Slate On Worms That Plug Security Holes

gwernol writes "Slate has a well-written article on 'white knight' worms like Nachi that attempt to automatically patch security holes; Nachi tries to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"
  • by Sun Tzu ( 41522 ) on Wednesday July 28, 2004 @06:50AM (#9820160) Homepage Journal
    ...on the problems with beneficial computer viruses [librenix.com].
  • by asdavis ( 24671 ) on Wednesday July 28, 2004 @06:51AM (#9820161) Homepage
    Nachi took advantage of an RPC/DCOM vuln, a WebDAV vuln or a Blaster-infected system. It had nothing to do with MyDoom.
  • Illegal (Score:2, Informative)

    by vi (editor) ( 791442 ) on Wednesday July 28, 2004 @06:55AM (#9820185)
    One should note that a "white knight" worm is illegal like a "bad" worm and would fall under the same criminal charges. And the author would have to pay civil damages as the worm consumes bandwidth. The affected party might even argue that such a worm requires a complete security check-up with reinstalls etc., as the source of the worm can't be trusted.
    A white knight worm author would end up with the same civil damages to pay, only gaining perhaps a small reduction of the criminal charges.
  • by sejanus ( 18670 ) on Wednesday July 28, 2004 @07:07AM (#9820224) Homepage
    I'm a network engineer at a reasonable-size ISP.

    These bloody worms caused us so much bother; our customer-terminating (ethernet) routers (Cisco 7206 NPE300 VXRs) really suffered CPU-wise against these, because the ethernet-based services are process switched, unlike ATM/POS etc., unfortunately. And the netflow accounting tables were just out of control.

    AND the old legacy routers we have that still ran SNMP-based IP accounting, the CPU on them went ballistic. It was a big pain in the butt and took a lot of stuffing around to fix/block etc.

    Unfortunately just blocking the traffic doesn't help, as you have to receive the traffic in order to block it, so I was dumping netflow tables and getting the support guys to call infected customers. Many hours of work just because some little shit script kiddie/newbie programmer thought it'd be funny.

    On the bright side though, it prompted management to give me a lot of money to get some more grunty gear, so we are now better prepared for the next time it happens, and I'm sure it will.
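The triage sejanus describes, dumping flow tables to work out which customers to call, as an added example that is not code from this thread or any poster: it assumes a constructed CSV flow format, inline sample records built here, and tuning thresholds (8 distinct destinations, 2 packets per flow) that are assumptions, not measured values.

```python
"""Triage NetFlow-style records to find worm-infected customer hosts.

Added example, not code from the Slashdot thread or from any poster. It
assumes a simplified flow dump as CSV lines src_ip,dst_ip,proto,dst_port,
packets (a constructed format, not Cisco's). A scanning worm touches many
distinct destinations with tiny flows; normal hosts talk to a few with many.
"""
from collections import defaultdict


def build_sample():
    """Constructed sample dump: one sweeping host plus ordinary traffic."""
    lines = []
    # Infected customer 10.1.1.5 probing a neighbouring /24, one packet per
    # destination, on ICMP and on TCP/135 (the RPC/DCOM port Nachi attacked).
    for i in range(1, 13):
        lines.append(f"10.1.1.5,10.2.0.{i},icmp,0,1")
        lines.append(f"10.1.1.5,10.2.0.{i},tcp,135,1")
    # Ordinary customer 10.1.1.9: web and mail to two servers, many packets.
    lines += ["10.1.1.9,203.0.113.10,tcp,80,40",
              "10.1.1.9,203.0.113.10,tcp,443,33",
              "10.1.1.9,203.0.113.25,tcp,25,12"]
    return "\n".join(lines)


def parse_flows(text):
    """Parse the CSV dump into (src, dst, proto, dport, packets) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts = line.split(",")
        flows.append((src, dst, proto.lower(), int(dport), int(pkts)))
    return flows


def suspected_scanners(flows, min_dests=8, max_avg_pkts=2.0):
    """Sources reaching >= min_dests distinct hosts with <= max_avg_pkts
    packets per flow, as [(src, n_dests)], most aggressive first. Both
    thresholds are assumed knobs to set from a baseline of normal fan-out."""
    dests, pkts, count = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, dst, _proto, _dport, n in flows:
        dests[src].add(dst)
        pkts[src] += n
        count[src] += 1
    found = [(s, len(d)) for s, d in dests.items()
             if len(d) >= min_dests and pkts[s] / count[s] <= max_avg_pkts]
    return sorted(found, key=lambda t: t[1], reverse=True)
```

The packets-per-flow filter keeps a busy mail server with many peers from being flagged alongside a host that sends one probe to every address it can reach.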

  • by dalamarian ( 741404 ) on Wednesday July 28, 2004 @07:09AM (#9820228)
    I am not sure if Nachi was re-released, but it did also try to take down older versions of MyDoom (A and B). Not surprised if it was released as a new version.
    ******** From Symantec **********

    W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the version of the operating system of the infected machine is Chinese (Simplified), Chinese (Traditional), Korean, or English, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install it, and then restart the computer.

    The worm also attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.

    Also Known As: W32/Nachi.worm.b [McAfee], W32/Nachi-B [Sophos], Win32.Nachi.B [Computer Associates], WORM_NACHI.B [Trend]

  • Jesus Christ! (Score:2, Informative)

    by Slur ( 61510 ) on Wednesday July 28, 2004 @07:19AM (#9820265) Homepage Journal
    Dump Microsoft and be done with it. Linux, Unix, and Mac are all viable now, and far more modern than anything Microsoft has going. There is no compelling reason to stick with MS for any reason any more. Seriously, they're really stuck, and they have only themselves to blame.

    Don't get me wrong. I like the drama of a vulnerable platform as much as anyone. But I prefer to enjoy it from afar. That's why I stick with Mac and Unix.

    On the other hand, there is the cynical satisfaction of watching stupid people buy MS with a smile on their face, thinking they're gaining a source of pride and joy. Little do they know, only weeks from now they'll be paying me dozens of bucks per hour to run AdAware and reinstall their system.

    Thank you MS! Your dedication to backwards compatibility for abandonware ensures me and my MCSE-toting buddies years of capitalizing on the inherent flaw of your approach. I would bow before you if you didn't so resemble a dung beetle.
  • by sheriff_p ( 138609 ) on Wednesday July 28, 2004 @07:30AM (#9820301)
    The definitive (and about ten-year-old) paper on this is:

    http://www.virusbtn.com/old/OtherPapers/GoodVir/ [virusbtn.com]

    Well worth a read if you've not seen it before.
  • by oliverthered ( 187439 ) <oliverthered@nOSPAm.hotmail.com> on Wednesday July 28, 2004 @07:37AM (#9820329) Journal
    Linux has its fair share of worms too [google.com], and if you move the same 'stupid' Windows users over to Linux they're still going to be stupid, and you're still going to get worms and trojans and spyware, though more will be at user rather than system level, since it's harder to elevate privileges on a Unix box than a Windows one.
  • user edumacation (Score:3, Informative)

    by Mickey Jameson ( 3209 ) on Wednesday July 28, 2004 @08:23AM (#9820555)
    This crap will be around forever, and the main problem is user education. I tell all 150 of my users twice a month to make sure their systems are up to date, and nearly 300 times a month I get the proverbial "yeah, yeah." It is not my job to patch their systems. That's another guy's job, who doesn't do his job. I put out reminders because of this.

    So when we got hit by Nachi, I tracked down the weak link. It was our Netware admin, who deliberately went around my firewall so he could peruse porn, logged into his dialup ISP, checked his personal POP mail at said dialup ISP, and within minutes, bam. Nachi in the house. Of course, this wouldn't have been a problem if he (and the 2 dozen other users that got hit because of him) had kept their systems up to date.

    I was found to be to blame for this, despite the fact that there was absolutely nothing I could do about it, since he bypassed my security. After a week of TRYING to explain to management why it happened, that nobody should bypass security and so on, I took a long hard look at the incident.

    While Nachi was good in concept, it had fatal programming errors in it that caused it to be more harmful than Blaster. We all know this. I chalk it up to a learning experience - whoever wrote Nachi definitely learned from this. Too bad there weren't any real variants of Nachi. Yes, I'm serious. However, people actually learned from Nachi. Three weeks after Nachi infections slammed into my firewall, it stopped. Nachi just went away.

    Yet I still get pounded by Codered and Nimda YEARS after information, patches, and global press about it were made highly available and easily accessible.

    Everybody bitches about spam and viruses and worms and popups, yet so few people actually do anything about it. Don't complain to me about pop-ups. Use a different browser. Refuse to "learn" a new browser, fine. Get Google toolbar. Don't know how to check for viruses? Get AVG. Sick of spam? Fine, I'll adjust your SpamAssassin threshold.

    But people don't want to do these things. In their minds, everything should just work, and work the way they want it to work. Everybody at my company knows that we have AVG, AdAware, Spybot S&D and so on. When new software is made available, I pass it on to my users. A user came up to me last week and asked why AdAware never has any updates anymore, for like the last year. Because she disregarded my notice about the new AdAware and kept using the old.

    I have strict rules about email, and my SpamAssassin 50_scores.cf file is very, very harsh. My users have been told that some of their email contacts may be tagged as spam, and if that happens, let me know and I'll whitelist them. Not one person has asked me to whitelist anyone, yet everyone bitches behind my back that I'm a lousy admin because *I* somehow personally tagged their email as spam. Even the president asked me to remove all graphic/audio/video attachments, so I complied. Yet he complains that he can no longer get pictures and other non-work-related material through email.

    It's an endless cycle. No appreciation for jobs well done. This is why I actually welcome such attempts to clean up the filth on the 'net. I originally despised Nachi. I now praise it.

    As long as the end user refuses to heed educational advice about how dangerous the Internet is, the Internet needs vigilantism.

    Bring it on.
  • by Val314 ( 219766 ) on Wednesday July 28, 2004 @09:42AM (#9821069)
    Microsoft already offers Free Update CDs [microsoft.com] (but it's from Feb 04, so not that useful for current exploits). I expect them to offer a free XP SP2 CD once it's out.
  • by Zebbers ( 134389 ) on Wednesday July 28, 2004 @03:16PM (#9823966)
    Ummm... please don't equate physical theft with digital concepts. It doesn't work.