Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

"Cheese Worm" Fixes Broken Linux Systems?

michael posted more than 13 years ago | from the also-orders-pizza,-pepperoni,-thin-crust dept.

Linux 240

Wakko Warner writes: "According to this article, a new Linux worm named "Cheese worm" has been spreading lately. The difference between this and other Linux worms is that Cheese worm attempts to fix backdoors added by other worms, removing malicious code and user accounts and scanning for other infected systems on the network. Now if someone would only release something like this for Outlook that turns off VBScript..."

Sorry! There are no comments related to the filter you selected.

Re:Someone actually did it. Awsome (1)

Anonymous Coward | more than 13 years ago | (#217646)

That would make it an antibiotic rather than a virus, wouldn't it??? "The box said that it needed Win95 or better, so I installed Linux"

Re:Ever heard of Ramen worm? (1)

Anonymous Coward | more than 13 years ago | (#217647)

Ok you know the OS wars have gone too far when you compare who has better viruses.

Re:Good worm, Bad worm. (1)

Anonymous Coward | more than 13 years ago | (#217648)

Why does this have to be so complicated? Patch servers, nagware, key revocation...yeesh. It should go like this: When you connect your computer to a public network, you must agree to certain terms and conditions. Many of course vary by ISP, but it would not be difficult to impose a couple of "good neighbour" restrictions from the Tier 1 providers on down.

First among these is that you agree not to operate your systems in a reckless or negligent fashion. This of course is vague and needs to be pinned down, but a good guideline is probably running systems outside the local firewall which have not been audited for unnecessary services and out-of-date patch sets within the past three months. It might also include running any software which contains well-known exploitable holes; from the time a vulnerability is announced you have 7 days to patch or disable the software in question. Of course, systems inside a suitable firewall are exempt from most of these requirements, which means that "suitable firewall" must be defined. All of these definitions are tricky both politically and technically, but the overriding goal is simple: be a responsible netizen, and recognize that your insecure systems represent a threat to others as well as yourself.

The obvious means of enforcement is post-mortem analysis - in 99% of all cases, any system used to propagate a worm, virus, or ddos attack has been inadequately secured. Therefore the burden should be (steel yourselves...) on the person whose system was compromised to prove that the attack was novel, or that adequate patches were not available, in which case the vendor assumes full liability for all such systems and any and all attacks based on the vulnerability. Unless it can be shown that the operator could not reasonably have prevented the attacks launched from his systems (not on his systems - a terminal attack is not covered by this, only those which are used for subsequent attacks), he must be disconnected from the network for a period of N months. Harsh? Hardly. Consider - a hotel proprietor allows violent criminals to stay in his hotel. If it can be shown that he knew, or should have known, that crimes were being committed at his hotel, he is guilty of negligence, harboring, and/or facilitation, depending on the specifics. There's an important distinction to be made here - an ordinary looking guy unknown to the proprietor who stays one night and quietly kills a man while there presents no liability; there was no reasonable way to have expected the crime. On the other hand, if the proprietor is aware that drugs are being sold, and he allows the guest to remain after that time, he incurs liability. It's the exact same thing - by allowing criminals refuge, lazy and incompetent operators are jointly responsible for actions of the criminals they harbor.

Understandably, these tough requirements will piss people off. Many who can't be bothered to learn how to secure systems and choose not to hire competent help will be cut off, forced to outsource their Internet presence to those who are more conscientious. There will be costs associated, as with any security initiative, and in some cases they may be quite high. But there is no reason we should all have to suffer service interruptions so that Joe Six Pack can run his unpatched Red Hat 6.0 system exposed to the world. Internet connectivity is a privilege, not a right. It's time to send the message that if you don't earn the privilege, you will lose it. This is what's called self-regulation. The Internet is a hierarchy - each provider need only be responsible for ensuring compliance by it's own customers and everyone will be covered. Or would you rather the governments step in and implement some wildly broken, hideously expensive scheme to "protect the children?"

I for one am ready to pull the plug on these jokers. You're on notice: maintain your systems or get the fuck off my network.

Re:But do I trust it? (2)

Anonymous Coward | more than 13 years ago | (#217652)

If you have any savvy at all, this worm will not hit you since you have patched your system yourself. This is designed for those without savvy. A protective angel. Protecting you while you don't realize.

The idea is brilliant.

Re:But do I trust it? (2)

Anonymous Coward | more than 13 years ago | (#217653)

I'd rather have fixer worms running amuck then hacked drones flooding things. If you're clean, it'll pass right by you, if you're dirty, it will attempt to cleanse you. If you were dirty and it fucked up your box cleaning you, then fix your holes quicker next time and you won't have to worry. This might sound cold but if admins were more aware, worms like this wouldnt spring to life.

The problem... (1)

drdink (77) | more than 13 years ago | (#217655)

This worm looks good at first, but the problem is that a worm is a worm. I don't want any worm-style program doing anything to my machines, whether good or bad. As an administrator, I want to know every damn single thing that is done to the machine on the level that this worm operates at. This worm may look friendly, but the next one might not. Secure yourself to avoid all worms, not just bad ones.

Re:Two sides ... (1)

Naikrovek (667) | more than 13 years ago | (#217657)

This doesn't have to stop, are you nuts? until every person knows how to secure their boxes (never) things like this will do good, at least the ones that are meant to.

There will always be room for these "goody-2-shoes" worms in my world, because I know how to secure my own boxes against them. Whoever doesn't deserves what they get, good or bad.


Good Samaratin Worm. (2)

Craig Maloney (1104) | more than 13 years ago | (#217658)

It's nice to see something like this out in the wild. Honestly I think I get a probe from a wormed machine at least once a day now, if not more. Good to see someone taking advantage of the situation to spread something good. Now if they'd distribute those Anna Kornukova pictures and the animation of Snow White and the Seven Dwarfs that the outlook viruses promised, I think the writers of this worm would be sainted. :)

At least they don't send you a bill (2)

brion (1316) | more than 13 years ago | (#217659)

or it could be some odd sort of new Antivirus software prototype (laugh!)

Naw, if the antivirus folks were behind it, it would also look for credit card numbers so they could charge you for the priveledge of having your system secured.

But do I trust it? (5)

mikl (2371) | more than 13 years ago | (#217663)

The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?

Further, it is still using my system resources (bandwidth, etc.) to spread itself without my permission, which amounts to trespassing in my book, even if it is supposed to "help".

If we start allowing worms such as this one back on our systems, just because, "Well, it might help", it won't be long before somebody combines one that fixes one hole while making a new, bigger one.

Origin of the name "Cheese worm"? (1)

Jack9 (11421) | more than 13 years ago | (#217677)

The name may have come from the program "queso" which is an augmented variant of nmap which was used specifically to look for trojans and OS type based on packet flags, etc etc, used extensively by script kiddies.

Often wrong but never in doubt.
I am Jack9.
Everyone knows me.

the value of this thing (3)

mr_burns (13129) | more than 13 years ago | (#217680)

This is valuable not because it fixes a hole. It's valuable because it makes the community look cool.

Think about it. In the 'doze world, there's MS, the, the Vendors and the hackers on a bad day. There is no sense of community...if you help your're likely breaking some kind of law.

On the other hand, with Open Source, here's an instance where some lone hacker takes a paradigm and smacks it upside the head for our mutual benefit. This is wonderful PR!!!

Just when MS gave a speech about how Open Source OS's are insecure, and the community aspects are negligible at best, this guy kills both birds with one stone. And it didn't cost any of us a "beer" dime.

You just can't buy publicity like that. I think I'll start preaching "Random acts of kind InfoWar". Really....this whole thing is a head scratcher we could use to our advantage.

oh.....check /var/log/messages NOW!!!

Major problem with this sort of thing ... (1)

Roy Ward (14216) | more than 13 years ago | (#217681)

is can you trust it?

Not so much that someone could give this a malicious payload (although that is possible), more that all software contains bugs, so even a 'good' worm could have unplanned unpleasant side effects.

On the Macintosh (a platform I am more familiar with), the vast majority of viruses were benign (as in did no deliberate damage), but many of those had bugs or resource usage that caused infected machines to have problems.

If I got this worm, I'd still have to treat the machine as compromised - of course that may be no great loss given that it only infects already compromised systems.

Roy Ward.

Kind of Amusing . . . (2)

Robotech_Master (14247) | more than 13 years ago | (#217682)

. . . to see people complaining about this worm, even as harmless as it is. "How dare they patch our systems! We want to be used as catspaws in denial of service attacks!" If they find out who wrote it and try to prosecute him for damages, will they have to make it a negative amount since it essentially fixed a broken system, instead of the other way around?

Sure, the idea of a worm in general might not be a good idea. But then, the only people who will be affected in a nontrivial way by this worm will be those who've been infected by another, malevolent worm anyway. Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong, if the one wrong meant there were all those compromised computers out there that could be used in Denial of Service attacks, and the second wrong took those out of the equation.

Re:It leaves this message... (3)

Zico (14255) | more than 13 years ago | (#217683)

And how long before someone modifies the Cheese worm so that it still patches the system from 1i0n, leaves that exact same message, and then goes and deliberately opens up a brand new hole for exploitation? I'd say seven days is a conservative estimate. If it appears that your system has been "patched" by the Cheese worm, you're best off wiping your system and restoring from backups.


Re:Avoid nasty Linux bugs (1)

Spruitje (15331) | more than 13 years ago | (#217685)

What the hell? AOL uses Unix systems. Most of their network is based around Unix servers.

Yep NSDi.

Interesting Concept (2)

thesteveco (20012) | more than 13 years ago | (#217688)

Could you imagine how wonderful something like this could be for all the rookies out there? Especially if it was configured to constantly look for updates from a known-safe location managed by a group of white hats, constantly updating the system and patching necessary software?

What a great deal of sand in the face for Microsoft to learn of the open-source community banding together to secure the systems of the untrained, locking them down against participation in DDoS attacks and such. As if they don't already need a bulldozer to get the sand out of their faces with all the high-publicity IIS compromises of late. =)

Sure, some of us don't want something like this getting onto our systems as it demonstrates that we've not locked it down well enough to begin with. But for those who truly *can* stop it from exploiting known vulnerabilities, we obviously don't need it. However, I'd wager that well over 90% of the people using Linux don't know what to do to lock their systems down.


(that is, until someone finds out that this worm is actually doing something malicious while pretending to patch the system)

Re:Why... (1)

spectecjr (31235) | more than 13 years ago | (#217693)

I've got a halfway there solution for that: p []

20kb of quick anti-script-virus bliss. Basically forces all script files to open in notepad by default, instead of run. You can still run them by selecting Open from the context menu though.


Not so much a virus or worm.. (1)

MrCreosote (34188) | more than 13 years ago | (#217696)

More like a dung beetle.

It's a dirty job, but someone's gotta do it

In the "impressive, but not really" department... (4)

Platinum Dragon (34829) | more than 13 years ago | (#217698)

It's rather sad to see a worm do the work for clueless sysadmins. I'm not a sysadmin in the least, yet somehow I do a fairly decent job keeping my DeadRat 7 box updated and locked down as much as I can.

A while back, I noticed a port 111 scan from what appeared to be a company's mailserver, setting off "worm" alarms in my head. Though I normally ignore such things, I was in a rather giving mood, and decided to alert the company of their potentially compromised box. Several bounces and lack of replies later, I gave up. The company just didn't seem interested in making it possible to report potential security holes or server problems - no addresses on their website, several possible leads gathered through bounces failed, and the whois lookup revealed a Hotmail address for the technical contact. I wonder how many other companies are as difficult to warn, and may not even care that their boxes are insecure.

Maybe I just don't understand how hard it is to be a sysadmin, but can it be that difficult to at least glance at your operating system vendor's updates site once a week to check for patches and warnings? Is it that hard to do a simple system lockdown after the initial install and reopen services as necessary? Or am I just clueless?

<Blatant flame>
Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...
</Blatant flame>

Sorry if I insulted anyone with that short rant, just thoroughly unimpressed by the number of port 111 scans I see coming from what should be very carefully watched boxes all over.

Re:But do I trust it? (3)

rarose (36450) | more than 13 years ago | (#217699)

You forget: This worm is no skin off you a55 as long as your system is secure. I don't see anything but goodness here...
If you don't like worms, keep your system secure before you get hit.

What happens when ... (1)

perrin5 (38802) | more than 13 years ago | (#217701)

Someone modifies this one to do some other useful stuff, like say turn off and remove telnet, and vulnerable apps.

I had thought about this when the first linux worms this year started getting announced. I can see it now on securityfocus:

The worm installs itself on the macine, checks for the instalation version, logs into the bug report homepage for that distribution, and updates all of your packages or binaries from a set list of servers...

kind of pleasant (2)

seanw (45548) | more than 13 years ago | (#217707)

hmm, I know this kind of worm is really a virus in itself and not a good idea or something to welcome, but I have to admit I kind of like the idea myself. it's nice to think of a benevolent force propagating itself out amongst the web. there are enough malevolent ones to go around.


Re:kind of pleasant (3)

seanw (45548) | more than 13 years ago | (#217708)

and, thinking more about it, this has possibilities. this could be used as a distribution system for almost instant bug fixes, via "worming" the systems together. participation in the chain would be voluntary, of course. but, like another poster already suggested, it resembles the human immune system. and using this kind of "swarming" bug fix/patch distribution system would result in exponentially faster bug fixes. the admin doesn't even need to be awake.

and new systems would be patched immediately, no more hunting down and downloading a bunch of old fixes every fresh install.

imagine bands of roving web worm maintaining and managing the security of the net. am I just tired, or does this sounds really cool?


earth worm worm (4)

seanw (45548) | more than 13 years ago | (#217709)

oh I get it, kind of like the "earth worm" of the computer virus world. it's a bug, yes, but you want it in your garden; it's good for the soil.

just don't believe people when they tell you that you can cut it in half and both halves live


SysAdmin Worm (2)

Velox_SwiftFox (57902) | more than 13 years ago | (#217712)

The worm installs itself on the macine, checks for the instalation version, logs into the bug report homepage for that distribution, and updates all of your packages or binaries from a set list of servers...

It'll need to detect I've rebuilt Sendmail with regular expressions, and connect with some machine out on the net that has the same version of gcc, libraries, et cetra as I used on the build machine to create the binaries.

It'll do the same for SSH, turning on the ability to invoke it from inetd, and without opening the hole closed by turning off X forwarding.

It will need perhaps the skill to rebuild Apache properly to include mod_perl and OpenSSL.

Somehow it will know which of my two Perl binaries it will update.

I think I know what to name it.

Missing the point (2)

Gorimek (61128) | more than 13 years ago | (#217715)

If you're making a conscious decision you would of course lock your door while on vacation. But if you didn't, it sure would be nice if the first stranger who discovered it locked it for you, and checked the gas and watered the plants while he was at it.

It's a bit like someone turning in a wallet he found instead of keeping the money for himself.

Re:Someone actually did it. Awsome (1)

Drooling Iguana (61479) | more than 13 years ago | (#217716)

Got any data to back that up? I'd be interested to know exactly what it was supposed to do, and why it went wrong.

nicely done... (2)

joq (63625) | more than 13 years ago | (#217718)

Kudos to the person who made this one, although I'd still be leary about with even this one "worm" especially when groups like s0ftproject [] keep creating these sometimes outrageous backdoors.

Someone should set out to write an informative document which isn't so bloated with too many tech terms for the newbie Linux admin [] that shows them how to lock down their Linux systems on an install. I wrote a lame one about 2 1/2 years ago, but never bothered following up on it.

Education, education, and more education. I wonder how come many complain about security, when so little take a few hours to actually inform themselves of the risks/fixes for typically easy problems.

2600 is being run by Peter Pan []

It leaves this message... (4)

The-Pheon (65392) | more than 13 years ago | (#217720)

# removes rootshells running from /etc/inetd.conf
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# Infact, it was written to try and do some good.

Reminds me of the 70's (2)

Allnighterking (74212) | more than 13 years ago | (#217729)

There was a worm back then that was spread by data disks and tapes called animal. Now animals like to eat. They also store food for the winter. So animal would slowly grab any and all available memory *of any kind* it could find. Until the mainframe choked due to insificiant memory. The cure was a worm called hunter. Now hunters, hunt animals and kill them. What hunter would do is replicate itself onto disks and tapes and first look for animals. If it found one it killed the animal and then would lie in wait until it saw anouther one. I also would like to report that within a few weeks the animals were all extinct.

Re:Neat.... but... (2)

blakestah (91866) | more than 13 years ago | (#217737)

I wouldn't trust this would secure my system. The only way to do it is to go through the security bulletins, patch, patch, patch and conf like mad.

Obviously. If you KNEW you were compromised, you would reinstall if you had half a brain.

However, if you did not KNOW you were compromised, it might be nice to have the "white" virus remove the holes before more malice comes to your box.

I think that is the entire point.

Re:You've got Root! (1)

niekze (96793) | more than 13 years ago | (#217741)

I know :)

Re:Good worm, Bad worm. (1)

niekze (96793) | more than 13 years ago | (#217742)

Well, I did kind of misread your post to be suggesting something of a 'autopatching' idea. But, you misread my response as a 'make it difficult' patching system. But, we can find problems with *any* level of patching system. What happens if someone sets off your car alarm everynight, but doesn't break in the car? After a while, you start ignoring it. The real problem is the software itself. Many software products have this 'more more more' mantra and don't worry about things like bugs. I'd suggest a weekly 'patch check' for systems. Not often enough for someone to get annoyed by it (windoze critical update fails that one) and still often enough to stay current. (I'd suggest more often, but once again, people get numb.) I think this would be a good 'Ask Slashdot' question. What kind of patching system provides the best balance of security and effectiveness.

And yes, I agree that hacking a patch server would be a considerable challenge, but the risk is too high. I think the best 'fix' is to stop shipping distros with services enabled. If you need it, you'll turn it on. If you don't, you won't. Not a great solution, but it would blanket quite a few of those 'lazy' users. Essentially, I don't think it should be 'difficult', but it shouldn't be 'trivial', since, given the word, would make it something that didn't matter.

Look at RedHat's errata page (hmm. I havn't in years) and you'll find a bajillion patches. Who the fuck wants to download a bajillion patches? Personally, I *wouldn't* spend 2 hours downloading and applying patches, it just isn't worth it. I'd quickly find something better. I better stop now, since I am rambling...

Re:Better Idea (1)

niekze (96793) | more than 13 years ago | (#217743)

Well, obviously it isn't that simple. But, what can you do? It really isn't easy to protect against exploits that aren't public. But keeping up-to-date with patches is a start. The goal is to make yourself a harder target. I did oversimplify it, but hell this is /.

A good firewall, good admins who keep up with security, encrypted communication, Intrusion detection systems, physically secure machines, and proper management of services won't make you 'unhackable', but you quickly seed out most of the script kiddies like you mentioned. I could talk about security all night and I still would leave things out. Like minimizing effectiveness of a hack (chroot jails, physically read only binaries, etc) or even transparent bridging where the machine doesn't have an ip. We can both agree that 'security' is an unreachable goal, but every step away from 'insecurity' reaps positive results. Besides, you know how it works and my comment wasn't directed at you. It was directed at those who really have no idea about the importance of security. (which is fear is a *large* percentage of the /. crowd)

Re:Good worm, Bad worm. (1)

niekze (96793) | more than 13 years ago | (#217744)

Of course, systems inside a suitable firewall are exempt from most of these requirements, which means that "suitable firewall" must be defined.

Hmm. Think how hard it would be to make a trojan like program where it contacts a http server (which would most likely have no problems with a firewall) and then gets instructions from the attacker's site. Perhaps downloading tools to attack the firewaill from the inside (not everyone secures the firewall from the inside) or perhaps sends the contents of a directory listing inside a form.

Such is the problem with security. Kinda reminds me of Dubbyah's missle defense system. Build a rock-solid defense and not many will test it out. Instead, they'll try to get around it. Plus, if any ISP were to create 'mandatory security' policies, one of two things would happen: People would secure their boxes or AOL would gain quite a few more customers. :) Not even getting hacked will convince people to take security seriously.

Better Idea (2)

niekze (96793) | more than 13 years ago | (#217745)

Why not make a worm that installs OpenBSD on other machines? It would save time. I don't think a worm would be 'smart' enough to patch all 200+ exploits in the latest RedHat distro. Oh well....Security isn't magical or mystical. All you have to do is stay current with exploit advisories and patches.

On the flip side. This worm is still using other machines unauthorized and I am sure the author could get in considerable trouble with the law. Shit...what about all those nice honeypot networks that are supposed to be all messy and bad. (redhat full istall..boom honeypot)

Nevertheless, this will probably get negative spin:

"Linux Users are so mindless about security, that vendors have to release worms against their users to protect them from hackers."

You shouldn't try to force people to be interested in security, especially against their will. It's like using the ATM in the worst part of town at 3 AM. Not a good idea. Once you get mugged, you will start worrying about security.

Re:You've got Root! (2)

niekze (96793) | more than 13 years ago | (#217746)

Sorry, I wouldn't say that Debian is more secure than Win2k. Find a Win2k admin that thinks security is an important issue and compare him with a debian admin who doesn't. The results will show up. It works both ways. Look at OpenBSD. 4 Years without a remote exploit in the default install. This comes from 2 things: a source audit for bugs (any bugs. since exploits can appear from places previously thought unexploitable.) and they don't have a base install that turns *everything* on by default. I seriously think linux security would jump a few notches if they just didn't turn all that crap on by default. I've seen people install RedHat and have DNS, Web, Mars, Samba, nntp, ntpd, nfsd, ftpd, telnetd, and countless other services and they couldn't even tell me what 4 of them did. "why not, I might need them later." is the usual response. what the fuck? Learn what it is, then learn how to turn it on. Maybe in that step, you'll realize that you don't need DNS running from every box on the network (especially that nasty, bug-filled bind 8.) I've said it many times: There is no absolute security. The only thing you can do limit access, run only what is necessary, and keep up with patches and the like. I figure your comment was just for humor, but Debian ain't a uber-secure system either. Shit, it responds to pings sent to the broadcast addy by default. Just what we need.

Re:Good worm, Bad worm. (5)

niekze (96793) | more than 13 years ago | (#217747)

I agree with most of your points except one, which I *really* disagree with.

Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.

Just look at primary network time servers. Imagine if *everyone* had ntp get the time from a pool of ntp servers. Now, imagine someone hacking these servers and changing their time. Boom, everyone's time is now incorrect. But that doesn't even come close to automatic 'fixes' for buggy code. Imagine someone hacking the Patch Server, then inserting a 'patch' that contains malicious code. *BOOM* Every motherfucking machine that uses that server is then 0wned. It sounds great on paper, but isn't a good idea. Plus, you shouldn't make security that brainless. I was baffled by OpenBSD only releasing source code patches. Then I realized that if you want to patch the binaries, you have to learn how to patch the source and then you've learned a bit more about how the system works. Plus, you don't have to worry about finding a binary patch when the distro supports a bajillion architectures. If I remember correctly, RedHat dropped Sparc they release patches for Sparc anymore? If not. You'll need the source. Good thing you learned how to do it in OpenBSD. (sidenote: the patches usually have the instructions in them, so they are relatively easy to use) But I realize you probably aren't suggesting auto patching. But if you aren't, then your idea is lost. People will realize security is an important issue, either the hard way or the easy way.

Re:Good worm, Bad worm. (1)

vultureman (98555) | more than 13 years ago | (#217751)

..I'm the one with the anti viral software.

With apologies to Bruce ,
Campbell that is.

Re:Good to see (2)

Trepalium (109107) | more than 13 years ago | (#217757)

It's certainly a nice idea, but rather misguided. It's generating traffic that people who do maintain and check firewall logs would rather not deal with, and doesn't fix the core problem -- machines that aren't kept up-to-date with security fixes. You'd think that with all the press these self-replicating worms are getting that people'd be more vigilant about updating their systems. Hell, I was gone for a week and was nervous about not having the systems constantly up-to-date.

Re:Neat.... but... (2)

tftp (111690) | more than 13 years ago | (#217759)

I wouldn't trust this would secure my system.

Well, this cheesy virus can "infect" only boxen that got the virus and stay unpatched for a long, long time. These are likely to be unattended or purely adminned boxes. They can become a breeding ground for a new wave of DoS attacks, but now they are fixed as easily as they were br0ken into.

This is a totally new, proactive approach to Internet security. As soon as new virus is found it gets rev-engineered and an "antibody" is released (officially, from very official Web site, cryptographically signed if you like). This can be permitted by laws.

This antibody then may check certain file in certain place, like /etc/please_no_antibodies, and if this file does not contain a valid gpg-signed request to bug off then it proceeds, cleans up the virus, creates log of changes and mails it to the box owner.

Thinking commercially, this can be even a subscription service. You register IPs of your boxen on the Net, and the service scans your boxes (from a central server) from time to time; if the box is r00ted with known virus then it will inform you.

Even if you don't like this "commercial" approach, I hereby transfer this business plan into public domain. Logs of /. and Google will preserve it forever. Patent this! :-)

Re:You've got Root! (1)

rjamestaylor (117847) | more than 13 years ago | (#217761)

Dude - it was a joke.

You've got Root! (2)

rjamestaylor (117847) | more than 13 years ago | (#217762)

Now if someone would only release something like this for Outlook that turns off VBScript...
How about a worm that automatically detects insecure installations (Win2K, say) and automatically patches them with the recommended patches (Debian, say)?


Re:But do I trust it? (2)

CaseStudy (119864) | more than 13 years ago | (#217764)

This is stupid. Of course you shouldn't trust it. You should fix the holes yourself, and not allow the worm on your system.

However, for those who are less security-conscious, this is a Good Thing. Not infallible, and not the best alternative, but perhaps (and only perhaps; I don't know enough to judge) better than leaving the system wide open.

Re:Two sides ... (1)

Forrestina (120989) | more than 13 years ago | (#217765)

i think the diamond age comparision is quite a good one.


Microsoft has this already (2)

Animats (122034) | more than 13 years ago | (#217766)

Doesn't Microsoft have something like this already? Isn't there a Trojan horse in Windows 98 that periodically contacts Microsoft HQ and downloads patches?

Re:Why... (1)

samorris (125056) | more than 13 years ago | (#217768)

The platform SDK is actually fairly well documented now... its gone from abysmal to nearly excellent in the last five years. (I'm sure people that were playing with this stuff before five years ago will say it was even worse before NT4 was released)

But IIS its a very complicated thing to evaluate because in addition to auditting the usermode code, its spud.sys actually registers a new system call table for use by IIS... so you have to audit those system calls' behavior within the kernel in addition to the normal NT system calls called by IIS, along with the usermode code and all of its places it interacts with extensions.

But for killing a crashed service, it should die if it doesn't have an exception handler registered from a __try block... unless you have a non-default system debugger set (I've had numerous cases where services have died from unhandled exceptions... perhaps there more to the problem than it apparent initially: have you verified which thread is crashing?). If there's a reason you need to be catching your exceptions with a __finally or an __except, you might be able to support to your service control handler routine to detect the problem and return a SERVICE_STOPPED status on a SERVICE_CONTROL_INTERROGATE request so that some other watching service can learn thats stopped and restart it.

As for a fork(), yes, the lack of an equivalent in the Win32 API has definitely been a royal pain on occasion... more than a pain, actually. One solution you might look at, if you don't mind using the native API, is Gary Nebbett's example in chapter six of his book [] with does a fairly thorough implementation of fork() for Win32 processes. Its a bit painful... the native api's process routines definitely make Win32's already painful CreateProcess() look trivial, but if you need a fork(), it might by one solution.

Another interesting approach to fork() is cygwin's... its not as elegant, as they're confined to the Win32 API, but it does work, though you'll want to strip out the cygwin-specific stuff.

Two sides ... (5)

legLess (127550) | more than 13 years ago | (#217769)

On the lighter side, this must really tweak the folks at the Honeypot Project [] . "Dammit - just when we got the network nice and insecure, those cheese bastards fixed it! Where's that RH6.0 CD?" They'll be in the unenviable position of having to protect their systems against worms just so that they can be 0wn3d by script kiddies.

On the darker side, this reminds me of the "toner wars" in Diamond Age [] , where good and evil nanites ("mites") battled in the air, and the carnage was horrific. Going outside during a toner war was like breathing straight graphite powder. Is this the future of security? The future battleground for white hats and black hats?

It's a cute idea, really, but it has to stop. All property rights aside, we cannot afford to fight this war in this arena. The point of having an army (if I may carry the analogy a little farther) is to keep the enemy away from civilization. But in some ways the battleground already is the property we need to protect; worms are in a real way terrorist rather than military. What's to be done? Education, and lots of it. Hope it's enough.

question: is control controlled by its need to control?
answer: yes

Re:Avoid nasty Linux bugs (1)

Code Archeologist (128429) | more than 13 years ago | (#217770)

What the hell? AOL uses Unix systems. Most of their network is based around Unix servers.

Clever spoofing though.

Re:Good worm, Bad worm. (1)

evilviper (135110) | more than 13 years ago | (#217775)

You say OS manufacturer's should become more responsible and make better default decisions. While true for Windows/Linux, OpenBSD does exactly that, and other BSDs (to a lesser extent) try to do the same. If you want a more secure OS, you use a more secure OS. Unfortunately, most people out there aren't installing Linux because it's secure, and securing it would give the majority of users a much harder time.


Now I've seen it all..... (1)

jailbrekr2 (139577) | more than 13 years ago | (#217776)

A Linux virus that fixes things, as opposed to the majority of virii (which are windoze based) that do damage.........

I'm sure there is something about this which can be used to express the advantages of open source, but I can't quite think of it right now. I'm too busy laughing my ass off.

Neat.... but... (2)

Darth Turbogeek (142348) | more than 13 years ago | (#217777)

I wouldn't trust this would secure my system. The only way to do it is to go through the security bulletins, patch, patch, patch and conf like mad.

I really dont like the idea of worms like thi. I sure as hell dont like the idea of ANY worm or any mutant program trying to do something to my systems without me knowing. Whatever reason it was done for, thanks, but no thanks. I'd rather secure my system the old fashioned way.

Re:Neat.... but... (2)

John_Booty (149925) | more than 13 years ago | (#217780)

Well, it sounds like this worm only affects you if you've already been compromised by the other one- it enters through the same backdoor.

I mean, yeah, I agree with you- not a good idea to rely on benevolent virii to have a secure system, lol, but this "benevolent worm" is only gonna affect those who couldn't or didn't secure their own systems "the old-fashioned way" :-P []

Something I think should be said... (2)

aardvarkjoe (156801) | more than 13 years ago | (#217781)

Well, I see about 12 +n, Insightful posts saying, "Well, even though it tries to do good, it's not a good idea/it's a bad precedent/I wouldn't let it on my system/etc." This thing doesn't need your approval or disapproval any more than a malicious worm. Of course you don't trust someone else to anonymously fix your system. Only a complete idiot would infect themselves on purpose. But saying "I don't think it's good" on Slashdot doesn't secure your computer.

The real good I see in it: if this shows up on your computer, you know that you haven't been taking appropriate safety precautions. Count yourself lucky that nothing bad happened, and fix it.

Re:Why... (2)

john_many_jars (157772) | more than 13 years ago | (#217782)

Hey, I've got a thought. Let's write a security patch for IIS. Wait a sec, am I supposed to rewrite a dll? To do this, I would need the api for the dll. have you seen the MS SDK? There are so many partially documented functions, not to mention evidence of undocumented functions as far back as Windows 3.1, possibly farther. You can't rewrite the dll since you don't know what the undocumented functions are doing. Believe me, there have been many _many_ times I wish I could fix NT's inability to kill a crashed service. A service that crashes when a thread tosses the ms equivalent of a SIGSEGV. I would also do my best to add a POSIX.1 pid_t fork (). I am in no way proseltyzing, just presenting facts.

well (1)

confucious (159379) | more than 13 years ago | (#217785)

it's nice to know that I don't have to worry about keeping my box secure anymore. I can just wait around for capta1n inf3ct0 to send out the anti-worm every once in a while!

MS (what else?) (2)

kruczkowski (160872) | more than 13 years ago | (#217787)

Does anyone know of something like this in Windows? This is a great example why I recomend Linux to people. Community. People willing to help. Logon to IRC and ask, someone will help, search google for your problem and you'll find a answer or at least a clue.

Try to search "Windows NT unknown error" on google!

Better not be swiss (1)

Narmi (161370) | more than 13 years ago | (#217788)

Too many security holes to patch up.

Say what? (2)

ZoneGray (168419) | more than 13 years ago | (#217790)

"if someone would only release something like this for Outlook that turns off VBScript..."

Hey, wait just a minute there. I get paid good money to do that. Don't go replacin' me with no worm.

Re:But do I trust it? (3)

tvon (169105) | more than 13 years ago | (#217791)

I dont think anyone would "let" any worm into thier system on a voluntary basis, but if you read the story I believe it will tell you that the Cheese worm enters via a port that the 1ion worm leaves open. So, if you get the Cheese worm you have already been attacked and most likely didnt know about it.

The fact is, if you are security concious and have all the latest patches and follow the proper regime for maintaining your system, it is fairly unlikely that your system will ever get compromised......and if you "let" any worm into your system you should be shot without any hesitation.....though in this case if the Cheese worm _can_ get into your system it seams to mean that you have already been attacked and your sysem is not what harm could it do?

# Tom von S.
# -------------
# "Nuclear weapons can destroy all life on earth,

Cheese Pleez (2)

jester-tx (170962) | more than 13 years ago | (#217792)

I should not be posting, as I am quite drunk on Yagermeister. BUT -- being a Linux/Windows sysadmin (is that bi?) I find this article particularly hilarious/intriguing/hopeful. So there are alot of script kiddies out there just prone to doing damage and otherwise very fscked up shiite. Why not work for the right side of the force? I happen to work for a company (name withheld - faux humility) whose product, although profitable for us, is a noble and useful thing. Companies that are wise enough to use it often save half a million and up -- Mainly helping geeks like ourselves as well as others to be gainfully employed in a fraction of the time it might normally take. All the fluff aside - we are a mixed linux/windoze environment and to be frank, ILOVEYOU seriously kicked our asses for at least 3 hours. Just the thought that someone would write an anti-worm gives me great hope, even FAITH in the human condition. Some folks deserve massive downtime, I agree, but some definitely do not. More power to this digital angel I say! Linux renewed my faith in computing - but I have found that the ones today who really have huevos are those who are truly platform independent. And that does mean Windoze. And VBS. And Activex.(excuse my vomit).
I feel like a geek Rodney King here - but the goddamn salespeople have got to use something they can somewhat understand! Lusers or not. Am I not right?
I'm getting off subject - great post though. Got me fired up.

what this worm does... (1)

zentex (176409) | more than 13 years ago | (#217795) different from installing linux how?

I actually tried the install of RH...I laughed at the X-based was sooo cute...and then my jaw dropped as i seen what it considered "default applications"...installing stuff you dont want or need is no different than this worm fixing backdoor's w/o your consent or knowledge..

all aside, it's pretty sad that it takes a worm to patch a server...

(smell something? I do, it's called flamebait :)


Why... (1)

Karl_Hungus (180893) | more than 13 years ago | (#217801)

Now if someone would only release something like this for Outlook that turns off VBScript...

Why would you want to do M$'s work for them? Besides, wouldn't linux zeal- uh, I mean, advocates no longer be able to wave that particular weakness around when proseltyzing? Just a thought.

Re:Why... (1)

Karl_Hungus (180893) | more than 13 years ago | (#217802)

Your example is a different can of worms. The suggestion was about disabling execution of VB scripts via Outlook; the problem there is one of bad default settings, which can be fixed without access to the source code or fully-documented APIs. And yes, the "proseltyzing" remark was meant tongue-in-cheek. ;)

cool1 (2)

gregoryl (187330) | more than 13 years ago | (#217805)

- Internet Anti-Bodies

Now this... (1)

7-Vodka (195504) | more than 13 years ago | (#217807)

IS very interesting indeed!
This is a whole new concept for the linux community, now you can help look after other careless peoples mistakes and make linux more secure!

This would be great as a full-time project for someone. It works kind of like a distributed effort and is completely automated. When someone releases a new toy for the script kiddies it should be even easier to release the patch, but a MOBILE patch in this case. Awesome..

Oh but I would suggest that the roaming patches like this worm only inform the owner of the box of a URL where a disinfectant can be obtained, that way the 'good' worm won't damage some systems by accident.

"just connect this to..."

Re:Is this really a good thing? (5)

phaze3000 (204500) | more than 13 years ago | (#217812)

It may use your CPU cycles, but if you were remise enough to fail to patch well-known security holes then you should be grateful someone is using your CPU time to stop your PC from being used in malicous ways. This worm will help deplete the number of boxes which script kiddies are able to use to crack other systems - which can only be a good thing.


Re:Ever heard of Ramen worm? (1)

Cirvam (216911) | more than 13 years ago | (#217820)

I think his point was, there is a helpful virus for linux. How many helpful viruses do you know of (in the wild) for windows? Not the lack of destructive viruses, although if 1/4 of linux worms are helpful (Ramen, Lion, Adore, Cheese) that's a hell of a lot more then on a windows based platform.

Re:Wait a sec... (1)

Cirvam (216911) | more than 13 years ago | (#217821)

You seem to of missed the big point with this worm. It only gets in though a back door left by the l1on (or whatever) worm. Therefore, if you secured the system in the first place neither would of gotten though

Macintosh AutoStart worm (2)

SirDrinksAlot (226001) | more than 13 years ago | (#217826)

When Autostart worms were going around sneaking their way onto CD's and spreading across networks a mysterious variant showed up on a MacAddict cd that did pretty much all that execpt it removed all the others and protected you against them. It also removed it self on Christmas day.

Is this really a good thing? (4)

hillct (230132) | more than 13 years ago | (#217829)

So, someone actually did it. They wrote a worm that did good rather than bad. Cool, but it still trespasses onto my box, uses my CPU cycles and bandwidth to propogate itself.

This may be a white hat release, or it could be some odd sort of new Antivirus software prototype (laugh!) but in reality it's just a virus/worm like any other. The payload is just some wierd combination of benign and melignant (but not militious per se). I still object to any software that modifies my system configuration for me, regardless of it's moralistic approach.



technical aptitude? who needs that? (2)

corvi42 (235814) | more than 13 years ago | (#217831)

Surprised nobody noticed some of the glaring holes
in the technical quality of this article. Its really sad that tech writers on average have such a lousy grasp of what they're talking about and/or that they end up garbling facts trying to talk-down to the level of the average joe public.

Its also sad that so many of these articles end up on /. Example from the above article:

"Web browsers wait for data on port 80 and 8080"

Maybe I'm just being persnickity - but I've never had mozilla running from my inetd.

I do not trust it. (3)

einhverfr (238914) | more than 13 years ago | (#217832)

If we start allowing worms such as this one back on our systems, just because, "Well, it might help", it won't be long before somebody combines one that fixes one hole while making a new, bigger one.

I agree completely and would probably reload an infected machine from backup just to be safe...

That being said, I have thought about makign similar programs with limited spreading abilities (i.e. only able to transverse private IP networks, not cross the internet, etc.) as a self-policing action within a network.

Buzzword Compliance. (3)

iomud (241310) | more than 13 years ago | (#217833)

Is this the first form of distributed security?

Great! I just hope it doesn't get carried away... (1)

sachachua (246293) | more than 13 years ago | (#217834)

I hope the people who wrote it really, really tightened up their code. I'd hate to have it corrupted and turned into yet another bad worm...

This kind of worm would probably get in through a known exploit and then patch the exploit behind it... kinda screws up software darwinism, yes?

Re:What happens when ... (1)

epicurus (252619) | more than 13 years ago | (#217837)

Aside from the worm part, that's a damn good idea...could make plenty of money from corporations that use linux and don't know/understand security...McAfee does something similar w/ myasap or whatever the hell they call it now (used to be myCIO).

It reminds me of... (2)

jsse (254124) | more than 13 years ago | (#217839)

This worm is welcomed just like 'PingPong' virus. I still remember everybody in our lab got one of this harmless virus just to watch a 'O' bouncing on screen when doing DOS homework.

"Virus? You mean it's a virus?"

Well said (2)

jsse (254124) | more than 13 years ago | (#217840)

"I would rather not have anything that comes in uninvited and messes with my computers," he said.

Said by an idiot who has his boxes infected with The tHing, SubSeven, NetSphere, Deep Throat,Master Paradise, Silencer, Millenium, Devil, NetMonitor, Streaming Audio Trojan, Socket23, Gatecrasher, Net Control, Telecommando, Gjamer, IcqTrojen, Priotrity, Vodoo, Netspy, ShockRave, Stealth Spy, Pass Ripper, Attack FTP, GirlFriend, Fore, Schwindler, Tiny Telnet Server, Kuang, Senna Spy Trojans, WhackJob, Phase0, BladeRunner, IcqTrojan, InIkiller, PortalOfDoom, ProgenicTrojan, Prosiak 0.47, RoboHack, Silencer, Striker, TheSpy, TrojanCow, UglyFtp, WebEx, Backdoor, Phineas, Psyber Streaming Server, Indoctrination, Hackers Paradise, Doly Trojan, FTP99CMP, Shiva Burka, BigGluck, NetSpy, Hack?9 KeyLogger, iNi-Killer, ICQKiller, Portal of Doom, Firehotcker, Master Paradise, BO jammerkillahV, AOLTrojan1.1, Hack'a'tack, The Invasor, SpySender, The Unexplained, Bla, FileNail, ShitHeep, Coma, Bla1.1, HVL Rat5, BackConstruction1.2, Kuang2 theVirus, Xtcp 2.00 + 2.01, Schwindler 1.82, Doly trojan v1.35, Doly trojan v1.5, Vampire, DeltaSource, Trojan Spirit 2001, Maverick's Matrix 1.2 - 2.0, Total Eclypse 1.0, OOTLT + OOTLT Cart, Eclipse 2000, NetMetro 1.0, Illusion Mailer, InCommand 1.0 + 1.3 + 1.4, NeTadmin, Logged!, Shitheep, Schoolbus 1.6, Schoolbus 2.0, Chupacabra, TheThing 1.6, AimSpy, NetMetropolitan 1.04, Transcout 1.1 + 1.2, SoftWar, Ambush, Der Spaeher 3, Insane Network, The Prayer 1.2 + 1.3, Host Control 1.0, Yet Another Trojan, NetRaider, TCPShell.c, PC Crasher, Mini Command 1.2, Mosucker, Rat 1.2, FakeFTP, Intruse Pack 1.27b, Snid X2, Freak 88, Asylium 0.1&0.11&0.12&0.13, Prosiak, Traitor 2.1, Connection, Host Control 2.6, BIONET, Rux.PSW, CrazyNet, Rux.Backdoor, Infector 1.x.


outlook (2)

kilgore_47 (262118) | more than 13 years ago | (#217844)

a friend of mine got hired to do that with VBScript actually, because an entire company had melissa or one of those nasty outlook ones.

Re:Someone actually did it. Awsome (1)

zsau (266209) | more than 13 years ago | (#217847)

How about one that emailed the owner of the computer about holes, giving them ideas on how to fix it, rather then fixing it itself? Now, that wouldn't actually have to break into the computer, would it? Or would it?

Is this helpful? (1)

J3zmund (301962) | more than 13 years ago | (#217848)

Should 'white hat' hackers help the hapless with worms that patch known vulnerabilities? Does this make the lazy more lazy? Is it helpful to plug someone's machine and then put that machine to use scanning for other vulnerable machines? Do you (if you're too lazy to patch your server) want your machine wasting resources to help others who are also lazy?

Ever heard of Ramen worm? (2)

ViVeLaMe (305695) | more than 13 years ago | (#217850)

or Lion? or Adore?

those are Linux worms. destructive worms.

You think one can use those to express the advantages of open source? (i may be stupid, or maybe it's because i haven't slept at all, but i fail to see your point..)

Imagine escalating patch-virus wars... (3)

Some call me...Tim (307785) | more than 13 years ago | (#217851)

Sure, it starts with the cheese worm. But then another group comes up with the mouse worm that breaks in through security holes left unpatched by the cheese worm, removing the cheese worm and installing itself. Then comes the morphing cat worm, that not only breaks in on mouse patched sites, but also downloads updated patches from servers that further increase security...

The war of the patch-virii.

A friend of mine suggested to me that whatever you look for on the Internet, it will seemingly spring into being simply by the fact of you looking for it. That same friend came up with this idea of patch viruses that break into and repair security holes. And **Poof**, it exists.

Be careful what you look for...

Wait a sec... (2)

Salieri (308060) | more than 13 years ago | (#217852)

Remember back in September, when Slashdot was hacked [] ? The guys that did it apparently just wanted the experience of hacking Slashdot; they posted a victory story and emailed Taco will full details about how they did it.

But Taco & company decided to rebuild the entire system as though they had maliciously took over.

Similarly, even if this "good" worm hits me, I'll treat it like a bad one. You never know, it would be ingenious for some l4m3 (or whatever the numeric abbreviation is) hackers to release a version that looks like "Cheese" but actually does a "rm -rf /".


Good to see (2)

techman2 (312067) | more than 13 years ago | (#217856)

It really is good to see people finally doing something towards a good cause, rather than attempting to create destruction. I certainly hope it continues.

Re:Good worm, Bad worm. (1)

sleeper0 (319432) | more than 13 years ago | (#217860)

With all due respect, I think it's complicated because it's a complicated problem.

It might be ideal if you could make rules that would be followed. But the biggest issue i see with all the automated hacking and/or worms on the internet is that it simply swamps the human resources available. I get a bunch of legitimate intrusion attempts every day. I couldn't possibly report them all. And I guarantee the ISP's aren't anywhere close to having enough people to respond to the problem. Even the low amount of email they get now goes unanswered unless the abuse is gross.

Default security will go a long way to fixing that. But with attacks against core services common (bind, iis, ftpd) that may be intentionally configured, default security is not the only answer. People need to patch boxes, there need to be patch servers, and I think any notion that using opt-in email and a web browser and a sysadmin typing 'aptget blah blah' is somehow a better secured system than a default alerting system is misguided. Just because it's the way we do it now doesn't make it infallible, as similar attacks (imagine if i replaced the SP2 binary at microsoft right now) could happen just as easy or easier right now.

Really you are using the same mechanisms right now, it's just harder to use.

Think about this:
alert system: email list
patch server:
PKI: pgp signature
key revocation: urgent email
patch application: download & run rpm -u

So... why not make it easier so that compliance goes from xx% to 95% ?

Re:Good worm, Bad worm. (2)

sleeper0 (319432) | more than 13 years ago | (#217861)

Well, I intentionally never suggested automatic patching. When I said semi-automated, I meant "check for new patches regularly, alert user, make it as easy as possible for user to install new patch, nag regularly when they don't".

While your opinion that security patches should be somewhat difficult to install to make the admin learn more about the system is a valid one, I think that it's pretty unrealistic. The ones who run open bsd, keep up with security patches and source patch the systems aren't the ones getting owned all over the place. It's the folks that don't know there is even a patch, or are too lazy to download it even in binary form that are causing 99% of the problems.

While I agree that no patch should be 100% automatically applied, I think the typical gloom and doom story about the patch box being owned is somewhat overblown. A very secure system can be arranged using public keys and key revocation, coupled with close monitoring of the patch box. Any serious OS vendor could manage this if they made it a real priority. As it is now, standard update methods are indeed less secure than this now.

Regardless of whether you agree with the implementation, I find it had to believe you truly think that patching security holes should be a hard job. It needs to be made as easy as possible, so that you get the closest to 100% usage as possible. Right now you get nothing like that.

Good worm, Bad worm. (5)

sleeper0 (319432) | more than 13 years ago | (#217862)

I see a lot of tacid support for this worm here. Really, it's not surprising to see. Earlier linux worms have started the practice of patching the holes, if for no other reason than to make sure they have full reign on the box and won't be stepped on by the next leet worm to come along.

I know the author had semi-good intents, but the effort is really mis-guided. Worm proliferation has become significant in the last year (really, six months). A number of effective worms are out there that target both linux and windows. Watching my firewall logs on a variety of hosts (cable, and several colo ISPs) show that the number of intrusion attempts (or at leasts scans, but 90+% of this has to be worm traffic) has increased for me by a factor of 10 since the 1st of the year.

This kind of traffic, whether good or bad intentioned, adds to network congestion, makes running an IDS challenging at best, and has made the ISP's effectively throw their hands up at having any kind of enforcement about hacking attempts. I don't know if anyone has tried reporting the sources of intrusions to their ISP's, but such reports now fall on dead ears almost all the time. Plus, it decreses the S/N ratio on the network security wise considerably. It is much harder to back-track or IDS post-mortum a REAL threat/attack with all of these other attacks going on at the same time. While worms may pose a minimal threat as far as their attack sophistication, a skillfill hacker can use all this worm traffic as an effective cloak.

Even though you can argue that it's all relatively low traffic, that you need a good firewall, and that IDS should only be run inside those firewalls, you still have the possibility of serious network problems of the horizon. It's not un-thinkable that in the near future a large percentage of linux boxes will have multiple worms, exploiting multiple vulnerabilities all running and infecting other boxes. The fallout from this could be severe. Throw in a few anti-worms, and a few bugs caused by the interactions of it all, and could have a real hellstorm, quietly building now. Surely people remember the morris worm in '89? While bandwidth was more easily swampable at that point, we are perhaps only a few years away from waking up to that kind of destruction one morning.

The only real answer is for us to forceably demand that OS vendors become much more diligent about security. If I was a national government I would truly consider this a serious threat to my infrastructure. While OS vendors have become more responsible across the board, we need to shoot for a higher bar. OS vendors need to provide very paranoid installations as default, with software firewalls enabled. The user should have to be asked for each service to be enabled. 100% available services such as ICMP echo should be required to be sandboxed or stack protected. OS's need to provide as a default security update monitoring, and easy, semi-automatic processes for installing new security related patches quickly, even if the admin is prone to do nothing. Nag the hell out of them to update. I would even argue that services with secuiryt holes should be automatically disabled by the OS, forcing the user to either update the service or manually restart the service essentially accepting the liability fo acting like a moron.

I'm sure a lot of you will think I have an overly extreme opinion, and that things are mostly fine. I can't argue that I think the situation is out of control now. But with our infrastructure as vulnerable as it is right now, it will only take one or two really good worms to show everyone how it should be done. The only thing that has really saved us so far is the fact that no one has done it... It is easily accomplishable.

Re:Someone actually did it. Awsome (5)

sleeper0 (319432) | more than 13 years ago | (#217863)

I really can't stand behind the release of that kind of worm... While it's entertaining, and certainly well-intentioned... I just can't condone worm proliferation.

You know what would be great though, and be essentially the same code? Something that listened to your firewall logs, detected worms that scanned you, and then went out to their hosts and basically ran it's course, disabling the other worm and closing security holes. But not leaving code to proliferate itself.

I know this would be no different legally, but I would sure feel 100% better about it. How poetic is it to detect a scan and then hack in to shut it down to keep it from scanning anymore. Without any scanning yourself.

Any takers on a modified cheese worm?

Someone actually did it. Awsome (3)

Bakajin (323365) | more than 13 years ago | (#217864)

the ethics are debateable, but its incredible to think someone actually did take the time to make a 'good' virus.

Re:Ever heard of Ramen worm? (1)

ComaVN (325750) | more than 13 years ago | (#217866)

I don't know about Windows, but good old dos certainly had some good virii! Ping-Pong and Cascade definitly improved the "look and feel" of the command line (Not to mention my wordperfect 4.2 files)


Mmmm. no worm patches for me.. (2)

popeyethesailor (325796) | more than 13 years ago | (#217867)

Talking about worms, i was just reading this [] a few days ago. This dude Max Vision spread a worm which closed many backdoors, but opened a few too.

Mmmm.. Sad that the FBI caught up with him..

Re:Now I've seen it all..... (1)

ma_sivakumar (325903) | more than 13 years ago | (#217868)

How about this?

When Linux becomes more popular and widespread among non-technical users, there will be more and
more worms targeted at Linux systems (as is the case with Windows today).

If you have a good Virus prevention program installed you can have a virus free Windows system. The problem is majority of ordinary users are not aware of such programs or too careless to install one in their system. Therefore, Windows machines are breeding ground for various virii.

In case Linux, if some one creates a worm and spreads it around, it is easy for the community to create a vaccine and send it using the same route as the virus. This will take care of the users even when they are not paying attention.

Something along this line should sound good.

This reminds me of those commercials... (1)

GearheadX (414240) | more than 13 years ago | (#217872)

  • Yeah.. this definitely reminds me of those 'Behold The Power Of Cheese' commercials. Now it not only will get Santa to leave you a car or bring your imaginary friend to life.. it'll debug your network security too.

    There are many, mighty-proud cows tonight...

Berk Watkins

Re:Avoid nasty Linux bugs (1)

yassax (416227) | more than 13 years ago | (#217874)

yes, but then you would be using it on a windows system and would be hit my a million more windows viruses. besides... its AOL... *snicker*

Quote (1)

miklernout (444473) | more than 13 years ago | (#217876)

"I would rather not have anything that comes in uninvited and messes with my computers,"

Two words: Microsoft Windows

Red Dwarf meets Red Hat (1)

Monkeychunks (449273) | more than 13 years ago | (#217881)

Does this remind anyone immediately of the positive viruses in Red Dwarf which conferred good luck, sex appeal and such?

good ideer (1)

Pet_Targ (449857) | more than 13 years ago | (#217882)

From said article;
"But Roger Thompson, technical director of malicious code research for security services firm TruSecure, stressed such programs are generally a bad idea.

'I would rather not have anything that comes in uninvited and messes with my computers,' he said. "

I feel the same way, but I applaud whoever thought of using a WORM to do something useful for society! Commendation for original thinking!!

Besides, 1i0n sounds like one of those obscure infectants that you find weeks or months after the fact.

#!/bin/Good vs. #!/bin/Evil (1)

qubithaze (452816) | more than 13 years ago | (#217883)

everywhere you look you will see this. it's classic good vs. evil. Freedom (implies linux) is the good. I beleive the spirit of linux and the "linux community" is embodied in this, however it was done within the context of deprecated ideals: As long as evil exists, we must engage in the enemy with countermeasures. This leads to new agression . countermeasures. new agression.
we're dealing with exactly the same issue in the US when talking about the proposed missile defence system. an arms race will occur. countermeasures. . . new agression . countermeasures. new agression.
we should engage ourselves in answering the following question: how is it possible to move away from these destructive thought patterns. This worm definatley wears a halo, but the evil around it's ankles is in the way of thinking.

Freedom is exponential!

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?