Slashdot Mirror
Kraken Infiltration Revives "Friendly Worm" Debate
Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
" is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.
What kind of idiot would have a windows box controlling a heart monitor?
Don't tell anyone!!!
All the lawyers in the world will converge on you if you do.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Determine which is worse, the malignant effects of the botnet, or the inconvenience caused by bunches of people's computers restarting unexpectedly (and the associated loss of unsaved work, etc). Kraken is used to to send spam, which affects many more people than the 400,000 people infected.
By my reasoning, it'd be okay to send out a friendly worm, I just wouldn't brag about it afterwards.
Facts do not cease to exist because they are ignored. -Aldous Huxley
"A good worm is a dead worm !", afaik.
-- Rastignac was here.
This is one of those moments where something ruthless should be done for the greater good. Then ends do not always justify the means, but in this case they would.
What do you think -- is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
:)
If someones heart monitor software is part of a botnet, they are screwed anyway or could be any second, so I say go for it.
As someone said last time this topic was up. White-hats deploying "friendly" botnets will never see any benefit, but potentially be sued into oblivion. In the end, you're infiltrating someone elses computer, that is illegal even if you do it for a good cause.
The people deploying "evil" botnets do so for profit. And they earn enough to cover the risks.
In short, we're not going to see many friendly botnets.
I lost my sig.
OMG, It's a giant squid! Run for you [CARRIER LOST]
Knowledge is power. Knowledge shared is power lost.
For FSM's sake, who thinks that heart monitors are both networked to the outside world and running Windows XP? Any manufacturer that did so would be open to all sorts of legal trouble, assuming they could get any hospital to risk using such a thing.
Best Slashdot Co
This Kraken 'bot
Oh, fear it not
The zombie slave
Needs just
Burma Shave
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
If you are going to write friendly software worms, why not take a moment to figure out what the hell kind of computer you are on, and make some decisions about whether to risk it, or simply report to someone that the computer is infected?
Am I the only one that thinks this is too simple to be questioned? Friendly.... it's a word that suggests something that does no harm. If the software can't figure out if there is no risk, then it should take no action other than reporting.
Safety, it's a big issue. VW will not be sending their high tech stuff to the states next year because of litigation concerns. They are right to do so, if there is no method to ensure your product does no harm, do not deploy it. period. unless you would like to spend time in court.
There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed.
Safety first. kill bad bots second. Sort of what the US police forces are supposed to do. Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.
If you're going to write anti-worm software, safety is a major concern if you are acting without the owner/user's permission. There is NO way around that without incurring litigation risk.
Support NYCountryLawyer RIAA vs People
The accpetability of this type of solution relies on trust, and on how much system and infrastructure resource people want to dedicate to 'social model maintenance'. Can many disparate organisations operate in this way, with their own agents squirreling in our systems on our behalf?
Is it better to have a central service that updates when mutually appropriate, rather than have services speculatively take up resources? Central resources benefit from economy of scale, but can be equally speculative in that they offer potentially glabal coverage.
Similar 'sacrifice' questions arise from P2P media solutions (e.g. Kontiki-based distribution), where users sacrifice some of their bandwidth and processing power for others, in order to obtain the media.
There is still the "messing with other people's computer" issue, of course.
Assorted stuff I do sometimes: Lemuria.org
It raises the old moral dilemma about messing with other people's computers, for a good purpose.
But the "friendly worm" issue is a different one. The main problem is control. I've done the math and published a paper on this. You do not want to be the author of an out-of-control autonomous, self-replicating entity, no matter what it does.
So, like a dog, can you guarantee that it will listen to you, instantly, in all situations especially unfamiliar ones?
Assorted stuff I do sometimes: Lemuria.org
I'm, all in favor of terminating botnet infestations even if it means terminating the OS of the computer infected. I've wondered why the computer security feild has not had more people working hard of find ways of rendering these insecure machines useless. Seriously. If its infected, terminate it.
As with many changes in technology the law is far behind. In this case they would foul of the same laws that would convict the original criminals. The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.
Botnets also span more than one country so maybe this needs to be international law.
"Because we are not employing at entry level, offshoring will kill our industry stone dead."
Thank you for supporting Microsoft and not Linux or Apple. We appreciate your business.". Sure it's not nice, but if it gets people to actually take action then I'm all for it. There will always be more companies trying to profit, new botnets, etc, but if you can actually stop the botnet from starting by educating people, then you win.
Liability for 'curing' the problem is a great question. I don't want to see the 'cure' become another infection vector. Do we know that the cure is going to disable this network, but not enable a subsequent one?
It's a lead-pipe cinch that law enforcement people will and can do nothing to disable the network, and it-- like others-- represents a huge security hole and a big problem in terms of potential misuses of the existing botnet.
The 'authority' to even legally disable botnets is onerous. What's a botnet-- is p2p a botnet? Is every torrent site a botnet? Is every Skype user enabling a botnet?
Some Van Damme coder that goes over the line to disable them might be a hero. He/she might also be the unwitting infection vector for a subsequent botnet if they don't get their own code right.
Mandatory machine cleansers might be nice, the 'system health' check that Microsoft uselessly tried to employ with Windows 2008 server. There's no leadership to vet how this might be done, and how it's kept up to date, and what constitutes potential botnet user software found and what might be useful in terms of gateways to monitor traffic.
So botnets are going to continue to be a problem until wise people decide how to first cleanse the problem, then how to design operating systems (this means you) to prevent botnet infection, and be able to distinguish botnets from p2p/etc. apps that have legitimate use-- and what constitutes 'legitimate' use.
Bottom line: nothing changes soon, because there are too many issues surrounding the question(s).
---- Teach Peace. It's Cheaper Than War.
What it has an OS independent Mac and Linux payload too?
Domestic spying is now "Benign Information Gathering"
We have this law in my country where if you can help someone who is in danger without risking to harm yourself you may get legal trouble.
I am pretty sure that a good lawyer could twist it enough to sue those researcher because they DID not kill the botnet while they could. Instead they published a report explaining to the botnet creator how to plug the hole. Next time they should just ask for a subversion comiter account a fix it themselves.
I can almost see how the patriot act could apply here. I think those guy could be arrested for helping the terrorist(tm) by the friendly bunch at homeland security.
If you can kill the botnet please do it. Me million other will drop a donation in your paypal account to cover your legal fees.
The biggest problem with this whole thing is the problem facing any system that is, on it's merits alone, a good thing, is that the operators are human. Add the human element and you have a built in exploit.
What happens if BOFH numero uno for instance gets his hands on some access? What about someone 'trusted' to run it, does that mean they are themselves free of malice? Is the system itself going to be free of security holes?
I don't think you could reasonably comfort me with an answer to any of these questions.
Seriously, is it supposed to look like that?
I do not eat meat, nor do i clean infected boxes; all life is holy...
Vulnerable SCADA systems are numerous and Homeland Security has several initiatives to get them under control. Earlier this year they demonstrated how easy it was to take over a generator and make it crash and burn ...
So, fixing worms or not has its consequences. If you are successful you might reboot a control computer and bring down the grid. If you don't somebody in Russia might. In any case, with networked controllers all over in our water, gas, and electrical infrastructure, things will get interesting eventually. It is a sad situation the people who understand enough to automate large control systems don't realize the impact of a vulnerable network on their systems.
I'm in favor of them sending the fix to shut this down but at the same time I have to wonder what part of that botnet is connected to computers that could be monitoring a life support system for a patient in a hospital or something just as critical.
The fix could cost lives just as much as the infection could depending on what happens.
~~ Behold the flying cow with a rail gun! ~~
Yes IF you can deal with the 3 main issues of 'friendly worms' (autonomous patching agents): 1/ Control (this may have been dealt with) 2/ Testing 3/ Consent I suspect the big stumbling block would be consent, any thoughts?
we are all cosmic nuclear waste
Well, you could just release the worm AND concise instructions on how to block it.
The only people I could think of that could REFUSE to update their computer / network (as opposed to just not caring), are network admins that have very good reasons (known incompatibilities, critical systems, etc.) for not doing so, or just feel more confident updating manually. If this "good worm" were to be released along with blocking instructions, this admins could decide whether to let it in or not; and the rest of the uncaring, "do as you want as long as it doesn't bother me", "i don't give a sh*t" mass would be happily up to date and (hopefully) with less vulnerabilities, for the good of all of us.
There's the problem where the "bad worms" make use of those instructions to block the "good worms" - up to you to find a solution for that problem.
English is not my native language. Corrections are not only welcome but encouraged. Thanks.
-Walenzack.
I would change the wallpaper to display a notice about the infection.
Let the user know that their computer is responsible for SPAM, identity theft, and don't forget file sharing.
Maybe even mention that the RIAA will get them if they do nothing about it.
If only they would do the same thing to the guys writing these worms.
I read the internet for the articles.
A botnet cleansing worm would IMHO be a good thing and not in the least morally ambiguous.
Imagine a similar situation among humans. A Virus breaks out which ravages whole populations. You find a cure which can be distributed by spiking the watter supply or by pumping it into the air.
I can tell you, the CDC (No. Not the "Cult of the Dead Cow". The other CDC) would only hesitate long enough to verify the safety of the cure before dispatching it.
Or lets come to a more reasonable and commonplace situation. A man infected with Rabies is not allowed to chose weather he will be treated. His infection impairs his judgment and makes him a danger to other people, therefore he is a hazard to be cured against his will.
Doesn't the same apply to a botnet member oblivious to it's own condition spewing it's infection, Spam and lord knows what else onto other computers?
Kevin.
--= Isn't it surprising how badly I spell ?
I say yes, sabotage the botnet with friendly worms/bots. The owners of the infected computers don't know about the problem, don't care or don't know how to fix it.
I say vigilante action is okay, to protect ourselves (the people in the know adminning the networks and computers being attacked).
The Official Steve Ballmer Webpage
I think there are ways they can proactively use their control over the botnet relatively safely.
They can update the infected computer with a program that causes an annoying popup to occur until the machine is sanitized by the owner. Then update the machine's firewall (if it has one) to block the controlling UDP port.
That solution should be fairly low risk.
I get so much spam of late, that I have no problem if they deliberately break the entire IP stack on the infected computers. Serves the owners right.
there are 3 kinds of people:
* those who can count
* those who can't
I think the detection method and patch solution should be handed off to the ISP. They are the ones that suffer the most damage from the worm besides the host and already have the identifying information for the customer so they can contact them in prior to the push. And to everyone saying heart monitors are no big thing, people who use network attached heart monitors do so because they have some need to be monitored. So a monitor going off line is likely going to result in a false alarm generating a trip to the hospital or at the very minimum an emergency response team being dispatched to the residence. And for someone with already substantial medical conditions, the extra expense might not be a non-trivial thing.
Oh honey look... How cute... an angry slashdotter!
I had all my servers issue a reverse "attack" to shutoff the IIS service and then put a winpopup up that their computer was infected with CodeRed virus and they need to take cleaning steps.
Buddies of mine were a bit less nice. They put the machines into spontaneous 3 minute reboot cycles. They figured that would get the users to get a clue and fix it. I though that was a bad idea.
Do not look at laser with remaining good eye.
No, don't try to fix the machines. If the authorities are watching this worm, they may be tracking down the owners. If you mess with things, they'll come after you for obstructing justice.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
...and nearly paid for it.
We were on the verge of fall break, and someone on campus had found out a 'catch-all' email address which was aliased to _all_ the university email addresses. So some dickwad started sending a weird email saying something like "Hey joe, where are you?", which everyone got, and everyone replied "Hey, I'm not joe -- who are you?" Which was then sent to everyone else.
The thing basically kept feeding back to itself and was threatening to get out of hand. Literally hundreds of emails started popping up. Of course, this was waaay back then, before the days of spam, so it was 'abnormal', 'weird' and annoying all at once. Since it was a friday evening, and knowing that at the rate it was going everyone's inbox would be flooded when they returned from the week-long holidays, I -- perhaps naively -- thought I'd put a stop to it.
I attached a large binary file to an email and sent it to that catch-all address, hoping that it would jam up the works enough that the network admins would notice.
Notice they did, and eventually I got called up to see the ombudsman -- who promptly said he was considering kicking me out of campus.
So yeah, one can have good intentions -- like what I did -- but the means to achieve that end may not be acceptable to everyone, even though it did get the job done.
My 2 cents anyway.
The Wknd Sessions - Malaysian and South East Asia independent music
I think the issue is similar to vaccination http://en.wikipedia.org/wiki/Vaccination where you will have a small part of the population vaccinated have adverse effects or die from the vaccine. However, this is risk worth taking because if the population were to be unvaccinated many more people will die or have after effects of the disease.
Shakespeare poems - infinite monkeys with infinite time.Computer tech support - a few trained ones working from 9 to 5.
If I got a pop-up like that, I would likely think that it was going to either install another virus or that it was a pop-up from a website, trying to sell me something.
There is no way I would think it was legit.
Help! I'm a slashdot refugee.
I would argue, by analogy, that it should be done, ie. the computer participating in a botnet should be patched.
Consider this example: You find that someone robbed your neighbor's apartment (who is on vacation), and left the door opened and broken. Should you fix the neighbor's door, or leave them open for anyone to enter?
The correct answer is: You should fix the door, but with the permission of the police. Therefore, I think, the computers should be patched, but with the approval of legal enforcement (if it's in the your country, patching computer in other country should be supervised by their legal enforcement).
A bot is more like someone breaking into your house and stealing your stuff. If someone was walking past your house and saw someone breaking in and stealing stuff, would you want that person to enter your house to try and stop the burglar (and to return all your stuff to you)?
Same thing applies here, would you want some random software program infesting your PC regardless of what it actually does?
Sleep ...
If you're running something on my pc without my permission, that's not a "good" worm. So don't worry about how to clean it off.. don't infect it in the first place no matter how good your intentions are.
Feel free to ask them. From my experience they build their ECG's on Windows.
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
As if leaving the existing worm would actually prevent that from happening if said computer were infected? What a crock!
Bryan
. . . how could they make it worse? I mean, what could possibly go wrong?
I used to work in a hospital on the IT side and the only 'monitoring' systems I can think of where this would be a problem aren't so much the ones that keep track of vitals but the ones used as the primary method of observation (think cath labs). Even then the vulnerable workstations/machines are used more for archiving and cataloging of imagery and procedure. Any real work is done on an embedded system with that particular piece of equipment. So if you have to get your heart cathed, don't worry as that machine probably isn't exposed to the internet. Those machines do not and should never be exposed to an open network. Some embedded systems ran a version of Linux, others were embedded NT and a couple were actually DOS (This varied by maker and age of equipment).
Someone pointed out fetal monitoring systems, I installed one last year a the hospital I worked at and the set up as as follows:
Server - (1x) Win2k3
Polling - (2x) DOS 6.22 (these boxes only relayed mesgs)
Monitoring Stations - (24x) WinXP Pro
The server itself was in a datacenter and the two polling machines were in a networking closet (easier to run lines from the actual monitoring hardware this way). The Workstations were XP and had internet access. They were locked down enough such that net access was allowed for research. Every so often one got infected (research apparently means games too I guess). It was pulled and one of the already staged spares was put into it's place until the infected machine had a chance to go through restaging. Through all this time, the nurses had MULTIPLE workstations, including two huge ass monitors (nice Dell 24inch flat screens with an 89' view angle) at the nurse's desk from which to view the babies. And they had manual procedures if the system went down. Which it was for two days during the initial move from testing into production. If there are no 'manual procedures' in place for when a system goes down the hospital is just ASKING for trouble. Granted in this case manual involved getting more nurses on the floor in that section, but they had it covered in case of a catastrophic event with that system.
While the monitoring systems may be vulernable, any decent hospital will not have it set up so the actual work horses doing the procedures are not exposed and have manual procedure in place should the machines go down.
"Quote me as saying I was mis-quoted." -Groucho Marx
If someone is killed by a zombie (botnet) they obviously become a zombie themselves. Haven't you seen the films? Chop their head off or throw New Order records at them.
I have excellent Karma and I am not afraid to Troll it.
My wife had Lasix recently, about six months ago, and I got a seat in the doctors office watching the procedure on a computer screen. The screen showed the software interface controlling the laser for the procedure - the correction matrix, the number of shots taken, the number of shots still to go, the laser power per shot and the material ablated per shot, right down to a progress bar at the bottom - all in Windows XP. Networked? I have no idea. But would you want to see a BSOD come up during the procedure?
Jealously hoarding mod points since 2007.
There is a big difference, I think, between releasing something like a worm to patch un-patched boxes -- i.e., computers that haven't been "broken" yet, but potentially could be, and hijacking an EXISTING botnet to inject a "self destruct" update into it. I have some problems with doinking with other people's computers if they aren't infected yet (there are a lot of critical things that you could break, and there may be other reasons why they haven't updated some particular part of the OS which you don't know about). I have much less problem with counter-attacking an existing threat. If someone's computer is already "owned", then they are definitely already part of the problem, and they are a direct threat to the rest of the Internet community.
OK, so it really is a matter of degrees. Some people might say that the existence of a Microsoft OS is already a state of being "infected," but I'd draw the line at being a member of an existing, identified and wide spread botnet.
Your Servant, B. Baggins
If one constructed a program which detected incoming infection attempts and counter-infected the attacking machine with a "friendly" worm - one might call it a "vaccine", even - couldn't that be classed as simple self-defence?
Been there, done that.
:-)
There was an anti-exploit for one of the early windos worms, I forgot which one. My website was running it for several years. Essentially, it was a perl script that hid behind the well-known URL that the exploit was targetting, hit the machine back with said exploit (after all, it had already proven to be not only vulnerable, but actually infected) and shut it down with a log message that should tell the sysadmin after reboot that his machine is infected.
Worked fairly well. Few hosts tried my site more than once.
Assorted stuff I do sometimes: Lemuria.org
To quote from some other post: "In a war between weapons and armor, weapons always win". It's time to take the war to the streets instead of cowering in our imaginary secure cells. Next step: take care of the servers...
double penetration;
Are you allowed to go after them?
Really, if they have a way to safely remove the infection, they should go right ahead. Preventing harm from someone without risking any other harm should not require informed consent.
If their cure involves a potential risk to the infected computer, then it's more questionable. But allowing the bot to continue to thrive is to convenience an irresponsible user whose computer got compromised at the cost of a responsible user whose secure computer is still vulnerable to DoS attacks...
do it, ofcourse. the chance of crashing a computer is much lower than the change of the botnet crashing a computer. i don't imagine they were really this reserved with the small pox vaccine. "should we innoculate?" ofcourse.
The debate seems to be if crashing a critical machine is worth taking out a bot net. Personally, I say yes, reasoning to follow. The administrators of these critical machines that run Windows know what they are doing, ok, maybe not as well as some of us, but better than most, and certainly better than average joe who's home computer became part of a botnet 3 years ago. They know what security updates are, they know how to patch systems, and they know that windows are the most vulnerable machines. They are prepared for attacks, BSODs, viruses, and any number of things which are much worse than a "friendly worm". In case you haven't faced it yet, those that control bot nets aren't playing by the rules. If a friendly worm can whipe them out, then lets be on with it! If average joes computer crashes in the process, guess what, in a technological age, he should have learned the basics, in the modern world it's the equivalent of not being able to read or do basic math. Maybe that's stretching it a bit, but if you don't think it's true yet, then it will be soon. His computer was already infected, probably with more than just a bot, but with other viruses as well. If my computer becomes infected, I HOPE one of you sends a friendly worm my way, I don't want to be adding to a bot net. Basically, if Average Joe gets screwed, a) he was already infected and b) sucks to be him. If a critical matching becomes infected. a) it was already infected and b) they are prepared to deal with it.
"What do you think - is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
Absolutely. Quickly before the worm itself crashes the machine.
You wouldn't... but the same people that get infected with every bot known to man would probably think it was legit and click on it. I've seen these people; I've seen their computers... if there's a buttons - they will click it.
You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
For those who are advocating that an anti-bot be released (or whatever you want to call it) so as to disable this pest, I have a question for you: how is someone going to be able to tell the difference between these:
1.) A user who creates and releases an anti-bot, but through an error (design, programming, whatever) inadvertently causes "harm" to the system.
2.) A user who creates and releases an anti-bot that appears to try to block the worm, but is in fact designed to cause "harm" to the system.
Recall that the Morris worm was not intended to bring down the internet:
ANDSee also A Tour of the Worm for a more detailed account of how it unfolded.
The intention may have been good, but the implementation had an unintended consequence that led to a major disruption of the internet. I remember full well the confusion at the time as the details unfolded. I was working at a major computer manufacturer that dropped its connection to the net to protect itself. Ultimately, none of our systems were hit (wrong OS), but the sheer volume of packets on the net led, effectively, to a DDOS'ing of the uninfected systems, too.
So, in a nutshell, how can one objectively tell the difference between an attempt to kill the worm that causes problems, and an attempt to cause problems that looks like it is trying to kill the worm? In a non-static environment. With our limited ability to write bullet-proof, error-free code. Besides, someone else could capture and re-purpose the good code to cause more problems.
"Kill them all. God will know His own."
"Ain't no right way to do a wrong thing."
Well, if I planned to seed a worm in a botnet that would patch machines against said botnet (or crash them spectacularly, requiring reboot/patch), my reputation is on the line. I'd probably announce "This is possible", not "I'm gonna do it".
Which is precisely what they did. Hmmmmmmm...where's my tinfoil hat?
Practice Kind Randomness and Beautiful Acts of Nonsense.
All they need to do is have each machine create a popup message on each host telling the owner they are infected, but nothing any more invasive than simple notification. They should _not_ be changing any binaries or updating/patching the machine, but the owner of the machine does need to be made aware of the problem. Of course making the machine beep every ten seconds until it is fixed might help annoy them into fixing it sooner rather than later, or at least turning the machine off.
Where are my 10 mod points when I need them? Bravo, sir! Bravo!
"Ain't no right way to do a wrong thing."
Give the white-worm to M$ to include it as a 'patch'...
A thought that sometimes makes me hazy: Am I - or are the others crazy? - Albert Einstein
The morals behind writing a "good worm" seem to generally point in a good ethical direction. Unfortunately, the morals, ethics, and understanding of people you try to help this "good worm," could bit you back, there are plenty of written laws that could make the intentions of a "good virus," a criminal offense. Let us not forget, we live in a world where a women has spilled a cup of coffee on herself and successfully put the "80% of the blame" on the fast food franchise that sold it to her. Of course the problems of this may stem from potential problems with our legal system.
Why am I reminded of the Buddhist pest controller from Goodness Gracious Me?
nm
My guess is they've announced it because they want the botnet shut down, and are relying on someone with the altruism, nerve, and seven proxies to actually do it.
I am trolling
IMHO regardless of intentions, writing/releasing something that installs/spread itself to otherwise uninfected PCs without express prior agreement of the PC owner is bad. Period.
I personally do think its OK and even desireable for any owner of a botnet-infected computer to install something that will use the botnet mechanism itself to undo/unifect the whole botnet though.
It's too late anyway. Presumably the Kraken authors aren't stupid and will find out about this soon, at which point expect the vulnerability to disappear.
First, the user is contacting the guys who pwned the bot server. Unlike a worm, the infected user makes the first move. Secondly, they are requesting, receiving and then executing the "cleansing code". The fact that they requested the information, you didn't misrepresent *completely* who you were (e.g. a redirect attack where someone THINKS they are logging into their PayPal account), and then they executed the code, makes the morality moot.
Why?
Because there is no law enforcement for these matters on the net today. Sometimes, in frontier situations, a form of mob or vigilante type justice becomes necessary. In this case, it would be an expression of popular democracy when a group in a frontier setting decides that sometime of order enforcement is necessary in order for society to function. These spam bots qualify as a level of threat that would justify a defense of this kind because, in our current environment, these bots can't be stopped by other means.
There is also a discernible right to self-defense. Here is my analogy. If an ignorant neighbor has permitted some nut to put a machine gun on his front lawn that periodically shoots bullets at my front door, then taking action to disable that machine gun is a justifiable form of self-defense even though the form of the self-defensive act is an offensive act against the machine gun. Any collateral damage from the self-defensive act doesn't necessarily invalidate taking the action.
That means if the incredibly rare case that isn't going to happen of the disabling of a heart monitor does occur, the self defensive act is still justified.
Now, spam is not an imminent danger in the way bullets are, but they are a danger. For example, I do not want my 11 year old exposed to hard core porn often promoted in much of this spam. If there is no effective law enforcement, then self-defense and perhaps a group sanctioned vigilante enforcement, even if the means are offensive in some sense, is justifiable. Note, it is not justifiable if law enforcement is available to deal with the problems, but in this case no such remedies are available.
Now -- is it legal? IANAL, so I don't know, but I think a legal defense is possible -- and -- how many juries actually go after these guys anyway?
if the trojan {botnet-client} can have its update ability compromised "update" the trojan with a executable that first simply finds the desktop {all users version} and adds a txt file titled "you were infected, read for details.txt" saying what they were infected how it was removed and offering urls of sites they can consult to verify the details and add software to reduce their future infection risk and secondly replaces the running version of the trojan with an exe that simply does nothing and exits killing the infection without needing to remove the autorun lines from the registry, so little risk of error/crash
you leave infected shit on the net, it get's killed. easy way to deal with this.
I'm surprised nobody brings up The Shockwave Rider, which is the book from where the Worm got its name.
The protagonist wrote his own worms to reverse the worms of his enemies. They'd send worms to hack into his bank accounts or disable his electricity, and he'd write counter-worms to undo it.
Why not let Microsoft test it and release it? They already push Windows Updates out on a regular basis, why not a targetted de-worming?
Barbara Felden claims prior art on the flip phone, sues Motorola, Nokia.
Here's an option that's between doing nothing and launching a "replicating avenger":
When anti-virus software recognizes an incoming network packet as one crafted to
infiltrate a machine, it responds in kind with an infiltrating packet of its own
that will cure the infection. But there's no replication, no selecting of targets,
only self-defensive responses.
This doesn't address every legal issue, but it does have a nice "ring" to it that
I believe would sound "fair" even to non-computer savvy individuals.
Hide all sigs: Click HELP+Prefs (top), VIEWING (last on right), DISABLE SIGS (3rd on left) and SAVE (hidden at bottom).
I am more concerned with the technical details of the worm, but have no patience reading the Owning Kraken article. Any who, I blogged some of my thoughts here http://tientadinh.blogspot.com/ In summary, as far as I know, Kraken does not scale as well as Storm, because it relies on the the DDNS providers. Plus, how the owner can orchestra a DDOS attack is not very clear for me.