up and installs CORRECTLY with no back doors a firewall, probably the free version of ZoneAlarm or a home brew/maybe OSS w32 firewall.

It allows NOTHING through it except this little "worm" to communicate through an encrypted p2p network that a system was taken offline.

There is a little .pdf or .txt that screams loudly READ THIS NOW TO GET BACK ON THE INTERNET. There are two or three copies of this so the user get's the point. It outlines how the user was blocked offline, includes the sourcecode in c:\"whiteworm" to the worm and the copy of ZA (free trial version of course)/ or whatever OSS w32 firewall you installed was (with source, of course).

What do you think? I've been dying to c0de something like that for so flipping long it just might happen. Heh. ANyways. Let me know. gmail me or something

Re:Well, in that case...

[CharlesF]

Did you happen to save any of it? By the time I got there, it was already slashdotted, and now the server won't respond.

PHPBB?

[phorm]

If you mom is running PHPbb... I think you're ahead of the game already! :-)

Touche?

[phorm]

How about already infected machines? I know that one patch-worm generated so much traffic getting fixes that it was as bad as the original worm... but how about something that works on an "if-you-attack-me" basis. Years later, I still have countless hits on my webserver from infected MS machines trying to exploit nonexistant flaws (non-MS server).

So really, if I return the volley with something that directs the machine to patch/removal-tool itself, chances are that it's consuming less bandwidth than the virus, and I'm not actively seeking out infected machines myself just responding to an attack against my own.

Re:Touche?

[Niet3sche]

How about already infected machines? I know that one patch-worm generated so much traffic getting fixes that it was as bad as the original worm... but how about something that works on an "if-you-attack-me" basis. Years later, I still have countless hits on my webserver from infected MS machines trying to exploit nonexistant flaws (non-MS server).

That's actually where the payload deployment option came in - it was only WHEN I had been attacked that it would launch against the end-target machine. However, it still seems legally reckless to do something like that, however technically interesting - or necessary. What it all came down to, for me, was two-fold: 1) Would I like it if someone else did this to me (either correctly or incorrectly, as packets can be spoofed)? 2) What assurance of fail-safe operation can I generate in a tool that would be able to, in the presence of loads of spoofed packets, bombard a remote network/host/link?

Again, though, I want to point out that the technical aspect of this is appealing, but is overwhelmed - for me, anyway - by the concern of creating something potentially far worse than the original "bad" worm.

So really, if I return the volley with something that directs the machine to patch/removal-tool itself, chances are that it's consuming less bandwidth than the virus, and I'm not actively seeking out infected machines myself just responding to an attack against my own.

Well ... is it? I'm not being an ass when I ask this, but I'm genuinely interested. You know ... this all comes under the research stream heading of "computer immunology" - hopefully someone who is into it would have something useful to say here. It seems like a good area to get into - interesting, definitely! - but I'm not sure how the legal system here (USA) would work. I might be wrong, but I'd imagine that at the first comment that the defendant is a "security person who wrote a program that goes out and contacts other machines without their consent", the judge wouldn't have the technical prowess to fully understand how this is different than a computer crime (B&E). Maybe - hopefully - I'm wrong, but it appears to me that, in the United States, cyber-law is lagging behind contract and common law (obviously, given the relative timeframes involved). Also, if you or your worm were to target the WRONG system ... how would you feel? I would rather not take the chance to write something that can hose a lot of machines to save just a few that could be manually patched and secured anyway. Again, this is just my $0.02, and I do like the points made here, but for me it'd be too difficult to be 100% accurate in determining where the attack originated from ... and anything less than this means that innocent machines and system operators are being targeted, which is unacceptable in my mind.

Re:Touche?

[phorm]

On the issue of spoofing... if a patch were to use the initial vulnerability as the way in, then only "infected" or "vulnerable" machines being spoofed would be bothered by a misplaced patching attempt. In that case, they're still just waiting to be infected by the real virus - and if the virus were spoofing said IP then why wouldn't it have already infected.

The issue of hosing machines is definately a delicate on though. Perhaps what's needed is a standards body to designate "official" patches that could be used in such a situation. One idea though... if your infected machine is attacking mine - aren't you more liable for its actions in disruption my machines/bandwidth? Sueing would be a bad idea then, unless it came down to the old "who lost more money." In that case it migh still not work as who knows how many other machines an infected box may attack.

Ignores likelyhood

[phorm]

This ignores the concept of likelyhood though. There aren't many criminals that go around jiggling doorknobs (yes, I'm sure it happens, but not that frequently). On the other hand, the worm propogates itself in a way that makes the likelyhood of infection high (new infected machine=new virus source).

A burglar doesn't spawn new burglars every time he/she enters a house.

To make the analogy closer, it might be something more like - I noticed you had a bad lock on your door, or the door is just unlocked, or the key visibly poking out from a potted plant. I lock up the door nicely, and leave you a note.

To add to the analogy, a recent breakout has occured in the nearby prison. Prisoners have escaped, and are subsequently letting prisoners out of other prisons. So suddenly, the likelyhood of your house being broken into by criminals (akin to virus infection) is high, and increasing.>br?
Having somebody lock your doors and pop you a note under the door is probably an irritation, but better than coming home to a burgled home.

Because...

[rbarreira]

most people who make worms are not fucking $$$ centered bastards...