Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Slate On Worms That Plug Security Holes

timothy posted more than 10 years ago | from the anti-missile-missile dept.

Security 417

gwernol writes "Slate has a well-written article on 'white knight" worms like Nachi that attempt to automatically patch security holes; Nachi try to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"

Sorry! There are no comments related to the filter you selected.

No. (2, Insightful)

mirko (198274) | more than 10 years ago | (#9820144)

But are 'good viruses' really a good idea?

These could be Trojan.
If I give you some worm that's supposed to cure another but which in fact is another one...

Re:No. (0)

Anonymous Coward | more than 10 years ago | (#9820149)

What if I give you a worm that is supposed to cure the flaw it exploits, but in return gives you another worm which cures itself?

Shit, better post this anonymously.

Re:No. (2, Interesting)

munter (619803) | more than 10 years ago | (#9820193)

I agree. There's a fine line between a white worm and black worm. Before you know it, worms will be the next ICBM, with people seizing the transport to change the payload. Bad bad bad.

Re:No. (2, Insightful)

mwvdlee (775178) | more than 10 years ago | (#9820230)

If it were a Trojan, it wouldn't be a "good virus" anymore :) It isn't about worms purporting to be good, it's about worms that are actually trying to do some good.

I'd prefer that no worms existed at all but given the choice I'd much rather have my idiot neighbor to open a good virus then a bad one, there's going to be wasted bandwith either way but atleast the good virus could stop some waste in the future.

You girlie men! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9820346)

You people here on slashdot are such girlie men. Talking about computers and worms when you should be having sex and pumping iron instead.

about that (0)

Anonymous Coward | more than 10 years ago | (#9820146)

isnt microsoft gonna do this with"trusted computing"?

if it wasnt for all the network traffic (1, Funny)

sgbett (739519) | more than 10 years ago | (#9820147)

it would have been 1st post.

Er... (0)

Anonymous Coward | more than 10 years ago | (#9820150)

Wasn't Nachi supposed to patch against Blaster and NOT MyDoom??

Well, (-1, Offtopic)

ooze (307871) | more than 10 years ago | (#9820153)

Who says removing a Windows install isn't a good thing?

A REALLY black-hat one would be healthier (2, Interesting)

CaraCalla (219718) | more than 10 years ago | (#9820299)

If someone came along to write a really nasty one, that could have certain beneficial side-effects
  • zero-day remote hole
  • replicate for 24 hours
  • then really mess up the filesystem, destroying most of the data
That would teach most people to patch there systems.

The Big One, anyone taking?

no sig

One bad idea (5, Insightful)

gowen (141411) | more than 10 years ago | (#9820154)

It could even launch warnings on the user's screen for a few days ("Hey dummy! Click here to protect yourself!")
Gee. Thats a fine way to train users to just click "OK" on every dialogue box they see. And we all know what a great idea that is....

Re:One bad idea (1)

carnivore302 (708545) | more than 10 years ago | (#9820267)

It could even launch warnings on the user's screen for a few days ("Hey dummy! Click here to protect yourself!")

This will do nothing about the bandwidth problem. In an ideal world this wouldn't be necessary, but since we're not living in one I prefer this approach where the bandwidth is wasted once per exploit.

Too bad the number of possible exploits is unbounded...

Why don't you CLICK HERE [] ? Maybe some doom3 stuff behind it...

There is no "good virus". (3, Insightful)

JanMark (547992) | more than 10 years ago | (#9820156)

Next thing in line: an automatic spyware remover. Followed by: an automatic licence checker. And in true 1984 style: an automatic open source software remover.

Re:There is no "good virus". (0, Funny)

Anonymous Coward | more than 10 years ago | (#9820183)

that'd be superdoubleplus bad.

Re:There is no "good virus". (1)

9Nails (634052) | more than 10 years ago | (#9820331)

Quote: " ...Followed by: an automatic licence checker. "

They have those, it's called Steam.

In Soviet Russia.. (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9820158)

Oh forget it..

incent (v.) (0)

Anonymous Coward | more than 10 years ago | (#9820159)

The correct PHB word is "incentivize". Thank you for your attention.

Here is a related article... (5, Informative)

Sun Tzu (41522) | more than 10 years ago | (#9820160)

...on the problems with beneficial computer viruses [] .

Nachi was in response to Blaster (5, Informative)

asdavis (24671) | more than 10 years ago | (#9820161)

Nachi took advantage of a RPC/DCOM vuln, a WEBDav vuln or a Blaster infected system. It had nothing to do with MyDoom.

Re:Nachi was in response to Blaster (5, Informative)

dalamarian (741404) | more than 10 years ago | (#9820228)

I am not sure if nachi was re-released but it did also try to take down older versions of mydoom (a and b) Not surprised if was released as a new version
******** From Symantec **********

W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the version of the operating system of the infected machine is Chinese (Simplified), Chinese (Traditional), Korean, or English, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install it, and then restart the computer.

The worm also attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.

Also Known As: W32/Nachi.worm.b [McAfee], W32/Nachi-B [Sophos], Win32.Nachi.B [Computer Associates], WORM_NACHI.B [Trend],

Probably.. (5, Interesting)

manavendra (688020) | more than 10 years ago | (#9820165)

for most users, who experience bewildering slowdown of the internect connectivity, or the intranet access, which mysteriously disappears after a few days - for them, such "White Knights" may probably be useful. For grannys, gramps and other naive users it would be a blessing.

For others, who have mission critical application or other extensions on the target OS, such "White Knights" may send a shiver down the spine:

What if it plugs a hole, but breaks something else?

From what I have seen, such socialist stuff doesn't really go down well with corporations. They don't give away things for free, and they don't expect anything given to them for free.

Re:Probably.. (2, Insightful)

iLEZ (594245) | more than 10 years ago | (#9820246)

Also, virus writers, black or white hatted, should never do the work that every experienced sysadmin should do.
Kind of like having robbers in charge of security in a bank.

Re:Probably.. (5, Interesting)

Mr.Cookieface (595791) | more than 10 years ago | (#9820255)

It would be interesting to see some trusted repair networks emerge which deliver fixes to unpatched vulnerabilities for users who want them, similar to those who maintain spammer lists. The patches could be delivered over a trusted P2P network which has as its only purpose to deliver these files and of course would use hashes to verify the integrity of the files it delivered. That way, the white worms would only travel where they are wanted and could be tested a lot better than by the lone hacker.

The only problem is that the users who would most benefit from this type of service aren't the type to be proactive in their fight against viruses and would probably never use something like that unless it came preloaded and turned on by default and Micro$oft would never let that happen.

Perhaps the ISPs need to take more responsibility for identifying viral network activity and block it, while notifying the end users. Something like when they go to connect to the internet, they get a page notifying them that their machine is infected and they need to call a certain phone number before they are let back on.

Re:Probably.. (1)

byssebu (797117) | more than 10 years ago | (#9820292)

Sounds like the anti virus software that's used today :)

Re:Probably.. (1)

surstrmming (674864) | more than 10 years ago | (#9820305)

It would be interesting to see some trusted repair networks emerge which deliver fixes to unpatched vulnerabilities for users who want them, /.../

Ahem... Windows Update, up2date, apt-get... but I suppose you never used these.

Re:Probably.. (1)

RMH101 (636144) | more than 10 years ago | (#9820308)

what, you mean like windows update and all the spyware/av companies? sheesh.

Re:Probably.. (1)

MrRTFM (740877) | more than 10 years ago | (#9820310)

What if it plugs a hole, but breaks something else?

If a 'good' virus manages to get onto your system without you installing it, then you are already fucked and it really doesnt matter.

Of course no one here is going to like this idea, but as you say - its for granny and gramps and others who aren't running firewall and antivirus software and blindly open every damn attachement they get.

I think its a great idea - it can only 'cure' people who are at risk, and even if it does break their system, they probably would have had it turn into a zombie soon anyway.

Re:Probably.. (1)

lucas teh geek (714343) | more than 10 years ago | (#9820325)

For others, who have mission critical application or other extensions on the target OS, such "White Knights" may send a shiver down the spine:

its their own fault for not securing the flaw, be it through patches, firewalling or what ever other method would help. If the "white knight" can exploit a vunerability then so can a real virus, and i know which id rather have forced upon me

Re:Probably.. (0)

Anonymous Coward | more than 10 years ago | (#9820332)

This is not socialist, communist, capitalist, fascist, democratic, republican, tribal or otherwise a system of organized government or economic.

We in the U.S. live in a capitalist, constitutional democratic republican society. There's plenty of room in there for lots of different solutions to problems.

It's not hard to come up with public programs from which corporations happily benefit (e.g., education, roads, monetary policy). Nobody minds getting something for free: it's the hidden costs that people worry about.

It's silly to throw around governmental structures over a simple issue of individual preference.

Viruses to attack Viruses which patch Viruses (5, Insightful)

singleantler (212067) | more than 10 years ago | (#9820166)

If White Knight viruses become common there will be viruses designed to attack them as well, it's just making an extra battleground. This has happened with anti-adware products - many of the new trojans and viruses try to stop software like Adaware working.

The answer is to have a secure system, as that's not happening in the Windows world at the moment, then frequent patches to plug the holes and a way to encourage everyone who uses Windows on the net to download them is the way to go, as is installing more secure software (e.g. Firefox rather than Internet Explorer.)

Re:Viruses to attack Viruses which patch Viruses (5, Interesting)

FireFury03 (653718) | more than 10 years ago | (#9820348)

The problem with patches (and this goes for the linux world as well) is that people who don't have DSL are stuffed - how am I going to convince my dad to download all 70 meg of WinXP-SP2 over his pay-per-minute 56k dialup?

(and no, "White Knight" viruses are not the answer)

If ISPs start taking a hard line against exploits instead of ignoring them then people might pay more attention - it's not rocket science for the ISP to detect the signatures of worms scanning the network and automatically pull the plug on anyone compromised. I favor a "internet rating" system in the same way you get a "credit rating" - if you're shown to repeatedly get compromised then it's clear you can't run a secure system and no ISP should allow you full unrestricted internet access.

I'd also like network-connected software you pay for (e.g. Windows) come with free updates _on CD_ for a reasonable life of the product instead of requireing you to download it. If my car has a fault (e.g. the brakes don't work under some conditions) then the manufacturer writes to me and fixes it at their own expense - they don't quietly put a notice up somewhere out of the way saying that if I want to I can send off for the replacement part and then wait for the media to actually publicise it after a few people crash coz their brakes didn't work.

Before anyone complains, the whole on-CD updates idea wouldn't apply to free linux downloads like Fedora since you're not paying for it in the first place, but quite rightly it should apply to stuff you do pay for like RedHat Enterprise, etc.

Like stealing your bike (5, Insightful)

Anonymous Coward | more than 10 years ago | (#9820168)

It's like somebody is stealing your bike just to take it for a service.

Would you like that?

Re:Like stealing your bike (1)

dalamarian (741404) | more than 10 years ago | (#9820253)

Well, apparently in the US we do, it's called reality TV, but they do it with cars and call it OverHaulin :-P

Positive compunded interest (1)

foniksonik (573572) | more than 10 years ago | (#9820169)

A "White Knight" worm can establish a positive compounded interest "pluggin" of potential holes... ie: for each system plugged it can, if coded correctly, decrement the number of systems it evaluates. A good system would be to create a temporary "white list" of plugged systems which a pro-worm could ignore as it had already visited that system and plugged it.

Given this assumption, a white knight worm would have a heavy impact intially but after the first day would drop off dramatically in an exponential manner.

If done correctly it would work amazingly well.

Are they a good thing? (5, Insightful)

rebeka thomas (673264) | more than 10 years ago | (#9820170)

No. My reasoning is that a trojan, no matter how it modifies a system, has a chance of fucking it up.

Even valid updates from manufacturers have the odd really bad messup. Making a service crash, modifying a config file so it doesn't work, causing unexpected behaviour.

To give support to those writing such whiteknight worms gives support to any anonymous coder who might wish to fix a problem, with no concept of testing things on a system other than their own or a few others belonging to a "friend of a friend".

Re:Are they a good thing? (0)

Anonymous Coward | more than 10 years ago | (#9820225)

But the thing is these will probably do more harm than good.

When ur company is on the receiving end of a DDOS caused by a virus, you'll be glad to know there is something out there going piecemeal through all those infected DDOS machines and cleaning them out.

If their DDOSing you, they're performing an illegal operation, and surely that must be stopped any way possible.

re-evaluate your reasoning (1)

oliverthered (187439) | more than 10 years ago | (#9820312)

Sir, you system is was fucked in the first place, that's why it's being modified.

It's a bit like the dentist giving you a filing because you teeth are fucked, and will get more and more fucked until the hole is patched.

It would be nice if you could see the source code so that you know nothing else is going to be affected, but then it would also be nice if the dentist told you that the filling contained heavy-metals :-

Re:re-evaluate your reasoning (0)

Anonymous Coward | more than 10 years ago | (#9820334)

you system is was fucked in the first place, that's why it's being modified.

Show the proof that a whiteknight worm will only modify a broken system.

It's may a good idea. (1)

redgrid (787315) | more than 10 years ago | (#9820172)

Supose the PC is like man body. Then, It contains either good and bad germs at the same time. The good are fighting against the bad for us all along with our lives.

Re:It's may a good idea. (0)

Anonymous Coward | more than 10 years ago | (#9820207)

This is an oversimplification. Besides, there are no such things as good "germs".

Think about this. If a "white knight" (ridiculous name by the way) were made which emailed itself around to remove let us say MyDoom - how about a guy like me who uses linux and doesn't really care what happens to windoze users ? Why should my mail box be filled up with such useless mails ?

fixing without permission (1)

martin (1336) | more than 10 years ago | (#9820173)

you mean like windows autoupdater???

why do think alot of these don't outside a broadband connected home??? prob 'cos of change management within companies so they turn it off, but then they don't have a decent test/patch system to replace it...

of course that assumes the patch doesn't break your favourite application.

Again the problem isn't so much patching the holes (which is a problem with any piece of software) as the massive *monoculture* (sorry market dominance) of WIndows and it's security issues that's the issue. Sure

The Big Picture (-1, Redundant)

Aggrazel (13616) | more than 10 years ago | (#9820175)

"Do we really want programs jumping onto our systems and 'fixing' them without permission?"

I can see it now:

"Hello, this is your friendly neighborhood good virus, it looks like your computer is vulnerable to a nasty microsoft RPC bug, would you like us to patch this up for you?"

This is a plot to a movie, "I Robot" (1)

jageryager (189071) | more than 10 years ago | (#9820176)

I don't think we need white hat worms running around plugging all of the security holes in my honey pot servers.


Re:This is a plot to a movie, "I Robot" (0)

Anonymous Coward | more than 10 years ago | (#9820303)

Speaking of honey pots, your mom's taste's delicious...

How would Anti-virus programs react ? (2, Insightful)

phreakv6 (760152) | more than 10 years ago | (#9820177)

Anti-virus programs like Norton AV,McAfee etc would still block these intelligent programs.They are still viruses.are they not?

Hell (1)

manavendra (688020) | more than 10 years ago | (#9820180)

Some of the obvious reactions :

1. What if a "White Knight" leaves or opens a new vulnerability?
2. How is one to know if the "White Knight" is actually what it claims to be? Better still, a "White Knight" closing a vulnerability, but opening a backdoor?

It's wrong. Next. (1)

Threni (635302) | more than 10 years ago | (#9820181)

I chose what runs on my machine. I don't want other people deciding on my behalf. If someone else writes code to run on my PC without my permission then it's breaking the law as far as I'm concerned, or should be. I should choose to download it, and it should tell me what it's going to do.

Illegal (2, Informative)

vi (editor) (791442) | more than 10 years ago | (#9820185)

One should note that a "white kight" worm is illegal like "bad" worm and would fall under the same criminal charges. And the author would have to pay civil damages as the worm consumes bandwidth. The affected party might even argue that such a worm requires a complete security check-up with reinstalls etc. as the source of the worm can't be trusted.
A white kight worm author would end up with the same civil damages to pay only gaining perhaps a small reduction of the criminal charges.

Re:Illegal (1)

GigsVT (208848) | more than 10 years ago | (#9820327)

People running Windows would have a hard time arguing they need to see source code to be able to trust their software. They blindly trust software that is known to be faulty, that's why there even this discussion in the first place.

But yeah I agree, so called white-hat worms are illegal and stupid.

If I Want It On A System... (1)

Rob_Warwick (789939) | more than 10 years ago | (#9820186)

If I want to have something on a system, then I will put it on the system myself. I trust me, as I tend to work in my own best interests. If the virus pops up a box that says 'Protect yourself by clicking...", I still don't want it. If I wanted to use security software, I would make the choice to download it. How do I know this won't interfere with something running on my system? Or worse. Suppose it patches without permission. I can just see someone writing one with the best of intentions, and causing some side effect. What if an important port was closed? Or if the port is in legitimate use? In short, if I want to protect my system, I want to be the one who decides that. Without that choice, I lose control over how my machine is protected, and risk possible conflict with any security I have in place already. Whoops. I'm a Mac user. I guess I'm covered either way. (Awaits the inevitable comeback from a hundred people telling me that just because nobody writes viruses for Macs doesn't mean they can't be!) -Rob

Bad Idea.. (1)

bus_stopper (746613) | more than 10 years ago | (#9820188)

Its bad enough managing several thousand PC's with users who want and try to download everything and anything they can lay their hands on without having the extra administrative burden of so-called good worms screwing things up too! Honestly though, if you tie the machines down and implement regular automatic updating of OS and anti-virus you should be OK, if you dont do the above, well, you only have yourself to blame.

Analogy in biology, symbiosis. (0)

Anonymous Coward | more than 10 years ago | (#9820189)

The human body needs good bacteria, parasites etc. to function properly. Why should computers be any different? (This is Slashdot, after all :)

Maybe this is just a step towards software that lives within internet and iPods for example, fighting against bad code... or on the other hand, wreaking havoc.

No, no, and no. (2, Insightful)

mercan01 (458876) | more than 10 years ago | (#9820190)

"White Knights" are a horrible idea. They're a horrible idea for the very same reasons letting MS automatically push upadates onto your computer without your knowledge or permission are a bad idea.

It's not for someone who "knows better" to decide for me how to "Secure" my computer. What happens if one of these virus-like apps(either from MS or a third part) "patches" my server with my multi-million dollar application system and somehow breaks it, as unintentional as it may be?

If these hackers want to do good and create 3rd party patches that people can download and install on their own, that's one thing and I applaud them for their efforts. But, please, don't insult my intelligence and do something that's "best" for me without my knowledge or consent.

What is a 'white worm' (1)

UnderAttack (311872) | more than 10 years ago | (#9820191)

So called "white worms" have the habbit of installing their own backdoors (e.g. like Nachi). In many cases, they only fix the vulnerability to gain a stronger foothold in the system and prevent others from taking them away.

Other than that, the usual rule applies: The difference between a criminal and a security expert is written permission!

That's just not acceptable (1, Funny)

hdparm (575302) | more than 10 years ago | (#9820194)

Whoever tries to muck around other people's computers should be prosecuted and punished. Not doing any damage? I don't care. What's next - random passers by jumping through my window to turn off the light I left on when I went out?

Good virus. (1)

astellar (675749) | more than 10 years ago | (#9820196)

I think this is generally good idea. Like a vaccination for humans, these programs can help us to keep computers healthy.

Wrong approach (2, Insightful)

vandan (151516) | more than 10 years ago | (#9820198)

I really am sick of viruses.
Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers.

Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Window installation.

If I were writing a worm, however, I'd take a different approach. I'd make it spread quietly, and then destroy the Windows install completely 1 day after infection. The whole fucking lot. People who get viruses are asking for it. If you put your computer on the internet, you have a responsibility to do the right thing by everyone else. If you stick your head in the sand and click on all the 'click here' and 'free hardcore XXX' links, then come bitching to me when the whole thing comes crumbling to the ground then you really only have yourself to blame.

ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean.

Once a few viruses start doing this, people will get the hint and keep their systems secure.

Re:Wrong approach (0)

tehcyder (746570) | more than 10 years ago | (#9820232)

Good attempt at a troll, but not terribly subtle.

Re:Wrong approach (0)

Anonymous Coward | more than 10 years ago | (#9820273)

>Being an IT professional

Can you be an IT professional at 13?
You don't seem to have a very professional attitude to your users.

Either you're a neophyte troll or a complete fucking retard.

Re:Wrong approach (1)

JudicatorX (455442) | more than 10 years ago | (#9820284)

The problem is, inevitably, who will decide "what is reasonable". We don't need a bunch of rogue grey hats attempting to see what systems they can destroy because the person managing them hasn't secured them against XYZ.

However, to a certain extent I agree with you: but the sad truth is that people don't learn, and most people haven't got a clue in their heads that the "would you like to remove spyware from your machine" popup windows might result in malware being downloaded to their machine.

Re:Wrong approach (1)

AkaXakA (695610) | more than 10 years ago | (#9820285)

Someone needs a hug.

Re:Wrong approach (1)

Spellbinder (615834) | more than 10 years ago | (#9820322)

i think it should be easy to flash the BIOS to death
i never understood those virus writers
why write a virus at all if it does not destroy the victims computer?
are those virus/worm writers all good people???

Like linux doesn't get worms. (2, Informative)

oliverthered (187439) | more than 10 years ago | (#9820329)

Linux has it's fair share of worms to [] , and if you move the same 'stupid' windows users over to linux there still going to be stupid, and your still going to get worms and trojans and spyware, though more will be at user not system level, since it's harder to evevate priviilages on a Unix bos than a Windows one.

The only good virus is a dead virus... (1)

TheTXLibra (781128) | more than 10 years ago | (#9820199)

"What about a socially engineered worm that claims to be doing good?"

That would be called a "Virus".

Bleh. To be honest though, I don't see a whole lot of difference between a "good" worm and "good" bacteria. Your hands, skin, blood, etc, already have millions of bacteria feeding off your system. They assist in choking out the "bad" organisms. Eh... poor analogy, but what do you want for 6am?

QOTD particularly appropriate (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9820200)

Even if you can deceive people about a product through misleading statements, sooner or later the product will speak for itself. - Hajime Karatsu

Too true!

Path to hell was paved with good intentions... (1)

dalamarian (741404) | more than 10 years ago | (#9820208)

I admit the idea at first sounds very cool, however it never works and always poses as yet another vulnerability. Several times in the past year those "white knight" worms/viruses have done more harm to my networks than good. What is needed is more knowledgeable/competent admin and users, even better patch delivery systems, and for the makers of the OS that dominates most of the market to actually practice security and not just preach it when the media puts the spotlight on them. Yes that was wordy, need more coffee.

Noway i need some unauthorized 'patch' (1)

88NoSoup4U88 (721233) | more than 10 years ago | (#9820209)

Just because other people are too dumb to open attachments with the topic 'if you open this attachment, Bill Gates will send you a million bucks !', doesn't mean my connection should get bogged with worms trying to 'patch' my machine.

I take care of that myself, thankyouverymuch...

We could axe most of these easily enough... (1)

shaitand (626655) | more than 10 years ago | (#9820210)

Although they only hold 93% of the market last I checked (96% according to some sources), 99.999999999999999% of viruses only affect windows, and/or Microsoft applications. Between fingers and toes (haven't tried honestly) you might just manage to count all the viruses which have affected OTHER platforms combined throughout history... and you don't need any digits to count the number that affect other platforms NOW.

So obvious answer, rape, pillage and murder anywhere you see a windows box. You will see a dramatic decline in viruses. Harmful viruses will generally decrease proportionately to the murdering of course... the raping and pillaging are purely recreational and perfectly harmless if accompanied by murdering anyway.

Besides, I'm almost positive it's in the commandments somewhere... Thou shalt act with holy vengence and slain my enemies who come flying the butterfly standard.

Re:We could axe most of these easily enough... (1)

Sircus (16869) | more than 10 years ago | (#9820243)

The Amiga had plenty of viruses. DR-DOS was, I believe, just as susceptible to boot-block viruses as was MS-DOS. Macs have viruses [] .

Windows viruses are certainly the most common at the moment, but to say that 99.9...% of all viruses are on Windows is inaccurate.

Tit For Tat (1)

sridhar.g (791166) | more than 10 years ago | (#9820213)

Doing good in bad way??.. alas!!..
Certainly an alternative to deal virus problem.
Hope it cannot be an effective solution.
Coz, Bad people can take it as an advantage to come with various tricks.. Where end users will be in utter confussion.
If there is a trusted Organization to deal it. Name it as Virus Guards
Every Net users should aware of Virus Guards. This Virus Guards, need to circulate a immune in a way it should not affect network.
Each time Virus Guards need access, They can ask user permission, saying XXX virus affected.. We have immune, should we immune it?.. some thing like this..
If user says ok, it can cure and patch it..
Hope, Prior to all these, there need to be some Apex Body to define, Do's and Do n,t.. Like W3C for Web..
To deal it effectively, Our Biggies .. MS,SUN,IBM and our OpenSource community. Should come to a single path.. Is that possible??

The road to hell is paved with good intentions (5, Insightful)

minus9 (106327) | more than 10 years ago | (#9820216)

Blaster had very little impact on our network. Nachi on the other hand caused absolute bloody chaos.
There is absolutely nothing "white hat" about running code on someone elses machine without their permission.

To minimize the traffic (2, Interesting)

Prong_Thunder (572889) | more than 10 years ago | (#9820220)

The white worm needs to be passive; a compromised system will try and attack other systems - all the "good" virus has to do is wait for an attack. When an attack occurs, our "good" virus has the IP of a compromised machine on which to mount a counterattack/patch.

The white worm should also uninstall itself after a predetermined length of time, say 10 days.

I understand the concern people have about auto-patching, however I am certain that none of those people would put themselves into a situation where they were vulnerable in any case - they would only see a benefit from this, in the overall lessening of net traffic.

Good news for M$ (1)

XemonerdX (242776) | more than 10 years ago | (#9820223)

Instead of having to patch all their security holes themselves, they can now blame everybody else for not having written a 'white worm' yet for every worm/trojan horse/etc out there that exploits their security holes. Clever.

they stuff up networks (5, Informative)

sejanus (18670) | more than 10 years ago | (#9820224)

I'm a network engineer at a reasonable size isp.

These bloody worms caused us so much bother, our customer terminating (ethernet) routers (Cisco 7206 NPE300 VXR's) really suffered CPU wise against these because the ethernet based services are procssed switch unlike ATM/POS etc unfortunately. And the netflow accounting tables were just out of control.

AND the old legacy routers we have that still ran snmp based ip accounting, the cpu on them went ballistic. It was a big pain in the butt and took a lot of stuffing around to fix/block etc.

Unfortunately just blocking the traffic doesn't help as you have to recieve the traffic in order to block it, so I was dumping netflow tables and getting the support guys to call infected customers. Many hours of work just because some little shit script kiddie/newbie programmer thought it'd be funny.

On the bright side though, it promped management to give me a lot of money to get some more grunty gear so we are now better prepared for the next time it happens, and I'm sure it will.

nothing wrong with it (0)

Inominate (412637) | more than 10 years ago | (#9820226)

There is nothing wrong with the concept of 'good' worms/viruses. The problem comes in implementation, making sure that your so called 'good' worm really is. So while in theory it's a good thing, in practice it's difficult to provide adequate testing to ensure that the 'good' worms really are.

Must... find... water.... *gasp* (1)

Omni-Cognate (620505) | more than 10 years ago | (#9820227)

This colour scheme's making me thirsty.

It would be far simpler... (1)

mikael (484) | more than 10 years ago | (#9820233)

... if Windows had an "update required" icon as used by Red Hat Linux/Fedora Core (and others). To me, this seems to be the optimum solution. It's not updating files without your knowledge (Windows Update), and you are informed at every stage of the process as to what changes are taking place.

The only way this could be made any simpler is if you had a happy face for a system with all updates installed, an unhappy face when there were new updates available, and an angry face when no updates had been made in several weeks/months.


RMH101 (636144) | more than 10 years ago | (#9820323)

...right out of the fucking box. You'll get a windows updates available icon on the systray.

Teller worm (1)

TobiasSodergren (470677) | more than 10 years ago | (#9820235)

What about a worm that points out that the computer has been infected and tells the user where to find a cure for the infection?

Re:Teller worm (-1)

Anonymous Coward | more than 10 years ago | (#9820339)

How about a FLOPPY COCK?

its a grey issue (0)

Anonymous Coward | more than 10 years ago | (#9820238)

well i don't personally think there is any ethical issue in invoking an exploit with the intention of pathching it, an issue does arise when your good worm causes the detrimental effects to a network that the original worm would. An interesting solution would be a passive client that reports the originating IPs of exploit attemts to a database to be processed by one of these autopatchers.
While most of i assume most of these packets would be spoofed at least on a local network they might give enough away to be isolated, and on the internet as a whole, if the clients had knowledge of each other perhaps they use hop counts to attempt to isolate out the infected,
it might be an interesting module for a router firmware distribution

No thank you (1)

panurge (573432) | more than 10 years ago | (#9820247)

I do not want anything going around the network trying to do automatic patching, thank you very much. I'd much rather see ISPs mandated to remove machines from the network which are originating virus-laden emails, and a more aggressive approach to denying all access to ISPs that don't control the problem.

In the physical world, you may be a common carrier but you are not exempt from all control over the things you carry. The US post office is not _allowed_ to carry letters full of anthrax without regard to the consequences. The contents of trucks can be inspected if it is suspected they are illegal. It used to be regarded in some quarters as a joke that strong encryption is treated in the US as a "munition", but it's quite a rational point of view. In the same way if an email contains a virus, it could be considered to be a weapon - intended to cause damage to a system or be used as an adjunct to stealing email addresses. If airlines can be required to screen passengers for concealed weapons, I do not see why ISPs should be exempt.

OK, in the short run it might cost a little more. In the long run, it should save us all time and money.

There is also the separate issue of whether Microsoft is liable in some way for supplying products which make it easy for such things to spread. I guess this occupies the minds of their lawyers since their efforts to fix the problem are now so intensive. I am not suggesting that something which innocently contains a security hole is liable, but I am suggesting that manufacturers of operating systems should have a duty of care. Designing everything to interoperate silently perhaps could be regarded as negligence.

This is not a libertarian attitude, but it is rooted in the idea that the freedom of movement of your fist stops short of my nose. The solution to that kind of problem is rule of law, not to have a crowd of alternative fist-swingers who attempt to collide with your fist before it reaches my nose.

Nachi (1)

jdhawke (797924) | more than 10 years ago | (#9820250)

True Nachi did download and install the Blaster patch, but some of its varients also did things like overwrite a random help file in the windows IIS install. Sophos Analysis of Nachi-G [] Not to mention its use of a tftp server leaving yet another opening into the system.

NO! (1)

Y Ddraig Goch (596795) | more than 10 years ago | (#9820254)

As a programmer responsible for production systems I don't want ANY untested programs on my (our) systems. We even (especially) test MS security patches to make sure that they don't break any functioning software systems.

better popup window (and more generic) (1)

zoefff (61970) | more than 10 years ago | (#9820257)

As stated elswhere, clicking on every popup window that comes around is not a good idea. Therefore another proposition: A 'whitehat' virus with the following text:
"You have a security hole and this window is the proof of it. Please go to the ManufactorX site to download a patch, before malicious content can access your computer"

No links, no OK button, just a little clickable X in the upper right corner.

Jesus Christ! (1, Informative)

Slur (61510) | more than 10 years ago | (#9820265)

Dump Microsoft and be done with it. Linux, Unix, and Mac are all viable now, and far more modern than anything Microsoft has going. There is no compelling reason to stick with MS for any reason any more. Seriously, they're really stuck, and they have only themselves to blame.

Don't get me wrong. I like the drama of a vulnerable platform as much as anyone. But I prefer to enjoy it from afar. That's why
I stick with Mac and Unix.

On the other hand, there is the cynical satisfaction of watching stupid people buy MS with a smile on their face, thinking they're gaining a source of pride and joy. Little do they know, only weeks from now they'll be paying me dozens of bucks per hour to run AdAware and reinstall their system.

Thank you MS! Your dedication to backwards compatibility for abandonware ensures me and my MCSE-toting buddies years of capitalizing on the inherent flaw of your approach. I would bow before you if you didn't so resemble a dung beetle.

Yeah, that will help... (1)

Kernel Kurtz (182424) | more than 10 years ago | (#9820270)

"It could even launch warnings on the user's screen for a few days ("Hey dummy! Click here to protect yourself!") before going ahead and patching the hole itself."

Yeah, teach people to click on unsolicited messages. That'll go a long way towards educating DFUs.

Subscription system (3, Insightful)

Lord Grey (463613) | more than 10 years ago | (#9820272)

There are pros and cons to having 'good worms' patch systems. For most Slashdot readers, it's probably not a good thing. We tend to pay attention to patches, what our systems are doing (so as to detect strange activity), etc.. But as others have pointed out, such a worm might not be a bad thing for the non-tech computer users.

What about a subscription-type system for such a service? I can imagine a variant of the virus definitions auto-update that does this. It wouldn't be kicked off by the user's computer, as it could be disabled by the Blaster-style worm, but would rather be initiated by a remote server. Next time a 'bad worm' spreads across the Internet, the service releases the 'good worm' to patch its customers' systems. My mom would probably appreciate something like that.

How do... (1)

goatan (673464) | more than 10 years ago | (#9820279)

You know that it's a "good" Worm how does your firewall or AV software? What if "bad" worms start to pretend there "good" ones? Or piggy backs themselves onto "good" worms? Will this "good" worm stay on my machine forever looking for Virus ridden machines to cure, not to mention the increase of network traffic that "good" worms cause. I think there is to much potential for things to go wrong, be abused and just be a plain nuisance

Its NOT for Slash readers (2, Interesting)

SalsaDot (772010) | more than 10 years ago | (#9820281)

Of course we want control of our machines and would object to anything running on them. Thats why WE protect and patch them regularly, RIGHT?

NO... this is for those Joe Sixpacks, grandmas and - worse of all - the selfish dumbasses who dont know OR CARE if their machine on their spanking new broadband connection is fouling the net for the rest of us.

If ISPs dont employ some kind of active blocking, then the combination of the worlds most used OS (STILL having gaping holes) + users who'll open any attachment and OK every install query + broadband means the battle will be lost without some "friendly agent" on our side.

And whats with these PCs you buy with one years free subscription to virus updates? Whaddaya think happens when that expires? The expiry warning dialogs get dismissed, the machines become increasingly vulnerable.

For these users, patching needs to be proactive, automatic and on by default.

Course the nay sayers will argue that an auto update mechanism creates a vulnerability in itself. This is arguable, but the fact is you're not gonna win trying to "educate" users.

You could just sit back until a nice cosy CLOSED internet standard is imposed on us by the powers that be when the frustration level reaches breaking point.

It could be a good thing. (1)

JamesTRexx (675890) | more than 10 years ago | (#9820293)

For one, systems that are critical should be patched anyway, or shouldn't be linked to a risky network. This is about those systems that would be infected by any destructive worm anyway. Those systems should be patched automatically, even if it's through the use of a white worm.
As long as the worm is passive and can self destruct, the risk of one could be acceptible. It would take up more bandwith in the beginning, but every infected system that gets patched will stop it's own broadcast of the black worm, so after a while traffic would be much lower.
Anything that can be fixed automatically saves time and bandwidth in the end.

Paper by Vesselin Bontchev (2, Informative)

sheriff_p (138609) | more than 10 years ago | (#9820301)

The definitive (and about ten-year-old) paper on this is: []

Well worth a read if you've not seen it before

Yes (1)

9Nails (634052) | more than 10 years ago | (#9820314)

For those Windows users who are clueless that they are even infected with a virus, there is no alterntative; beyond the ISP detecting infections and blocking the infected computer from the network.

WhiteHat viruses are benificial and necessary. But they need to be smarter than Nachi, move slower and more methodically, and put up a red flag that remains until the user fixes the problem. I think it's okay that they clean off the previous infection(s). And perhaps they should block all ports other than POP and HTTP.

Secure systems are (probably) not the answer. (1)

baadfood (690464) | more than 10 years ago | (#9820317)

The issue is this. Nature - and by that I mean an awful lot of biological systems evolving at various rates - has not yet - to my knowledge - developed a single system where immunity is by security. That is to say, no non trivial software system can be proved bug free. By induction, no non trivial system can be proved secure against the sort of "security holes" that will allow exploits to happen. If security cant ever be proved... then we better come up with a different idea for mitigating the effects of virus attacks. Perhaps though the "fixes" dont need to be viruses. Viruses have a certain economy of scale that allows them to propogate and infect many machines. Perhaps instead of self propogating patches we deploy a system of server propogated patches to systems. Major ISPs could deploy a network of machines designed to, in the event of a virus exploiting a known weakness, systematically transmit an exploit closing patch. Sure, the counter patch might fuck a number of systems up, but by definition those would be systems that would otherwise be utterly compromised.

Network shutdown (1)

dr. electron (463820) | more than 10 years ago | (#9820324)

I would like to see the "Swiss army knight", the ultimate white knight for viruses.

It hacks into your computer and disables the network connection after some period. No software/installation damage.

Sure, it stops your buissness, but it minimizes damage for others using the internet.

Lucky (1)

AngryScot (795131) | more than 10 years ago | (#9820333)

I currently use an unupgraded version of WinXP home. Mainly because I dont want to spend hours downloading patches on my connection.

I have never been infected by any of these viruses and I feel like (at least compaired to the people I know) very lucky.

One of my friends was told by his PC company to do a full format and re-install windows when all that would have been needed was for him to Download Grisoft's AVG []

I really feel sorry for the countless hundreds of people who must have been told by advisors to do that same.

Nachi a white worm? (0)

Anonymous Coward | more than 10 years ago | (#9820335)

If nachi is a whiteworm, then why the hell
does it have a keylogger installed?

Why doesn't Windows Update fix all these problems? (-1, Troll)

gilesjuk (604902) | more than 10 years ago | (#9820336)

Why can't you simply go to Window Update and have that check the health of your system, rectifying any problems?

Wasn't Skynet supposed to do that? (1)

momche (458491) | more than 10 years ago | (#9820344)

Did I read about a system called Skynet that will take over all our computer systems and free them from suffering caused by humans.

Or was it a movie about a girl named Sarah Connor?

this strikes me as a no brainer (1)

justin_speers (631757) | more than 10 years ago | (#9820349)

Installing something on someone's computer without their consent is wrong and there are no exceptions to that rule.

My computer is my property. You have no right to modify or tamper with my property in any way, even if you think it's for a good cause. Just like you have no right to bust in the windows on my house and install properly working smoke detectors.

Not only that, I've seen a few posters point out the obvious bandwidth suckage issues associated with "good" worms.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?