Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

[ Create a new account ]

Kraken Infiltration Revives "Friendly Worm" Debate

Posted by kdawson on Tue Apr 29, 2008 08:08 AM
from the damned-if-you-do dept.
Security
Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

Related Stories

[+] 'Friendly' Worms Could Spread Software Fixes 306 comments
An anonymous reader writes "Microsoft researchers are working out the perfect strategies for worms to spread through networks. Their goal is to distribute software patches and other friendly information via virus, reducing load on servers. This raises the prospect of worm races — deploying a whitehat worm to spread a fix faster than a new attacking worm can reach vulnerable machines."
[+] Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins 337 comments
DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
[+] New Botnet Dwarfs Storm 607 comments
ancientribe writes "Storm is no longer the world's largest botnet: Researchers at Damballa have discovered Kraken, a botnet of 400,000 zombies — twice the size of Storm. But even more disturbing is that it has infected machines at 50 of the Fortune 500, and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques that hinder its detection and analysis by researchers."
Firehose:New Kraken research renews "Friendly Worm" by Anonymous Coward
[+] Malware vs. Anti-Malware, 20 Years Into The Fray 62 comments
jcatcw writes "Steven J. Vaughan-Nichols considers the dissimilarities between malware of yore and current infiltrations as we approach the 20th anniversary of the Robert Morris worm. Modern malware apps curl up and make themselves at home in your system, where they wait for a chance to snatch an important password or a credit card number. Welcome to the era of capitalist hacking. Any self-respecting malware program today is polymorphic, making signature-based antivirus approaches difficult. Heuristics and virtual sandboxes offer alternatives, but all such methods are reactive. Unfortunately, monitoring lists and networks is about the only current alternative."
[+] Technology: A Few Firefox 3 Followups 184 comments
An anonymous reader writes "Using data generated by the Mozilla Firefox download pledge page, the map on this blog post ranks countries, not by absolute number of pledges made, but rather on a per capita basis. This analysis yields some interesting conclusions about where open source is strongest and weakest." Anonymous Warthog writes "That didn't take long. In a blog posting from the TippingPoint DVLabs security team (of Kraken and CanSecWest hacking contest fame), they confirmed that they reported a vulnerability in Firefox 3.0 to Mozilla a mere five hours after it was released. Additionally, there was a posting on the Full Disclosure security mailing list from someone that purports to have another vulnerability in the works as well. In the grand scheme of things, this probably means nothing to the general security of Firefox, but you can be sure the browser zealots on all sides will be watching carefully." Finally, from reader Toreo asesino: "Microsoft have congratulated the Mozilla team by sending them their second cake (minus recipe) to Mozilla's Mountain View headquarters to congratulate them on shipping FireFox 3, which went live right on time last night." Congratulations are indeed due on both the browser and the release process — looks like the Firefox fever (despite some seriously taxed servers) resulted in more than 8 million downloads in 24 hours.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Kraken Infiltration Revives "Friendly Worm" Debate 25 Comments More | Login /

 Full
 Abbreviated
 Hidden
More | Login
Loading... please wait.

  • Had me up until the sensationalism (Score:5, Insightful)

    by dreamchaser (49529) on Tuesday April 29, @08:13AM (#23236500) Homepage Journal
    " is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

    I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

  • What kind of idiot... (Score:3, Insightful)

    by llamalad (12917) on Tuesday April 29, @08:13AM (#23236502)
    What kind of idiot would have a windows box controlling a heart monitor?
    • I wouldn't have a problem with the machine running Windows; I'd have a problem with it being on the network at all.

      • Re: (Score:3, Interesting)

        by rtb61 (674572)
        These people really are crazy, especially when you consider the warranty/EULA that accompanies the windows OS. A warranty that basically stipulates that it is wildly unsafe for that kind of use.

        Hence if there is a software failure that results in a death

  • For goodness sakes.

    Don't tell anyone!!!

    All the lawyers in the world will converge on you if you do.

  • This is one of those moments where something ruthless should be done for the greater good. Then ends do not always justify the means, but in this case they would.
  • As someone said last time this topic was up. White-hats deploying "friendly" botnets will never see any benefit, but potentially be sued into oblivion. In the end, you're infiltrating someone elses computer, that is illegal even if you do it for a good cau
  • OMG, It's a giant squid! Run for you [CARRIER LOST]
  • controlling a heart monitor somewhere?

    For FSM's sake, who thinks that heart monitors are both networked to the outside world and running Windows XP? Any manufacturer that did so would be open to all sorts of legal trouble, assuming they could get any hospi

  • This Kraken 'bot
    Oh, fear it not
    The zombie slave
    Needs just
    Burma Shave

  • DUH! (Score:3, Insightful)

    by zappepcs (820751) on Tuesday April 29, @08:18AM (#23236552) Journal
    If you are going to write friendly software worms, why not take a moment to figure out what the hell kind of computer you are on, and make some decisions about whether to risk it, or simply report to someone that the computer is infected?

    Am I the only one that thinks this is too simple to be questioned? Friendly.... it's a word that suggests something that does no harm. If the software can't figure out if there is no risk, then it should take no action other than reporting.

    Safety, it's a big issue. VW will not be sending their high tech stuff to the states next year because of litigation concerns. They are right to do so, if there is no method to ensure your product does no harm, do not deploy it. period. unless you would like to spend time in court.

    There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed.

    Safety first. kill bad bots second. Sort of what the US police forces are supposed to do. Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.

    If you're going to write anti-worm software, safety is a major concern if you are acting without the owner/user's permission. There is NO way around that without incurring litigation risk.

  • important difference (Score:5, Insightful)

    by Tom (822) on Tuesday April 29, @08:19AM (#23236558) Homepage Journal

    (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released)
    That's not a small difference! Pushing an update to a known list of hosts is a vastly different thing from starting a self-replicating autonomous agent.

    There is still the "messing with other people's computer" issue, of course.

      • Re: (Score:3, Insightful)

        by MMC Monster (602931)
        If I got a pop-up like that, I would likely think that it was going to either install another virus or that it was a pop-up from a website, trying to sell me something.

        There is no way I would think it was legit.

  • The law needs to catch up (Score:4, Insightful)

    by Ice Tiger (10883) on Tuesday April 29, @08:32AM (#23236638) Homepage
    As with many changes in technology the law is far behind. In this case they would foul of the same laws that would convict the original criminals. The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.

    Botnets also span more than one country so maybe this needs to be international law.

  • Barn door closed, horse left six months ago (Score:4, Insightful)

    by glindsey (73730) on Tuesday April 29, @08:34AM (#23236662)

    is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
    I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.

  • No Moral crisis here. (Score:4, Insightful)

    by Forge (2456) on Tuesday April 29, @08:56AM (#23236838) Homepage Journal
    A botnet cleansing worm would IMHO be a good thing and not in the least morally ambiguous.

    Imagine a similar situation among humans. A Virus breaks out which ravages whole populations. You find a cure which can be distributed by spiking the watter supply or by pumping it into the air.

    I can tell you, the CDC (No. Not the "Cult of the Dead Cow". The other CDC) would only hesitate long enough to verify the safety of the cure before dispatching it.

    Or lets come to a more reasonable and commonplace situation. A man infected with Rabies is not allowed to chose weather he will be treated. His infection impairs his judgment and makes him a danger to other people, therefore he is a hazard to be cured against his will.

    Doesn't the same apply to a botnet member oblivious to it's own condition spewing it's infection, Spam and lord knows what else onto other computers?

    Kevin.

  • Sabotage the botnet (Score:5, Insightful)

    by CvD (94050) on Tuesday April 29, @08:57AM (#23236840) Homepage Journal
    I say yes, sabotage the botnet with friendly worms/bots. The owners of the infected computers don't know about the problem, don't care or don't know how to fix it.

    I say vigilante action is okay, to protect ourselves (the people in the know adminning the networks and computers being attacked).

  • I did this once... (Score:3, Interesting)

    by el_flynn (1279) on Tuesday April 29, @09:11AM (#23236960)
    ...and nearly paid for it.

    We were on the verge of fall break, and someone on campus had found out a 'catch-all' email address which was aliased to _all_ the university email addresses. So some dickwad started sending a weird email saying something like "Hey joe, where are you?", which everyone got, and everyone replied "Hey, I'm not joe -- who are you?" Which was then sent to everyone else.

    The thing basically kept feeding back to itself and was threatening to get out of hand. Literally hundreds of emails started popping up. Of course, this was waaay back then, before the days of spam, so it was 'abnormal', 'weird' and annoying all at once. Since it was a friday evening, and knowing that at the rate it was going everyone's inbox would be flooded when they returned from the week-long holidays, I -- perhaps naively -- thought I'd put a stop to it.

    I attached a large binary file to an email and sent it to that catch-all address, hoping that it would jam up the works enough that the network admins would notice.

    Notice they did, and eventually I got called up to see the ombudsman -- who promptly said he was considering kicking me out of campus.

    So yeah, one can have good intentions -- like what I did -- but the means to achieve that end may not be acceptable to everyone, even though it did get the job done.

    My 2 cents anyway.

  • Plausible deniability? (Score:3, Interesting)

    by martyb (196687) on Tuesday April 29, @11:57AM (#23239254)

    For those who are advocating that an anti-bot be released (or whatever you want to call it) so as to disable this pest, I have a question for you: how is someone going to be able to tell the difference between these:

    1.) A user who creates and releases an anti-bot, but through an error (design, programming, whatever) inadvertently causes "harm" to the system.

    2.) A user who creates and releases an anti-bot that appears to try to block the worm, but is in fact designed to cause "harm" to the system.

    Recall that the Morris worm [wikipedia.org] was not intended to bring down the internet:

    According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. An unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable.
    AND

    The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether or not to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times [3]. This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Rabin remarked when he heard of the mistake, that he "should have tried it on a simulator first."

    See also A Tour of the Worm [std.com] for a more detailed account of how it unfolded.

    The intention may have been good, but the implementation had an unintended consequence that led to a major disruption of the internet. I remember full well the confusion at the time as the details unfolded. I was working at a major computer manufacturer that dropped its connection to the net to protect itself. Ultimately, none of our systems were hit (wrong OS), but the sheer volume of packets on the net led, effectively, to a DDOS'ing of the uninfected systems, too.

    So, in a nutshell, how can one objectively tell the difference between an attempt to kill the worm that causes problems, and an attempt to cause problems that looks like it is trying to kill the worm? In a non-static environment. With our limited ability to write bullet-proof, error-free code. Besides, someone else could capture and re-purpose the good code to cause more problems.

  • KILL THEM ALL (Score:4, Funny)

    by brassman (112558) on Tuesday April 29, @12:11PM (#23239504) Homepage
    "Kill them all. God will know His own."

  • Yes, it is justifiable in this case (Score:3, Insightful)

    by irenaeous (898337) on Tuesday April 29, @02:17PM (#23241632)

    Why?

    Because there is no law enforcement for these matters on the net today. Sometimes, in frontier situations, a form of mob or vigilante type justice becomes necessary. In this case, it would be an expression of popular democracy when a group in a frontier setting decides that sometime of order enforcement is necessary in order for society to function. These spam bots qualify as a level of threat that would justify a defense of this kind because, in our current environment, these bots can't be stopped by other means.

    There is also a discernible right to self-defense. Here is my analogy. If an ignorant neighbor has permitted some nut to put a machine gun on his front lawn that periodically shoots bullets at my front door, then taking action to disable that machine gun is a justifiable form of self-defense even though the form of the self-defensive act is an offensive act against the machine gun. Any collateral damage from the self-defensive act doesn't necessarily invalidate taking the action.

    That means if the incredibly rare case that isn't going to happen of the disabling of a heart monitor does occur, the self defensive act is still justified.

    Now, spam is not an imminent danger in the way bullets are, but they are a danger. For example, I do not want my 11 year old exposed to hard core porn often promoted in much of this spam. If there is no effective law enforcement, then self-defense and perhaps a group sanctioned vigilante enforcement, even if the means are offensive in some sense, is justifiable. Note, it is not justifiable if law enforcement is available to deal with the problems, but in this case no such remedies are available.

    Now -- is it legal? IANAL, so I don't know, but I think a legal defense is possible -- and -- how many juries actually go after these guys anyway?

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2008 SourceForge, Inc.