A Worm's Worm

Carnildo writes "There's a new worm out, according to the Register, but one with a twist. This one, called 'Dabber', infects computers by exploiting a security hole in the Sasser worm."
This discussion has been archived. No new comments can be posted.

  • planned (Score:4, Interesting)

    by name773 ( 696972 ) on Friday May 14, 2004 @08:01PM (#9158134)
    Did the Sasser writer make it expandable on purpose? This isn't the first time a thing like this has happened.
  • Spyware and others (Score:5, Interesting)

    by r.jimenezz ( 737542 ) <rjimenezh@@@gmail...com> on Friday May 14, 2004 @08:02PM (#9158142)
    Just thought about this... With the huge number of machines out there "infected" by spyware, adware and similar programs (and many of them without their users even knowing), how long will it be until a worm is written that exploits a vulnerability in one of these programs?
  • Antivirus! (Score:2, Interesting)

    by ForestGrump ( 644805 ) on Friday May 14, 2004 @08:03PM (#9158158) Homepage Journal
    "Dabber then installs itself and deletes the registry keys of Sasser and other viruses. It creates a backdoor on infected machines on TCP port 9898 allowing hackers to download additional code, which might be far more malicious than Dabber itself."

    Sounds like it's doing some antivirus while it's at it. Good!

    Just be sure to block off 9898.
    -Grump
  • Re:Antivirus! (Score:3, Interesting)

    by c0dedude ( 587568 ) on Friday May 14, 2004 @08:10PM (#9158235)
    Do you really think those infected with Sasser will know how to block off a TCP port, much less what TCP is?
  • Re:Ugh... (Score:2, Interesting)

    by Anonymous Coward on Friday May 14, 2004 @08:12PM (#9158256)
    Most virii are rather small in code size compared to a typical project using CVS or similar tools. That means a single person can easily manage and oversee the code.
  • Re:This is why... (Score:3, Interesting)

    by wmspringer ( 569211 ) on Friday May 14, 2004 @08:14PM (#9158276) Homepage Journal
    You mean like IE? I've certainly had enough programs try to get me to install that on my computer..
  • by erikharrison ( 633719 ) on Friday May 14, 2004 @08:17PM (#9158293)
    Gosh, this whole mess looks just like Blaster from down here in the trenches.

    I'm tech support for Tremendously Large ISP. From down here this looks just like Blaster did. Customers calling in complaining that their machine is restarting without their consent. And now someone has a follow up virus that attacks the virus - as some may recall there was a Blaster variant that patched systems AGAINST Blaster. This was terrible - if you got this variant inside a corporate network not only would your bandwidth use skyrocket, but since NAT tends to fubar Windows Update, the variant never managed to patch a system. God that was hell . . .

    It's almost enough to make you want to write a virus in revenge . . .
  • Re:Plug-in (Score:5, Interesting)

    by SharpFang ( 651121 ) on Friday May 14, 2004 @08:17PM (#9158295) Homepage Journal
    Yes, for quite a while.

    Quite a bit of modern worms in this or that way provide just a generic backdoor to the infected machine without performing any extra malice. Some of them just open ports, some trick firewalls and actively "call home", which usually happens to be some random IRC server on some compromised machine (IRC seems to be the preferred method for the virii writers for controlling worms, which just act as bots on the channel). Then the virii can upload spamming software, a DDoS attack plugin, a keystroke logger, a file transfer thing, a tunneling/relay program to mask an attack, or whatever the twisted minds come up with.
  • by exp(pi*sqrt(163)) ( 613870 ) on Friday May 14, 2004 @08:26PM (#9158346) Journal
    ...with some software with the ability to self-replicate. God help the rest of the universe when life finally manages to get off this planet.
  • This is an all new low. Now virus programmers will have to make their viruses better so they don't get infected by another virus.

    Actually, this sounds like somebody trying to make a disinfectant worm. Look at the description:

    - It only infects infected systems, using a flaw in the previous infection.

    - It cleans out the infection of the worm that it exploited, and several others.

    It does open a new backdoor. But while that might be preparation for some future malicious action, it might also have been the author leaving himself a way to fix things if his initial worm got out with a destructive bug. (Of course it could be the worm cleaning up signs of previous infections in order to hide itself and thus head off other cleanups.)

    I wouldn't be surprised to see, on further analysis, that it does other antimalware things (like fix the flaw the other worms used).

    (Not to say that it IS somebody trying to fight virus with virus. But it might be interesting if it turns out that it is.)

    I think everyone should go ultra secure, the best firewall ever... Disconnect from the net. It would make this all a lot easier on us.

    Which is exactly what the military does with some of its really secure stuff.

    Now if we can just get the Microsoft users to emulate them. B-)
  • OS Popularity? (Score:5, Interesting)

    by One Louder ( 595430 ) on Friday May 14, 2004 @08:41PM (#9158430)
    The tired argument is that Mac OS X and Linux are too unpopular to build worms and viruses for - but apparently it's worth writing worms just for Windows machines infected by a single strain of worm.

    Does this situation imply that the sum total of Sasser-infected machines outnumber Macs and Linux boxes?

  • Re:Ugh... (Score:3, Interesting)

    by drskrud ( 684409 ) on Friday May 14, 2004 @08:41PM (#9158432) Homepage
    That's something that really depends on the school. I remember my elementary school would have a class that consisted of Logo Writer / Microworlds that I took in the first grade...

    My former high school offered a Visual Basic course in grade 10... but that's VB.

    However, there's a lot one can learn by teaching themselves from a book, and I think that's where a lot of the talented young programmers get their starts. It may be that writing annoying viruses and worms is just some kid's way of testing and/or proving the knowledge s/he's gained. But I'd like to think that usually the smarter ones find more meaningful applications of their skills.
  • Re:Ugh... (Score:2, Interesting)

    by inertialmatrix ( 675777 ) on Friday May 14, 2004 @08:46PM (#9158452)
    Hrmmm... I think the first programming class I took in school was during 4th grade. I think it was LOGO, and then that summer my school started a computer camp that focused on BASIC.

    But still... it is just getting younger and younger. During the summer my University hosts several computer camps, and I see 7, 8, 9 and 10 year old kids programming in C++ and other OO programming languages.

    Crazy indeed
  • by B1ackDragon ( 543470 ) on Friday May 14, 2004 @08:52PM (#9158492)
    I'd be interested to see what would happen if someone were to write one that would actually really mess up a machine, make it unusable. The repercussions would be huge, but more than that it would get something done either in the way of a huge code audit (with everyone from Microsoft to OSS looking very carefully at their stuff) or of some other possibly policy change - that would ruin the game for them. I bet that's why they're not doing it too, they know the greater public would finally have to find a way to protect themselves, and then the jig would be up. If only...
  • Re:Ugh... (Score:2, Interesting)

    by Pikhq ( 728580 ) <slashdot@ada.pikhq.com> on Friday May 14, 2004 @08:55PM (#9158507) Journal
    You mean, like my little EZcompile (a frontend to the Linux compiling process) project that I've been working on while learning Tcl/Tk?
  • by alonsoac ( 180192 ) * on Friday May 14, 2004 @09:10PM (#9158575) Homepage Journal
    This was never about doing a good thing. It's plain competition. Any decent worm should be able to remove all other worms and viruses from the system in order to have complete control over it. I bet this will only get more common.

    Then again it should be easy to release this new work without the code that opens the backdoor so that it only does the removal part?
  • Re:DMCA violation? (Score:3, Interesting)

    by Jahf ( 21968 ) on Friday May 14, 2004 @09:11PM (#9158588) Journal
    There's a little difference ... if you want to use a burglar analogy, then use the analogy of a burglar stealing property from another burglar that stole it from the owners.

    Both are illegal, both are prosecutable, but the "victim" burglar can't sue for loss of property from the 2nd burglar because the property belongs to the original owner.
  • Fun! (Score:5, Interesting)

    by Ketnar ( 415489 ) <Ketnar@ketna[ ]rg ['r.o' in gap]> on Friday May 14, 2004 @09:46PM (#9158775) Homepage
    This sort of reminds me when I wrote a counter-bug to combat an email worm that had infested an office building I was contracting to. Worked through the ever-so-lovely 'You don't have to really click the attachment for it to go off on you' bug in an older version of Outlook.

    It sat and watched a user's inbox for the big bug at the time and pretty much acted like a counteragent, the instant they showed up, it nuked them off the machine (inbox and all) and undid whatever they managed to do.

    Send one copy to everybody in the office, and instantly watch outgoing network mail traffic DROP back down to normal levels and my phone stop ringing.

    I seem to recall distinctly 'forgetting' to mail it to key people, however.. *cough* :)

    Would be a real shame if some of the geek-prowess around the OSS world were to start doing such counter-bugs. A lot of these backdoors, trojans, and whatnot, have gaping flaws in them because..well, guess. :P

    Just think:
    Infect > Disinfect > Patch > Scan nearby machines (proceed life cycle)> Local Self-remove

    Could be the next revolution. Don't bother patching or downloading, we bring the cure to YOU.. :)
  • Re:Ugh... (Score:5, Interesting)

    by lommer ( 566164 ) on Friday May 14, 2004 @11:24PM (#9159228)
    I have a very serious suggestion, namely that Agobot, once it infects a host, should patch the host, remove spyware, and remove other virii, and then propagate itself a maximum of 10 times (to conserve bandwidth). Though you are still doing unauthorized stuff to other people's computers, if you're gonna make a virus, you may as well make it beneficial. Maybe that way fewer people would get arrested...

    Given that it's a GPL project, I can't imagine that it would be too hard to find a few dedicated coders who would be willing to work on such a fork.
  • Re:Ugh... (Score:5, Interesting)

    by Rob Simpson ( 533360 ) on Friday May 14, 2004 @11:54PM (#9159330)
    Of course, and it's a sad comment on the state of computing today that this is a unique case. Human viruses are thoughtfully provided with their source code - exceeding even the requirements of the GPL - so they can be compiled by your cells.

    Yay for Free Software! (Achoo!)

  • creativity foo (Score:2, Interesting)

    by Anonymous Coward on Saturday May 15, 2004 @12:13AM (#9159391)
    None of them live up to the Original Morris Internet Worm. It infected multiple operating systems running on different hardware platforms. Combined they constituted an even greater portion of the Internet than Windows NT4 to XP command today (I'm not including Windows Server 2003 since it isn't vulnerable to Sasser). It also originated the techniques of automatically exploiting remote vulnerabilities to spread without human intervention across a network.

    This was a unique idea at the time, and spawned not only the modern worms that copy that model, but also formed the basis for many science fiction stories, including well known ones like SkyNet in the Terminator, and the rampant AI in Bungie's Marathon.
  • by standing_still ( 772809 ) on Saturday May 15, 2004 @12:55AM (#9159527)
    Is this a beginning of a new virus era? I can see virus programmers making holes in their code on purpose just to release a second virus to take advantage of it. Virus 'a' is programmed with a hole - virus 'b' takes advantage of it! A fine case of hit them when they are down!
  • by Douglas Simmons ( 628988 ) on Saturday May 15, 2004 @03:08AM (#9159947) Homepage
    Hey cut this guy some slack.. it ain't easy timing first posts anymore like the old days. Plus, I did it for his clan. He's a soldier and that's why Slashdot has threshold levels. I happen to enjoy first posts and I always browse at -1 Oldest first. I suggest you do too. Funny people, these guys, particularly those gay negros.
  • Re:Ugh... (Score:4, Interesting)

    by ajs318 ( 655362 ) <sd_resp2@@@earthshod...co...uk> on Saturday May 15, 2004 @03:49AM (#9160050)
    You should try my personal favourite software licence:

    Copyright (c) yyyy, The Author and Contributors. All rights reserved until yyyy when this work will enter the Public Domain.

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
    • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Any redistribution of the software or derived work in binary form must be accompanied by an offer of the source code, to be valid until the lapse of copyright on the work in question. In case of default on this offer, any affected party may use reasonable force to obtain the source code.
    • The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
    • Modifications on such a scale that they are deemed by applicable local laws to constitute a whole new work are exempt from this licence.
    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Re:Ugh... (Score:3, Interesting)

    by Technonotice_Dom ( 686940 ) on Saturday May 15, 2004 @03:52AM (#9160057)
    Welchia perhaps? It doesn't remove spyware and was designed to remove just one worm but that's kind of what you're on about I think.

    I ran into Welchia.B the other day which went after MyDoom (SCO) and downloaded 5 patches or so from MS and installed them on the system. Trouble is, that it's still a worm - nobody wants it on their system - it took me a couple hours to identify and remove it then get Windows running again.

    Welchia.B was trying to run four different exploits on remote IPs - I sniffed all the traffic it was generating - trying to exploit up to a hundred IPs a second at one point. Max of 10 times to conserve bandwidth...? It has to find the other PCs first.

    The patches it downloaded screwed up the XP installation badly, so a reinstall over the top brought it back. I don't want worms that try and fix other worms (get Avast or AVG etc instead).
  • by skinfitz ( 564041 ) on Saturday May 15, 2004 @07:17AM (#9160414) Journal
    I'm just waiting for someone to root Gator's..oops - sorry Claria's [claria.com] download servers and replace "precisiontime.exe" and so on with trojaned alternatives.

    In fact.. thinking about it what's to stop me capturing requests for this crap on my proxies and redirecting them to an exe that removes gator? Hmm...
  • Re:Ugh... (Score:2, Interesting)

    by Killall -9 Bash ( 622952 ) on Saturday May 15, 2004 @10:22AM (#9160819)
    AVG? Now why would anyone in their right mind run a perfectly good program that likes to disable/cripple/delete other perfectly good programs? Here's a few examples of how the AVG programmers think: example 1- Problem: worms/virii that use built-in IRC clients or exploit IRC as a propagation medium. Solution: mIRC.exe is a virus. delete. example 2- Problem: a few worms exist that install and run the distributed.net client software on infected computers. Solution: Dnet-*.exe is a virus. delete. Yeah. I think I'll take my chances with an NAT gateway and a strict policy of not downloading ANYFUCKINGTHING that isn't from a source I trust and/or contains executable code.
  • Re:Ugh... (Score:4, Interesting)

    by lostchicken ( 226656 ) on Saturday May 15, 2004 @04:05PM (#9162802)
    All binaries come with "source code", machine code. It's a language that most of us don't use, but it's still a language. My CPU uses this "source code" to create a different set of instructions that are executed by the core of the CPU. You can read the machine code and see what the app is doing. DNA and RNA are pretty much just machine code for cells.
  • Re:Ugh... (Score:3, Interesting)

    by jesser ( 77961 ) on Saturday May 15, 2004 @10:01PM (#9164497) Homepage Journal
    The interesting thing is that by saying "All rights reserved until yyyy when this work will enter the Public Domain", the license prevents the work from being affected by retroactive copyright extension.