Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Fight Virus With Virus?

Hemos posted more than 13 years ago | from the cleaning-up-the-mess dept.

The Internet 697

Insanik writes "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time? " The submittor raises an interesting question - is this possible? I would guess so, in theory. And while we're working on Code Red, can we send a large man to the home of my latest Sircam senders and politely "ask" them to stop clicking on virii?

cancel ×

697 comments

Sorry! There are no comments related to the filter you selected.

A nice thought.... (1)

trazom28 (134909) | more than 13 years ago | (#2110463)

This has some merit, as far as what it would intend to do - go out and fix stuff, making the world a more secure place. (here it comes...) But.... it opens up way too many cans of worms (no pun intended) as far as privacy issues and such. For example, I don't want some unknown worm of some sort poking at my web server. I want *me* poking at it, knowing what's going on with it, etc. If I go to run a patch, and suddenly it says "this patch has already been run" I wanna know why, and how, and who. Also, it comes down to the fact that sysadmins can't be lazy. I've seen so many, many "tech ppl" who think they have a clue, think that all they need to do is install a few things, and they're gods. They forget the second half.. the *work* part of their job.. where they have to go out, get patches, keep up to date, be PRO-active to problems and potential problems. My thought on that is, maybe if a few systems get infected, it might wake up some of these techs and get them to motivate their collective butts to get themselves patched. If they don't, it's nobody's fault but theirs.. the patches have been out for months.

ft (-1)

Anonymous Coward | more than 13 years ago | (#2110742)

First Toast [drtoast.com]

Woke up this morning and my head was in daze (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2131986)

Another war and the Pound is looking weak...

Oh well.

Why do favors? (-1, Flamebait)

brlewis (214632) | more than 13 years ago | (#2110743)

Webmasters who chose IIS made their bed. Let them sleep in it.

Re:Why do favors? (1, Insightful)

Anonymous Coward | more than 13 years ago | (#2115898)

This is such a typical response from a slashdotter. Fine, so these people are using Microsoft, but like it or not there are a bunch of servers that you probably hit all the time that run on IIS. What really pisses me off about this site sometimes is how quick people are to say "screw you" to anything that has to do with Microsoft. I dislike them as much as the next person, but just like all other debates, to each their own. How about we all get to together and help each other instead of constantly ranting about how much 'their' stuff sucks. And if possible, I think the idea of the 'good' worm would be great. Only I doubt the IT people out there would want some random worm playing around with their stuff.

Re:Why do favors? (0, Troll)

CyberPsyko (472791) | more than 13 years ago | (#2126596)

Amen!

Re:Why do favors? (0)

Anonymous Coward | more than 13 years ago | (#2127451)

So let me get this straight: IF you use IIS, then tough shit, right? Well, what a great attitude. Unfortunatley, these Admins with vulnerable boxen help to bog down traffic globally. So letting Admins who "made their bed[s]" sleep in them is a rediculous comment.

If you're going to spout anti-MS rhetoric, at least have something constructive to say...

Re:Why do favors? (0)

Anonymous Coward | more than 13 years ago | (#2153051)

Just because they run IIS doesn't mean they should suffer more. For the good of the internet, ALL web servers need to be secure regardless of the vendor.

Re:Why do favors? (-1)

Raging Idiot (457985) | more than 13 years ago | (#2149217)

MS would never allow this entire idea to fly. At the first sign that someone had made a virus that actually goes out of it's way to "secure" one of their products, they would go out of their minds trying to find a way to shut them down. A secure product never REALLY needs to be upgraded. They need viruses, negative viruses, to keep the public on the upgrade treadmill.

W00t (-1)

Strom Thurmond (R-SC (310866) | more than 13 years ago | (#2110746)

w00t!

yalla fp (-1)

Anonymous Coward | more than 13 years ago | (#2110747)

fp baby!

Re:yalla fp (0)

Deijpimp (512688) | more than 13 years ago | (#2135944)

not

Old idea (2, Interesting)

Gruturo (141223) | more than 13 years ago | (#2117496)

It already happened about 15 years ago or so... it was called "Vacsina" and actually cured 1701/Cascade, 1704/format and Jerusalem, if I recall correctly. It was even auto-updating: different vacsina versions would recognize each other and the most recent would overwrite the older. Sadly, a few "nasty" strains came out too....

Just 13 years behind the times... (5, Insightful)

iapetus (24050) | more than 13 years ago | (#2121584)

The first such anti-virus virus, Den_Zuko, was discovered in 1988. Check out this article [vnunet.com] on VNUnet, which has more info on the history of such software and why it's a bad idea.

More recently, the Linux.Cheese.Worm has done similar things for Linux users infected by the Linux.Lion.Worm.

"Hard Drive" (1)

thePfhitz (446594) | more than 13 years ago | (#2121585)

A technique like that (using a virus to fight a virus) was used in a book by David Pogue called Hard Drive [amazon.com] .

Seems like a smart idea to me.

Don't be a part of the problem (4, Interesting)

Speare (84249) | more than 13 years ago | (#2122162)

Why do schools neglect an ethics curriculum?

Your solutions should not affect the state of the infected machines. Even if you could "fix" their machine. Even telling them that their machine is infected is over the line, if you're using their machine to do it.

If you're being hampered by Code Red hits, make a script to firewall off every infected computer for a day. Allow those firewalls to expire, and if they're still infected, they'll get blocked again.

  • "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
Yeah, that means you. You're giving up liberty-- not yours, but theirs. If you're messing with someone else's machine, you are part of the problem. No matter your intentions, or how nicely you word the "message" you deliver onto their desktop. Just don't touch it.

If you're going to call it a virus, think of the influenza virus. A medicine is widely available on the market. It is up to the infected party to take the medicine, and it would be unethical to sieze the unwitting victim and force the medicine into their bodies.

It's just a small problem, and in a month, people will just roll their eyes about the terrible outbreak. The best thing to do in a storm is to shelter yourself until it passes, not to rage against the howling winds around you.

Re:Don't be a part of the problem (1)

Archangel Michael (180766) | more than 13 years ago | (#2117805)

Why do schools neglect an ethics curriculum? They used to. But the US Supreme Court ruled that freedom of religion means freedom from religion.[br] [br] Besides, who's ethics are you going to choose. Mine (Militant Legalistic Christian) or yours (liberal anyting goes Pinko/Commie)?

Re:Don't be a part of the problem (0)

Anonymous Coward | more than 13 years ago | (#2140668)

Its not the schools job to teach ethics, it's the parents! and Parents today niglect so many of thier duties, and then blam Schools for it! Some people are just Ruthless no matter what kind of upbringing they had! You can only blame that person! Cy.

Re:Don't be a part of the problem (5, Interesting)

CharlieG (34950) | more than 13 years ago | (#2149251)

You say:
It is up to the infected party to take the medicine, and it would be unethical to seize the unwitting victim and force the medicine into their bodies.


The thing is they CAN seize you and force you to take medicine IF you are determined (Usually by 2 doctors) to be a danger to yourself or others. Ever hear the term "Involuntary Commitment"
There ARE times when you are forced to do things

Re:Don't be a part of the problem (-1)

LoRider (16327) | more than 13 years ago | (#2149763)

Great quote, man! You hit the nail on the head with that one.

Be careful what you ask for people, you just might get it!

Re:Don't be a part of the problem (1)

MindStalker (22827) | more than 13 years ago | (#2150641)

How far do you think the "using their machine" to tell them they have the virus goes? I mean does seeing if their website has an email address and emailing that person, is that using their machine to contact them. There are a whole degree of things that can be done, from my example to actually placing a thing on their desktop saying "YOU HAVE A VIRUS".

You'd better not do it wrong. (1)

lavaforge (245529) | more than 13 years ago | (#2123918)

Even if we were to ignore ethics and whatnot, there's still a pragmatic reason for not writing a counter-virus.

I doubt that the person who wrote the counter-virus would get it perfect on the first try, and an "almost ready" virus is a damned scary thing. What kind of excuse would you be able to give for torching a couple thousand web servers by accident?

Possible? Yes, of course. (4, Insightful)

Tim C (15259) | more than 13 years ago | (#2123919)

A good idea? Absolutely not.

Part of the problem with worms isn't just the malicious acts that they perpetrate, it's the bandwidth that they use.

A particularly virulent worm can bring servers and routers to their knees just propagating itself. That's before it even gets the chance to do any of its intended damage. (Remember Melissa, or The Great Internet Worm?)

Add to this very real concern the fact that striking back in this way, no matter the good intentions, is almost certainly illegal, and the whole idea is a definite no-no.

(Yes, it does have a certain appeal - but so do many other things that are bad ideas, too)

Cheers,

Tim

slippery slope (-1)

LoRider (16327) | more than 13 years ago | (#2123921)

Who is going to write this "good" virus? Will this lead to a group of "experts" that write "friendly" worms that patch servers when they are deemed by the group to be bad. This seems like it will turn into a nightmare where we have some politically motivated, corporate controlled group that can create it's own backdoors.

It all boils down to that fact that people, regular people, need to learn how to manage their own equipment and M$ needs to be held accountable for their shitty programming. This M$ hole had been discovered months ago. How many people knew about it until Code Red was released?

Thought of this... (1)

jcronen (325664) | more than 13 years ago | (#2127101)

I'd actually thought of this idea as a way to rid myself of a macro virus I'd had on several of my machines. Write another "virus" that checks for the existence of that virus and neuters it, then propagates to all other files it can find.

My biggest paranoia would be that I'd write it so it would go out of control, then I'd be the one they'd be hauling out of the police car and into the courthouse on CNN.

And I can't honestly think that I'm the only one that ever thought of this.

Has anyone else heard of/attempted/got in trouble for fighting fire with fire in this way?

I don't know if this would be legal. (0, Redundant)

crcerror (266157) | more than 13 years ago | (#2127102)

I've played with this idea before as well but the one thing that I always thought that this seems like it would be equivalent to breaking into someones house and then fixing the way you came in. It's still breaking in, regardless. Kind of a "white hat" hacker deal but that still is considered a "no no" in the eyes of the law.

You're still infecting them with a virus, it's just a good virus and you could probably be brought up on charges under some computer crime legislation.

virus vs virus (1)

motox (312416) | more than 13 years ago | (#2127103)

I think there was a virus a long time ago whose only purpose was to kill another virus, i dont remember if it was on the Amiga or on the PC. Anyway still it ended up being classified as a virus. To be honest i prefer to have control over my anti-virus program rather than have core wars games running on my pc without my control :)

Re:virus vs virus (1)

Chakat (320875) | more than 13 years ago | (#2150387)

Actually, in the waning days of the "high quality" viruses, there were several viruses that, in addition to their payload, would "kindly" disinfect viruses writen by rival virus groups. Of course, now, most viruses are clunky VB things writen simply to cause as much havok as possible, without worrying about size, elegance, etc. Sircam, and it's integrated SMTP server, is the closest virus, in terms of elegance, to the "good ol' days" of viruses.

Anti-Sircam Virus (5, Funny)

zpengo (99887) | more than 13 years ago | (#2127104)

Why not take the Symantec Sircam cleanup utility, patch it to make it self-propagating, and then e-mail it out with the message "Hi there! I send you this because you're a stupid fscking idiot. :)"

Closing the Backdoor (1)

Meridun (120516) | more than 13 years ago | (#2127106)

I've thought quite a bit about this, since my apache server has been getting hammered with probes, and now my ISP (ATT Broadband) seems to have blocked connections to port 80 of it's subscribers, leaving my website high and dry (yes, I can jump ports, but then I have to tell everyone I've jumped ports.)

Unfortunately, the general consensus is that the proper remedy for this worm is to reformat and reinstall on an infected machine. And while the idea of reformatting the drives of all those idiots who got themselves infect and are probing my machine is very appealing, it's also potentially very illegal.

I would be in favor of half-measures, like a script that would patch the IIS vulnerability, and clear out the root.exe and explorer.exe vulnerabilities, but this may be ultimately harmful, since it may not remove all vulnerabilities AND it may make detection of the exploit more difficult for the machine owner.

Does anyone have any ideas in light of these problems?

Re:Closing the Backdoor (1)

JayHerrick (469525) | more than 13 years ago | (#2126092)

Does anyone have any ideas in light of these problems?

It seems to me that everyone has a problem with distributing another "worm" and damaging the infected system. Why not take this approch: First, write an apache module that would use the original exploit the gain access to any system that attacks the "defending server". Second, once the attacking system has been accessed simply disable the TCP/IP stack (no permanent damage). This would result in the attacking system being shut down until an administrator could repair the system (or even be made aware of the problem for that matter). And because the module would have to be installed on a server you would not have to deal with another worm running around unchecked.

Still a virus... (0, Redundant)

rkischuk (463111) | more than 13 years ago | (#2127107)

Technically speaking, this is still a virus, and still costs companies bandwidth and processor time.

Also, it opens the door for a whole new wave of confusion. Suppose I tweak the "good" virus, and add a little bit of insidious behavior? What if I send out a "bad" virus claiming it is a "good" one?

Right now, we're fighting a losing battle to get users to STOP clicking on unknown attachments. Any progress we do make would be COMPLETELY destroyed by encouraging them to install "good" virii. Right now, the optimal virus protection might be a grammar checker. You'd think that the guys who wrote Zero Wing had found a new hobby.

This has already happened (4, Insightful)

cnkeller (181482) | more than 13 years ago | (#2127108)

A while ago (months?) someone had a "beneficial" virus, that was making the rounds and fixing security holes in Windows I believe. The name escapes me. The author (who publicly claimed responsibility) caught quite a bit of flak over it. Who knows what kind of hidden payload your packaging in addition to the helpful features.

Personally, I feel a virus is a virus, regardless if your intentions were good. You're not any better than the hundreds of losers out there creating this mess. If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.

Re:This has already happened (2)

dazed-n-confused (140724) | more than 13 years ago | (#2150583)

If you want to warn me of security holes in my system, send me an e-mail that doesn't contain a virus.
Hi! How are you?

This is the file with the information that you ask for.

[SecurityHoleWarning.doc.exe]

See you later. Thanks.

no no no (1)

aozilla (133143) | more than 13 years ago | (#2127110)

Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time?

Sending to other servers for a certain period of time is not a good thing. First of all, you are causing harm by checking those other systems. Secondly, you are causing harm on the machine you install this on. Thirdly, you might screw it up, and accidently cause even more harm than you intended.

I don't have a problem with exploiting the back door and closing it for any site which specifically tries to infect you, but after that your interaction with the other server should stop. Even that has the problem of possibly not letting the victim know about the problem, and that in itself is troublesome.

Marvin the Martian (1)

IainMH (176964) | more than 13 years ago | (#2127452)

"The submittor raises an interesting question - is this possible?"

Hemos: now read this out loud to yourself in the voice of Marvin the Martian.

N.B. It is spelt 'submeter'.

~Iain

Re:Marvin the Martian (0)

Anonymous Coward | more than 13 years ago | (#2131895)

>It is spelt 'submeter'.

Good joke, man.

Re:Marvin the Martian (0)

Anonymous Coward | more than 13 years ago | (#2141884)

N.B. It is spelt 'submeter'.

Actually it would be spelt submitter if it was a word. I don't think it is.

Oh wait, you're British, nevermind. But don't go correcting our Americanized (with a z) spelling.

Possible but not a good idea (1)

Control-Z (321144) | more than 13 years ago | (#2127453)

I'm sure you could write a "good worm" to roam the Internet and patch IIS servers. But you'd still be executing your code on other people's servers, even if your intent is honorable. Not a good idea.

There have been "good worms" released on the Internet before that had bad bugs. I wouldn't want the FBI knocking on my door and taking all my computers when something went wrong.

Discussed before (2, Insightful)

egjertse (197141) | more than 13 years ago | (#2128366)

This has been discussed before, among other places on Bugtraq [securityfocus.com] . The concept has many flaws:
  • The morality aspect - you are "taking control" of someone elses hardware/software
  • The legal aspect - this still constitutes "cracking" as you have illegally gained access to a computer system that is not yours. Breaking into someones house is not OK just because you only intended to do their dishes.
  • The practical aspect - the worst side effect of internet worms is not primarily damage done to the infected systems, but bandwidth consumed and resources depleted as a result of the worm spreading.
I don't know of any real-life implementations of this (I somehow have the feeling I have heard of it, but it escapes me right now), but the concept has been debated at length during prior "worm attacks". There are probably many other reasons why this is not a good idea, but I think these are the most signifficant.

REDUNDANT REDUNDANT REDUNDANT (-1, Flamebait)

Anonymous Coward | more than 13 years ago | (#2128497)

EVERYONE has been writing this. in EVERY stupid posting of CR. this submission is REDUNDANT

Why not? (2, Insightful)

Aerog (324274) | more than 13 years ago | (#2128498)

I don't see how it could be a problem, I mean, logically only something like a DoS attack or the like can't be "undone". If it's a bug in the individual system then it should be able to be fixed. The problem arises with the media stigma of a virus.

Now this just goes right back to the whole "but I thought a virus was bad" response that your typical user will tell you. For the most part, it could work wonderfully, but the big thing is, the only people who will need it are those who did not patch a system for the bug (since if they patched it, then the retrovirus (if you will) will not be able to use the same vulnerablilty). Those are most often the same people that opened 40 SirCam attachments even though they were warned ("But it came from my best friend!"). To these people, a virus is something to be afraid of, regardless of purpose. A virus is always a bad thing that will "break the computer" and we don't want to "break the computer" because we can't "fix the computer" <Cue ominous music>

But then again, if these people are so oblivious as to how they're infected, then it just may work as long as the media doesn't blow it out of proportion again.

Funny, (0, Troll)

mackman (19286) | more than 13 years ago | (#2129908)

I've always considered Windows Update the anti-virus virus.

Re:Funny, (0)

Anonymous Coward | more than 13 years ago | (#2152621)

shows what you know

DirectTV hacked the hacker.... (2)

FortKnox (169099) | more than 13 years ago | (#2132050)

Remember the DirectTV [slashdot.org] anti-hack on the hackers? Seems like this is the same idea. Anti-virus the virus...

Hey, if it worked for DirectTV, it should work here...

Actually, this may start a "best of the best" competition with virus writers. They'll come back with a virus to counteract the anti-virus, and on and on.... might be interesting...

Re:DirectTV hacked the hacker.... (2, Insightful)

Coq (204365) | more than 13 years ago | (#2141885)

Ok, what direcTV did is not exactly the same. They were much nastier. also, the people who were effected by direcTV were not hosts to some virus. They were willing participants. An equivalent would be the DVD CCA putting out a virus to kill DeCSS. If a company like microsoft were to do something like this to viruses, it would only close the door for that virus. It wouldn't kill the machine, or write "Game Over" or anything fun like that. It also wouldn't close any other doors, as they would still be unknown. As far as an arms race goes, it would be no different than now. Except, now that I think about it...

Virus writers would close the door they came in in advance and write in another door that would be extremely hard to find. The worm would still infect other machines, and it would be a very long time before the other back door kicks in. People would think the worm they got was a purposeful fix worm, when in actuallity it only would be a matter of time before it became a zombie. Now that would be a smart virus. Of course, the hardest part would be giving the new back door the functionality needed while effectively hiding itself.

The MacOS Autostart worm (1)

SirDrinksAlot (226001) | more than 13 years ago | (#2133292)

A while back there was a vicious little bugger going around called the Autostart worm, it was evil. It made its way onto CD's and across networked macs. While this was happening MacAddict released a CD and it was infected. but curiously enough, it was a good worm. (i wonder how it got there!) Said worm would Infect your machine and spread like the others, but the main differnce was it would remove other autostart worms and destroy it self after Christmas day.

The law's not on your side (1)

anonpoet (249397) | more than 13 years ago | (#2133625)

The last guy that tried that went to jail. I wish we could. I could fix code red in two hours.

Re:The law's not on your side (1)

SomeoneGotMyNick (200685) | more than 13 years ago | (#2123917)

Don't fix it completely... Those who got the virus deserve it for obvious reasons. Let them remove it themselves. Just alter it so that every IP address it connects to is 127.0.0.1

This way, the rest of the internet doesn't have to suffer.

Innoculation worm (1)

Demon-Xanth (100910) | more than 13 years ago | (#2133695)

I've been wondering why this worm doesn't exist: It sends itself to everyone in your email list It disables outlook running .vbs, .com, .pif, and .exe attachments It disables .vbs files for the whole system

Err (1, Insightful)

Anonymous Coward | more than 13 years ago | (#2134417)

... exploited the back door, closed it, then started sending itself to other servers for a certain period of time?

Anybody think about the bandwidth implications of this? We'll have anti-viruses counteracting viruses, viruses counteracting the anti-viruses, etc. This will all eat up bandwidth just as bad as Sircam and Code Red have.

isnt it there own fault (1)

womby (30405) | more than 13 years ago | (#2134418)

while I do agree it is there own fault for picking such a useless product, the idea of fighting fire with fire is an interesting one. but who would want to tread the thin line and do it.

why would symantic or network associates want to do it. there would be less reason for people to buy there products. if a "whitehat hacker" (I hate that term) decided to make the anti virus we can guess that the fbi would be sent down to beat down his / her door because obviously he / she is a hacker who must be stoped

It doesn't cost a dime to pay attention... (1)

miked50 (466948) | more than 13 years ago | (#2134421)

Why not let the sysadmins who chose to use IIS keep up with the latest security patches and such? There was so much hype surrounding Code Red that no one should have been severly affected by it. Surely if your sysadmin is worth his salary he will keep up with the latest news... I'm not saying that he/she know every security hole and exploit out there, but they should try to keep track of the big ones at least

That's just my $0.02

It costs a lot to pay for other's inattention (1)

dingbat_hp (98241) | more than 13 years ago | (#2136056)

Why not let the sysadmins who chose to use IIS keep up with the latest security patches and such?

They aren't the ones with the problem:

  • Those getting thwacked often don't even know it has happened.
  • Code Red is causing more trouble by traffic swamping than it is by nuking some IIS boxes that the admins clearly weren't all that concerned about. This affects everyone, even those who kept their boxes clean.
  • If you're an admin in a large organisation, you'll be knee deep in Code Red hassle from desktop boxes you didn't even know existed. M$oft think everyone needed to be running a web server. I wouldn't be surprised if M$oft Barney had an embedded copy of Exchange in it (probably with XML and .NET extensions too). Pervasive intelligence [hp.com] is great, but not when it's coded by the clueless and security-inept morons of M$oft.

Illegal (4, Insightful)

3prong (241218) | more than 13 years ago | (#2134422)

I keep seeing people talk about how invading a server in some cases is legal, because "the intent was good". That is an incorrect interpretation of the word intent. Intent only refers to the crime itself, i.e. did the criminal intend to break-and-enter or was it accidental.

This means that unauthorized access in the attempt to do a "good deed" is just as illegal as black-hat unauthorized access.

For this to happen, someone with the antidote virus would have to break the law to spread it and apply it. Of course, Robin Hood was considered a criminal too.

Bad, very very bad idea (1)

friday2k (205692) | more than 13 years ago | (#2135246)

Once you do this, you are changing THEIR computers. And you might be a known entity. And their lawyers will be all over you. It is the same whether the system is infected or vulnerable. You are changing what belongs to somebody else. And that puts you in the same position as the author(s) of the CRs.

ISP Level (1)

TwistedTR (443315) | more than 13 years ago | (#2135480)

Could not something like this be done at an ISP level? With simple monitoring finding an infected machine could be done quickly, then the machine is removed from the network or it's outbound traffic is disabled while either the ISP calls the client or an automatic email is sent telling them of the problem? It's not a virus at all so it would be legal, and the only downside would be a temporary loss of service until the sysadmin of the infected machine gets off his ass and downloads the patch thats been blasted on the tv/paper/radio for the last 2 weeks. People may complain that denying inet service to them because their machine is infected is a bad idea, but in a sense they are as bad as the virus creater themselves when they knowingly continue to let a machine run thats spreading a potentially very evil bug to spread.

Because... (5, Insightful)

11223 (201561) | more than 13 years ago | (#2135943)

Everybody with the ability to do something like that and the lack of ethics to consider it realistically actually wants the rooted boxes for themselves?

Seriously, folks, everybody who *could* write something like that either (a) recognizes that infecting someone's box is infecting someone's box, closing holes or not or (b) sees no problems in having the rooted boxen out there anyway. I doubt that anybody else actually has the skills to do it.

Bad Idea (0)

Anonymous Coward | more than 13 years ago | (#2140605)

If you did that then the hacker that created code red might sue you for reverse engineering his code and distributing it! If the hacker lives in California then you are really screwed no matter where you are from.

Go ahead and do it. (2, Informative)

atrowe (209484) | more than 13 years ago | (#2140606)

I don't see why it couldn't be done. The CodeRed worm has already been modified several times and re-released. The original source can be found here [google.com]

Google cache because it looks like the original site has been remove.

I suppose that it would be possible to use the ISAPI filter vulnerability in IIS to get into a system and patch that very same vulnerability. Maybe someone who knows more about this can clarify.

Fighting fire with fire? (2)

Drakino (10965) | more than 13 years ago | (#2140607)

Making a worm to fix the worm is just going to create more problems. My main slowdown of service comes from all the ARP requests from the think scanning my neighboorhood.

Instead, (idea from another ./ reader) make a CGI script called default.ida that fixes just that machine that tried to attack your server. Make sure it can deal with Code Red 1, otherwise once 2 is dead, 1 will be able to swing back easially to the unpatched servers. Also make sure it sends a bill to the company for "IT Consulting".

This reminds me of the Fish Virus.... (2, Interesting)

AhNewBis (42974) | more than 13 years ago | (#2140608)

The Fish virus, IIRC, would remove the Stoned/Michaelangelo virus if it was found, and then infect the machine itself.

Further info about the virus is found here [f-secure.com] from Datafellow's [datafellows.com] virus database.

Preferable method (3, Informative)

Snowfox (34467) | more than 13 years ago | (#2144950)

I'd rather it used the IIS log file to try to spread itself to every system that had tried to infect it, then executed a
%windir%\System32\rundll32.exe user32.dll,exitwindows

(which you can do manually right now with the worm-installed back door.)

Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.

Re:Preferable method (1, Interesting)

Snowfox (34467) | more than 13 years ago | (#2148341)

I'd rather it used the IIS log file to try to spread itself to every system that had tried to infect it, then executed a

%windir%\System32\rundll32.exe user32.dll,exitwindows

(which you can do manually right now with the worm-installed back door.)

Leave that going long enough, and the infected systems will just keep powering off until the IIS feebs get a clue.

p.s. - if you're gonna mod it - mod it as funny. In the real world, this is what we call a capital Bad Idea.

You could do that, but don't! (4, Insightful)

Mendax Veritas (100454) | more than 13 years ago | (#2147800)

A "white hat worm" of this sort could be made, but its deployment would be just as illegal as the original "black hat worm" it was created to fight. You're still making unauthorized use of someone else's computer. It doesn't matter that you have good intentions. And what if a bug in your code crashes some machines? How do you prove it wasn't intentional, and that your "white hat worm" isn't really a "black hat worm" in disguise?

Re:You could do that, but don't! (0)

Anonymous Coward | more than 13 years ago | (#2150105)

Don't send it from your machine or a machine that is none to be used by you. I really don't think getting caught is a problem, they didn't catch the original virii writer. I do understand the part where you say a bug might crash some machines, but it will only crash NT and win2k so I don't think that it is a bad thing :). If a machine is already rooted(if you want to call it that), then it is their own fault, and they are causing more trouble then the new clean worm would cause.

first? (-1)

Anonymous Coward | more than 13 years ago | (#2147960)

prost

@work (2)

clinko (232501) | more than 13 years ago | (#2147962)

A funny story from where I work. Some guy took the code from the melissa virus and tried to do the same thing. While doing it, he accidentally ran it and set off his screwed up version of it accross our network. Big fun :)

It sounds good in theory... (0)

r0ach (106945) | more than 13 years ago | (#2147963)

But even if someone made an "anti-virus" virus, they themselves would probably get screwed over... Even Robin Hood isn't immune to the law...

Unethical (1)

jack.d.ripper (460305) | more than 13 years ago | (#2148308)

I'm sure it's possible, but it's still not ethical to go in and change people's systems without their knowledge or consent, even if you're "helping" them.

Attack the attacker - Apache plug-in? (0)

Anonymous Coward | more than 13 years ago | (#2148343)

Why hop around the entire 'net? This will only waste more bandwidth.

Instead, why not setup something that will detect an attack (check those web logs) and send the "fix" to that attacker? I think it's ridiculous that MS has created such a pile of garbage (ridiculous, not surprising) and helping them isn't something I necessarily favor, but: 1) I'm tired of dealing with unwanted network traffic and 2) the 'net overall has started to bog down because of this crap.

As far as legal issues, well, how legal is it for someone to have a comprimised machine that's attacking your system? The "fix" shouldn't do anything terrible....maybe create a folder on the desktop that says "UPDATE YOUR OS NOW!!" and then disable the machine (nicely).

If someone made a reasonable fix, I'd use it. Just make it, set it up so it doesn't destroy the attacking system, don't let it destroy the host system ;-), and make it available so that anyone who has the balls (or is stupid; same thing I suppose) to use it can do so. The hell with them, I'll deal with the legal issues....just get these comprimised Microjunk web servers off the 'net already.

Why not put up a webpage that people can use? (5, Insightful)

Keeper (56691) | more than 13 years ago | (#2148574)

Just put up a website on your computer that advertises the ability to automatically clean the CodeRedII virus off of the viewer's system, if present.

All the viewer has to do is click a button at the bottom of the screen.

Just so happens that this particular button sends a request to /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (etc), which then scans the sender's IP and proceeds to start a command session, download the patches, and do whatever else is needed to done to vanquish the worm.

Afterall, they did click on the link, right? :)

Seriously though, if someone wants to get all pissy about you going to their box and fixing their screwup, threatening to sue and the like, I'd just countersue ... afterall, they tried to hack your box first. ;)

love Sircam and looking for .aq (1)

pjones (10800) | more than 13 years ago | (#2148934)

I've received sircam documents from every contient except antarctica. just yesterday i got them not only from .mx .ca .edu .de .fr .ru and .kr but also from .ga (can you guess that one?) and .cl i usually get a .in about once a week minimum since the virus started. i have so many new friends!

but when will i get a .aq?

So the solution would be... (1)

Orlando (12257) | more than 13 years ago | (#2149252)

I wonder if you could fit a whole linux distro into a virus? Solve the root of the problem.

orlando.

There is another way... (5, Insightful)

FatOldGoth (207461) | more than 13 years ago | (#2149315)

...though it's not quite as effective.

Since the start of this week, I've been running a Perl script as an hourly cron job that parses my firewall logs, gets the originating IP addresses of any Code Red scans, does a reverse lookup, attempts to extract a meaningful domain name and then mails a polite notification to postmaster and webmaster at that domain. The notification contains a link to the MS page with the details of the relevant patches.

Since doing so, I've had a number of responses from people thanking me for pointing out the problem and confirming that their server has now been patched. The response rate is only about 1%, largely due to the fact that around 90% of the problem servers are on dial-ups/cable modems/DSL, but it's better than nothing.

I'm not advocating that everybody, or even a large number of people, do this, as the amount of traffic it would generate would only add to the problem, but it seems like a more legal solution than another, white-hatted, worm.

independence day (1)

gladysmalone (513104) | more than 13 years ago | (#2149422)

every july 4 at the retirement center they play the movie independence day some of the people don't like it but i thought it was good but even though it wasn't very patriotic. people always tell me to watch out and not catch computer viruses and i always think about that movie because they used a good virus if it was good enough for them i guess it would work. i really liked the black man in that movie normally they scare me but he seemed like a nice young man even though his wife was a tramp. lois' husband ran off with a woman like that but that was years ago and she died of heart failure a couple years back

sean says i have to get off the computer now so he will send this for me goodbye your friend gladys malone

The AntiVirus I wrote... (0)

gamorck (151734) | more than 13 years ago | (#2149429)

Yeah I wrote something - its a set of scripts that work with IIS. I have a web app that will parse through IIS logs and dump a report back to you with a nice little graph.

I've developed a script - though its not fully functioning yet outside my test environment - that will detect a code red attack and immediately strike back by using root.exe to upload serveral files using tftp.

These files are used in an attempt to automatically patch the server and remove the security holes left by code red.

Unfortunately it has yet to actually succeed over the web. Most of the attackers seem to experience problems when it comes to shutting down. My defense routines automatically try two different ways of shutting down the remote machines (both of with work in my internal network between different machines) - but I cant quite get them to work on the machines on the web.

It may because of the increased security of NTFS. As my routines are only designed to work with security lax FAT formatted systems - that be part of it.

Anyway - Code Red is only getting worse. I've had over 2100 attack attempts since saturday. Day by day the daily number is increasing (600 today alone). This has got to stop.... and I do not believe it will until somebody writes a worm like code red that patches the servers instead of opening them up.

Note: I posted this one YESTERDAY in the CODE REDUX and you damn moderators wouldnt even give me one damn point. Idiots. I wonder if my karma can slip below -5?

Breaking into a house to install a better deadbolt (1)

Akatosh (80189) | more than 13 years ago | (#2150366)

Its illegal. A lot of the 'damage' done by code red is not direct anyhow. A friendly worm would cause just as many headaches. It would still crash cisco 600 routers, break web proxies, clutter up logs and waste bandwidth. Its fighting fire with fire, the friendly worm would be just as much of a problem as the unfriendly one. The last guy that did it got arrested.

You also have to consider the implications of rebooting a computer with an unknown function.

What if my 'default.ida' was a program? (2, Insightful)

mgkimsal2 (200677) | more than 13 years ago | (#2150375)

The worm goes after 'default.ida' as I can see. They're trying to execute a program on my system. (default.ida). If my default.ida was actually a script that sent a payload back, and that payload just HAPPENED to be commands to disable their system, what's the harm there? I'm not ACTIVELY exploiting their system. I'm only sending a payload back in response to a request that THEIR system requested. Seems pretty clear cut to me.

Code red backdoor checker [aspsourcecode.com]

again together (0)

Anonymous Coward | more than 13 years ago | (#2150429)

So one intrusion is better than the other, I'd take the French over the British? (vice versa, ad naseum ad infinit ?)

Let Security Focus take care of it (0)

Anonymous Coward | more than 13 years ago | (#2150582)

I know that even if I got on a windows box, I don't think that I could work it. But here [lerner.co.il] is an Apache module I saw on the mod_perl mailing list that will report the Code Red worm to Security Focus, and try to email the admin of the infected box.

It sounds like a good idea, but.. (0)

Anonymous Coward | more than 13 years ago | (#2150819)

Look, as I understand it, the big problem with the code red virus is the amount of network traffic it creates while trying to find vulnerable computers.

So, youve got a worm out there, trying to find a new host, taking up bandwidth. Now release into this a second worm, using the same amount of bandwidth, if not more, because it has to carry the patch with it to do its job. Suddenly, youve got twice the problem you did before. No, you could just write a program that listens for the worms signature http request, and only fixes that one server, but even that has its problems.

The solution to this is not a worm arms race to see who can write the best worms and counter-worms, It is proper system administration. Any other solution is stopgap at best.

Re:It sounds like a good idea, but.. (0)

gamorck (151734) | more than 13 years ago | (#2109649)

Wrong. You dont write a second worm. You simply a write a daemon that runs on an IIS box. This daemon (part of which I have already written - just cant get it to work right) - would intercept code red attacks - and then attempt to deinfect the attackers box using the security holes code red left behind. It wouldnt actually "spread" itself. It would just clean the infected boxes remotely. If enough smart people install it - code red is history.

My damn code works perfectly in my test environment - but only works halfway on the net......

Gam
"Flame at Will"

It has happened already (2, Insightful)

hexx (108181) | more than 13 years ago | (#2151665)

Cheese, a linux worm did this.
Read This [thestandard.com]

Discussion rerun? (2)

abischof (255) | more than 13 years ago | (#2152081)

Haven't we already discussed [slashdot.org] this [slashdot.org] ?

Write one that ... (0)

Anonymous Coward | more than 13 years ago | (#2152468)

...installs Apache instead of IIS :)

Because of this the internet is dying.. (2)

cybrthng (22291) | more than 13 years ago | (#2152469)

Really..

I can no longer run services on port 80. As of tommorow port 25 is filtered.

Verizon is my DSL provider, telocity is the only other choice and they use Verizons network so the filters will remain even if i switch.

I pay for Pro service and now some Virii/Worm has expired my abilities to run a hobby server at home

Cable modems (@Home) aren't available in my area yet and they have a terms of service prohibiting running servers.

Is the internet dying now that monopolies have 100% control? I mean verizon is blocking services, other isp's control the content and now even if i switch providers i'm still paying for a monopoly after all?

Re:Because of this the internet is dying.. (0)

Anonymous Coward | more than 13 years ago | (#2149428)

Yup, the Internet, *BSD, fair use, freedom, and even Slashdot. Why go on living?

Ain't this an old one? (1)

dirtydog (51697) | more than 13 years ago | (#2152620)

Wasn't this same idea brought up a month or two ago and sufficiently trashed at that time???? Is /. the department of redundancy department?

Heh (1)

ioexcptn (190408) | more than 13 years ago | (#2152685)

I thought of that myself...seems very possible...might be an invasion of privacy though.

Its entirely possible (5, Interesting)

baptiste (256004) | more than 13 years ago | (#2152686)

CodeRed II leaves a huge hole - the virtual C and D drives so even if they remove the root.exe file, as long as the explorer.exe is infected, you can access any file via /c or /d in your GET request (ie /c/winnt/system32/cmd.exe?any cmd you want)

I'm sure folks will scream its illegal and it probably is - but can't a case be made for 'self defense' I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

Why not apply the same logic to this, they are probing me to infect my server so why can't I probe back and disarm them?

Re:Its entirely possible (0)

Anonymous Coward | more than 13 years ago | (#2133291)

I'm sure folks will scream its illegal and it probably is - but can't a case be made for 'self defense' I mean if someone brandishes a gun at me am I not within my rights to shoot them or at least take their gun away?

Clue: threatening someone with deadly force and cracking their webserver are not even remotely of the same magnitude.

Take it one step futher... (2, Flamebait)

Overt Coward (19347) | more than 13 years ago | (#2152687)

And after closing the hole, the counter-virus should stay resident and launch a counter-attack against anyone who tries to exploit the hole with anything other than the counter-virus.

It was proposed before with MS Outlook viruses (1)

the_olo (160789) | more than 13 years ago | (#2152937)

Read that [insecure.org] post from bugtraq archives: The proposal of creating such an automatic healer worm started a fierce discussion.

where's (0)

Anonymous Coward | more than 13 years ago | (#2153050)

"Radek" when we need him....:)

Or not (0)

Anonymous Coward | more than 13 years ago | (#2153052)

This would be a BAD idea. It's still a virus, and regardless of intent, you'd be open to litigation / incarceration because of it.

This is definately not a good idea (2)

Foxman98 (37487) | more than 13 years ago | (#2153228)

While the Code Red virus has been spreding rapidly, in part due to all those Windows 2000 users on cable modems, I think this idea of "fixing" everyone's computer is a really really bad one.

By connecting to someone elses computer, and running code on it without their permision you are in fact committing an illegal activity. I think a much better idea would be to politely inform the machines' owners that their server is infected. Also providing a link to the patch.

Any unauthorized access is scary. Remember that worm a while back that went around and "fixed" unix systems by patching holes? Remember the outcry about how no one would want that because it was "Their" server and whatnot. Same thing applies here.

first of all... (0)

spam368 (43865) | more than 13 years ago | (#2156553)

first of all, i know I wouldn't want a virus continuously polling to see it someone is trying use a backdoor, hell i dont need the slowdown after the virii is history... second, is it ethical to "fix" someone else's machine?

This is a Bad Idea (4, Insightful)

Satai (111172) | more than 13 years ago | (#2156567)

This is a very Bad Idea. First of all, unauthorized access to a computer is, by definition unauthorized. Any worm which spreads changes is illegal and as such a Bad Idea.

No matter how good your intentions are (RTM just wanted to play around, right?) you cannot take the "law" into your own hands.

Ethical issues aside, it would be very dangerous to being publicizing that there was a beneficial worm available; immediately, we would get copycat worms everywhere, appearing the same (yes, this could probably be circumvented by MD5 checksums or something, but jeez, if the webmaster was going to go through THAT much trouble, they'd install the damn patch themselves!) but doing far worse things.

I'm not usually one to spout Libertarian philosophy - but in this case, if somebody wants to leave their box open - through ignorance, laziness, or some other ineffable reason - that is their choice and not the choice of some 15-year old hacker who thinks he'll redeem his l33t friends' images in the media's eyes.

The defenses always have to be kept up - or else you have to start making judgment calls about which outside sources to give access to, which is a path no one wants to go down.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?