Kraken Infiltration Revives "Friendly Worm" Debate
Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
"Is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.
What kind of idiot would have a windows box controlling a heart monitor?
Don't tell anyone!!!
All the lawyers in the world will converge on you if you do.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Determine which is worse: the malignant effects of the botnet, or the inconvenience caused by bunches of people's computers restarting unexpectedly (and the associated loss of unsaved work, etc.). Kraken is used to send spam, which affects many more people than the 400,000 people infected.
By my reasoning, it'd be okay to send out a friendly worm, I just wouldn't brag about it afterwards.
Facts do not cease to exist because they are ignored. -Aldous Huxley
"A good worm is a dead worm !", afaik.
-- Rastignac was here.
This is one of those moments where something ruthless should be done for the greater good. The ends do not always justify the means, but in this case they would.
"What do you think -- is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
:)
If someone's heart monitor software is part of a botnet, they are screwed anyway or could be any second, so I say go for it.
As someone said last time this topic was up, white-hats deploying "friendly" botnets will never see any benefit, but will potentially be sued into oblivion. In the end, you're infiltrating someone else's computer, and that is illegal even if you do it for a good cause.
The people deploying "evil" botnets do so for profit. And they earn enough to cover the risks.
In short, we're not going to see many friendly botnets.
I lost my sig.
OMG, It's a giant squid! Run for you [CARRIER LOST]
Knowledge is power. Knowledge shared is power lost.
For FSM's sake, who thinks that heart monitors are both networked to the outside world and running Windows XP? Any manufacturer that did so would be open to all sorts of legal trouble, assuming they could get any hospital to risk using such a thing.
Best Slashdot Co
This Kraken 'bot
Oh, fear it not
The zombie slave
Needs just
Burma Shave
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
If you are going to write friendly software worms, why not take a moment to figure out what the hell kind of computer you are on, and make some decisions about whether to risk it, or simply report to someone that the computer is infected?
Am I the only one that thinks this is too simple to be questioned? Friendly.... it's a word that suggests something that does no harm. If the software can't figure out if there is no risk, then it should take no action other than reporting.
Safety, it's a big issue. VW will not be sending their high-tech stuff to the States next year because of litigation concerns. They are right to do so: if there is no method to ensure your product does no harm, do not deploy it. Period. Unless you would like to spend time in court.
There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed.
Safety first. kill bad bots second. Sort of what the US police forces are supposed to do. Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.
If you're going to write anti-worm software, safety is a major concern if you are acting without the owner/user's permission. There is NO way around that without incurring litigation risk.
Support NYCountryLawyer RIAA vs People
The acceptability of this type of solution relies on trust, and on how much system and infrastructure resource people want to dedicate to 'social model maintenance'. Can many disparate organisations operate in this way, with their own agents squirreling in our systems on our behalf?
Is it better to have a central service that updates when mutually appropriate, rather than have services speculatively take up resources? Central resources benefit from economy of scale, but can be equally speculative in that they offer potentially global coverage.
Similar 'sacrifice' questions arise from P2P media solutions (e.g. Kontiki-based distribution), where users sacrifice some of their bandwidth and processing power for others, in order to obtain the media.
There is still the "messing with other people's computer" issue, of course.
Assorted stuff I do sometimes: Lemuria.org
It raises the old moral dilemma about messing with other people's computers, for a good purpose.
But the "friendly worm" issue is a different one. The main problem is control. I've done the math and published a paper on this. You do not want to be the author of an out-of-control autonomous, self-replicating entity, no matter what it does.
So, like a dog, can you guarantee that it will listen to you, instantly, in all situations especially unfamiliar ones?
Assorted stuff I do sometimes: Lemuria.org
What if such a good virus were to only modify parts of the OS already modified by Kraken? Disrupting it and making it visible?
Hmmmm...
I'm all in favor of terminating botnet infestations even if it means terminating the OS of the infected computer. I've wondered why the computer security field has not had more people working hard to find ways of rendering these insecure machines useless. Seriously. If it's infected, terminate it.
As with many changes in technology, the law is far behind. In this case they would fall foul of the same laws that would convict the original criminals. The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.
Botnets also span more than one country so maybe this needs to be international law.
"Because we are not employing at entry level, offshoring will kill our industry stone dead."
Thank you for supporting Microsoft and not Linux or Apple. We appreciate your business.". Sure it's not nice, but if it gets people to actually take action then I'm all for it. There will always be more companies trying to profit, new botnets, etc, but if you can actually stop the botnet from starting by educating people, then you win.
get busy dying, or get Kraken.
Liability for 'curing' the problem is a great question. I don't want to see the 'cure' become another infection vector. Do we know that the cure is going to disable this network, but not enable a subsequent one?
It's a lead-pipe cinch that law enforcement people will and can do nothing to disable the network, and it-- like others-- represents a huge security hole and a big problem in terms of potential misuses of the existing botnet.
The 'authority' to even legally disable botnets is onerous. What's a botnet-- is p2p a botnet? Is every torrent site a botnet? Is every Skype user enabling a botnet?
Some Van Damme coder that goes over the line to disable them might be a hero. He/she might also be the unwitting infection vector for a subsequent botnet if they don't get their own code right.
Mandatory machine cleansers might be nice, the 'system health' check that Microsoft uselessly tried to employ with Windows 2008 server. There's no leadership to vet how this might be done, and how it's kept up to date, and what constitutes potential botnet user software found and what might be useful in terms of gateways to monitor traffic.
So botnets are going to continue to be a problem until wise people decide how to first cleanse the problem, then how to design operating systems (this means you) to prevent botnet infection, and be able to distinguish botnets from p2p/etc. apps that have legitimate use-- and what constitutes 'legitimate' use.
Bottom line: nothing changes soon, because there are too many issues surrounding the question(s).
---- Teach Peace. It's Cheaper Than War.
Why would Tipping Point kill the botnet with one blow, when they have IDS signature subscriptions to sell?
IF there is no malicious code in the worm, it just cleans out botnet X and has the ability to be turned off, and can't be manipulated to do other things, and doesn't report back identifiable information, I say do it.
The potential for good far outweighs any risks.
The question posed 'what if you break a heart monitor running XP' is just silly and quite extreme.
And who's to say the botnet wouldn't eventually render that computer completely unusable.
If you relate this to a person being mugged on the street, do you stand by while the thug takes everything from someone? or do you get involved and help chase the thug away
I don't see how a botnet is that much different from a thug robbing someone on the street. Aggressive action needs to be taken against these botnets.
What if it has an OS-independent Mac and Linux payload too?
Domestic spying is now "Benign Information Gathering"
How about instead of fixing the machine it launches a notification window that says "your system has been infected by the Kraken botnet, click here to fix", or even just launches a notification? This notifies the user that their machine has been compromised, without modifying system files on "critical systems" which, as pointed out above, shouldn't have been networked to begin with (heart machines etc.).
We have this law in my country where if you can help someone who is in danger without risking harm to yourself, you may get into legal trouble.
I am pretty sure that a good lawyer could twist it enough to sue those researchers because they DID NOT kill the botnet while they could. Instead they published a report explaining to the botnet creator how to plug the hole. Next time they should just ask for a Subversion committer account and fix it themselves.
I can almost see how the Patriot Act could apply here. I think those guys could be arrested for helping the terrorists(tm) by the friendly bunch at Homeland Security.
If you can kill the botnet, please do it. Me and a million others will drop a donation in your PayPal account to cover your legal fees.
The biggest problem with this whole thing, the problem facing any system that is, on its merits alone, a good thing, is that the operators are human. Add the human element and you have a built-in exploit.
What happens if BOFH numero uno for instance gets his hands on some access? What about someone 'trusted' to run it, does that mean they are themselves free of malice? Is the system itself going to be free of security holes?
I don't think you could reasonably comfort me with an answer to any of these questions.
Seriously, is it supposed to look like that?
I do not eat meat, nor do I clean infected boxes; all life is holy...
Vulnerable SCADA systems are numerous and Homeland Security has several initiatives to get them under control. Earlier this year they demonstrated how easy it was to take over a generator and make it crash and burn ...
So, fixing worms or not has its consequences. If you are successful you might reboot a control computer and bring down the grid. If you don't somebody in Russia might. In any case, with networked controllers all over in our water, gas, and electrical infrastructure, things will get interesting eventually. It is a sad situation the people who understand enough to automate large control systems don't realize the impact of a vulnerable network on their systems.
I'm in favor of them sending the fix to shut this down but at the same time I have to wonder what part of that botnet is connected to computers that could be monitoring a life support system for a patient in a hospital or something just as critical.
The fix could cost lives just as much as the infection could depending on what happens.
~~ Behold the flying cow with a rail gun! ~~
Yes, IF you can deal with the 3 main issues of 'friendly worms' (autonomous patching agents):
1/ Control (this may have been dealt with)
2/ Testing
3/ Consent
I suspect the big stumbling block would be consent. Any thoughts?
we are all cosmic nuclear waste
Well, you could just release the worm AND concise instructions on how to block it.
The only people I could think of that could REFUSE to update their computer / network (as opposed to just not caring) are network admins that have very good reasons (known incompatibilities, critical systems, etc.) for not doing so, or who just feel more confident updating manually. If this "good worm" were to be released along with blocking instructions, these admins could decide whether to let it in or not; and the rest of the uncaring, "do as you want as long as it doesn't bother me", "I don't give a sh*t" mass would be happily up to date and (hopefully) with fewer vulnerabilities, for the good of all of us.
There's the problem where the "bad worms" make use of those instructions to block the "good worms" - up to you to find a solution for that problem.
English is not my native language. Corrections are not only welcome but encouraged. Thanks.
-Walenzack.
I would change the wallpaper to display a notice about the infection.
Let the user know that their computer is responsible for SPAM, identity theft, and don't forget file sharing.
Maybe even mention that the RIAA will get them if they do nothing about it.
Like it or not, infected PCs are the private property of other people / organizations. The better solution (read: the "right" solution) is simply to secure your own PCs from attacks and drop any traffic coming from nodes on that network.
Socialism starts when one person can take control of another person's private property for the greater good of another group. This debate isn't a debate of right vs wrong -- it is simply an argument over which version of socialism is more popular.
If it's not yours, keep your hands off.
If only they would do the same thing to the guys writing these worms.
I read the internet for the articles.
A botnet cleansing worm would IMHO be a good thing and not in the least morally ambiguous.
Imagine a similar situation among humans. A virus breaks out which ravages whole populations. You find a cure which can be distributed by spiking the water supply or by pumping it into the air.
I can tell you, the CDC (No. Not the "Cult of the Dead Cow". The other CDC) would only hesitate long enough to verify the safety of the cure before dispatching it.
Or let's come to a more reasonable and commonplace situation. A man infected with rabies is not allowed to choose whether he will be treated. His infection impairs his judgment and makes him a danger to other people; therefore he is a hazard to be cured against his will.
Doesn't the same apply to a botnet member oblivious to its own condition, spewing its infection, spam and lord knows what else onto other computers?
Kevin.
--= Isn't it surprising how badly I spell ?
I say yes, sabotage the botnet with friendly worms/bots. The owners of the infected computers don't know about the problem, don't care or don't know how to fix it.
I say vigilante action is okay, to protect ourselves (the people in the know adminning the networks and computers being attacked).
The Official Steve Ballmer Webpage
I think there are ways they can proactively use their control over the botnet relatively safely.
They can update the infected computer with a program that causes an annoying popup to occur until the machine is sanitized by the owner. Then update the machine's firewall (if it has one) to block the controlling UDP port.
That solution should be fairly low risk.
I get so much spam of late, that I have no problem if they deliberately break the entire IP stack on the infected computers. Serves the owners right.
there are 3 kinds of people:
* those who can count
* those who can't
I think the detection method and patch solution should be handed off to the ISP. They are the ones that suffer the most damage from the worm besides the host, and they already have the identifying information for the customer so they can contact them prior to the push. And to everyone saying heart monitors are no big thing: people who use network-attached heart monitors do so because they have some need to be monitored. So a monitor going offline is likely going to result in a false alarm generating a trip to the hospital, or at the very minimum an emergency response team being dispatched to the residence. And for someone with already substantial medical conditions, the extra expense might not be a non-trivial thing.
Oh honey look... How cute... an angry slashdotter!
Let's say, rather than attempting to fix the hijacked computers, they were disabled because they pose an active threat.
I had all my servers issue a reverse "attack" to shut off the IIS service and then put up a winpopup saying that their computer was infected with the CodeRed virus and they needed to take cleaning steps.
Buddies of mine were a bit less nice. They put the machines into spontaneous 3-minute reboot cycles. They figured that would get the users to get a clue and fix it. I thought that was a bad idea.
Do not look at laser with remaining good eye.
No, don't try to fix the machines. If the authorities are watching this worm, they may be tracking down the owners. If you mess with things, they'll come after you for obstructing justice.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
...and nearly paid for it.
We were on the verge of fall break, and someone on campus had found out a 'catch-all' email address which was aliased to _all_ the university email addresses. So some dickwad started sending a weird email saying something like "Hey joe, where are you?", which everyone got, and everyone replied "Hey, I'm not joe -- who are you?" Which was then sent to everyone else.
The thing basically kept feeding back to itself and was threatening to get out of hand. Literally hundreds of emails started popping up. Of course, this was waaay back then, before the days of spam, so it was 'abnormal', 'weird' and annoying all at once. Since it was a friday evening, and knowing that at the rate it was going everyone's inbox would be flooded when they returned from the week-long holidays, I -- perhaps naively -- thought I'd put a stop to it.
I attached a large binary file to an email and sent it to that catch-all address, hoping that it would jam up the works enough that the network admins would notice.
Notice they did, and eventually I got called up to see the ombudsman -- who promptly said he was considering kicking me out of campus.
So yeah, one can have good intentions -- like what I did -- but the means to achieve that end may not be acceptable to everyone, even though it did get the job done.
My 2 cents anyway.
The Wknd Sessions - Malaysian and South East Asia independent music
I think the issue is similar to vaccination http://en.wikipedia.org/wiki/Vaccination where a small part of the vaccinated population will have adverse effects or die from the vaccine. However, this is a risk worth taking, because if the population were to be unvaccinated many more people would die or have after-effects of the disease.
Shakespeare poems - infinite monkeys with infinite time.Computer tech support - a few trained ones working from 9 to 5.
Wipe the user's hard disk. That oughta teach 'em to belong to botnets.
I would argue, by analogy, that it should be done, ie. the computer participating in a botnet should be patched.
Consider this example: You find that someone robbed your neighbor's apartment (who is on vacation), and left the door open and broken. Should you fix the neighbor's door, or leave it open for anyone to enter?
The correct answer is: You should fix the door, but with the permission of the police. Therefore, I think, the computers should be patched, but with the approval of law enforcement (if it's in your country; patching computers in another country should be supervised by their law enforcement).
Sleep ...
If you're running something on my pc without my permission, that's not a "good" worm. So don't worry about how to clean it off.. don't infect it in the first place no matter how good your intentions are.
Feel free to ask them. From my experience they build their ECGs on Windows.
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
As if leaving the existing worm would actually prevent that from happening if said computer were infected? What a crock!
Bryan
. . . how could they make it worse? I mean, what could possibly go wrong?
I used to work in a hospital on the IT side and the only 'monitoring' systems I can think of where this would be a problem aren't so much the ones that keep track of vitals but the ones used as the primary method of observation (think cath labs). Even then the vulnerable workstations/machines are used more for archiving and cataloging of imagery and procedure. Any real work is done on an embedded system with that particular piece of equipment. So if you have to get your heart cathed, don't worry as that machine probably isn't exposed to the internet. Those machines do not and should never be exposed to an open network. Some embedded systems ran a version of Linux, others were embedded NT and a couple were actually DOS (This varied by maker and age of equipment).
Someone pointed out fetal monitoring systems. I installed one last year at the hospital I worked at, and the setup was as follows:
Server - (1x) Win2k3
Polling - (2x) DOS 6.22 (these boxes only relayed msgs)
Monitoring Stations - (24x) WinXP Pro
The server itself was in a datacenter and the two polling machines were in a networking closet (easier to run lines from the actual monitoring hardware this way). The workstations were XP and had internet access. They were locked down enough such that net access was allowed for research. Every so often one got infected (research apparently means games too, I guess). It was pulled and one of the already staged spares was put into its place until the infected machine had a chance to go through restaging. Through all this time, the nurses had MULTIPLE workstations, including two huge-ass monitors (nice Dell 24-inch flat screens with an 89' view angle) at the nurse's desk from which to view the babies. And they had manual procedures if the system went down, which it was for two days during the initial move from testing into production. If there are no 'manual procedures' in place for when a system goes down, the hospital is just ASKING for trouble. Granted, in this case manual involved getting more nurses on the floor in that section, but they had it covered in case of a catastrophic event with that system.
While the monitoring systems may be vulnerable, any decent hospital will have it set up so the actual workhorses doing the procedures are not exposed, and will have manual procedures in place should the machines go down.
"Quote me as saying I was mis-quoted." -Groucho Marx
My guess is that whoever writes a worm makes sure that he has more than one way to control the infected computers. So probably an infected computer runs a periodic process that reinfects it. So it just doesn't matter...
For the next one won't be vulnerable to this flaw.
To prevent any kind of 'intrusion' in their botnet, the next generation of botnets will issue all commands to the zombies encrypted using PKCS. All the zombies will have the public key, while all the commands will be issued signed with the private key.
No more cute attacks, no more 'botnet takeover'. Only the botnet owner will be able to issue commands to his entire botnet.
If someone is killed by a zombie (botnet) they obviously become a zombie themselves. Haven't you seen the films? Chop their head off or throw New Order records at them.
I have excellent Karma and I am not afraid to Troll it.
My wife had LASIK recently, about six months ago, and I got a seat in the doctor's office watching the procedure on a computer screen. The screen showed the software interface controlling the laser for the procedure - the correction matrix, the number of shots taken, the number of shots still to go, the laser power per shot and the material ablated per shot, right down to a progress bar at the bottom - all in Windows XP. Networked? I have no idea. But would you want to see a BSOD come up during the procedure?
Jealously hoarding mod points since 2007.
There is a big difference, I think, between releasing something like a worm to patch un-patched boxes -- i.e., computers that haven't been "broken" yet, but potentially could be, and hijacking an EXISTING botnet to inject a "self destruct" update into it. I have some problems with doinking with other people's computers if they aren't infected yet (there are a lot of critical things that you could break, and there may be other reasons why they haven't updated some particular part of the OS which you don't know about). I have much less problem with counter-attacking an existing threat. If someone's computer is already "owned", then they are definitely already part of the problem, and they are a direct threat to the rest of the Internet community.
OK, so it really is a matter of degrees. Some people might say that the existence of a Microsoft OS is already a state of being "infected," but I'd draw the line at being a member of an existing, identified and wide spread botnet.
Your Servant, B. Baggins
If one constructed a program which detected incoming infection attempts and counter-infected the attacking machine with a "friendly" worm - one might call it a "vaccine", even - couldn't that be classed as simple self-defence?
While on the surface it might seem ok to autonomously repair botnet infected PCs it also starts a shift towards the wrong end of what we find acceptable or not.
A person should be wholly responsible for the code executed on their personal machine; if you start to accept intrusions because of their 'friendly' nature, then you start to move towards it being acceptable for full control of that machine to be taken away from you.
Eventually it'll be the corporations who get the government backing for these controlling overlord systems, which is where the moral argument against Sony rootkits and Trusted Computing flies out of the window.
It is a dangerous precedent
To quote from some other post: "In a war between weapons and armor, weapons always win". It's time to take the war to the streets instead of cowering in our imaginary secure cells. Next step: take care of the servers...
double penetration;
Are you allowed to go after them?
Really, if they have a way to safely remove the infection, they should go right ahead. Preventing harm from someone without risking any other harm should not require informed consent.
If their cure involves a potential risk to the infected computer, then it's more questionable. But allowing the bot to continue to thrive is to convenience an irresponsible user whose computer got compromised at the cost of a responsible user whose secure computer is still vulnerable to DoS attacks...
I think the majority of people will agree that 'something' should be done. The real question is who should do it. I don't believe that security researchers at any given company should attempt something like this, no matter how well qualified. A law enforcement agency should try coordinating this, or at least target those computers within its jurisdiction... The FBI could easily downsize this botnet by just eliminating US bots.
Do it, of course. The chance of crashing a computer is much lower than the chance of the botnet crashing a computer. I don't imagine they were really this reserved with the smallpox vaccine. "Should we inoculate?" Of course.
The system goes online on August 4th, 2008. Human decisions are removed from strategic defense. SkyNet begins to learn at a geometric rate. It becomes self-aware at 2:14am Eastern time, August 29th. In a panic, they try to pull the plug. And, Skynet fights back.
The debate seems to be whether crashing a critical machine is worth taking out a botnet. Personally, I say yes, reasoning to follow. The administrators of these critical machines that run Windows know what they are doing; ok, maybe not as well as some of us, but better than most, and certainly better than Average Joe whose home computer became part of a botnet 3 years ago. They know what security updates are, they know how to patch systems, and they know that Windows machines are the most vulnerable. They are prepared for attacks, BSODs, viruses, and any number of things which are much worse than a "friendly worm". In case you haven't faced it yet, those that control botnets aren't playing by the rules. If a friendly worm can wipe them out, then let's be on with it! If Average Joe's computer crashes in the process, guess what: in a technological age, he should have learned the basics; in the modern world it's the equivalent of not being able to read or do basic math. Maybe that's stretching it a bit, but if you don't think it's true yet, then it will be soon. His computer was already infected, probably with more than just a bot, but with other viruses as well. If my computer becomes infected, I HOPE one of you sends a friendly worm my way; I don't want to be adding to a botnet. Basically, if Average Joe gets screwed, a) he was already infected and b) sucks to be him. If a critical machine becomes infected, a) it was already infected and b) they are prepared to deal with it.
Desperate situations call for desperate remedies.
..... and the roof is still leaking!
Really, if you follow the money, it's all Microsoft's fault. It was their bad design decisions (i.e. not building in privilege separation from the ground up, from day one) which led to this situation. Since then, a whole generation of self-taught wannabes with knocked-off copies of Visual Studio (which Microsoft never stopped them from making, probably because "hey, at least they weren't using a competitor's development environment") have been writing applications with no regard for proper techniques. As a result, "legitimate" software has been taking advantage of the exact same bad programming in Windows that allows malware to propagate.
Windows is essentially beyond repair. Bodged-on attempts at artificial privilege separation won't block malware if it's easy to get around them, nor if they have to be turned off to allow "legitimate" software to function. Real, ground-up privilege separation (as found in operating systems which cost much less than Windows, but are not backward-compatible with existing Windows software) will break backward-compatibility with existing Windows software.
The roof was leaking, so we put in a floor drain so the water would have somewhere to go; but the drain got blocked and started to smell, so we installed plug-in air fresheners so we wouldn't have to smell it; but one of our best people was allergic to the air fresheners so we had to let her go, and then they ran out anyway; so we lit a load of joss sticks, but the joss sticks kept setting off the smoke alarms
Je fume. Tu fumes. Nous fûmes!
"What do you think - is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
Absolutely. Quickly before the worm itself crashes the machine.
Seriously. Get law enforcement involved, get a warrant, shut them down. Or sue them and get a court order allowing it. That's what courts are for, to resolve these "morally ambiguous issues." Doesn't mean that the solution the court comes up with is always moral, or always a real resolution, but it is more effective than writing a bunch of papers about it.
The fix displays an action screen asking the user to choose either to fix the problem, or not to install the fix and return to the "infected state".
And place the vector server somewhere outside the US; possibly in a country without a track record of handing over its own citizens to the US on US court request/DMCA threats/RIAA wishes etc.
For those who are advocating that an anti-bot be released (or whatever you want to call it) so as to disable this pest, I have a question for you: how is someone going to be able to tell the difference between these:
1.) A user who creates and releases an anti-bot, but through an error (design, programming, whatever) inadvertently causes "harm" to the system.
2.) A user who creates and releases an anti-bot that appears to try to block the worm, but is in fact designed to cause "harm" to the system.
Recall that the Morris worm was not intended to bring down the internet:
See also A Tour of the Worm for a more detailed account of how it unfolded.
The intention may have been good, but the implementation had an unintended consequence that led to a major disruption of the internet. I remember full well the confusion at the time as the details unfolded. I was working at a major computer manufacturer that dropped its connection to the net to protect itself. Ultimately, none of our systems were hit (wrong OS), but the sheer volume of packets on the net led, effectively, to a DDOS'ing of the uninfected systems, too.
So, in a nutshell, how can one objectively tell the difference between an attempt to kill the worm that causes problems, and an attempt to cause problems that looks like it is trying to kill the worm? In a non-static environment. With our limited ability to write bullet-proof, error-free code. Besides, someone else could capture and re-purpose the good code to cause more problems.
Meh, it seems there is a solution here: not to send out a "friendly worm" but to actually set up a "friendly" Kraken server; the server would then "nicely" remove/disable the code. They wouldn't be hacking into anybody's system, since the infected code just called home, in this case to a friendly curing server.
"Kill them all. God will know His own."
"Ain't no right way to do a wrong thing."
Well, if I planned to seed a worm in a botnet that would patch machines against said botnet (or crash them spectacularly, requiring reboot/patch), my reputation is on the line. I'd probably announce "This is possible", not "I'm gonna do it".
Which is precisely what they did. Hmmmmmmm...where's my tinfoil hat?
Practice Kind Randomness and Beautiful Acts of Nonsense.
All they need to do is have each machine create a popup message on each host telling the owner they are infected, but nothing any more invasive than simple notification. They should _not_ be changing any binaries or updating/patching the machine, but the owner of the machine does need to be made aware of the problem. Of course making the machine beep every ten seconds until it is fixed might help annoy them into fixing it sooner rather than later, or at least turning the machine off.
burn it!
If people will not patch their systems then they need to be cleansed, if they crash so much the better. Lesson learned. Hmm...was that the sound of 500,000 blue screens?
Personally, I make lots and lots of cash from people that do not care, do not understand, nor do they want to. All they want is their e-mail, IM and MySpace. I actually have a checklist I give to customers that details all the things they should be doing; most never do.
So...every couple of months I reload their computer, give them the same list, talk to deaf ears on what they need to do and then charge them for my time and effort. *shrug*
Give the white-worm to M$ to include it as a 'patch'...
A thought that sometimes makes me hazy: Am I - or are the others crazy? - Albert Einstein
The morals behind writing a "good worm" seem to generally point in a good ethical direction. Unfortunately, the morals, ethics, and understanding of the people you try to help with this "good worm" could bite you back; there are plenty of written laws that could make the intentions of a "good virus" a criminal offense. Let us not forget, we live in a world where a woman has spilled a cup of coffee on herself and successfully put "80% of the blame" on the fast food franchise that sold it to her. Of course the problems of this may stem from potential problems with our legal system.
Why am I reminded of the Buddhist pest controller from Goodness Gracious Me?
nm
My guess is they've announced it because they want the botnet shut down, and are relying on someone with the altruism, nerve, and seven proxies to actually do it.
I am trolling
IMHO regardless of intentions, writing/releasing something that installs/spread itself to otherwise uninfected PCs without express prior agreement of the PC owner is bad. Period.
I personally do think it's OK and even desirable for any owner of a botnet-infected computer to install something that will use the botnet mechanism itself to undo/uninfect the whole botnet though.
It's too late anyway. Presumably the Kraken authors aren't stupid and will find out about this soon, at which point expect the vulnerability to disappear.
First, the user is contacting the guys who pwned the bot server. Unlike a worm, the infected user makes the first move. Secondly, they are requesting, receiving and then executing the "cleansing code". The fact that they requested the information, you didn't misrepresent *completely* who you were (e.g. a redirect attack where someone THINKS they are logging into their PayPal account), and then they executed the code, makes the morality moot.
Why?
Because there is no law enforcement for these matters on the net today. Sometimes, in frontier situations, a form of mob or vigilante type justice becomes necessary. In this case, it would be an expression of popular democracy when a group in a frontier setting decides that some form of order enforcement is necessary in order for society to function. These spam bots qualify as a level of threat that would justify a defense of this kind because, in our current environment, these bots can't be stopped by other means.
There is also a discernible right to self-defense. Here is my analogy. If an ignorant neighbor has permitted some nut to put a machine gun on his front lawn that periodically shoots bullets at my front door, then taking action to disable that machine gun is a justifiable form of self-defense even though the form of the self-defensive act is an offensive act against the machine gun. Any collateral damage from the self-defensive act doesn't necessarily invalidate taking the action.
That means if, in the incredibly rare case that isn't going to happen, the disabling of a heart monitor does occur, the self-defensive act is still justified.
Now, spam is not an imminent danger in the way bullets are, but they are a danger. For example, I do not want my 11 year old exposed to hard core porn often promoted in much of this spam. If there is no effective law enforcement, then self-defense and perhaps a group sanctioned vigilante enforcement, even if the means are offensive in some sense, is justifiable. Note, it is not justifiable if law enforcement is available to deal with the problems, but in this case no such remedies are available.
Now -- is it legal? IANAL, so I don't know, but I think a legal defense is possible -- and -- how many juries actually go after these guys anyway?
College-Pages.com - Online Colleges, Degrees, and Programs
If the trojan (botnet client) can have its update ability compromised, "update" the trojan with an executable that first simply finds the desktop (all-users version) and adds a text file titled "you were infected, read for details.txt" saying what they were infected with, how it was removed, and offering URLs of sites they can consult to verify the details and add software to reduce their future infection risk; and secondly replaces the running version of the trojan with an exe that simply does nothing and exits, killing the infection without needing to remove the autorun lines from the registry, so little risk of error/crash.
You leave infected shit on the net, it gets killed. Easy way to deal with this.
I'm surprised nobody brings up The Shockwave Rider, which is the book from where the Worm got its name.
The protagonist wrote his own worms to reverse the worms of his enemies. They'd send worms to hack into his bank accounts or disable his electricity, and he'd write counter-worms to undo it.
Why not let Microsoft test it and release it? They already push Windows Updates out on a regular basis, why not a targeted de-worming?
Here's an option that's between doing nothing and launching a "replicating avenger":
When anti-virus software recognizes an incoming network packet as one crafted to infiltrate a machine, it responds in kind with an infiltrating packet of its own that will cure the infection. But there's no replication, no selecting of targets, only self-defensive responses.
This doesn't address every legal issue, but it does have a nice "ring" to it that I believe would sound "fair" even to non-computer savvy individuals.
Hide all sigs: Click HELP+Prefs (top), VIEWING (last on right), DISABLE SIGS (3rd on left) and SAVE (hidden at bottom).
I am more concerned with the technical details of the worm, but have no patience reading the Owning Kraken article. Anyhow, I blogged some of my thoughts here http://tientadinh.blogspot.com/ In summary, as far as I know, Kraken does not scale as well as Storm, because it relies on the DDNS providers. Plus, how the owner can orchestrate a DDOS attack is not very clear to me.