Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Kraken Infiltration Revives "Friendly Worm" Debate

Posted by kdawson on Tue Apr 29, 2008 07:08 AM
from the damned-if-you-do dept.
Security
Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
+ -
story

Related Stories

[+] 'Friendly' Worms Could Spread Software Fixes 306 comments
An anonymous reader writes "Microsoft researchers are working out the perfect strategies for worms to spread through networks. Their goal is to distribute software patches and other friendly information via virus, reducing load on servers. This raises the prospect of worm races — deploying a whitehat worm to spread a fix faster than a new attacking worm can reach vulnerable machines."
[+] Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins 337 comments
DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
[+] New Botnet Dwarfs Storm 607 comments
ancientribe writes "Storm is no longer the world's largest botnet: Researchers at Damballa have discovered Kraken, a botnet of 400,000 zombies — twice the size of Storm. But even more disturbing is that it has infected machines at 50 of the Fortune 500, and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques that hinder its detection and analysis by researchers."
Submission: New Kraken research renews "Friendly Worm" by Anonymous Coward
[+] Malware vs. Anti-Malware, 20 Years Into The Fray 62 comments
jcatcw writes "Steven J. Vaughan-Nichols considers the dissimilarities between malware of yore and current infiltrations as we approach the 20th anniversary of the Robert Morris worm. Modern malware apps curl up and make themselves at home in your system, where they wait for a chance to snatch an important password or a credit card number. Welcome to the era of capitalist hacking. Any self-respecting malware program today is polymorphic, making signature-based antivirus approaches difficult. Heuristics and virtual sandboxes offer alternatives, but all such methods are reactive. Unfortunately, monitoring lists and networks is about the only current alternative."
[+] Technology: A Few Firefox 3 Followups 407 comments
An anonymous reader writes "Using data generated by the Mozilla Firefox download pledge page, the map on this blog post ranks countries, not by absolute number of pledges made, but rather on a per capita basis. This analysis yields some interesting conclusions about where open source is strongest and weakest." Anonymous Warthog writes "That didn't take long. In a blog posting from the TippingPoint DVLabs security team (of Kraken and CanSecWest hacking contest fame), they confirmed that they reported a vulnerability in Firefox 3.0 to Mozilla a mere five hours after it was released. Additionally, there was a posting on the Full Disclosure security mailing list from someone that purports to have another vulnerability in the works as well. In the grand scheme of things, this probably means nothing to the general security of Firefox, but you can be sure the browser zealots on all sides will be watching carefully." Finally, from reader Toreo asesino: "Microsoft have congratulated the Mozilla team by sending them their second cake (minus recipe) to Mozilla's Mountain View headquarters to congratulate them on shipping FireFox 3, which went live right on time last night." Congratulations are indeed due on both the browser and the release process — looks like the Firefox fever (despite some seriously taxed servers) resulted in more than 8 million downloads in 24 hours.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Kraken Infiltration Revives "Friendly Worm" Debate 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Had me up until the sensationalism (Score:5, Insightful)

    by dreamchaser (49529) on Tuesday April 29 2008, @07:13AM (#23236500) Homepage Journal
    " is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

    I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.
    • Cleary you have never been to Singapore.

      Oh wait, wrong movie

    • I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection.
      Would that be a 'heartworm'?

    • Re: (Score:3, Insightful)

      by mlwmohawk (801821)
      I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

      Well, maybe not the primary machine, that may be true, but there are monitor "stations" on the patient floor at the nurses desk area that run networked windows using monitor applications to display heart data.
      • Yes, but those are not the same thing, and the primary machine still has alerts that sound (quite loudly) if something goes amiss.

      • Re: (Score:2, Interesting)

        by seramar (655396)
        I have two things to add, one in response to your comment about the monitoring stations and the other just in general on this topic, but they tie together: 1. If a hospital is running a machine that is vulnerable to any worm, including a friendly worm, then I question their entire network/security structure in the first place and it is only a matter of time until the monitoring station goes down, anyway. 2. Friendly worms? Definitely. I am a technician/manager of a small shop and see people whose machines a
    • You'd be surprised I'm guessing.

      Think of it this way a company probably could save a lot of money if they could run a heart monitor through a generic machine rather than a dedicated machine. Also a program running on a more generic machine setup may also be able to collect other information and send it over the net to say, a doctor's pager automatically. So there are good reasons as to why a generic machine which might be infect-able would be used.

      This is not to mention the other similarly critical uses a

  • What kind of idiot... (Score:3, Insightful)

    by llamalad (12917) on Tuesday April 29 2008, @07:13AM (#23236502)
    What kind of idiot would have a windows box controlling a heart monitor?
    • I wouldn't have a problem with the machine running Windows; I'd have a problem with it being on the network at all.
      • I wouldn't have a problem with the machine running Windows; I'd have a problem with it being on the network at all.

        Brave soul.

        heart.exe application error
        the instruction at 0x6a9210e5 referenced memory
        at 0x6a9210e5 the required data was not placed
        into memory because of an I/O error status of
        0xc0000185.
        To continue, type an administrator password, and then click OK.

      • Re: (Score:3, Interesting)

        by rtb61 (674572)
        These people really are crazy, especially when you consider the warranty/EULA that accompanies the windows OS. A warranty that basically stipulates that it is wildly unsafe for that kind of use.

        Hence if there is a software failure that results in a death the full liability falls back on the hospital and the staff responsible for that software purchase and their criminally negligent willingness to use software the is clearly unfit for the purpose based upon the warranty/EULA supplied with the software.

        It

  • For goodness sakes.

    Don't tell anyone!!!

    All the lawyers in the world will converge on you if you do.

  • This is one of those moments where something ruthless should be done for the greater good. Then ends do not always justify the means, but in this case they would.
    • It would be illegal in many (if not all) countries. Specifically here in the UK it would almost certainly fall foul of the Computer Misuse Act.
      • There's an easy work around to this, just add a popup window saying "YOUR COMPUTER HAS WORMS PRESS OK TO FIX!" The majority of the people with worms on their computers would not think twice about pressing it.
  • As someone said last time this topic was up. White-hats deploying "friendly" botnets will never see any benefit, but potentially be sued into oblivion. In the end, you're infiltrating someone elses computer, that is illegal even if you do it for a good cause.

    The people deploying "evil" botnets do so for profit. And they earn enough to cover the risks.

    In short, we're not going to see many friendly botnets.
  • OMG, It's a giant squid! Run for you [CARRIER LOST]
  • controlling a heart monitor somewhere?

    For FSM's sake, who thinks that heart monitors are both networked to the outside world and running Windows XP? Any manufacturer that did so would be open to all sorts of legal trouble, assuming they could get any hospital to risk using such a thing.

  • This Kraken 'bot
    Oh, fear it not
    The zombie slave
    Needs just
    Burma Shave

  • DUH! (Score:3, Insightful)

    by zappepcs (820751) on Tuesday April 29 2008, @07:18AM (#23236552) Journal
    If you are going to write friendly software worms, why not take a moment to figure out what the hell kind of computer you are on, and make some decisions about whether to risk it, or simply report to someone that the computer is infected?

    Am I the only one that thinks this is too simple to be questioned? Friendly.... it's a word that suggests something that does no harm. If the software can't figure out if there is no risk, then it should take no action other than reporting.

    Safety, it's a big issue. VW will not be sending their high tech stuff to the states next year because of litigation concerns. They are right to do so, if there is no method to ensure your product does no harm, do not deploy it. period. unless you would like to spend time in court.

    There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed.

    Safety first. kill bad bots second. Sort of what the US police forces are supposed to do. Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.

    If you're going to write anti-worm software, safety is a major concern if you are acting without the owner/user's permission. There is NO way around that without incurring litigation risk.

  • important difference (Score:5, Insightful)

    by Tom (822) on Tuesday April 29 2008, @07:19AM (#23236558) Homepage Journal

    (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released)
    That's not a small difference! Pushing an update to a known list of hosts is a vastly different thing from starting a self-replicating autonomous agent.

    There is still the "messing with other people's computer" issue, of course.

      • Re: (Score:3, Insightful)

        by MMC Monster (602931)
        If I got a pop-up like that, I would likely think that it was going to either install another virus or that it was a pop-up from a website, trying to sell me something.

        There is no way I would think it was legit.

  • This raises the old moral dilemma about a hypothetical 'friendly worm'

    No, it doesn't.

    It raises the old moral dilemma about messing with other people's computers, for a good purpose.

    But the "friendly worm" issue is a different one. The main problem is control. I've done the math and published a paper on this. You do not want to be the author of an out-of-control autonomous, self-replicating entity, no matter what it does.

    So, like a dog, can you guarantee that it will listen to you, instantly, in all situations especially unfamiliar ones?

    • You do not want to be the author of an out-of-control autonomous, self-replicating entity, no matter what it does.
      I'm sure Cyberdyne Systems wishes you were on their payroll.
    • In this case, yes. They would not make "friendly worm", only update those worms which connect to them. So no autonomous spreading, only uploading to a list of kown hosts.
  • I'm, all in favor of terminating botnet infestations even if it means terminating the OS of the computer infected. I've wondered why the computer security feild has not had more people working hard of find ways of rendering these insecure machines useless. Seriously. If its infected, terminate it.

  • The law needs to catch up (Score:4, Insightful)

    by Ice Tiger (10883) on Tuesday April 29 2008, @07:32AM (#23236638) Homepage
    As with many changes in technology the law is far behind. In this case they would foul of the same laws that would convict the original criminals. The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.

    Botnets also span more than one country so maybe this needs to be international law.
  • I guess I've got my Evil bit set because if I had the know how I would send a low level format command out. The bot net would collapse, people profiting from it would stop and maybe people would start putting pressure on Microsoft to actually do something. Maybe install a boot loader that puts up a "error" message:

    "Your version of Microsoft XP has expired. Please buy a version of Microsoft Vista at your nearest authorized Microsoft dealer. If your computer does not support Vista you will be required to upgrade your computer.

    Thank you for supporting Microsoft and not Linux or Apple. We appreciate your business.".

    Sure it's not nice, but if it gets people to actually take action then I'm all for it. There will always be more companies trying to profit, new botnets, etc, but if you can actually stop the bot

  • Barn door closed, horse left six months ago (Score:4, Insightful)

    by glindsey (73730) on Tuesday April 29 2008, @07:34AM (#23236662)

    is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
    I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.

    • is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

      I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.

      The botnet itself is not harmless, and could just as easily overload or crash the computers in a hospital or powerplant. In other words, doing nothing could potentially be far more harmful than trying to wipe out the botnet.

      In light of this, and the tremendous resources being wasted by these botnets, I am strongly in favor of eliminating them entirely.

      I wouldn't boast about it on slashdot (or anywhere else) though...

  • Liability for 'curing' the problem is a great question. I don't want to see the 'cure' become another infection vector. Do we know that the cure is going to disable this network, but not enable a subsequent one?

    It's a lead-pipe cinch that law enforcement people will and can do nothing to disable the network, and it-- like others-- represents a huge security hole and a big problem in terms of potential misuses of the existing botnet.

    The 'authority' to even legally disable botnets is onerous. What's a botnet-
  • What it has an OS independent Mac and Linux payload too?
  • We have this law in my country where if you can help someone who is in danger without risking to harm yourself you may get legal trouble.

    I am pretty sure that a good lawyer could twist it enough to sue those researcher because they DID not kill the botnet while they could. Instead they published a report explaining to the botnet creator how to plug the hole. Next time they should just ask for a subversion comiter account a fix it themselves.

    I can almost see how the patriot act could apply here. I thin
  • I do not eat meat, nor do i clean infected boxes; all life is holy...

  • No Moral crisis here. (Score:4, Insightful)

    by Forge (2456) <forge@noSPam.myrealbox.com> on Tuesday April 29 2008, @07:56AM (#23236838) Homepage Journal
    A botnet cleansing worm would IMHO be a good thing and not in the least morally ambiguous.

    Imagine a similar situation among humans. A Virus breaks out which ravages whole populations. You find a cure which can be distributed by spiking the watter supply or by pumping it into the air.

    I can tell you, the CDC (No. Not the "Cult of the Dead Cow". The other CDC) would only hesitate long enough to verify the safety of the cure before dispatching it.

    Or lets come to a more reasonable and commonplace situation. A man infected with Rabies is not allowed to chose weather he will be treated. His infection impairs his judgment and makes him a danger to other people, therefore he is a hazard to be cured against his will.

    Doesn't the same apply to a botnet member oblivious to it's own condition spewing it's infection, Spam and lord knows what else onto other computers?

    Kevin.

  • Sabotage the botnet (Score:5, Insightful)

    by CvD (94050) on Tuesday April 29 2008, @07:57AM (#23236840) Homepage Journal
    I say yes, sabotage the botnet with friendly worms/bots. The owners of the infected computers don't know about the problem, don't care or don't know how to fix it.

    I say vigilante action is okay, to protect ourselves (the people in the know adminning the networks and computers being attacked).
  • I think there are ways they can proactively use their control over the botnet relatively safely.

    They can update the infected computer with a program that causes an annoying popup to occur until the machine is sanitized by the owner. Then update the machine's firewall (if it has one) to block the controlling UDP port.

    That solution should be fairly low risk.

    I get so much spam of late, that I have no problem if they deliberately break the entire IP stack on the infected computers. Serves the owners right.
  • I had all my servers issue a reverse "attack" to shutoff the IIS service and then put a winpopup up that their computer was infected with CodeRed virus and they need to take cleaning steps.

    Buddies of mine were a bit less nice. They put the machines into spontaneous 3 minute reboot cycles. They figured that would get the users to get a clue and fix it. I though that was a bad idea.
  • No, don't try to fix the machines. If the authorities are watching this worm, they may be tracking down the owners. If you mess with things, they'll come after you for obstructing justice.

  • I did this once... (Score:3, Interesting)

    by el_flynn (1279) on Tuesday April 29 2008, @08:11AM (#23236960)
    ...and nearly paid for it.

    We were on the verge of fall break, and someone on campus had found out a 'catch-all' email address which was aliased to _all_ the university email addresses. So some dickwad started sending a weird email saying something like "Hey joe, where are you?", which everyone got, and everyone replied "Hey, I'm not joe -- who are you?" Which was then sent to everyone else.

    The thing basically kept feeding back to itself and was threatening to get out of hand. Literally hundreds of emails started popping up. Of course, this was waaay back then, before the days of spam, so it was 'abnormal', 'weird' and annoying all at once. Since it was a friday evening, and knowing that at the rate it was going everyone's inbox would be flooded when they returned from the week-long holidays, I -- perhaps naively -- thought I'd put a stop to it.

    I attached a large binary file to an email and sent it to that catch-all address, hoping that it would jam up the works enough that the network admins would notice.

    Notice they did, and eventually I got called up to see the ombudsman -- who promptly said he was considering kicking me out of campus.

    So yeah, one can have good intentions -- like what I did -- but the means to achieve that end may not be acceptable to everyone, even though it did get the job done.

    My 2 cents anyway.

  • Plausible deniability? (Score:3, Interesting)

    by martyb (196687) on Tuesday April 29 2008, @10:57AM (#23239254)

    For those who are advocating that an anti-bot be released (or whatever you want to call it) so as to disable this pest, I have a question for you: how is someone going to be able to tell the difference between these:

    1.) A user who creates and releases an anti-bot, but through an error (design, programming, whatever) inadvertently causes "harm" to the system.

    2.) A user who creates and releases an anti-bot that appears to try to block the worm, but is in fact designed to cause "harm" to the system.

    Recall that the Morris worm [wikipedia.org] was not intended to bring down the internet:

    According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. An unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable.
    AND

    The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether or not to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times [3]. This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Rabin remarked when he heard of the mistake, that he "should have tried it on a simulator first."

    See also A Tour of the Worm [std.com] for a more detailed account of how it unfolded.

    The intention may have been good, but the implementation had an unintended consequence that led to a major disruption of the internet. I remember full well the confusion at the time as the details unfolded. I was working at a major computer manufacturer that dropped its connection to the net to protect itself. Ultimately, none of our systems were hit (wrong OS), but the sheer volume of packets on the net led, effectively, to a DDOS'ing of the uninfected systems, too.

    So, in a nutshell, how can one objectively tell the difference between an attempt to kill the worm that causes problems, and an attempt to cause problems that looks like it is trying to kill the worm? In a non-static environment. With our limited ability to write bullet-proof, error-free code. Besides, someone else could capture and re-purpose the good code to cause more problems.

  • KILL THEM ALL (Score:4, Funny)

    by brassman (112558) on Tuesday April 29 2008, @11:11AM (#23239504) Homepage
    "Kill them all. God will know His own."

  • Yes, it is justifiable in this case (Score:3, Insightful)

    by irenaeous (898337) on Tuesday April 29 2008, @01:17PM (#23241632) Journal

    Why?

    Because there is no law enforcement for these matters on the net today. Sometimes, in frontier situations, a form of mob or vigilante type justice becomes necessary. In this case, it would be an expression of popular democracy when a group in a frontier setting decides that sometime of order enforcement is necessary in order for society to function. These spam bots qualify as a level of threat that would justify a defense of this kind because, in our current environment, these bots can't be stopped by other means.

    There is also a discernible right to self-defense. Here is my analogy. If an ignorant neighbor has permitted some nut to put a machine gun on his front lawn that periodically shoots bullets at my front door, then taking action to disable that machine gun is a justifiable form of self-defense even though the form of the self-defensive act is an offensive act against the machine gun. Any collateral damage from the self-defensive act doesn't necessarily invalidate taking the action.

    That means if the incredibly rare case that isn't going to happen of the disabling of a heart monitor does occur, the self defensive act is still justified.

    Now, spam is not an imminent danger in the way bullets are, but they are a danger. For example, I do not want my 11 year old exposed to hard core porn often promoted in much of this spam. If there is no effective law enforcement, then self-defense and perhaps a group sanctioned vigilante enforcement, even if the means are offensive in some sense, is justifiable. Note, it is not justifiable if law enforcement is available to deal with the problems, but in this case no such remedies are available.

    Now -- is it legal? IANAL, so I don't know, but I think a legal defense is possible -- and -- how many juries actually go after these guys anyway?

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.